Hi Reddit. As this is my first AMA I’m open to answering any questions about CloudFlare, founding CloudFlare, raising money, Heartbleed, attacks we’ve seen or anything else you want to know.

For those of you not familiar with CloudFlare (www.cloudflare.com), is a web performance and security company based in San Francisco, CA. Our customers have included Fortune500 companies, Imgur, Wikileaks, the United States Government, the Internal Revenue Service of Pakistan, Lulzsec.... and millions more. Today, about 5% of all web requests pass through our network where we make them faster and protect our customers from attacks.

From online censorship to net neutrality to receiving National Security Letters to raising venture capital to how to keep your site fast and safe, we've seen a lot over the last five years. Happy to answer any questions you have. You also can learn more about topics I'm interested in from CloudFlare's blog (blog.cloudflare.com) or on Twitter (@eastdakota).

A little more about me...

I started programming on an Apple ][+ in 1980 (I was 7 and my mom would sneak me into computer science courses). CloudFlare is my third startup, but I've also worked as a attorney, law professor, ski instructor, and any number of other odd jobs over the years. I still have 3 lines of code left in the CloudFlare code base. I check them every morning to make sure no one has them replaced yet; I fear their days are numbered.

Victoria from Reddit and a few of my colleagues here at CloudFlare will be helping me out today, so let’s get started!

https://twitter.com/eastdakota/status/462328363408175105

Comments: 170 • Responses: 60  • Date: 

jimaek18 karma

What did you mean with this tweet:

Notice anything different about SSL on https://blog.cloudflare.com/ ? (Hint: you shouldn't.) We just enabled something very, very cool.

EastDakota10 karma

:-)

One of the things that is critical to get mass adoption of CloudFlare in highly secure environments like financial institutions is a way to handle SSL without us ever having to be trusted with our customers' SSL keys. We've built something that does that and it's now running on a handful of customers' sites as well as on portions of cloudflare.com (the blog included). That's all I can say for now, but it's pretty cool and we'll be talking about it a lot more in the next few months.

shotgun_ninja1 karma

Don't tell me it's a solution to P=NP. Please.

EastDakota6 karma

No, it's not.

zanywing18 karma

[deleted]

EastDakota27 karma

At a high level: People hate their cell phone providers because their bills are unpredictable. We don't want to be thought of like a cell phone provider.

The scale economics in our business are significant. Our primary variable cost is bandwidth. However, the rate at which bandwidth prices drop is very fast as you start to get to scale. We're now at the scale where we can peer off a significant portion of our traffic, making it effectively free to us. If we can continue to push bandwidth toward zero then it makes sense for us to not charge customers more based on that.

The other thing is that we get smarter about stopping threats with every request that routes through our network. If we charged for bandwidth then it would cause customers to potentially avoid routing traffic through us. That goes against the core value that we provide: effectively a neighborhood watch for the Internet.

jamesrwhite12 karma

What do you think of the progress of HTTP 2? Will Cloudflare be an earlier supporter of it once it gets released like you have done with SPDY?

EastDakota10 karma

Yes.

movenine11 karma

Hey Matt!

What qualities do you look for when you're hiring, and how does one maximise their chances to land an internship? :-)

EastDakota8 karma

We're an engineering-driven organization and we shoot for 80% of our team to be engineers. We hire people from around the world and then move them to San Francisco or London to work on the team. We look for people who have proven they're creative problem solvers. Having contributed to open source projects or taken up hobby coding projects on your own are big positives for us -- even if you're applying for a non-engineering role. Generally, we'd take someone we get along with and think would fit in with the rest of the team (i.e., isn't a jerk) over someone with more experience. We do hire interns across our various teams and have hired several former interns into full-time positions. You can see what jobs we currently have posted on our site:

http://www.cloudflare.com/people

iamtylerdurdenman2 karma

What does a community evangelist do?

EastDakota6 karma

Sets up AMAs. :-)

osujacob10 karma

Big fan of yours, we're a CF Optimized Partner, with a bunch of domains through you guys. Just wanted to give a shout-out and say thanks -- you guys are awesome!

Any ideas when you might start publishing graphs or statistics for partners? Love to know how much B/W we saved as a total, graphs on signups, etc. Also, any updates for the WHMCS plugin in the future? It just kills me that it only supports one CF DNS domain, so we have to email you guys every time to get Railgun on the account. Plus the automation errors out 90% of the time.

Thanks again, you guys are making the web a better place!

EastDakota4 karma

Thanks for the kudos. We're in the midst of a major (and overdue) rebuild of our logging/analytics infrastructure. As we roll that out to customers, the plan is to put more data in the Partner Portal. We want to make it clear how we're helping you and your customers. We also just hired someone (Ashley) to work more closely with our hosting partners and make sure they're getting the most out of working with CloudFlare. We have more than 5,000 hosting partners and we know there's a lot more we can be doing to help you enhance your service for your customers.

Thanks for being a partner!!

osujacob1 karma

Thanks for replying, and for the information! Couple more questions (if you see this)

1) Any plans to implement non-www for straight CF accounts? That confuses a lot of customers.

2) Railguns association. This is a must, we currently track associations in an Excel spreadsheet. That's pretty bad. Any idea when you might associate that in the partner portal?

Thanks again!

EastDakota1 karma

We want to allow root domains behind CloudFlare via partners. We've got a few different ways of doing that we're playing with. The challenge is we want to maintain flexibility to move customers between IPs in order to isolate them when there's an attack. Since the DNS RFC doesn't allow CNAMEs at the root, it makes it tricky. But we're working on it.

I'm told the Railgun associations should be in the partner account portal relatively soon.

awfml9 karma

Hi Matthew, what are your thoughts about the recent news surrounding the FCC's new net neutrality proposal? How do you think it will affect services like CloudFlare?

EastDakota10 karma

We're watching the FCC's moves on Network Neutrality very closely. My cofounder Michelle (@zatlyn) sits on the Open Internet Advisory Committee for the FCC. CloudFlare is the only startup represented on the committee. We recently retained a DC lobbying firm in part to advocate for network neutrality and we hired our first in-house counsel out of Google and the FCC. This is an important issue for us.

It's hard to overstate the benefits an uncensored, open Internet has created for the world. We're strong proponents of preserving the principles of Network Neutrality that have allowed open innovation. If governments around the world start to chip away at those principles, I'm hopeful that CloudFlare can use our scale and size in the market in order to ensure our customers will still be as fast as possible around the world.

jhulc2 karma

Would CloudFlare ever get involved in a peering dispute if it would mean a better internet in the long term, even though it might result in temporary performance problems?

EastDakota3 karma

We negotiate peering agreements daily. There are occasionally disputes. But, generally, most of the world's ISPs are still open to reasonable peering with us.

EastDakota7 karma

Thanks for participating everyone, that was fun!

Timmarus6 karma

What were your initial reactions to the Spamhaus incident that happened a long time ago?

EastDakota7 karma

I was Spamhaus's attorney very briefly once upon a time, so I've known that team for a while. When their website got knocked down we were happy to help. At first the attacks were big but nothing out of the ordinary. I was out to dinner (on a date) when the big volume. My reaction was: "300Gbps?! Shit. How's the network holding up?" Good news was we'd designed the network to handle quite a bit more traffic. That said, based on how the attack was launched, it was easy to see how the attacker could have scaled it another 10x+. That would have been very bad, and not just for us. Thankfully, while the size of attacks has continued to grow, we're still within an order of magnitude of what Spamhaus saw.

SteeveCo5 karma

I hear good things, mostly, all over about CloudFlare. Can you give your top 3 reasons a smaller WordPress blogger should use your services?

EastDakota8 karma

1) It's free 2) Faster is always better 3) We work closely with the WordPress team and usually get early word of new vulnerabilities and are able to virtually patch them before they're announced

iSloth5 karma

Quite a few content delivery providers are offering local caching servers to ISPs; Google, NetFlix, Akamai to name a few...

Any plans? As would this kind of architecture not be ideal for Cloudflare as you could actually filter DDOS traffic and security threats within the originating network, and save on bandwidth costs.

As a network techy at an ISP, I'd love to see it ;-)

EastDakota6 karma

Yes. We call them mini-PoPs and we have a very large number of ISPs around the world that are asking for them. The challenge is doing it the right way. Akamai, for instance, doesn't terminate SSL from their local caches because they don't want to put customer keys on them. Once you send an ISP a server you can never fully trust that server again. Since we believe that increasing SSL penetration is important, we want to make sure we do local caches right and don't hamper our ability to do that. If you look at some of the people we've hired, you can see what we're up to. We know, for instance, that it's possible to take a computer and send it to an insecure place and ensure that only your code runs on it: that's what an iPhone is, after all. Shouldn't be a surprise, then, that we hired one of the crypto guys from Apple. If you start to think about building a server like building an iPhone then there are a lot of places you can send them to improve performance without increasing risk. I think this is some of the coolest stuff we're working on internally.

ArmoredCavalry4 karma

First off, big fan of CloudFlare, I try to recommend it to anyone looking for a great CDN. Also really glad you offer a free tier, I think it gives you a great advantage over your competitors in enticing users to try out the service!

Now onto my question. Can you share details on what you think is the most exciting upcoming feature for CloudFlare? (besides the SSL change discussed elsewhere).

EastDakota11 karma

I'm excited about our plan to enable SSL even for free customers. The amount of bizdev, systems, and dev ops work necessary to make that happen is staggering. We've literally been working on it for the last two years and the pieces are finally coming together. I'm excited about it because I think we'll double the number of sites protected by HTTPS web-wide the day we turn it on. That's pretty cool.

BastionTwilight4 karma

When will you accept PayPal payments? You've said for so long you will accept this but still nothing. Thanks.

EastDakota35 karma

I promise it's still something we're working on. A complete rework of billing is scheduled for Q3. That will include PayPal (and Bitcoin).

EastDakota3 karma

And, ps, don't think you're alone in being frustrated in how long it's taken. Kills me.

silent04 karma

Any chance that sub-accounts will ever become a feature?

EastDakota4 karma

If by sub-accounts you mean the ability for multiple users to manage an account with different permissions then yes. It's coming with the rollout of the new customer site before the end of Q2.

jimaek2 karma

What about transferring a domain to a different CF account?

EastDakota2 karma

That'll be possible once multi-user is enabled.

manipoli4 karma

[deleted]

EastDakota8 karma

We're working on a bunch of SSL updates. One of the things we want to do is eliminate RC4 since we think it's likely is no longer secure. We'll be blogging about that soon. We've also found some other OpenSSL bugs that made Heartbleed worse, so we've patched those and contributed the patches back to the OpenSSL community. You can read more on a great blog post John Graham-Cumming wrote up:

http://blog.cloudflare.com/searching-for-the-prime-suspect-how-heartbleed-leaked-private-keys

qKalashnikov3 karma

When will Cloudflare have stickers again? I'm dieing to get one ;_;

EastDakota7 karma

We just got a new order of stickers in. I think Damon is planning on doing a give-away next week. Stay tuned!

larrysalibra3 karma

How do you manage to keep so active on social media while keeping up with all of your other management duties? Does your team sometimes post as you?

EastDakota3 karma

Ha. No, no one else posts as me (@eastdakota). I don't post as @CloudFlare -- that's Damon on our team who was our 8th employee and literally invented the position of social media manager once upon a time when he was an early employee at PayPal. For my personal account, I think I tend to post mostly when I'm traveling (usually to complain about United Airlines). If it seems like I'm posting a lot it probably means I'm traveling a lot. Incidentally, still weirds me out a little when people come up to me and say: "I follow you on Twitter."

fmelo73 karma

Any server in Portugal soon?

EastDakota2 karma

We've talked with some Portuguese ISPs about putting in what we call mini-PoPs directly into their data centers. That'll likely happen before the end of 2014. Madrid is coming even sooner: likely by the end of Q2 or early Q3.

lemurph3 karma

Big fan. When are you opening an office in Portland? :) There are a lot of good people here.

EastDakota2 karma

No plans for a Portland office. We run a data center nearby to handle data processing so we may open something at some point, but we believe it's pretty important to have as much of our team in the same office as possible. San Francisco is pretty nice too if anyone wants to move down.

saqibwaqar3 karma

Hey Matthew - Are there any plans to provide security against state-sponsored APT attacks? With a massive network like CloudFlare, there may be an opportunity to track signatures and develop an enterprise product - any thoughts?

EastDakota9 karma

We see what appear to be state-sponsored attacks quite often, although we spend more time on defense than we do on attribution so it's tough to really know the source of the attacks. Right now, for instance, there are news organizations on both side of the conflict in Ukraine using CloudFlare in order to stay online in the face of very large DDoS attacks. I agree with you that, over time, there's a lot we can do with our scale and data to better protect customers from more sophisticated attacks.

manipoli2 karma

[deleted]

EastDakota6 karma

We're opening to partnering with third parties to help enhance our WAF. When we do the big WAF rollout there'll be a number of announcements that I'm really excited about.

Sushubh3 karma

When are we getting a CloudFlare datacenter in India? I know bandwidth is super expensive here but I am guessing you have a lot of users here!

EastDakota8 karma

India makes Brazil look like a cakewalk. The problem in India is the government and their propensity to pass retroactive taxes on data service providers. There are horror stories of network providers that get hit with tax bills based on "the value of the data" flowing through their networks. That uncertainty makes it very hard. We've actually explored putting a facility in Nepal. It made a lot of sense on paper since the country is within ~5ms of Delhi and has a lot of in-bound traffic, but not a lot of out-bound traffic. Unfortunately, we did the math and our volume of traffic, even just from India, would significantly burden Nepal's infrastructure. We haven't given up on India, but it's a great example of how very physical, old world things impact doing business even as a software/services company.

larrysalibra3 karma

Did you write much of the original cloudflare code base?...if so, what was the most difficult thing about transitioning into your current non-coding role? What do the 3 remaining lines you wrote in CloudFlare do?

EastDakota7 karma

Lee Holloway, one of my co-founders, was the technical genius behind CloudFlare and wrote the vast majority of the code. I built the first version of our front end and some other random bits of code along the way. The last bit of my code that is left is around our Always Online feature. If you look at how it handles background AJAX requests to see if the site has come back online and think, "That's janky," now you know why.

jhulc3 karma

Do you have statistics on the amount of requests that are served over IPv6? How is IPv6 usage growing over time for you? Also, thanks for your work to encourage the usage of IPv6, including the free gateway.

EastDakota3 karma

We do, but I don't have them at hand. Martin Levy (@mahtin) on our team is working on a blog post where we'll be sharing them. There's been a marked uptick in IPv6 over the last 6 months, which is great news.

Liverpool24013 karma

What do you think are the biggest threats to the Internet these days? Is it governments, hackers, ourselves, etc.?

EastDakota4 karma

There are a number of significant threats. The Internet, it turns out, is a lot more fragile than people thought. Some threats I'm worried about:

  • Government action to "regionalize" the Internet. Brazil's proposal to require local data residency would have made building a modern web company very difficult.
  • The UN's attempt to take control away from ICANN concerns me. The Internet has always been self-governed by its stakeholders. I'm concerned with the ITU or other governmental organizations stepping in and messing that up.
  • Concentration of services behind a few giants worries me. The challenges of hackers and ISP fast lanes puts pressure to huddle behind the Google's Amazon's and Facebook's of the world. I think that risks something very special about the Internet. That's part of the motivation of CloudFlare: to give you the resources of a giant without forcing you to live in their walled garden.

Wolfbeckett3 karma

I've always thought it was funny that Cloudflare's DNS servers have human names like Lars.cloudflare.com instead of the standard numbers like ns1.dnsserver.com. Who's idea was that?

manipoli2 karma

[deleted]

EastDakota5 karma

Yup, that post gives the rationale for it. Some quick points:

  • They're all 2-4 letters long, although we're adding some longer ones soon
  • They don't actually correspond to a pair of servers, but instead reference potentially any server in our network
  • The primary purpose is to differentiate who is the true owner of a site if multiple people register at the same time
  • We figured that names would be less likely for people to mess up than something like ns48

awfml2 karma

What's your favorite color?

EastDakota3 karma

Hmm. Not sure. I just painted my apartment and everything ended up being some shade of gray. That's such a boring answer. Probably something in the cool tones: blue or green more than red, orange or pink. Although... I do like CloudFlare Orange. (But CloudFlare's logo was almost blue: http://blog.cloudflare.com/rejected-cloudflare-logos)

64mb2 karma

What do you use to monitor your servers all around the world?

Also, must say I love the blog, it's a great insight.

EastDakota5 karma

We use a combination of open source tools like Nagios as well as a number of things we've developed internally -- although those too are usually build on open source tools like OpenTSDB and SystemTap. Our SRE team is amazing to keep everything running as we are growing as quickly as we are.

The blog has been a real surprise. If you go back and read the early posts it started out much more like a traditional marketing blog. At some point we started writing more technical posts and they really resonated. Some of the posts that get the most readers are those that are the most technical. We encourage our engineering team to talk about what they're working on.

manipoli2 karma

[deleted]

EastDakota3 karma

I think it's increasingly important to have at least some understanding of the law if you're building a technology company. It's scary the first time the marshall shows up at your office with a warrant (first time it happened to me, incidentally, was at my last startup). Knowing your legal rights, having the confidence and understanding of when and how you should push back, is important. We've started to run seminars for other startups on how to think about the law, law enforcement, and the political process. I think it's been a blind spot for a lot of technology companies to engage in the legal process. We're trying to do a small part to change that.

sundaymouse2 karma

Cloudflare blog mentioned SSL will be available for free customers, any schedule or eta at the moment?

EastDakota2 karma

We're shooting for end of Q2/beginning of Q3.

seraph772 karma

I don't know if this is breaching into the "can't disclose for security reasons" realm, but what is the largest theoretical attack you could mitigate? Say if multiple botnet handlers were to suddenly team up for a joint cause, throwing some insane traffic along the lines of tbps at a site/ISP.

edit: to clarify, I mean mitigate while still keeping the site online, not just blackholing the traffic.

EastDakota2 karma

We have over 2Tbps of mitigation capacity, and we're adding more all the time.

ageisp0lis2 karma

CloudFlare recently took away the ability for people to run CF on top of Incapsula's service, in essence proxying over a proxy and utilizing two CDNs at once. Now this situation, which previously worked fine for a long time, results in an error, "DNS points to prohibited IP". What gives? If it doesn't cause a problem why block it?

EastDakota0 karma

That wasn't intentional. It may have been related to us expanding our CNAME flattening service:

http://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root

Submit a ticket and we'll figure it out. That said, proxying through multiple proxies is probably not a good idea.

jtorraca1 karma

Hi Matt,

What were some of the challenges you faced when starting up CloudFlare in the beginning? If you could sum up the first few years of CloudFlare in one word, what would it be?

EastDakota3 karma

Everyone thought we were crazy. "You're going to get people to switch their DNS to you, route their traffic through you, and you're going to do it by shipping equipment to locations around the world?! You're nuts." I saw someone Tweet the other day that every entrepreneur's superpower is naivety. I think that's right. Had we known all of what was really involved in building CloudFlare I don't think we'd have ever gotten started. But I'm glad we did and enjoy coming to work every day to build something that is literally help build a better Internet.

NorbitGorbit1 karma

What's one business offshoot you wanted to pursue with cloudflare but couldn't because of whatever reason?

EastDakota2 karma

Two:

  • I wanted to create a Gmail alternative to compete with Google. Start with a solid mobile app. Build crypto and security in from the beginning. Notify when your messages were passing over a non-secure SMTP session. Monetize on a simple per-seat basis rather than through ads. I think there are a lot of big companies adopting Google Apps but not excited about it. That feels like a market opportunity.

  • I wanted to create a stock exchange that leveled the playing field and limited access to high frequency traders. Potentially even go back to fractional share pricing to give margin back to stock brokers and encourage market research. Was interesting to read Michael Lewis's new book ("Flash Boys") and see that someone is actually trying it.

nefastii1 karma

Clouflare Brazil DataCenter, when?

EastDakota6 karma

Brazil doesn't make doing business there easy. We've had equipment sitting in customs for 3+ months. What my team didn't tell me when we started the Brazil project is that if Brazil customs denies your equipment entry then they burn it. Glad I didn't know when I approved the PO. The other thing that is a pain about Brazil is there's a 100% import duty on all equipment sent there. That means it's 2x the cost to turn up servers in Brazil as it is almost anywhere else in the world. Good news: equipment cleared customs and, last I heard, it was in the process of being racked. Barring something unexpected, Sao Paulo will be online before the end of the month.

tr1ckert1 karma

Hey Matt,

I have been a CloudFlare user since 2010 and I think the service is great. My question is:

What exactly is happening in your system to trigger a domain to bypass CloudFlare (in case of an attack)? Is there a pps limit? Is there a gbps limit? Also, if you enable the DDoS protection page in a reasonable amount of time (e.g. by checking cpu load and calling the api if it's high with a script ran by cron every minute) would you ever risk to get disabled?

EastDakota5 karma

For free/pro accounts, the criteria is when the attack starts to negatively affect other customers. That threshold really depends on the circumstances of the attack. If, for instance, an attack is very regionalized and only hitting one data center then it actually is more likely to cause issues than if it is distributed. That makes it difficult to give hard and fast thresholds. For business/enterprise accounts, we have a policy of keeping them on the system no matter what. We have gone to pretty extraordinary lengths to keep biz/ent customers online under large attacks.

ryangillam1 karma

Is your system going to get less annoying? Got nothing but errors from CloudFare stockholm over the past couple of days.

EastDakota1 karma

Submit a ticket with the RayID and we can figure out what's going on. No known problems in Stockholm recently.

theultraluxee1 karma

Hey there! Whats the biggest attack you have ever mitigated?

EastDakota7 karma

The biggest one we've talked about publicly was just shy of 400Gbps. We've seen a few others that have been bigger than that, but nothing yet that's crossed 500Gbps. I think it's inevitable we will sometime in the next 12 months.

malcarada1 karma

[deleted]

EastDakota1 karma

Yes.

icewatersteam1 karma

Do you have any plans for mainland china in the future. We use one of the big chinese cdns and the service is terrible. I think there is a big market for global CDN that could offer ICP approved services like ChinaCache.

EastDakota1 karma

Stay tuned.

johnjhigginson1 karma

Matthew, congratulations on the success of Cloudflare -- it's been fun to watch it grow. Here's my question: Cloudflare took the lead on Heartbleed and worked in a very open way with other companies and individuals to determine the risks of the defect and how to validate if your site was affected. Cloudflare also helped the NYT deal with a denial of service attack from the SEA about a year ago. That's part of what seems to be an ethos of "it's all of us against the bad guys" ethos in the security community. Do you see that cooperation continuing even though in some circumstances it may not be to the short-term benefit of some companies to "help" their competitors solve problems?

EastDakota3 karma

I hope so. I really dislike the FUD marketing that many old-school security companies engage in. What I'm proud of is that the adjectives that our customers most often describe us with are "smart" and "helpful." We try and keep an ethos across the whole company of never saying: "That's not our problem." It means our support team spends a bunch of time helping people write their Apache configs and other things that don't directly have to do with us. The upshot, however, is that when the NYT comes under attack, we're someone the CTO trusts to call and help out.

spunkysten1 karma

This is a more specific question about net neutrality: What do you think about ISP's charging Netfliz for bandwidth?

EastDakota6 karma

There's an expression in the law that hard cases make bad law. Netflix is a hard case, so it's hard to generalize from them. At their peak they are responsible for 30% of Internet bandwidth in the United States. That's enough that it imposes real costs on ISPs who have to install new routers, upgrade their backbones, etc. Those costs are real and so the dispute is really over who should have to pay for them. If the cost is imposed on the ISP then they'll, in turn, pass them on to customers. That doesn't seem fair to someone like me who isn't a Netflix subscriber. On the other hand, the ISP's customers are paying the ISP to access any service online, Netflix included. It's a tricky problem.

A lot of the problem comes from the fact that the market developed with all-you-can-eat/flat-fee pricing. That means low bandwidth users end up subsidizing high bandwidth users. You'd probably have a lot fewer market distortions like Netflix if end users paid on a usage basis. Of course, that's an unpopular option, and it's hard to imagine how you transition from one model to the other, but it would be easier for ISPs to get behind network neutrality if they knew they could bake costs of services like Netflix into their pricing. And, incidentally, it's not clear that, over time, customers would be worse off.

(I recognize there's a significant amount of irony in my suggesting that after, earlier in this conversation, saying that CloudFlare has fixed-rate pricing because people hate the surprises inherent with variable-rate pricing.)

The other thing that's gotten a bit lost in the conversation is that I'd guess Netflix is paying less for bandwidth through Comcast directly than they were via Cogent. People don't object to Netflix paying Cogent, but they do to people paying Comcast. The reason, of course, is that Comcast is a terminating access monopoly. Comcast has a monopoly over the access to all their subscribers (i.e., if Netflix wants to reach a Comcast subscriber, one way or another, they need to pay Comcast). That suggests that even if you have competition among end-user ISPs, the ISPs will still have a lot of market power over content providers.

These are hard problems.

ButtPuppett1 karma

Hi Matt

How did you get some of your first customers? Any strategies you can share?

EastDakota8 karma

CloudFlare was born, in part, out of Project Honey Pot (http://www.projecthoneypot.org), an open source project that Lee (@icqheretic) and I started 10+ years ago. CloudFlare's first users were Project Honey Pot members. Our first email to them asked for a helluva leap of faith. Originally, the way you signed up for CloudFlare was by giving us your registrar's username/password. We wrote a little crawler that would login to your registrar, scrape all the DNS info, and then update your name servers. When we first emailed people we didn't have a UI beyond a little box that said something like: "Give us your GoDaddy username/password." It was pretty crazy that people did it, but we'd built a ton of trust with them over the years running PHPot without ever asking for anything in return.

The other fun PHPot story was that when we were first starting we didn't have any money for equipment. Michelle (@zatlyn) suggested that we email all the PHPot users who lived around the Bay Area to see if they had any extra servers. So we did. Emailed about 100 people. Got a ton of replies. Michelle drove around in her little Jetta picking up all the servers. None of them worked, but we were able to take parts from them to cobble together 2 that kind of ran. It was on those two servers we built the first prototype of CloudFlare.

davidaap1231 karma

You guys dropped some hints on your blog about a new website with new analytics etc, any ETA on that ?

EastDakota2 karma

We've been testing a whole new customer website for the last 6 months. Our plan is to begin rolling out the beta over the next few weeks and have it out broadly by the end of the quarter (June). The first version won't have a completely new Analytics frontend, but we're working on the design for that and should roll it out in Q3.

no1k1 karma

Hey Matthew ! First of all thank you for the good tools you providing. I would like to know how did you come up with this idea ? Can you tell us more about your two previous start-up ? Was them totally different from CF?

EastDakota2 karma

The first startup I worked for wasn't my idea. I was the first non-founder employee. It was completely different: an online health benefits brokerage based in Chicago. It was actually a lot like Zenefits, which is a new hot startup doing the same thing 15 years later. I learned a ton in the process.

My second startup is Unspam Technologies. It was in the anti-spam space and is still around (and profitable!) today. I still serve on the Board and Lee (@icqheretic), one of my co-founders at CloudFlare, was our first non-founder employee at Unspam.

RUbernerd1 karma

About a year ago, you told me Kanye West's Stronger was a good song to describe the success of Cloudflare. Considering the last year's experience, would you say that is still an accurate sentiment or would another song better describe it?

EastDakota3 karma

Well, Kayne threatened to sue us because Coinye (the parody crypto coin) was a customer. Can't decide if that makes me more or less likely to do a CloudFlare remix of Stronger.

manipoli1 karma

[deleted]

EastDakota2 karma

We use it to keep things like customer SSL keys secure.

Firesphere1 karma

Hey Matthew,

First off, I love your service and I am enjoying it every day. But how did you manage to go from a small startup to where you are today?

Secondly, my cat says meow. Or something like that.

EastDakota4 karma

One step at a time. I still think of us as a small startup. I walk into the office regularly and still think: where'd all these people come from. I think there's a fiction that startups often have a silver bullet that explains their success. Think about Facebook. There's nothing on its own that is so amazing about Facebook. For them to have built what they did was a million good, small decisions. Then, one day, they woke up and they were huge. There's nothing I can point to as a silver bullet in our story either. We've tried to make a million good, small decisions and tackle problems as they come up. One thing I've learned is that it takes as much effort to solve a big, daunting problem (like CloudFlare) as it does to solve something that seems more manageable. In some ways, big, gnarly problems are actually easier because they attract really smart people to help work on them. And, I don't have a cat, but if I did it would say meow right back.

KarmaNeutrino1 karma

Hey Matt!

  • Do you think the danger from Heartbleed was overexaggerated? Why?

  • Do you code at all any more, or do you have lackeys do do such menial work for you now?

  • What's your current, favourite web startup?

WHen you started up CloudFlare, how far did you see it going?

Thanks!

EastDakota7 karma

Generally, I think that a lot of these Internet vulnerabilities are overhyped. Heartbleed was an exception. It was literally like the plot of that bad Sandra Bullock movie "The Net." There was, effectively, a button that you could push on any server in the world to have it dump the contents of its memory. While everyone focused on it being a crypto vulnerability, the bigger risk continues to be stealing things like login session IDs. That wasn't hypothetical. People were doing it with major services like Yahoo Mail for days after the vulnerability was disclosed. My hunch is we'll still be finding problems created by Heartbleed 2 years from now.

EastDakota2 karma

Hmm. Don't know what my favorite startup is other than CloudFlare. One thing that has been fun is having young startups by the office to brainstorm. Michelle (@zatlyn) and I try and make time to help them out as there were a lot of people who did the same for us when we were getting started.

EastDakota2 karma

I don't code much anymore. Every once in a while I'll bang out a little Javascript or something in order to prototype something, but there's no way my coding skill is anywhere close to where it would need to be in order to program for CloudFlare.

nraynaud0 karma

Just to share a story: some friends did a component on the website of one of the biggest sport event of the planet (I think it's the biggest yearly one, the rest is every 4 years). They used the free cloudflare offer to handle the load. Then the salesman called them saying something of the effect: "that was a nice free ride guys, maybe it's time to grab the checkbook". Oh! Snap! Then the price came: 150€. Awesome.

EastDakota1 karma

That doesn't sound like us, but glad if it was the price was so affordable.

cpqq-1 karma

[deleted]

EastDakota3 karma

We have millions of customers, so it's not a surprise we've got a lot of IPs. We're going to make SSL available to all our customers, even free ones. That will end up chewing up a bunch of IP addresses. Getting a large allocation of IPs was one of the last stumbling blocks we needed to overcome before we could do that. We just received a /12 from ARIN, so that plan is moving forward. I can't think of any other company that uses IPs as efficiently as we do. We've also been a big proponent of IPv6, so we're doing what we can to help with the transition to the future.

EastDakota2 karma

And, PS, Akamai just got a /10.

stevehobbes-1 karma

What's brown and sticky?

EastDakota0 karma

Rice from Koh Sumoi and the Monkey, the Thai place near our office in San Francisco. ;-)