-
Publication (Announcement) No.: US11895227B1
Publication (Announcement) Date: 2024-02-06
Application No.: US18322265
Application Date: 2023-05-23
Applicant: CLOUDFLARE, INC.
Inventor: Derek Chamorro , Michael Pak
IPC: H04L9/08
CPC classification number: H04L9/0825 , H04L9/0827
Abstract: A first intermediate key management system (KMS) server of a distributed KMS receives a key lookup service (KLS) query from a KMS client for determining an identity of KMS server(s) that are capable of performing a first operation with a first managed key. The first intermediate KMS server is one of the intermediate KMS servers of the distributed KMS. The first KMS server determines the identity of one or more of the KMS servers that are capable of performing the first operation with the first managed key. The first KMS server transmits a KLS response to the KMS client that includes the identity of the KMS server(s) that are capable of performing the first operation with the first managed key.
-
Publication (Announcement) No.: US11895009B2
Publication (Announcement) Date: 2024-02-06
Application No.: US18147573
Application Date: 2022-12-28
Applicant: CLOUDFLARE, INC.
Inventor: Braden Ehrat , Jay A. Kreibich , Jérôme Fleury , Michael Vanderwater , Nicholas Alexander Wondra , Richard Thompson
IPC: H04L45/00 , H04L45/44 , H04L61/5007
CPC classification number: H04L45/14 , H04L45/44 , H04L61/5007
Abstract: A request from a client device is received at a first one of a plurality of compute nodes at a first one of a plurality of data centers of a distributed cloud computing network. A destination of the request is determined. An optimized route for transmitting the request toward an origin server that corresponds with the destination of the request is determined, where the optimized route is based at least in part on probe data between data centers of the distributed cloud computing network for a plurality of transit connections, and where the optimized route has an IP address that encodes an identification of which of the plurality of transit connections is to be used to deliver the request. The request is transmitted to a next hop as defined by the optimized route over the identified one of the plurality of transit connections.
-
Publication (Announcement) No.: US11882199B2
Publication (Announcement) Date: 2024-01-23
Application No.: US17893003
Application Date: 2022-08-22
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Philip Branch , Naga Sunil Tripirineni , Rustam Xing Lalkaka , Nick Wondra , Mohd Irtefa , Matthew Browning Prince , Andrew Taylor Plunk , Oliver Yu , Vlad Krasnov
CPC classification number: H04L67/63 , H04L12/4633 , H04L12/4641 , H04L63/0272 , H04L67/10
Abstract: A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.
-
Publication (Announcement) No.: US11880422B2
Publication (Announcement) Date: 2024-01-23
Application No.: US16389879
Application Date: 2019-04-19
Applicant: CLOUDFLARE, INC.
Inventor: Darren Remington , Michael Conrad , Killian Koenig , Trevor Sundberg , David Harnett
IPC: G06Q20/38 , G06F16/957 , G06F16/958 , G06F21/62 , G06F21/71 , G06F9/451 , G06F40/14 , H04L67/131
CPC classification number: G06F16/9574 , G06F9/452 , G06F16/9577 , G06F16/972 , G06F16/986 , G06F21/629 , G06F21/6245 , G06F21/6281 , G06F21/71 , G06F40/14 , H04L67/131
Abstract: Methods, systems, and techniques for application isolation by remote-enabling applications are provided. Example embodiments provide an Adaptive Rendering Application Isolation System (“ARAIS”), which transparently enables applications to run in an isolated execution environment yet be rendered locally in a manner that facilitates preventing theft of sensitive information while allowing users to interact with any third-party application or website via the local environment without overburdening available bandwidth or computational resources by, in some cases, evaluating only select information responsive only to select events, as compared to whitelist/blacklist techniques, monitoring all information provided by the user, or other techniques. The ARAIS typically includes an orchestrator server that comprises one or more of a sensitive-information theft-prevention logic engine, information-theft prevention engines, or a rules engine. These components cooperate to deliver isolation-ready technology with sensitive-information theft prevention to client applications.
-
15.
Publication (Announcement) No.: US11853776B2
Publication (Announcement) Date: 2023-12-26
Application No.: US18148642
Application Date: 2022-12-30
Applicant: CLOUDFLARE, INC.
Inventor: Kenton Taylor Varda , Zachary Aaron Bloom , Marek Przemyslaw Majkowski , Ingvar Stepanyan , Kyle Kloepper , Dane Orion Knecht , John Graham-Cumming , Dani Grant
IPC: G06F9/448 , H04L67/00 , H04L67/02 , H04L67/10 , G06F9/455 , H04L9/40 , H04L67/53 , H04L67/63 , G06F21/53 , H04L41/50
CPC classification number: G06F9/4484 , G06F9/45558 , G06F21/53 , H04L9/40 , H04L41/50 , H04L63/10 , H04L67/02 , H04L67/10 , H04L67/34 , H04L67/53 , H04L67/63 , G06F2009/45587
Abstract: A compute server receives a first request from a client device that triggers execution of a first third-party code piece. The first request is directed to a first zone. A single process at the compute server executes the first third-party code piece. As a result of executing the first third-party code piece, a second request is generated that triggers execution of a second third-party code piece. The second request is directed to a second zone. The single process executes the second third-party code piece. A response is generated to the first request based at least in part on the executed first third-party code piece and the executed second third-party code piece. The generated response is transmitted to the client device.
-
16.
Publication (Announcement) No.: US20230412644A1
Publication (Announcement) Date: 2023-12-21
Application No.: US17936572
Application Date: 2022-09-29
Applicant: CLOUDFLARE, INC.
Inventor: James Howard Royal
IPC: H04L9/40
CPC classification number: H04L63/20 , H04L63/102 , H04L63/0807
Abstract: A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.
-
Publication (Announcement) No.: US11831607B2
Publication (Announcement) Date: 2023-11-28
Application No.: US17977381
Application Date: 2022-10-31
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Alexander Wondra
CPC classification number: H04L63/0236 , H04L12/4633 , H04L63/029 , H04L63/0272 , H04L63/0485 , H04L67/10
Abstract: Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined, including an identifier of a customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information are transmitted over a cross-customer GRE tunnel to a namespace of the second customer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, then the traffic is transmitted.
-
Publication (Announcement) No.: US20230367836A1
Publication (Announcement) Date: 2023-11-16
Application No.: US18355587
Application Date: 2023-07-20
Applicant: CLOUDFLARE, INC.
Inventor: Trevor Sundberg , Killian Koenig , Darren Remington , Benjamin Buzbee , Michael Conrad , David Harnett
IPC: G06F16/957 , G06F16/958 , G06F21/62 , G06F21/71 , G06F9/451 , G06F40/14 , H04L67/131
CPC classification number: G06F16/9574 , G06F16/986 , G06F16/972 , G06F16/9577 , G06F21/6245 , G06F21/6281 , G06F21/629 , G06F21/71 , G06F9/452 , G06F40/14 , H04L67/131
Abstract: A server receives from a client device that is executing a web browser application a request to initiate a remote application in the server. The server instantiates an instance of the remote application. The server intercepts draw commands associated with the remote application instance. The server provides the draw commands to the client to cause the web browser application to render portion(s) of output based on the draw commands. The server receives an input event from the web browser application. The server provides the client one or more draw commands based on the input event to cause the web browser application to render portion(s) of output based on those draw commands.
-
19.
Publication (Announcement) No.: US20230308415A1
Publication (Announcement) Date: 2023-09-28
Application No.: US18326745
Application Date: 2023-05-31
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Alexander Wondra , Igor Postelnik , Michael John Vanderwater , Adam Simon Chalmers , Nuno Miguel Lourenço Diegues , Arég Harutyunyan , Erich Alfred Heine
CPC classification number: H04L63/0236 , H04L12/4633 , H04L63/0485 , H04L63/029 , H04L63/0272 , H04L67/10
Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.
-
20.
Publication (Announcement) No.: US20230224290A1
Publication (Announcement) Date: 2023-07-13
Application No.: US18092750
Application Date: 2023-01-03
Applicant: Cloudflare, Inc.
Inventor: Sébastien Andreas Henry Pahl , Matthieu Philippe François Tourne , Piotr Sikora , Ray Raymond Bejjani , Dane Orion Knecht , Matthew Browning Prince , John Graham-Cumming , Lee Hahn Holloway , Albertus Strasheim
IPC: H04L9/40
CPC classification number: H04L63/0823 , H04L63/061
Abstract: A server establishes a secure session with a client device where a private key used in the handshake is stored in a different server. An encrypted connection is established between the first server and the second server. A message is received from the client device that initiates a procedure to establish the secure session between the client device and the first server. As part of this procedure, the first server transmits over the encrypted connection a request to the second server to use the private key. The first server receives, over the encrypted connection, a response to the request that includes a result of the use of the private key. The first server uses the result during the procedure to establish the secure session.