Google CDN Enters Beta

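There has been a lot of news in the CDN industry lately. One item is that Google CDN has entered beta; Google serves it from the data centers it has deployed around the world.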

Although it has entered beta, it still has a severe technical limitation: only GCE can act as the origin server, which makes it far less practical:

Delivers HTTP/HTTPS content originating from Compute Engine VM instances. External origin servers are not supported.

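Some features differ from a typical CDN. One is Google's slogan on HTTPS, so HTTP and HTTPS are priced the same. Really, you can just think of it as HTTP being charged at the same rate as HTTPS: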

SSL Shouldn't Cost Extra
The web is moving to HTTPS, and your cacheable content should, too. With Cloud CDN, you can secure your content using SSL/TLS for no additional charge.

Another feature is that, at the technical level, it claims to use Anycast entirely, rather than the DNS + Anycast approach seen elsewhere:

Serve all your content from a single IP address with low latency worldwide.

In addition, the pricing differs from other CDNs in quite a few ways, and traffic for China is handled separately as well.

First, it charges separately for Cache Egress (from the CDN to users) and Cache Fill (from the CDN to the origin to fetch resources); a typical CDN charges only for Cache Egress.


Traffic destined for mainland China is served from Google locations outside of mainland China. Performance and reliability may be lower than for traffic served from in-country locations.

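The implication is that they buy optimized bandwidth separately to serve this traffic, but the result still won't be as good as having data centers inside mainland China. The upside is that no ICP license or similar permit is required.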



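Because China only lets its citizens take US$50,000 out of the country per year, China's wealthy have come up with all sorts of ways to move their assets. The method Boing Boing describes here is really pretty great XDDD: "Chinese millionaire sues himself through an offshore shell company to beat currency export controls".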


But there's a better way: for a small sum, you can just set up an offshore shell company, direct it to sue a Chinese company you own, throw the lawsuit, and then, oh well, I guess there's nothing for it but to send a bunch of cash to your shell company, exempted from export controls, in the form of court-ordered damages.

This method XDDD

StartSSL Puts  in Qihoo 360's Data Center

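Speaking of which, I've been fairly happy using Nuzzel lately, since it picks up quite a few articles. Surprisingly, though, I didn't see this one on Nuzzel; I saw it on Allen Own's Facebook timeline (this post).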

The original article is "Why I stopped using StartSSL (Hint: it involves a Chinese company)".

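The main security issue is that  is hosted in the data center of the Chinese company Qihoo 360, and this is the server used for identity authentication. Given that China is a country under rule of man rather than rule of law (i.e. there is no way to ensure that the CA's audit mechanism is effective), I decided to remove StartSSL's root certificate from the trusted chain so that I don't get hit...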

CloudFlare Partners with Baidu to Enter the Chinese Market

Big news from yesterday: CloudFlare announced that it is partnering with Baidu to enter the Chinese market: "How We Extended CloudFlare's Performance and Security Into Mainland China".

The "China network" page lists the various restrictions. First, you need a license (ICP) to use it:

CloudFlare customers that wish to serve traffic for their domains across the China network must possess a valid Internet Content Provider (ICP) license. An ICP license is a Chinese government issued license required to host or cache Internet content within mainland China. Learn more about how you can obtain an ICP license here.

Also, HTTPS is not supported:

For the moment the China network does not support HTTPS traffic (HTTP only). Support for SSL/TLS will be made available in the coming months.

For now it is open only to Enterprise customers:

Initially, the China network will be limited to Enterprise customers. Over time, as we are better able to operationalize the onboarding of customers, we hope to extend the benefits to all plan levels.

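Because an ICP is required, this doesn't help sites outside China much. It's also unclear whether it still uses Anycast; if it does, we have to worry that traffic for some sites could end up being routed to China.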

China's Great Cannon: The Great Chinese Cannon

The article "China’s Great Cannon" names the weapon used in the recent attack on GitHub China’s Great Cannon. The article analyzes how the attack worked and the impact it had.

But... I'm just admiring whoever came up with the name; see the Uncyclopedia entry "Xianxingzhe" (先行者) XDDD


Slashdot's "New Compilation of Banned Chinese Search-Terms Reveals Curiosities" cites the article "Some curious search terms denied to the Chinese", and there is a repository on GitHub that tries to collect these keywords: "jasonqng/chinese-keywords".



CloudFlare's Expansion Plan

CloudFlare's article "One More Thing: Keyless SSL and CloudFlare's Growing Network" mentions CloudFlare's expansion plan, where blue marks the locations that already exist and orange marks the planned ones:

Although they do say they intend to get the plan above done within 12 months:

The map above shows all the locations where CloudFlare is actively working to turn up data centers over the next 12 months.


It also looks like Taiwan will get a location; I wonder where it will be placed... (and how the routing will go)

Adblock Plus Will Change the Default ChinaList to EasyList China

In "Switching default blocking lists for Chinese users" I saw Adblock Plus's official announcement: the default for new installations will change from ChinaList to Easylist China.


To make these improvements, we employed three people as part-time authors.

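There's no such thing as a free lunch, and given how many "compromises" Adblock Plus has made over the past few years, I should probably go look at the ChinaList discussion when I have time to see what the differences between the two blocklists actually are.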

AWS Enters Beijing!

I had already seen the news this morning, and just now on AWS boss Werner Vogels's Twitter I saw him announce the launch of the AWS Beijing region:

The official announcement is at "Coming Soon - New China (Beijing) Region". The official site for mainland China is at "亚马逊 AWS | Cloud Computing in China on Amazon Web Services (Simplified Chinese)".


This Region will allow China-based and multinational companies to make use of a broad collection of AWS services while remaining in compliance with China's legal and regulatory requirements.

Note that the services currently listed do not include CloudFront or Route53; all there is is this explanation:

We have been working with a number of local data center, bandwidth, and content delivery partners to bring this Region to life. Companies such as China Net Center and SINNET will provide the infrastructure, network services, and CDN services that are required to support the launch and operation of AWS technology services in China.




First, an attacker successfully used Comodo CA to generate SSL certificates for  : "Report of incident on 15-MAR-2011". They were revoked, but we know the revocation mechanism is extremely fragile: "Revocation doesn't work".

A few days later, someone found that traffic from AT&T to Facebook was passing through the network equipment of a Chinese ISP: "Facebook traffic mysteriously passes through Chinese ISP".