How Lava Lamps Help Cloudflare Keep The Internet Safe From Hackers
The internet is ever-expanding, serving as a means to connect billions of people worldwide. With hosting providers and easy website builders such as WordPress doing most of the heavy lifting, just about anyone can create a website — be it for a business, portfolio, or a personal blog. However, behind the ease of creating and accessing content online lies the complex world of web security, protecting our data so it doesn't land in the wrong hands.
Cloudflare is one of the largest companies that provides network and security services on the cloud — you may have already heard of its 1.1.1.1 privacy DNS. It's used by nearly 20% of the web, meaning one in five websites on the internet is protected by Cloudflare — with your data being safeguarded through encryption. A core principle surrounding encrypting and decrypting data is the use of randomly generated cryptographic keys. There are several ways a computer can simulate randomness, but the data it generates can never be truly random.
This is where Cloudflare's "Wall of Entropy" comes in — a large display consisting of over a hundred lava lamps and a camera that periodically captures images. Instead of solely relying on computer-generated data, Cloudflare leverages an element of the physical world to aid with the encryption process. Let's take a deeper dive into how Cloudflare uses lava lamps to protect millions of websites around the globe.
Using lava lamps to generate randomness
The Wall of Entropy, as Cloudflare calls it, is situated in its headquarters in California and holds over a hundred individual lava lamps. A camera mounted facing the wall snaps a picture and sends it over to Cloudflare's servers, where every pixel of this image is converted into a corresponding numerical value. Since the lava inside these lamps is constantly moving, rising, and falling, no two images taken by the camera will ever be the same.
It's not just the movement of the material within the lava lamps — any light or shadow leaking onto the wall affects the image captured by the camera. When you factor in how different times of the day affect the lighting on the wall, it's practically impossible to recreate the exact same image twice. This wall is located in the busy lobby of the headquarters as well, meaning any cameos by passersby actually contribute to the process of encryption.
The result is a sequence of truly random numbers, which is then used as a starting point for generating the encryption key. This unpredictability is referred to as entropy, and this forms the foundation of Cloudflare's encryption strategy.
From entropy to encryption keys
Once Cloudflare has this stream of random numbers as raw entropy, it feeds it into a cryptographically secure pseudorandom number generator, or CSPRNG. The numerical value derived from the lava lamp image serves as the seed, and because that seed is refreshed every so often, the CSPRNG's output stays unpredictable even over long periods of use.
As if the highly randomized entropy from the lava lamps wasn't enough, Cloudflare mixes the seed with data generated on two different Linux machines. The resulting cryptographic key is then used by Cloudflare to secure communications between your devices and the websites it protects.
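To show the seed-and-CSPRNG pipeline described in the two paragraphs above in working code, here is an added example (not Cloudflare's own implementation). It hashes a constructed stand-in for a camera frame into a seed, mixes that seed with local machine entropy (os.urandom is assumed as a stand-in for the data from the two Linux machines), and expands it with an HMAC-based generator that can be reseeded when a fresh frame arrives.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a camera frame: 1024 bytes of "pixel" values.
# A real frame is millions of pixels, but the pipeline is identical.
SAMPLE_FRAME = bytes(range(256)) * 4


def seed_from_frame(frame: bytes, local_entropy: Optional[bytes] = None) -> bytes:
    """Condense a raw frame into a 32-byte seed.

    Pixels are highly correlated (dark background, neighbouring pixels alike),
    so the frame is hashed down to a fixed-size digest rather than used raw.
    The digest is also mixed with entropy from the local host; os.urandom is
    an assumption standing in for the article's "two Linux machines".
    """
    if local_entropy is None:
        local_entropy = os.urandom(32)
    h = hashlib.sha256()
    h.update(b"lava-frame:" + frame)
    h.update(b"|local:" + local_entropy)
    return h.digest()


class HmacCsprng:
    """Minimal CSPRNG in the style of HKDF-Expand: each output block is
    HMAC-SHA256(key, previous_block || counter). Without the seed the
    stream is unpredictable; reseed() swaps the key so a new frame cuts
    any link between old and future output."""

    def __init__(self, seed: bytes) -> None:
        self.reseed(seed)

    def reseed(self, seed: bytes) -> None:
        self._key = hmac.new(b"csprng-key", seed, hashlib.sha256).digest()
        self._prev = b""
        self._counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            self._counter += 1
            msg = self._prev + self._counter.to_bytes(4, "big")
            self._prev = hmac.new(self._key, msg, hashlib.sha256).digest()
            out += self._prev
        return bytes(out[:n])


def derive_key(frame: bytes, local_entropy: Optional[bytes] = None, length: int = 32) -> bytes:
    """Seed a fresh generator from one frame and draw a key of `length` bytes."""
    return HmacCsprng(seed_from_frame(frame, local_entropy)).random_bytes(length)
```

Calling derive_key(SAMPLE_FRAME) twice gives different keys because the local entropy differs each time; passing the same fixed local_entropy shows the generator itself is deterministic given its seed.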
Cloudflare also employs two other unique methods of generating truly random data. The first is a double pendulum in the company's London office — the chaotic movement of which results in the formation of unpredictable and random raw data. Cloudflare's Singapore office uses the readings of radioactive decay of a small pellet of uranium to assist with the randomness aspect of encryption.
Computers cannot generate truly random numbers, as all outputs depend on an input — and if a threat actor is able to decipher a company's encryption strategies, they could potentially predict the values of any future cryptographic keys being generated by the system and gain access to your data. Cloudflare's approach to encryption by blending qualities of the physical and digital world is how it has achieved a higher level of security against attackers.