Why does Doctolib use Cloudflare?

Fred Charpentier, published in Doctolib, Sep 20, 2023

At Doctolib, cybersecurity is a top priority. Our website and APIs are under permanent attack from botnets, black-hat hackers, and our beloved white-hat hackers from our Bug Bounty program.

Let’s get straight to the point: why has Doctolib, a European company, chosen Cloudflare as its first layer of protection?

How does Doctolib use Cloudflare?

Basically, Doctolib uses Cloudflare to protect its website against external attacks and as a Content Delivery Network (CDN) to accelerate the experience of millions of users.

The Content Delivery Network allows Doctolib to store static pages and pieces of the website (JavaScript, fonts, images) on Cloudflare’s distributed network of data centers (distributed caching). Thus, when a patient browses Doctolib from Marseille or Berlin, the closest Cloudflare data center quickly serves the static files (instead of the request travelling from Berlin to Paris).

But the main benefit of Cloudflare is the Web Application Firewall (WAF) it provides. The WAF inspects incoming HTTPS requests and decides whether they are legitimate or suspicious. And that is the killer feature that makes Cloudflare stand out amongst CDN vendors.

Basically, the WAF works as follows: when a user establishes an HTTPS connection with doctolib.fr, the underlying DNS resolution directs the user to the IP address of the closest Cloudflare data center. The incoming request is then inspected by Cloudflare software to determine whether it contains an attack payload. Finally, the request is forwarded to Doctolib’s real servers, hosted by AWS (in France or Germany).

Cloudflare also provides protection against Distributed Denial of Service (DDoS) attacks. Those attacks consist of massive campaigns of requests sent to Doctolib from anywhere in the world, in an attempt to saturate our servers. Thanks to Cloudflare’s massive worldwide presence at the network and transport layers, Cloudflare is able to mitigate those attacks before they ever reach Doctolib’s data centers.

Cloudflare shields incoming traffic from the Internet before reaching our AWS servers

Ok, so why didn’t we go with a homegrown Doctolib solution?

First of all, Cloudflare is a key player in Internet security: 20% of websites in the world are now shielded by Cloudflare.

This market share allows Cloudflare to detect emerging threats, to maintain the most accurate list of attack patterns, and to react more quickly than anyone else (for the benefit of all its customers).

Furthermore, Cloudflare owns its own networks and its interconnections with tier-1 Internet transit providers. This enables Cloudflare to announce BGP (Border Gateway Protocol) routes to other networks and Internet transit providers, and thus to mitigate DDoS attacks and ensure resiliency.

Doctolib cannot compete with the knowledge and skills Cloudflare has, cannot become its own telecom operator, and cannot afford thousands of the best security engineers to maintain such a technology.

Ok, so why not a European vendor?

As stated above, security is a top priority at Doctolib. We want the best for our customers and users. During the selection of Cloudflare, no European vendor was providing such a quality of service, notably:

  • Huge traffic capacity and DDoS mitigation
  • Keyless SSL
  • Regional Services
  • Threat scoring
  • Fine-grained API with Terraform modules
  • Waiting Room (a key feature during the COVID crisis)

As of today, Cloudflare is the best Web Application Firewall for Doctolib’s needs.

What are the privacy provisions for Cloudflare usage?

One of the most frequent questions we receive is: since Doctolib uses Cloudflare, the traffic must be decrypted by Cloudflare, so the US government can see patient data, as per Schrems II, right?

The answer is No.

Technically, it is true that the TLS-encrypted communications between the browser and Doctolib are decrypted in the Cloudflare data center and encrypted again before being sent to Doctolib. But this decryption is performed under the multiple security provisions described below, which allow Doctolib to be 100% sure the data remains secure and that the risk of eavesdropping by the US government or a Cloudflare employee is equal to 0.

Traffic is processed only in the EU

Doctolib has contracted the Cloudflare Regional Services option (Data Localization Suite), which restricts data processing to Europe. This means the traffic is decrypted in Cloudflare’s European data centers only: all traffic to Doctolib’s Cloudflare anycast IP addresses terminates within Cloudflare EU data centers. Furthermore, besides the production traffic, the metadata and logs generated by Cloudflare remain in the EU, and IP addresses are truncated (i.e. 1.2.3.4 becomes 1.2.3.-).

Any user can verify Doctolib’s claim that traffic is processed only in Cloudflare EU data centers. Because Cloudflare’s CDN uses anycast, running a whois or traceroute command on the IP address returned by your local DNS resolver does not tell you where the real Cloudflare server that will process your request is located. But Cloudflare provides an HTTP-level trace endpoint that echoes a “colo” (i.e. data center) field containing the IATA code of the Cloudflare data center in use.

You can simply test it in your browser: https://www.doctolib.fr/cdn-cgi/trace echoes the “colo” field with the IATA code of the Cloudflare data center serving your request.

For more information: https://developers.cloudflare.com/data-localization/regional-services/
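As an added example (not part of the original article, and not Doctolib’s or Cloudflare’s code), the check described above can be automated: parse the key=value body returned by /cdn-cgi/trace, read the colo field and compare it against a list of EU data centers. The trace body and the EU colo set below are constructed for the example; the set is an illustrative subset that a practitioner would extend from Cloudflare’s published data-center list. The same block also implements the log IP truncation the article describes (1.2.3.4 becomes 1.2.3.-); the IPv6 variant is an assumption of this example, not Cloudflare’s documented behaviour.

```python
import ipaddress
import urllib.request

# Constructed sample of a /cdn-cgi/trace response (key=value lines).
# Values are made up for this example, not captured from doctolib.fr.
SAMPLE_TRACE = """\
fl=12ab34
h=www.doctolib.fr
ip=203.0.113.42
ts=1695200000.123
visit_scheme=https
uag=Mozilla/5.0
colo=CDG
sliver=none
http=http/2
loc=FR
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
"""

# Illustrative subset of Cloudflare colo codes (IATA airport codes) located
# in the EU. Assumption for this example: extend from Cloudflare's published
# data-center list before relying on it.
EU_COLOS = {"CDG", "MRS", "FRA", "AMS", "MAD", "MXP", "WAW", "VIE", "DUB", "BRU"}


def parse_trace(body: str) -> dict:
    """Parse the key=value lines of a /cdn-cgi/trace body into a dict."""
    fields = {}
    for line in body.splitlines():
        if "=" not in line:
            continue  # ignore blank or malformed lines
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def colo_in_eu(body: str) -> bool:
    """True when the data center that served the request is in EU_COLOS."""
    return parse_trace(body).get("colo", "") in EU_COLOS


def truncate_ip(addr: str) -> str:
    """Truncate an address as the article describes for Cloudflare logs:
    the last IPv4 octet is replaced by '-' (1.2.3.4 -> 1.2.3.-).
    For IPv6 this example keeps only the /64 prefix (an assumption)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        octets = addr.split(".")
        return ".".join(octets[:3]) + ".-"
    net = ipaddress.ip_network(f"{addr}/64", strict=False)
    return f"{net.network_address.compressed}/64"


def fetch_trace(url: str = "https://www.doctolib.fr/cdn-cgi/trace") -> str:
    """Fetch a live trace body (needs network access; not used by the demo)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    info = parse_trace(SAMPLE_TRACE)
    print(f"served by colo {info['colo']}, EU: {colo_in_eu(SAMPLE_TRACE)}")
    print(f"client IP as it would appear in logs: {truncate_ip(info['ip'])}")
```

Run it against the live endpoint by replacing SAMPLE_TRACE with fetch_trace(); a colo outside your expected set is the signal to investigate, since the trace is reported by the data center that actually terminated your connection.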

The traffic is decrypted on the fly, in memory, without Doctolib’s SSL private key

Doctolib leverages Cloudflare’s Keyless SSL technology, which allows Cloudflare to inspect the content of TLS traffic without having access to Doctolib’s private keys.

Furthermore, Cloudflare’s TLS inspection software is a pure in-memory, single-process program. Thus, cleartext data is never written to disk.

If a governmental agency asks Cloudflare for a server or a disk as a piece of evidence, neither data nor keys will be on it.

For more information: https://www.cloudflare.com/ssl/keyless-ssl/
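To make the keyless arrangement concrete, here is an added simulation (not Cloudflare’s Keyless SSL protocol and not Doctolib’s code) of the architectural split the section describes: the private key lives only on a key server under the site owner’s control, the edge that terminates TLS asks it to sign the handshake transcript, and the client verifies that signature with the public key from the certificate. The RSA parameters are a toy (two small known primes, a roughly 40-bit modulus, textbook signing) so the example runs with the standard library; the class and function names are this example’s own.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Toy RSA parameters: two known primes so everything runs with the standard
# library. This demonstrates the architecture only; it is NOT a secure
# signature scheme (textbook RSA, ~40-bit modulus).
P, Q = 999983, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


class KeyServer:
    """Runs inside the site owner's own infrastructure. The private exponent
    is never exported; the server only answers signing requests."""

    def __init__(self, private_exponent: int):
        self.__d = private_exponent  # name-mangled, never returned
        self.requests = 0

    def sign(self, digest: int) -> int:
        self.requests += 1
        return pow(digest, self.__d, N)


def transcript_digest(*parts: bytes) -> int:
    """SHA-256 of the handshake transcript, reduced to fit the toy modulus."""
    h = hashlib.sha256(b"".join(parts)).digest()
    return int.from_bytes(h, "big") % N


@dataclass
class EdgeTerminator:
    """The CDN edge: holds the certificate (public key) and a channel to the
    key server, but no private key material."""

    public_key: tuple
    key_server: KeyServer
    session_key: bytes = field(default=b"", repr=False)

    def handshake(self, client_random: bytes) -> dict:
        server_random = os.urandom(32)
        # The private-key operation is delegated: the edge sends a digest of
        # the transcript to the key server and receives only the signature.
        sig = self.key_server.sign(transcript_digest(client_random, server_random))
        # Stand-in for the real key exchange: the session secret is derived on
        # the edge and exists only in memory there.
        self.session_key = hashlib.sha256(client_random + server_random).digest()
        return {"server_random": server_random, "signature": sig}


def client_verify(public_key: tuple, client_random: bytes, msg: dict) -> bool:
    """The browser side: check the signature with the certificate's public key."""
    n, e = public_key
    expected = transcript_digest(client_random, msg["server_random"])
    return pow(msg["signature"], e, n) == expected


def run_handshake() -> tuple:
    """Run one handshake; return (signature ok, key-server calls, edge had key)."""
    ks = KeyServer(D)
    edge = EdgeTerminator(public_key=(N, E), key_server=ks)
    client_random = os.urandom(32)
    msg = edge.handshake(client_random)
    ok = client_verify((N, E), client_random, msg)
    # Inspect the edge's state: the private exponent must not be anywhere in it.
    edge_has_key = any(v == D for v in vars(edge).values())
    return ok, ks.requests, edge_has_key


if __name__ == "__main__":
    ok, calls, leaked = run_handshake()
    print(f"signature valid: {ok}, key-server calls: {calls}, edge holds key: {leaked}")
```

The point the simulation makes is the one the section relies on: seizing the edge (its memory or disk) yields at most a session key for connections in flight, never the long-term private key, because that key never crosses the channel between the key server and the edge.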

Sensitive documents are encrypted client-side

When a patient and a doctor exchange documents (prescriptions, results…) through Doctolib’s platform, those documents are encrypted on the browser side, thanks to the Tanker technology (a JavaScript SDK that encrypts the document with the public key of the recipient). This means that Cloudflare cannot inspect the content of those documents. If you are interested in this top-notch encryption scheme, you can have a look at this whitepaper.

Cloudflare has a track record of transparency

Cloudflare publishes the requests it receives from law enforcement and other governmental entities. Cloudflare has an obligation to notify Doctolib of any subpoena or other legal process requesting Doctolib’s information before any disclosure.

It is important to note Cloudflare’s commitments below:

  • Cloudflare has never turned over our encryption or authentication keys or our customers’ encryption or authentication keys to anyone.
  • Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
  • Cloudflare has never provided any law enforcement organization a feed of our customers’ content transiting our network.
  • Cloudflare has never modified customer content at the request of law enforcement or another third party.
  • Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
  • Cloudflare has never weakened, compromised or subverted any of its encryption at the request of law enforcement or another third party.

Conclusion

Doctolib, like many other tier-1 web platforms, trusts Cloudflare to ensure the highest level of privacy and security for patients and healthcare professionals.

So far, there is no sovereign Cloudflare-like competitor that can provide the same level of protection and has enough capacity to handle the volume of traffic Doctolib receives.
