Abstract: A first server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different, second, server. The first server transmits messages between the client device and the second server where the second server has access to a private key that is not available on the first server. The first server receives from the second server a set of session key(s) used in the secure session for encrypting/decrypting communication between the client device and the first server. The session key(s) are generated using a master secret that is generated using a premaster secret generated using Diffie-Hellman public values selected by the client device and the second server. The first server uses the session key(s) to encrypt/decrypt communication with the client device.

Abstract: An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.

Abstract: A browser receives a web page that includes a script that is configured to control subsequent requests of the browser for at least the web page and caches a first portion of the web page that includes reference(s) to other web resource(s). A subsequent request for the web page is dispatched to the script which returns the cached first portion of the web page to the browser and a request for the full web page is made. Request(s) are also transmitted for the web resource(s) referenced in the first portion of the web page without waiting for the full web page to be received. When the full web page is received, if the first portion of the page matches the corresponding portion of the full page, that corresponding portion is removed from the full page and the remaining page is returned to the browser.

Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted. The response includes a first number of redirects to be completed prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, the remote server determines whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.

Abstract: A network optimizer receives, from a client device, a request for a network resource including a first version identifier identifying a first version of the network resource. A request for the network resource is transmitted to a far end network optimizer with a second version identifier that identifies a second version of the network resource. The network optimizer receives, from the far end network optimizer, a response that includes a first differences file that specifies first difference(s) between the second version with a most current version of the network resource. The response does not include the entire network resource. The network optimizer transmits to the client device a second response including a second differences file that identifies differences between the most current version of the network resource and the first version of the network resource causing the generation of an updated version of the network resource at the client device.

Abstract: A method and apparatus for managing CNAME records such that CNAME records at the root domain are supported while complying with the RFC specification (an IP address is returned for any Address query for the root record). The authoritative DNS infrastructure acts as a DNS resolver where if there is a CNAME at the root record, rather than returning that record directly, a recursive lookup is used to follow the CNAME chain until an A record is located. The address associated with the A record is then returned. This effectively “flattens” the CNAME chain. This complies with the requirements of the DNS specification and is invisible to any service that interacts with the DNS server.

Abstract: A near end point of presence (PoP) of a cloud proxy service receives, from a client device, a request for a network resource. A far end PoP from a plurality of PoPs of the cloud proxy service is identified. Responsive to determining that a version of the network resource is stored in the near end PoP, a request for the network resource is transmitted to the far end PoP with a version identifier that identifies that version. The far end PoP receives, from the near end PoP, a response that includes difference(s) between the version of the network resource stored in the near end PoP with a most current version of the network resource. The response does not include the entire network resource. The near end PoP applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits it to the client device.

Abstract: A server receives a SYN packet and generates a SYN packet signature from the SYN packet. The server generates multiple aggregate signatures for the SYN packet signature that each include a generalized value for at least one element, where each aggregate signature has a different level of specificity and corresponds with a different fingerprint table. The server sequentially iterates through the fingerprint tables starting with the most specific aggregate signature and the most specific fingerprint table until a match exceeding a counter threshold is found, if any. If an aggregate signature does not match a fingerprint in a fingerprint table, the aggregate signature is added to that fingerprint table and an initial value for the counter is set. A bytecode using an attack fingerprint as input is generated in a form understandable by a network filter, and installed in a network filter.

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

Abstract: A near end network optimizer receives, from a client device, a request for a network resource. Responsive to determining that a version of the network resource is stored in the near end network optimizer, a request for the network resource is transmitted to a far end network optimizer along with a version identifier that identifies that version. The near end network optimizer receives, from the far end network optimizer, a response that includes a differences file that specifies the difference(s) between the version of the network resource stored in the near end network optimizer with a most current version of the network resource. The response does not include the entire network resource. The near end network optimizer applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits the updated version of the network resource to the client device.

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

Abstract: A browser receives a web page that includes a script that is configured to control subsequent requests of the browser for at least the web page and caches a first portion of the web page that includes reference(s) to other web resource(s). A subsequent request for the web page is dispatched to the script which returns the cached first portion of the web page to the browser and a request for the full web page is made. Request(s) are also transmitted for the web resource(s) referenced in the first portion of the web page without waiting for the full web page to be received. When the full web page is received, if the first portion of the page matches the corresponding portion of the full page, that corresponding portion is removed from the full page and the remaining page is returned to the browser.

Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted. The response includes a first number of redirects to be completed prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, the remote server determines whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.

Abstract: A near end point of presence (PoP) of a cloud proxy service receives, from a client device, a request for a network resource. A far end PoP from a plurality of PoPs of the cloud proxy service is identified. Responsive to determining that a version of the network resource is stored in the near end PoP, a request for the network resource is transmitted to the far end PoP with a version identifier that identifies that version. The far end PoP receives, from the near end PoP, a response that includes difference(s) between the version of the network resource stored in the near end PoP with a most current version of the network resource. The response does not include the entire network resource. The near end PoP applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits it to the client device.

Abstract: A method and apparatus for causing a delay in processing requests for Internet resources received from client devices is described. A server receives from a client device a request for a resource. The server transmits a response to the first client device indicating that access to the resource is temporarily denied. The response includes a cryptographic token associated with the first request and a predetermined period of time during which the first client device is to wait prior to transmitting another request to access the resource. The server receives a second request for the resource, upon determining that the second request includes a valid cryptographic token, the server causes the second request to be processed. The server receives a third request for the resource, and upon determining that the third request does not include a valid cryptographic token, the server blocks the third request.

Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted, where the response includes a first number of redirects that the client device is to complete prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, determining whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.

Abstract: A method and apparatus for causing a delay in processing requests for Internet resources received from client devices is described. A server receives from a client device a request for a resource. The server transmits a response to the first client device indicating that access to the resource is temporarily denied. The response includes a cryptographic token associated with the first request and a predetermined period of time during which the first client device is to wait prior to transmitting another request to access the resource. The server receives a second request for the resource, upon determining that the second request includes a valid cryptographic token, the server causes the second request to be processed. The server receives a third request for the resource, and upon determining that the third request does not include a valid cryptographic token, the server blocks the third request.

Abstract: A browser receives a web page that includes a script that is configured to control subsequent requests of the browser for at least the web page and caches a first portion of the web page that includes reference(s) to other web resource(s). A subsequent request for the web page is dispatched to the script which returns the cached first portion of the web page to the browser and a request for the full web page is made. Request(s) are also transmitted for the web resource(s) referenced in the first portion of the web page without waiting for the full web page to be received. When the full web page is received, if the first portion of the page matches the corresponding portion of the full page, that corresponding portion is removed from the full page and the remaining page is returned to the browser.

Abstract: A near end network optimizer receives, from a client device, a request for a network resource. Responsive to determining that a version of the network resource is stored in the near end network optimizer, a request for the network resource is transmitted to a far end network optimizer along with a version identifier that identifies that version. The near end network optimizer receives, from the far end network optimizer, a response that includes a differences file that specifies the difference(s) between the version of the network resource stored in the near end network optimizer with a most current version of the network resource. The response does not include the entire network resource. The near end network optimizer applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits the updated version of the network resource to the client device.

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.