Last week, we celebrated my son’s half-birthday (he is growing up too fast!). One of our family friends gifted us a lava lamp. Gone are those days when lava lamps were popular bedside attractions, but unpacking this gift brought back memories. I remember bringing up the idea of keeping this lava lamp on our bedside to my wife, for nostalgia’s sake, and she gave me this “you’re a weirdo” look with a withering glare. But did you know that lava lamps work tirelessly with soothing glowing bubbles to keep the internet safe from hackers?

👮 Lava Lamp & Internet Security

Cloudflare is a web hosting company that manages thousands of websites, and is responsible for roughly 20% of the internet’s primary internet traffic. If you’re a blogger, then you might already know that Medium is hosted by them, and many of substacks publications are protected by them. They are responsible for billions of requests of web traffic, many of which could be potentially malicious and originate from hackers. In order to deter hackers from breaching your website, they have devised this ingenious security system using simple lava lamps, as shown in the image above.

In San Francisco, at Cloudflare HQ, there is a wall with roughly 100 lava lamps that run continuously. To a novice, this might just look like decorative office art. But it’s more than just a fashion statement, it’s a key piece of their security apparatus. Above the wall of lamps is a camera that is constantly taking pictures of these lava lamps. The positions of the lava bubbles at each interval is then fed into a computer program to be converted into keys, which are then used to build encryption for their web traffic. The secret is not in the lamps themselves but what they produce with the positions of the bubbles — a constant stream of randomness.

💡 Note for Curious Readers

Cloudflare doesn’t keep this a secret. They talk about this very openly. If you’re a tech savvy and would like to read more about how they use the lava bubbles in their encryption, check out this article.

🌋 But Why Lava Lamps?

The key to any secure encryption system is randomness. Each new key that a computer uses to encrypt data must be truly random, so that the attacker won’t be able to figure it out and decrypt the data. The important thing to note here is the ability to create this truly random key.

Some people may ask, aren’t computers are good at generating randomness? You’re partially right. Computers can generate random numbers, that are random, within a given framework. They are designed to spit out predictable logical outputs based on a given input. They are not designed to produce true real life randomness.

For example, one might think that a computer spitting out a random prime number between a million and a trillion is a good system. But knowing that the encryption is based on a prime number between a million and a trillion itself makes it much easier to decrypt. All computer based encryption frameworks work on a similar framework. Every computer can only spit out random numbers based on a framework and parameters defined to it by a human.

What does this mean for cracking the encryption? It is no longer about finding the right key that unlocks a specific encryption, but rather finding the framework in which these random numbers are generated.

So there is a requirement for true randomness in encryption systems. One way is to use manpower and come up with new encryption ideas everytime, but this is an expensive process. The 100x better way, which Cloudflare chose to find true randomness for their encryption, was to use lava lamps.

Lava lamps to the rescue.

Lava lamps are inherently random. It’s impossible to know where bubbles are going to go. Are they going to rise or sink? Are they going to split? Are they going to bounce off each other or are they going to sail past each other? The "lava" in a lava lamp never takes the same shape twice, and as a result, observing a group of lava lamps is a great source for random data. Much like atmospheric, fluid and heat dynamics are nearly impossible to predict with 100% accuracy. This makes lava lamps the perfect encryption creation device.

When the camera watching the lava lamps snaps a picture, that picture is a source of true randomness. The camera takes photos of the lava lamp wall at frequent intervals and sends them to their servers for processing. All images are stored as a series of numbers, with each pixel having its own numerical value, and so each image becomes a string of totally random numbers that the Cloudflare servers can then use as a starting point for creating secure encryption keys. This randomness is then used to create unique encryption keys that are nearly impossible to hack. This is because unlike computer generated encryption keys that are created within a framework using set parameters, these keys are created from an external source of true randomness that is impossible to mimic.

🔐 Cryptographic Entropy

In general, entropy refers to disorder or chaos. But in cryptography, it refers to unpredictability and uncertainty. The more unpredictable and uncertain, the more secure the encryption becomes. Cryptographers actually measure how much entropy a given set of data has in terms of the number of bits of entropy. Since each pixel of the captured image of the lava lamp wall can be uncertain or unpredictable, at Cloudflare, this lava lamp wall is also referred as the Wall of Entropy.

What if a person obstructs the view of the lava lamps?

There is a lot of foot traffic at the Cloudflare HQ lobby, where the lava lamps are located, and people enter and exit the office through the lobby. But these obstructions become part of the randomness that the camera captures, and hence generates entropy.

What if someone damages the camera?

The lava lamp wall is just one of the sources of randomnesses used by Cloudflare. They still have two other sources of randomness which they use in their encryption processes. Since this camera is inside Cloudflare HQ, they can easily fix it and bring it back online.

What are the other sources of randomness used by Cloudflare?

The other two principal offices of Cloudflare are located in London and Singapore. The London office features a double-pendulum system (a pendulum attached to another pendulum, whose movements are chaotically unpredictable) that is photographed. In Singapore, the office uses a small, harmless pellet of uranium to measure its radioactive decay.

🌯 Wrapping Up

In a world with increasing bad actors trying to crack online security systems, cyber security is of atmost importance for governments and organisations. Data breaches and ransomware attacks are growing headaches for security professionals across the globe. While the lava lamps are just the tip of the iceberg when it comes to cyber security at Cloudflare, it is interesting to see something very simple plays a crucial role in their security infrastructure, even in today’s age of AI and Quantum Computing.

Thank you for reading!

Sanjay.

P.S. If you think my writing will be useful to your friends or family, please consider referring them to my publication.

Refer a friend

Or if you feel like supporting my publication, you can