惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Cisco Blogs
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
SecWiki News
SecWiki News
Martin Fowler
Martin Fowler
T
Tor Project blog
N
Netflix TechBlog - Medium
C
Cybersecurity and Infrastructure Security Agency CISA
V
Vulnerabilities – Threatpost
V
Visual Studio Blog
GbyAI
GbyAI
PCI Perspectives
PCI Perspectives
D
DataBreaches.Net
Jina AI
Jina AI
H
Heimdal Security Blog
云风的 BLOG
云风的 BLOG
P
Privacy International News Feed
A
About on SuperTechFans
J
Java Code Geeks
美团技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News | PayPal Newsroom
有赞技术团队
有赞技术团队
MyScale Blog
MyScale Blog
博客园 - 司徒正美
C
Check Point Blog
T
Threat Research - Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
宝玉的分享
宝玉的分享
AI
AI
Simon Willison's Weblog
Simon Willison's Weblog
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
Apple Machine Learning Research
Apple Machine Learning Research
Hugging Face - Blog
Hugging Face - Blog
The Last Watchdog
The Last Watchdog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
I
InfoQ
阮一峰的网络日志
阮一峰的网络日志
Cisco Talos Blog
Cisco Talos Blog
W
WeLiveSecurity
Hacker News: Ask HN
Hacker News: Ask HN
Recent Commits to openclaw:main
Recent Commits to openclaw:main
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
D
Docker
博客园 - Franky
Security Archives - TechRepublic
Security Archives - TechRepublic

Fastly Blog

Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Six Common Live Streaming Mistakes (And How to Avoid Them) How Fastly and Skyfire Enable Trusted Agentic Commerce at the Edge Bot Defense is Table Stakes. Machine Traffic Requires a Business Strategy AI Traffic Grew 6.5x Faster Than Human Traffic This Year Python SDK Beta: How the Language of AI Runs Faster and Safer with Fastly Give AI Agents the Markdown They Actually Want How to Configure Local Logging for an On-Prem Next-Gen WAF Agent Accountability Without Control Is Breaking Security Leadership Fastly Joins the Agentic AI Foundation (AAIF) to Guide Edge AI Interoperability The E-commerce Industry in the AI Era: Has the Agentic Flood Hit? No Margin for Error: What the FIFA World Cup Teaches Us About Performance at the Edge Why iGaming Infrastructure is Breaking and What Comes Next The Publishing Industry in the AI Era: Why Bot Strategy is Now a Business Strategy Bad Performance Kills SaaS/PaaS Growth — Why Your CDN Matters Why your code is safe from Copy Fail on Fastly Compute Myth or Marvel: Claude Mythos and What it Means for Security Introducing Compliance Audit Reports Supporting Google Private AI Compute with Privacy-Preserving Edge Infrastructure Fastly Nearly Half the Web Isn’t Human: Inside Fastly’s Threat Insight Report Media over QUIC: Can Streaming Finally Have Both Scale and Low Latency? Introducing Fastly’s Redesigned Homepage: Your Central Hub for Actionable Insights The False Choice of Indiscriminate Blocking: Why Technical Precision is the New Standard for an Open Internet What is CVE-2026-23869? React Server Components Security Alert Fastly enables first-party tagging for Google Advertisers Shrink Your Bill With Efficient Software Your AI coding agent just got better at Fastly Fastly Ranked as a Leader in the 2026 Forrester Wave™ for Edge Development Platforms Fastly at RSAC 2026: New Advances in AppSec, Bot Management, and Deception Mastering the Edge: What Golf Can Teach Us About Speed, Precision, and Performance Real-Time CDN Monitoring for Live Events with Bronto Imperva Alternatives Fastly + Scalepost: Extending the Fastly platform to manage AI Crawlers Best content delivery networks for bot management Vibe Shift? Senior Developers Ship nearly 2.5x more AI Code than Junior Counterparts Maximizing Compute Performance with Log Explorer & Insights Fastly CDN Expands Scaling Fastly Network: Balancing Requests | Fastly Best Practices for Multi-CDN Implementations | Fastly Compute@Edge: Serverless Insights by Company | Fastly Fastly can teach you about the Wasm future in just 6 talks Fastly's Observability Unleashed: New Updates and Insights Optimizing your multi-CDN infrastructure to improve performance Stay ahead of attackers by pushing your security perimeter to the edge Are APIs the Key to Digital Innovation or a Trojan Horse? Fastly Academy: on-demand learning at your fingertips. | Fastly 30 Years of Web: Building for Tomorrow 4 Ways Legacy WAF Fails to Protect Your Apps Adobe boosts performance and MTTR with Epsagon and Fastly logs | Fastly Beta" A New Serverless Compute Environment Early TLS at Fastly Technical trainings & the future of edge delivery at Altitude 2016: a year in review Innovation Capacity Defined: Tech Stack Values | Fastly Deep Log Visibility Offered by Logentries | Fastly Caching the Uncacheable: CSRF Security Increase Your Hit Ratio With This Simple Tip
Fastly
Shane Burgess · 2026-06-15 · via Fastly Blog

We were proud and excited when Mozilla shipped Firefox 149 on March 24th with a free, built-in VPN. The headlines focused on the user-facing story: no extra software to install, a single toggle to mask your IP address. We wanted to share the infrastructure underneath, the proxy network that makes the privacy guarantee actually hold.

That proxy is ours. And we think it's worth explaining how it works, why the architecture matters, and what it means for the future of privacy on the web.

The Architecture

The IETF-standardized MASQUE (Multiplexed Application Substrate over QUIC Encryption) protocol forms the basis of our proxy infrastructure. 

MASQUE: The Transport Foundation

MASQUE is built on top of QUIC, and it defines how a client can tunnel arbitrary Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic through an intermediary without that intermediary being able to correlate what the client is doing. Traditional HTTPS stacks TLS on top of TCP. TCP is a reliable, ordered byte stream, and if a single packet gets lost or delayed, TCP stops delivery of everything behind it in the queue until that packet is retransmitted and acknowledged. When streaming a video, you see the buffering spinner in the middle of your stream. TCP is missing 1 or more packets and is holding the data at the TCP layer because it will not give the application layer data out of order. Once TCP retransmits and receives the packet, the stream will continue playing.

QUIC's connection multiplexing means multiple independent streams can flow through a single connection with no head-of-line blocking, critical for browser traffic, which generates dozens of parallel requests per page load. A multiplayer game is constantly sending many types of data simultaneously, player positions, health updates, chat messages, sound events, inventory changes, hit registration. Over TCP, these share one ordered stream. A single dropped packet for any of them freezes everything else. QUIC lets you open multiple streams within one connection, and each stream is independent. A dropped packet in the player position stream doesn't block the health update stream or the hit registration stream. Each type of game data moves forward on its own, so one piece of lost data doesn't cascade into a full freeze.

When Firefox routes your traffic through our MASQUE proxy, your browser opens a connection to Fastly using HTTP CONNECT. Instead of interpreting and forwarding your HTTP request, CONNECT tells the proxy to open a raw TCP tunnel to the destination. Once established, the proxy becomes transparent and just passes bytes back and forth without understanding them. 

A key factor in this is end-to-end encryption. Without CONNECT, a proxy has to decrypt and re-encrypt HTTPS traffic to forward it (man-in-the-middle style). With CONNECT, the TLS handshake happens directly between the client and the destination. The proxy never sees the plaintext. The proxy only knows the destination hostname and port, nothing about what's being transmitted. Because CONNECT creates a raw TCP tunnel, anything can run through it. TLS, Web sockets, custom protocols, even other proxies. The proxy doesn't need to understand whatever protocol runs inside the tunnel.

CONNECT is actually the ancestor of MASQUE. Traditional HTTP CONNECT only tunnels TCP. MASQUE extends the concept to UDP and IP traffic, and moves it to QUIC instead of TCP, which is exactly why it's useful for VPN-style use cases like Firefox's built-in VPN. MASQUE is essentially HTTP CONNECT but for the modern internet.

Firefox’s initial built-in VPN rollout uses standard HTTP CONNECT over HTTP/2. We started with a deliberate, low-risk approach for the initial deployment phase. This gave Mozilla and Fastly a chance to confirm the system's design, its performance in real-world conditions, and how users would interact with it, all while operating at a significant scale. The architecture is designed to evolve toward full MASQUE support, and Firefox plans to leverage MASQUE over HTTP/3 in Fastly’s proxy infrastructure later this year.

Why Fastly is the Right Proxy Partner

The proxy role sounds simple: receive, protect the requesting IP address, and forward. But the operational requirements are significant.

Scale demands are enormous. Firefox has hundreds of millions of active users. Even at modest adoption rates, the proxy needs to handle traffic volumes that would overwhelm purpose-built infrastructure. Our network is already carrying a significant fraction of the internet's traffic. Adding the proxy workload extends what we already do, not a new operational category.

Neutrality matters. Mozilla needed a proxy operator with no commercial incentive to correlate user behavior, no ad business, no data brokerage, and no interest in knowing what Firefox users are browsing. Our business is moving bytes fast and securely, full stop.

A Note on What We Don't Do

Our role in this system needs to be explicit, as we believe transparency contributes to the architecture's trustworthiness. We do not log the destinations of proxied requests. Nor do we subject proxy traffic to deep packet inspection. We do not share connection metadata with Mozilla or any third party beyond what is required for abuse prevention and network operations. 

The Bigger Picture

Firefox's built-in VPN is a signal that browser-native privacy infrastructure, not extensions, not separate applications, not third-party services, is becoming table-stakes. MASQUE is the protocol making that possible at scale. We've been building toward this for years. The VPN launch is a significant deployment of our MASQUE proxy, and we are proud to partner with Mozilla. The web's privacy model is being rebuilt from the protocol layer up, and we are glad to be a part of it.