As we have stated many times before, 100% security is a myth. Of course, that is not to say that we aren’t doing everything we can to keep the use of our service as secure as possible. 100% security may be unattainable, but we sure are aiming for that 99.9%!
An important way of keeping you safe is by encrypting data, both data at rest as well as in transit. The main way we achieve the latter is by using HTTP over SSL (also called HTTPS) everywhere. Our website encryption on Transloadit.com was already rated “A+” on SSL Labs, an authority when it comes to SSL expertise and judging whether your website’s security is up to scratch. We thank this to loadbalancers provided by AWS. When it comes to our API, we have to run our own SSL and, for some time, this meant that we had a lower grade there. Something we badly wanted to address.
Today, we are happy to report that our API is now also on par with the “A+” standard!
Optimal security on a wide variety of platforms
It is actually fairly easy to attain a high security rating, provided that only the latest ciphers in crypto technology are used. This, however, also has a considerable downside: any older Java and Android platforms, as well as nearly all versions of Internet Explorer, are excluded from using HTTPS as they cannot "speak" these newer and more secure standards. A number of our customers, but especially their end-users, are still making use of these platforms. Breaking their existing HTTPS integrations – or asking all of them to not encrypt traffic at all – was not an option for us.
We were wondering how AWS pulled it off to have both A+ grading, as well as support for all platforms except Internet Explorer 6.
That is when we found out about a clever hack. While it is not certain that AWS employed the same method, the strategy involves sniffing incoming traffic very early on, figuring out if we are dealing with a modern client, and then routing them to a different HTTPS back-end than the less advanced clients.
Browsers that are capable will then be served by the back-end with the best encryption possible, whereas those that aren't will be served by the back-end that also supports weaker forms of encryption.
Granted, this is not a flawless solution either as it means keeping a few older ciphers around, but we feel it is still considerably better than three alternatives: blocking the Transloadit service for anyone on an older Android device, exposing capable clients to weaker ciphers, or asking our customers who deal with older devices to refrain from using HTTPS at all. We figure that even though some ciphers have issues, using them for platforms that don't know any better, is still better than making them talk with no protection at all.
From our testing, we have learned that we are now able to offer the highest grade of encryption on recent platforms that are capable of supporting it, while still retaining the ability to serve the same 44 different platforms out there to the best of their capabilities. The only exception is IE6. We can no longer offer encryption to this browser, as it would require us to keep supporting SSLv3, which would open us up to a wide range of attack vectors and bring our customers in harm’s way. IE6 is a platform we dropped official support for the same time that Microsoft did. If you still need to support IE6, security as an argument, frankly, is already out the window, and we recommend not using HTTPS in this isolated case.
As promised, we will never charge you for any security features. Anyone will be able to make use of this SSL offering. Free of charge, and it is effective immediately.
This has been a complicated operation and, as with any heart surgery, unforeseen complications may arise. If you encounter any problems, please let us know!