Beefing up security: SSL upgraded
As we have stated many times before, 100% security is a myth. Of course, that is not to say that we aren’t doing everything we can to keep the use of our service as secure as possible. 100% security may be unattainable, but we sure are aiming for that 99.9%!
An important way of keeping you safe is by encrypting data, both at rest and in transit. The main way we achieve the latter is by using HTTP over SSL (also called HTTPS) everywhere. Our website encryption on Transloadit.com was already rated “A+” on SSL Labs, an authority when it comes to SSL expertise and judging whether your website’s security is up to scratch. We owe this to the load balancers provided by AWS. When it comes to our API, we have to run our own SSL and, for some time, this meant that we had a lower grade there, something we badly wanted to address.
Today, we are happy to report that our API is now also on par with the “A+” standard!
Optimal security on a wide variety of platforms
It is actually fairly easy to attain a high security rating, provided that only the latest cipher suites are used. This, however, also has a considerable downside: older Java and Android platforms, as well as nearly all versions of Internet Explorer, are excluded from using HTTPS because they cannot “speak” these newer and more secure standards. A number of our customers, but especially their end-users, are still making use of these platforms. Breaking their existing HTTPS integrations – or asking all of them to not encrypt traffic at all – was not an option for us.
We were wondering how AWS managed to achieve both an A+ grade and support for all platforms except Internet Explorer 6.
That is when we found out about a clever hack. While it is not certain that AWS employs the same method, the strategy involves inspecting each incoming connection as early as possible, determining whether we are dealing with a modern client, and then routing modern clients to a different HTTPS back-end than the less capable ones.
Browsers that are capable will then be served by the back-end with the best encryption possible, whereas those that aren't will be served by the back-end that also supports weaker forms of encryption.
Granted, this is not a flawless solution either, as it means keeping a few older ciphers around, but we feel it is still considerably better than the three alternatives: blocking the Transloadit service for anyone on an older Android device, exposing capable clients to weaker ciphers, or asking our customers who deal with older devices to refrain from using HTTPS at all. We figure that even though some ciphers have issues, using them for platforms that don't know any better is still better than making them talk with no protection at all.
From our testing, we have learned that we are now able to offer the highest grade of encryption on recent platforms that are capable of supporting it, while still retaining the ability to serve the same 44 different platforms out there to the best of their capabilities. The only exception is IE6. We can no longer offer encryption to this browser, as it would require us to keep supporting SSLv3, which would open us up to a wide range of attack vectors and put our customers in harm’s way. IE6 is a platform we dropped official support for at the same time that Microsoft did. If you still need to support IE6, security as an argument, frankly, is already out the window, and we recommend not using HTTPS in this isolated case.
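To make the routing idea above concrete, here is an added example, written for this post and not Transloadit's own code (nor necessarily what AWS's load balancers do). It parses the first bytes of a connection, the TLS ClientHello, and decides which back-end should handle it: clients that offer TLS 1.2 together with an ECDHE/AES-GCM cipher suite go to the modern back-end, older clients go to the legacy back-end, and a client that only speaks SSLv3 is refused, as described for IE6. The back-end names, the cipher-suite list used as the “modern” test and the sample hellos are all constructed for the example; it deliberately does not parse the TLS 1.3 supported_versions extension, so a TLS 1.3 client (which sends legacy_version 0x0303) is simply treated as a TLS 1.2 client here.

```python
"""Decide which HTTPS back-end serves a client by inspecting its TLS ClientHello.

Example code for this post; the routing policy and sample inputs are constructed.
"""
import struct

# IANA code points for suites we treat as "modern" (TLS 1.2, ECDHE key exchange, AES-GCM).
MODERN_SUITES = {
    0xC02B,  # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    0xC02C,  # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0xC030,  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
SSL3 = 0x0300
TLS12 = 0x0303


def parse_client_hello(data: bytes) -> dict:
    """Return the client version, offered cipher suites and SNI from a ClientHello record."""
    if len(data) < 5 or data[0] != 0x16:          # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 34                                      # client_version (2) + random (32)
    sid_len = hello[pos]
    pos += 1 + sid_len                            # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1 + comp_len                           # skip compression methods
    sni = None
    if pos + 2 <= len(hello):                     # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                   # server_name: list len (2), type (1), name len (2), name
                name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
                sni = hello[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": version, "suites": suites, "sni": sni}


def choose_backend(data: bytes) -> str:
    """Routing policy: 'modern', 'legacy', or 'reject' (SSLv3-only clients get no TLS at all)."""
    info = parse_client_hello(data)
    if info["version"] <= SSL3:
        return "reject"
    if info["version"] >= TLS12 and any(s in MODERN_SUITES for s in info["suites"]):
        return "modern"
    return "legacy"


def build_client_hello(version: int, suites: list, sni: str = None) -> bytes:
    """Build a minimal ClientHello record (constructed test input, not a real capture)."""
    body = struct.pack("!H", version) + bytes(32)  # client_version + all-zero random
    body += b"\x00"                                # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type + length + name
        sni_ext = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    modern = build_client_hello(TLS12, [0xC02F, 0xC030, 0x002F], "api.example.com")
    legacy = build_client_hello(0x0301, [0x002F, 0x000A])        # TLS 1.0, RSA/CBC only
    sslv3 = build_client_hello(SSL3, [0x000A])
    for label, hello in (("modern", modern), ("legacy", legacy), ("sslv3", sslv3)):
        print(label, "->", choose_backend(hello), parse_client_hello(hello)["sni"])
```

In a real deployment this decision is taken by the proxy or load balancer on the raw socket, before the bytes are handed to whichever TLS terminator was chosen. Note that the decision only reflects what the client claims to support, so the legacy back-end should still prefer its strongest suites and offer the weak ones only as a last resort.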
As promised, we will never charge you for any security features. Anyone will be able to make use of this SSL offering. Free of charge, and it is effective immediately.
This has been a complicated operation and, as with any heart surgery, unforeseen complications may arise. If you encounter any problems, please let us know!