Security at Transloadit
We should distrust platforms that claim they are 100% secure, and you won't catch Transloadit making claims like that. Our pledge instead is that privacy & security is our number one concern. We openly share what we do to keep you safe.
What we do to keep you secure.
Here’s a list of things we are doing to keep you and your data secure.
Policy
-
We are GDPR, CCPA, HIPAA compliant, and these cover all operations.
-
We have an internal
#securitychannel where we raise awareness and share and discuss all the latest relevant threats. We continuously review and update policies here. -
All teammates and consultants that handle sensitive data must sign a contract that covers NDA, 2FA, encrypted hard drives, update management, and more.
-
We run a security program and are continuously penetration tested, both by automated scanners as humans.
-
Vendors with access to information are all listed on our Privacy page.
-
All teammates are vetted, access is granted on a need-to-know basis, and revoked when the need to longer exists. We confirm that when workers leave.
-
We're an open company and transparency is a core value of ours. We share vulnerabilities with the public on our blog and on Twitter and have done so since 2009. We contact customers with a DPA by email within two business days, should the nature of the vulnerability not mean that we pose more users in more harm by sharing that early.
-
As a remote company, we do not have an office/internal network with demilitarized zones and have embraced BeyondCorp security principles (a Zero Trust implementation). Whitepapers available here. We do segment different parts of our infrastructure and use firewalls to restrict traffic in and out of our network at strategic points, and deploy VPCs to isolate traffic and create network zones.
-
Transloadit is a highly technical company, and everything is code. This includes policies, configuration, infrastructure (via Terraform), this lets us subject any change in the company to change management via version control, peer reviews, tests, CICD, and rollbacks. Documentation for all changes in the company can be found in Pull Requests, and accompanying markdown documents. Hardening guidelines are documented as code.
-
We allow people to keep traffic in a single region, by embedding it in their endpoints, for instance
https://api2-eu-west-1.transloadit.com.
Authorization & Encryption
-
All data in transit is encrypted with A+ rated TLS, non-HTTPS requests to our API and website are forced to switch to use HTTPS.
-
Sensitive data at rest is encrypted with AES256.
-
We're PCI DSS compliant for credit cards stored through Stripe.
-
You can use GitHub oAuth to centrally manage accounts and access. SAML is on the roadmap.
-
There are account owners and collaborators, owners have more privileges (can invite, cancel, etc).
-
For dangerous or sensitive operations our website asks to re-authenticate, to start a "sudo" session that lasts for 15 minutes.
-
For accounts with passwords we enforce mimumum security requirements.
-
Passwords are crytpographically one-way hashed via bcrypt with salts and peppers.
Hardening & Process
-
Our service runs on AWS, and we follow their security best practices. Our servers run on Ubuntu. Administrators use sudo to elevate privileges when necessary.
-
Our Best Practices make it easy give Transloadit the least amount of access to your files
-
Our encoding (the most risky part as we execute commands on behalf of 3rd parties) runs on stripped down machines that have no secrets on them, we utilize sandboxing in addition to this.
-
We deploy Rate Limiting on account, IP, and audit event level.
-
All relevant production log entries are stored remotely, with pattern matching and alerts for malicious intent, as well as unexpected crashes, exceptions and other error conditions.
-
We harden system images and roll out new ones on every change automatically via Packer and CICD, this applies to all clusters. Security patches are rolled out automatically. Other versions are pinned and opt in. We have process in place to roll out emergency patches instantly.
-
We have thousands of unit tests, system tests, integration tests, e2e tests, confirming changes are secure, correct, performant.
-
We use prepared statements and leverage frameworks to escape and sanitize user input.
-
Our API deploys Signature Authentication to make tempering of requests impossible. More on this also in API Security and Securing Your Assembly Instructions.
-
We scan incoming files for viruses via 🤖/file/virusscan.
Uptime & Continuity
-
Our vault that holds Credentials and Templates is encrypted and synced to an off-site location. Offline copies of our code and this vault are kept off the public internet.
-
We run in 3 different isolated regions. Active production can suffer the outage of two out of three regions without the need for manual intervention, but customers will need to follow our Best Practices guide to make optimal use of this.
-
We deploy monitoring and (thousands of) alerts for system health, product health, and abuse (attack signatures, audit events).
-
Our statuspage is completely separate from our production platform, all the way up to the domain registrar, and lets you know of any issue affecting production, as well as the @TLStatus Twitter account.
Responsible Disclosure of a Security Vulnerability.
At Transloadit, we care a great deal about security. We realize that mistakes can happen, but we are always looking to fix and prevent those. That is why we really appreciate it when you notify us if you find a security issue.
Rewards
If the issue is valid - i.e. when we think it should be fixed, and you are the first to report it - you will be awarded a place in our Hall of Fame. For severe cases we hand out swag of choice from shop.transloadit.com. We do not have cash bounties on offer.
Hall of Fame
Please include in your report how you would want to be credited in the Hall of Fame. You can supply a site and a name or handle, but we draw a line where things get too noisy, spammy, or offensive.
Rules
Automated tools can generate a lot of noise for our audit tools, so we
ask you not to use those.
Please keep in mind that we do have rate-limiting for login failures and
many other events, but that it kicks in quite late.
In addition, some parts of our website are static and hosted on S3. We cannot set some
security headers there without passing each request through Lamda which
we decided is inefficient overhead, knowing that with plain HTML files, the attack vectors
that these headers intend to reduce, do not apply.
Hall of Fame
The following security researchers have identified and responsibly disclosed vulnerabilities to us. Top 3 is shown on the list. To see the complete list of people who have contributed to make transloadit a safer place click the show hall of fame button.
Questions, answered.
If you have questions about Transloadit security in general, here are a few Security-related questions and their answers from our FAQ:
-
Are Assembly IDs secure?
Transloadit uses UUIDv4 without dashes for generating these IDs randomly. Guessing, or generating a UUID that matches one of ours, would be as probable as generating a collision. This is so improbable that it is not considered a viable attack vector.
Since we keep around five million Assemblies in active storage at any given time, the chances are admittedly five million times more likely to generate a collision. That being said, since we rate-limit to 250 operations per minute, it would still take machines longer than mankind has existed on earth to generate enough UUIDs to have a 50% probability that one of those will match a UUID that Transloadit has once generated. We deem this far from being a viable attack vector.
For files, the window gets even smaller again as we remove them after 24 hours. A few reasons for why we choose to do this are outlined here.
Beyond the guessing of files or Assembly URLs, it is of course a concern that these addresses would leak somehow. We consider an Assembly ID and file URL private. They are a secret shared between Transloadit, our customer, and depending on your integration, the specific end-user for whom the customer is supplying the files and running the Assembly on your behalf.
This communication between these parties happens over HTTPS, for which we have A+ grading on SSL Labs across the board. If HTTPS is used for integration with Transloadit and the end-user for any request involved, the URLs to Assemblies and files can not leak beyond these trusted parties, to the likelihood of becoming a viable attack vector.
Then there is Transloadit to look at as trusted party. Our policy is that only our trusted core-team-members have access to these files for debugging purposes. We receive millions of files every day and they are just UUIDs to us until a customer asks us to take a closer look.
We run all our processes as non-privileged users, injecting secrets, so if an attacker has possessed these secrets, that means they have gotten root access to our machines somehow. In this case, encryption of the file buckets would not suffice, as with the credentials acquired to get full access to the bucket, the attacker almost certainly also has access to our decryption keys, as is the case when we regard Amazon as hacked. Luckily, both Amazon and Transloadit have a very high focus on keeping our systems secure. But it is true that anyone who would give you a 100% security guarantee here, does in fact, not quite understand security, and you would be wise to steer clear.
-
Can I allow Transloadit's IPs in my firewall?
Our platform is highly volatile in the sense that we'll have 1000 servers online today that will be gone tomorrow. Trying to keep your firewalls up to date with this pace is asking for dropped connections.
We don't funnel outgoing connections (e.g. /sftp/store or Notifications or /http/import) through one point because of performance and SPOF reasons. Using a fleet of proxies that scale along with load puts us back in the same problem, and using NAT has prohibitive limitations performance-wise. The trade-off of our decision to have maximum reliability & throughput is that our outgoing IPs change rapidly.
-
How are my Amazon S3 credentials protected?
If you want us to store files in your S3 bucket, it is recommended to save the credentials in a Template in your account. We keep this Template encrypted in our database.
The keys needed to decrypt these are injected into process memory by another system user. This means that if someone was able to exploit the user under which we run our API or website processes, they could still not access the keys. If they tried to change our code to display or send the credentials, they would have to restart the service (not permitted under that user) and access the key files (also not permitted).
If our servers are rooted, it is a different story. This is why we use firewalls, use protected SSH keys, and limit our sudo, but as any expert will tell you, 100% security is a myth and it is better to prepare for the worst.
This is why we recommend to create IAM policies that only have Put and List permissions on your buckets (for an up to date and precise list of the required permissions, please check the S3 Store documentation), and let Transloadit use that for writing only. So if your credentials were ever stolen and the criminals managed to decrypt them as well - they would still only be able to add more files to this particular bucket, until we notice and intervene.
While, as said, 100% security is a myth, our security philosophy is to make it as hard as possible to for anyone to gain access to your credentials and the keys necessary to decrypt them, and if they do manage to acquire them, to make them as useless as possible.
-
MD5 is not a secure hashing algorithm, why are you using it?
First of all, for signature authentication and all other things that need to be secure we do not use MD5. We provide MD5 hashes for files as a means to detect duplicates from trusted sources, as well as for other purposes where there’s no rewarding use case for the attack vector of calculating colliding hashes.
Since MD5 is both faster to calculate and even more widely available than, for instance, SHA1, a deliberate trade-off was made by providing MD5 hashes for encoding results. It goes without saying that, since MD5 is not secure, you should not be using these hashes as building blocks for anything that is security sensitive in your application.