Security
Page 12
Lean Threat Intelligence, Part 1: The plan
Fastly Security Researcher Zack Allen discusses how you can draw from open source resources to build a lean and powerful Threat Intelligence plan for your organization.
Introducing Fastly Security Advisories
Today we’re announcing Fastly Security Advisories. Fastly will publish these to address security concerns that either trigger customer interest or require customer action to address.
Introducing the Fastly Security Speaker Series
Today we’re announcing the Fastly Security Speaker Series, an informal event for bringing together researchers and engineers to share research, tools, and ideas. Fastly will bring some of the most innovative and thoughtful security researchers to Fastly headquarters in San Francisco to share their work. Our first event is February 25th, and our first two speakers are Alex Pinto and Rolf Rolles.
Update to our TLS 1.0 and 1.1 deprecation plan
Last October, we announced our deprecation plan for TLS 1.0 and 1.1. The PCI Security Standards has since updated their guidance, and we are revising our deprecation schedule accordingly.
Fastly's plan for plan for TLS 1.0 and 1.1 deprecation
The PCI DSS 3.1 standard has changed. In order to keep you up-to-date and secure online, we’re announcing our plan for TLS 1.0 and 1.1 deprecation.
Engineering a more resilient internet
Fastly Director of Security Engineering Maarten Van Horenbeeck shares his experiences of how the security community can protect the “global commons” that the internet has become.
GitHub’s Joe Williams discusses mitigating security threats
At Fastly Altitude 2015, Joe Williams, a computer operator at GitHub, gave a talk on mitigating security threats (like DDoS attacks) with a CDN. This post is an overview of his talk, with full video and slides included.
How to fuzz a server with American Fuzzy Lop
In this blog post, I'll describe how to use AFL's experimental persistent mode to blow the doors off of a server without having to make major modifications to the server's codebase. I've used this technique at Fastly to expand testing in some of the servers that we rely on and others that we are experimenting with.
FREAK does not affect Fastly services
Fastly is not vulnerable to Logjam — we only offer the more secure Elliptic Curve variant of the Diffie-Hellman key exchange (ECDHE), and the RSA key exchange mechanism for clients that don’t support ECDHE. Since Fastly does not offer any export grade ciphersuite options — and we do not offer the Diffie-Hellman key exchange mechanism — our services are not affected.
Improve CA ops visibility with Cert Transparency | Fastly
If you follow the security news cycle, you may have seen recent discussions about Google detecting a Certificate Authority (CA) in China improperly issuing certificates capable of transparently (that is, without warning) imitating Google TLS-protected websites. As part of the subsequent investigation, Google removed the implicated CA from the list of trusted CAs and indicated that in order for the CA to be considered for re-inclusion, they would have to implement a system known as Certificate Transparency (CT). Below, I’ll outline the basics of CT and how it relates to this and other CA-related incidents in recent history.
Addressing TLS Revocation and OCSP Challenges
Rotation, expiration, and revocation of secrets are all important concerns that require careful and difficult up-front design. Transport Layer Security (TLS), the protocol underlying secure web traffic (HTTPS), is one of the cryptographic systems with the largest deployment and day-to-day use, and serves as a good case study for all of the proceeding concerns. In this post, I’ll discuss how revocation is addressed in TLS, and how it relates to both performance and security.
March 19 OpenSSL Security Advisory
Fastly has evaluated each of these vulnerabilities and found that only one moderate-severity bug affects our configuration. We are currently testing the patch and coordinating a global release of the updated software across Fastly’s network. We anticipate no customer impact or configuration changes.
TLS at the edge and server-side security
We’re huge fans of Transport Layer Security (TLS) at Fastly. Here’s a behind-the-scenes look at how we do encryption at the edge, which can also serve as overall best practices for handling server-side TLS.
Getting an A in security: SHA-2 migration and disabling RC4
As many of you know, TLS best practices have changed a lot in the past two years. Recently, Fastly has changed how we configure TLS to make it even more secure. This includes migrating our TLS certificates from SHA-1 to SHA-2 and disabling RC4 for all our services.
Securing the news: TLS for media sites
TLS is especially applicable to news sites. News organizations bear a public responsibility to accurately report the news, and need to take the steps necessary to ensure credibility. The security of online news content is one of the first steps in verifying its veracity while protecting readers.
Caching the Uncacheable: CSRF Security
In this post, I investigate several strategies for maintaining security while improving cacheability. I use Ruby on Rails for the examples, but the techniques apply to nearly any web application framework.
Disabling SSLv3 Due to POODLE Vulnerability
Based on our understanding of the POODLE vulnerability (mainly the fact that there is currently no workaround), and the fact that we have very little traffic running over SSLv3 (around .5% globally), we are disabling SSLv3 for all Fastly SSL customers, effective immediately. This will mainly affect users of Windows XP Pre-service pack 3 combined with IE version 6. If you are in this group, please upgrade to a more recent browser.
More Advanced Security Features for Your Fastly Account
Security is one of our top priorities at Fastly. We recognize that having your account compromised could have a profoundly negative impact on your business, leaving you and your customers vulnerable and at risk. So, with enthusiastic feedback from our customers, we've been testing out ways to improve account security features. Today, we're pleased to release two-factor authentication and IP account access restrictions.
Fastly Update on 'Heartbleed'
Here’s the latest update on the ongoing resolution to critical OpenSSL vulnerability CVE-2014-0160, aka 'Heartbleed,' which was announced on April 7th and affects nearly every Internet service provider and website using SSL to secure customer traffic.
