Forward secrecy and a reminder about Fastly security advisories

Nov 22, 2016 in Security

In February of this year we announced Fastly Security Advisories, which we publish to address vulnerabilities discovered on our own platform, as well as significant security vulnerabilities that affect the wider internet community.

Publishing advisories supports our security team’s vision for defending the modern web in two ways:

  • When we’re affected by a vulnerability, we want to be transparent, and provide either assurance or actionable information. We want customers to have access to the right information on an issue so they can accurately determine whether their platform is affected and whether any action is required to protect themselves. We also use advisories to provide detailed post-mortem information on an incident that may have affected customers, such as the GlobalSign TLS certificate revocation errors.

  • When our customers may be affected by a vulnerability, we see our CDN as a tool that can quickly deploy robust, virtual patches that help protect their application, without touching the origin server. An example of this is our advisory for how to mitigate the HTTP_PROXY vulnerability using our CDN.

Last week, we published a security advisory on our resolution of a vulnerability pointed out by a group of security researchers in our implementation of “forward secrecy.” Forward secrecy is a property of TLS that prevents previously captured traffic from being decrypted if the TLS keys are stolen at a later date. While we weren’t directly contacted by the researchers, we’d previously been made aware of the issue, and addressed the vulnerability on Friday, November 11. No customer action is required to benefit from the fix.
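Forward secrecy is a property of the key exchange, not of the cipher: a suite that encrypts the session secret to the server’s long-term RSA key, or that uses a static (EC)DH key, lets anyone who later obtains that key decrypt recorded sessions, while an ephemeral (EC)DHE exchange (or any TLS 1.3 suite) does not. The Python below is an added example written for this page, not Fastly code, that lets an operator audit their own cipher-suite list for this property. It assumes only the standard OpenSSL and IANA suite naming conventions; the sample configuration is constructed for illustration.

```python
"""Audit a TLS cipher-suite list for forward secrecy (added example, not Fastly code).

Classifies suite names in both OpenSSL spelling (ECDHE-RSA-AES128-GCM-SHA256) and
IANA spelling (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), and filters a
configuration down to suites whose key exchange is ephemeral.
"""
import ssl

# OpenSSL-style name prefixes whose key exchange is ephemeral.
# "EDH-" is an older alias for "DHE-".
EPHEMERAL_OPENSSL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# IANA-style key-exchange tokens (the part between "TLS_" and "_WITH_") that are
# ephemeral.  ECDHE_PSK and DHE_PSK are covered by the same prefix match.
EPHEMERAL_IANA_PREFIXES = ("ECDHE_", "DHE_")


def is_tls13(suite: str) -> bool:
    """TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) carry no "_WITH_" because the
    key exchange is no longer part of the suite name: it is always (EC)DHE."""
    return suite.startswith("TLS_") and "_WITH_" not in suite


def is_forward_secret(suite: str) -> bool:
    """Return True if the named suite negotiates an ephemeral key exchange.

    Static RSA (AES128-GCM-SHA256, TLS_RSA_WITH_...), static ECDH/DH (ECDH-RSA-...,
    TLS_ECDH_ECDSA_WITH_...) and plain PSK suites are not forward secret.
    Anonymous suites (ADH-, AECDH-, TLS_DH_anon_WITH_...) are rejected as well:
    their exchange is ephemeral but unauthenticated, so they are never acceptable.
    """
    if is_tls13(suite):
        return True
    if suite.startswith("TLS_"):
        key_exchange = suite[len("TLS_"):suite.index("_WITH_")]
        return key_exchange.startswith(EPHEMERAL_IANA_PREFIXES)
    return suite.startswith(EPHEMERAL_OPENSSL_PREFIXES)


def audit_suites(suites):
    """Split a configured suite list into (forward_secret, not_forward_secret),
    preserving the configured preference order."""
    forward_secret = [s for s in suites if is_forward_secret(s)]
    not_forward_secret = [s for s in suites if not is_forward_secret(s)]
    return forward_secret, not_forward_secret


def hardened_cipher_string(suites):
    """Build an OpenSSL 'CipherString' from the forward-secret TLS 1.2 suites only.

    TLS 1.3 suites are left out because OpenSSL configures them separately
    (and they are forward secret regardless).
    """
    forward_secret, _ = audit_suites(suites)
    return ":".join(s for s in forward_secret if not is_tls13(s))


def local_default_suites():
    """Names of the suites Python's default SSL context offers, as reported by
    the linked OpenSSL (a quick way to audit the local defaults)."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed sample of a server's configured suite list (OpenSSL spelling).
SAMPLE_CONFIG = [
    "TLS_AES_256_GCM_SHA384",          # TLS 1.3: always ephemeral
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",               # static RSA key exchange: no forward secrecy
    "ECDH-RSA-AES128-SHA",             # static ECDH: no forward secrecy
    "AES256-SHA",                      # static RSA, CBC: no forward secrecy
]

if __name__ == "__main__":
    good, bad = audit_suites(SAMPLE_CONFIG)
    print("forward secret:    ", good)
    print("NOT forward secret:", bad)
    print("hardened CipherString:", hardened_cipher_string(SAMPLE_CONFIG))
    _, local_bad = audit_suites(local_default_suites())
    print("local defaults lacking forward secrecy:", local_bad)
```

A server whose configuration retains any suite in the second list can still negotiate a session that a later key theft would expose; removing those suites, as the hardened string does, is the fix on the operator’s side. Note that in TLS 1.2 the server’s configured preference order is what decides the outcome, so auditing the list (and the order) matters more than what a client happens to offer.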

Threats on the web aren’t going away. Our goal is to continue to work within the broader operator and vendor community to stay on top of emerging security issues, and leverage our security team and platform to deploy those mitigations both for our customers and the larger web community.

If you’d like to stay informed about future security issues and how Fastly mitigates them, you can sign up to receive emails when we publish new advisories here. If you are a security researcher and would like to report a vulnerability to our team, you can find our contact information and our PGP key here.

Author

Maarten Van Horenbeeck | VP of Security Engineering

Maarten Van Horenbeeck is the Vice President of Security Engineering at Fastly. He is also a Board member, and former Chairman, of the Forum of Incident Response and Security Teams (FIRST), the largest association of security teams, counting 300 members in over 70 countries. Prior to his work at Fastly, Maarten managed the Threat Intelligence team at Amazon, and worked on the security teams at Google and Microsoft. Maarten has a master’s degree in Information Security from Edith Cowan University, and is currently pursuing a Masters degree in International Relations. When not working, he enjoys backpacking, sailing and collecting first edition travel literature.

maartenvhb