Forward secrecy and a reminder about Fastly security advisories

In February of this year we announced Fastly Security Advisories, which we publish to address vulnerabilities discovered on our own platform, as well as significant security vulnerabilities that affect the wider internet community.

Publishing advisories supports our security team’s vision for defending the modern web in two ways:

  • When we’re affected by a vulnerability, we want to be transparent, and provide either assurance or actionable information. We want customers to have access to the right information on an issue so they can accurately determine whether their platform is affected and whether any action is required to protect themselves. We also use advisories to provide detailed post-mortem information on an incident that may have affected customers, such as the GlobalSign TLS certificate revocation errors.

  • When our customers may be affected by a vulnerability, we see our CDN as a tool that can quickly deploy robust, virtual patches that help protect their application, without touching the origin server. An example of this is our advisory for how to mitigate the HTTP_PROXY vulnerability using our CDN.

Last week, we published a security advisory on our resolution of a vulnerability pointed out by a group of security researchers in our implementation of “forward secrecy.” Forward secrecy is a quality of TLS which prevents previously captured data from being decrypted, when TLS keys are stolen at a later date. While we weren’t directly contacted by the researchers, we’d previously been made aware of the issue, and addressed the vulnerability on Friday, November 11. No customer action is required to benefit from the fix.

Threats on the web aren’t going away. Our goal is to continue to work within the broader operator and vendor community to stay on top of emerging security issues, and leverage our security team and platform to deploy those mitigations both for our customers and the larger web community.

If you’d like to stay informed about future security issues and how Fastly mitigates them, you can sign up to receive emails when we publish new advisories here. If you are a security researcher and would like to report a vulnerability to our team, you can find our contact information and our PGP key here.

Maarten Van Horenbeeck
VP of Security Engineering

2 min read

Want to continue the conversation?
Schedule time with an expert
Share this post
Maarten Van Horenbeeck
VP of Security Engineering

Maarten Van Horenbeeck is the Vice President of Security Engineering at Fastly. He is also a Board member, and former Chairman, of the Forum of Incident Response and Security Teams (FIRST), the largest association of security teams, counting 300 members in over 70 countries. Prior to his work at Fastly, Maarten managed the Threat Intelligence team at Amazon, and worked on the security teams at Google and Microsoft. Maarten has a master's degree in Information Security from Edith Cowan University, and is currently pursuing a Masters degree in International Relations. When not working, he enjoys backpacking, sailing and collecting first edition travel literature.

Ready to get started?

Get in touch or create an account.