The web is evolving to be more secure by default. Web browsers now highlight insecure websites that use the unencrypted HTTP web protocol, and Google Search down-ranks web properties that aren’t using HTTPS.
When Adobe Portfolio heard the announcement that Google’s Chrome browser would be clearly marking any non-HTTPS sites as ‘not secure’, they knew they had to take action to improve the security of all their Adobe Portfolio sites and to protect their brand reputation. Adobe Portfolio helps creative professionals easily and quickly build websites to showcase their work. Their mission is to help creative professionals present their work effectively and elegantly online, and giving customers a site that is secure by default helps bolster professional branding. It also helps build a more secure internet ecosystem for everyone.
“Not only is Fastly’s Platform TLS good for our users to build their brands securely, it’s good for the internet as a whole.” — Mike Sherov, Director of Engineering, Adobe
But supporting security as a default means that every Adobe Portfolio site must automatically have HTTPS — and doing so for thousands of sites is no easy task. HTTPS is enabled by TLS (Transport Layer Security), which secures the connection and any data transmitted between your browser and a server.
That secure connection is established via the TLS protocol, which ensures encrypted communication between client and server, and allows the client to authenticate the identity of the certificate’s holder. TLS relies upon certificates provided by trusted third-party Certificate Authorities, who take on the responsibility of validating that it is okay to issue a certificate to the certificate holder. While it is fairly straightforward to buy certificates (or to obtain them for free from organizations like Let’s Encrypt), managing those efforts can quickly become complex, requiring coordination across many different vendors. And providing TLS at scale for hundreds of thousands of sites only exacerbates the challenge for those companies. They need a way to provide secure web experiences quickly and at scale.
Today we’re announcing two new offerings on the Fastly platform: Platform TLS and Subscriber Provided Prefix. Both empower companies to provide fast, secure web experiences to their customers and end-users, while reducing the workload on their own internal teams.
Our new Platform TLS product gives companies that offer mass hosting or support multi-brand portfolios the ability to fully automate TLS provisioning at scale, including certificate and key management, through Fastly’s API. It supports delivery and management of hundreds of thousands of certificates, supported by an automated worldwide TLS termination and acceleration solution. This approach has a number of benefits:
The ability to terminate TLS at the edge means you’re offloading the work of handling encrypted transactions from your origin servers. This has a big impact on the performance of your sites or applications.
Platform TLS helps you automate your certificate management (with a dedicated support team there to help), taking a significant load off internal teams and reducing costs of manual processes. For organizations utilizing or moving towards DevSecOps, you can manage certificates in a manner that seamlessly integrates into rapid development cycles.
You have the flexibility to use whichever certificates you prefer, including newer short-term offerings like Let’s Encrypt, and your end-users get a consistent, predictable, secure experience.
Bring your own IP: Subscriber Provided Prefix
This new service is for Fastly subscribers who want to remain in control of their IP address space for the long term. Whether you need to maintain your IP reputation for outbound mail services, or potentially have to use specific addresses for compliance reasons, this service allows you to “whitelist” your address space and future-proof your customers’ brands, while taking advantage of the capacity and ongoing growth of Fastly’s network.
With this service, you provide your own IP address space to Fastly rather than use Fastly IP addresses. In this case, Fastly announces, routes, and serves your IP space via Fastly infrastructure for use with your production services. You can direct traffic to your own IP addresses, which are reachable via HTTP anycast on Fastly’s infrastructure. This service can also be used in conjunction with origin peering and the Fastly DDoS protection and mitigation service to help protect customers by shielding them behind Fastly’s global network.
Transparency and trust are core values at Fastly, and we work to embody them in all facets of our business. Not only do we foster deep relationships with our customers, but we in turn empower our customers to build trust with their end-users. The new Platform TLS product and SPP service go hand-in-hand with that mission, helping brands cultivate trust through fast and secure digital experiences. In equipping brands with the tools they need to provide secure services, we help protect them and their users, and ultimately help evolve the security of the web itself.