We believe that implementing the highest standard of TLS encryption across your website shouldn’t slow it down. As part of our standard service, you can terminate secure TLS connections at our network edge, closer to users, offloading encrypted traffic from your web server for better performance.
Ecommerce transactions and transfers of confidential customer data require strong encryption. Some CDNs charge extra to secure this kind of traffic, diverting it to a separate network. Since any internet-facing network is exposed to the same threats, we maintain one compliant, secure, high-performance network for all customer traffic. This gives you a single platform for unified inspection and enforcement of both encrypted and unencrypted traffic flows. In addition, we provide the option to maintain encrypted sessions from client to cache and from cache to origin.
Fastly provides a number of certificate hosting options:
- Shared certificates use the Fastly Subject Alternative Name (SAN) certificate to host multiple hostnames or domains on one certificate. You provide your domain name list or one or more wildcard domain name entries. We add these domain names to our certificate SAN field and take care of certificate administration.
- For hosted certificates, Fastly installs TLS certificates into our caches and allocates IP addresses on each cache. We create a new customer-specific DNS Global Domain Map that associates the certificate with the allocated IP addresses. This service is often used for Extended Validation (EV) certificates. Fastly also supports Domain Validated (DV) and Organization Validated (OV) certificates.
- A free TLS service is also available for customers who exclusively use a subdomain of *.ssl.fastly.net.
We’re constantly improving website security and user safety by applying evolving industry-standard practices to our services. When the POODLE vulnerability emerged, targeting SSLv3, we disabled all SSLv3 traffic and encouraged customers to move to the more secure TLS standard. Fastly was also an early adopter of OCSP stapling, a certificate revocation technology that speeds up revocation checks by avoiding unnecessary round trips.