You appear to be offline. Some site functionality may not work.
Call Us

Security blog

Engineering a more resilient internet

Fastly Director of Security Engineering Maarten Van Horenbeeck shares his experiences of how the security community can protect the “global commons” that the internet has become.

GitHub’s Joe Williams discusses mitigating security threats

At Fastly Altitude 2015, Joe Williams, a computer operator at GitHub, gave a talk on mitigating security threats (like DDoS attacks) with a CDN. This post is an overview of his talk, with full video…

How to fuzz a server with American Fuzzy Lop

In this blog post, I’ll describe how to use AFL’s experimental persistent mode to blow the doors off of a server without having to make major modifications to the server’s codebase. I’ve used this technique…

FREAK does not affect Fastly services

Fastly is not vulnerable to Logjam — we only offer the more secure Elliptic Curve variant of the Diffie-Hellman key exchange (ECDHE), and the RSA key exchange mechanism for clients that don’t support ECDHE. Since…

Improving visibility into CA operation with Certificate Transparency

If you follow the security news cycle, you may have seen recent discussions about Google detecting a Certificate Authority (CA) in China improperly issuing certificates capable of transparently (that is, without warning) imitating Google...

Addressing the challenges of TLS, revocation, and OCSP

Rotation, expiration, and revocation of secrets are all important concerns that require careful and difficult up-front design. Transport Layer Security (TLS), the protocol underlying secure web traffic (HTTPS), is one of the cryptographic systems with…

March 19 OpenSSL Security Advisory

Fastly has evaluated each of these vulnerabilities and found that only one moderate-severity bug affects our configuration. We are currently testing the patch and coordinating a global release of the updated software across Fastly’s network….

TLS at the edge and server-side security

We’re huge fans of Transport Layer Security (TLS) at Fastly. Here’s a behind-the-scenes look at how we do encryption at the edge, which can also serve as overall best practices for handling server-side...

Getting an A in security: SHA-2 migration and disabling RC4

As many of you know, TLS best practices have changed a lot in the past two years. Recently, Fastly has changed how we configure TLS to make it even more secure. This includes migrating our…

Securing the news: TLS for media sites

TLS is especially applicable to news sites. News organizations bear a public responsibility to accurately report the news, and need to take the steps necessary to ensure credibility. The security of online news content is…

Caching the Uncacheable: CSRF Security

In this post, I investigate several strategies for maintaining security while improving cacheability. I use Ruby on Rails for the examples, but the techniques apply to nearly any web application framework.

Disabling SSLv3 Due to POODLE Vulnerability

Based on our understanding of the POODLE vulnerability (mainly the fact that there is currently no workaround), and the fact that we have very little traffic running over SSLv3 (around .5% globally), we are disabling...