Perfect Forward Secrecy and more…

Last month we started rolling out some subtle changes to SendSafely that many users may not have noticed. For starters, we are now taking advantage of some new SSL features that Amazon announced back in February for the Elastic Load Balancer technology that we use for handling end-user SSL connections. Our front-end load balancers now support Perfect Forward Secrecy (PFS) on all SSL/TLS connections. Perfect Forward Secrecy provides an additional safeguard against eavesdropping on encrypted data by using a unique, random session key. This prevents captured data from being decoded, even if the secret long-term key is compromised. With the addition of PFS we earned an A+ from SSL Labs, the highest possible rating.

Today’s scramble to patch the OpenSSL “Heartbleed” vulnerability underscores the grim reality that security technologies themselves are not immune to vulnerabilities. Those of you familiar with how SendSafely works under the hood know that we take a layered approach to security. We assume from the start that one of the layers can, and will, fail at some point. SSL is far from the only layer that we implement to keep your data private.

In addition to enhancing our SSL configuration, we also rolled out changes to our client-side APIs that improve performance when handling large files. Our APIs now segment large files and PGP-encrypt each segment individually, reducing the overall amount of disk space and RAM needed to perform file encryption and decryption. The biggest benefit of this change is that browser-based users no longer need to use our signed Java Applet when uploading or downloading large files (provided that their browser supports HTML5).
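The segment-by-segment approach described above, sketched as an added example; this is not SendSafely's code. It assumes Node's built-in `crypto` module and substitutes AES-256-GCM for PGP, and the function names, segment size and record layout are hypothetical. Because segments are encrypted independently, the sketch also binds each one to its position so that reordered or missing segments are rejected on decryption.

```javascript
// Added example: per-segment authenticated encryption (AES-256-GCM stands in for PGP).
const nodeCrypto = require('crypto');

// AAD binds a segment to its index and to the total segment count, so a segment
// that is moved, duplicated or dropped fails authentication on decrypt.
function aadFor(index, total) {
  const aad = Buffer.alloc(8);
  aad.writeUInt32BE(index, 0);
  aad.writeUInt32BE(total, 4);
  return aad;
}

// Encrypts `data` one segment at a time; only one segment passes through the
// cipher at once. A browser client would read each segment from a File slice
// instead of holding the whole input in a Buffer as this sample does.
function encryptSegments(key, data, segmentSize) {
  const total = Math.max(1, Math.ceil(data.length / segmentSize));
  const segments = [];
  for (let i = 0; i < total; i++) {
    const iv = nodeCrypto.randomBytes(12); // fresh nonce for every segment
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
    cipher.setAAD(aadFor(i, total));
    const chunk = data.subarray(i * segmentSize, (i + 1) * segmentSize);
    const ct = Buffer.concat([cipher.update(chunk), cipher.final()]);
    segments.push({ iv, ct, tag: cipher.getAuthTag() });
  }
  return segments;
}

// Decrypts segments in order; final() throws if any tag or AAD does not match.
function decryptSegments(key, segments) {
  const parts = segments.map((seg, i) => {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, seg.iv);
    decipher.setAAD(aadFor(i, segments.length));
    decipher.setAuthTag(seg.tag);
    return Buffer.concat([decipher.update(seg.ct), decipher.final()]);
  });
  return Buffer.concat(parts);
}

// Returns true when every segment authenticates, false otherwise.
function decryptsCleanly(key, segments) {
  try { decryptSegments(key, segments); return true; } catch { return false; }
}
```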

Over the last 12 months, Oracle made a number of significant changes to how the Java Runtime enforces security with Java Applets. While these changes were well-intentioned, they were very poorly executed and significantly degrade the user experience due to the large number of confusing (and constantly changing) visual security warnings and prompts. We also found that some of the new changes make backwards compatibility nearly impossible. We are very excited that going forward only users with older web browsers (specifically Internet Explorer 8 or 9) will need Java to use SendSafely.
