Websites of all sizes and types are using encryption to protect and enhance their content and their users’ experience. Encryption can give you assurance that sensitive data is reaching the intended user, and can protect content from theft or manipulation while in transit. It can also provide privacy if you are worried about a third party eavesdropping on your communications.
Lately, web developers have been using encryption for another purpose: it is the only way to be sure that the user is experiencing your website the way you intended. Today it is common for users to access websites over non-neutral networks, such as those on college campuses or airplanes. This gives outside parties an opening to alter the way your website is experienced: they can inject malware or advertisements, or potentially replace your website completely.
Verizon Digital Media Services is positioned perfectly to provide effective encryption that’s simple to implement, protecting you against these growing threats. Our delivery network enables and supports data encryption efforts via a variety of digital certificate types and extensions, encrypting traffic while preserving the enterprise-grade performance you’d expect from a content delivery network (CDN).
TLS Encryption Overview
The most fundamental protection you can provide for your content and your users is to use an encrypted protocol such as Transport Layer Security (TLS), the successor to SSL (Secure Sockets Layer). TLS is used to create secure connections for delivering websites, payment information and any other important or sensitive information across the web. TLS uses X.509 certificates and asymmetric cryptography to let your users verify your website’s identity and authenticity. Once that trust is established, a symmetric session key is used to encrypt the data flowing between the parties, which is much faster than asymmetric encryption.
The Verizon CDN supports the HTTPS protocol both to the customer origin and to the end user. Customers can deploy their own certificate for use by the CDN, or they can use certificates provided by Verizon. We recommend Verizon-provided TLS certificates (from DigiCert), which are optimized for performance on the Verizon CDN. The types of certificates offered cover a wide variety of potential uses, including:
– SHARED — A quick, easy and low-cost option where a domain is secured using a resource shared with other CDN customers.
– DEDICATED — A private option used to secure a single customer’s domains using a dedicated certificate resource.
– DEDICATED WILDCARD — A dedicated certificate used to secure one domain and all of its first-level sub-domains. For example, a certificate for *.example.com secures www.example.com, mail.example.com, etc.
– DEDICATED EXTENDED VALIDATION — A dedicated certificate that uses the highest level of authentication and is specifically created to boost and maintain user confidence along with improving commerce conversion rates.
The Verizon CDN also provides support for a configurable list of TLS ciphers. The default cipher configuration used by the caching servers in the CDN is optimized for performance while maintaining a high security level. Cipher configurations can also be customized on a per-customer basis to suit the specific encryption needs of the website.
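The following is an added example, not Verizon’s code and not the CDN’s actual default cipher configuration: it builds a client-side TLS context with Python’s standard `ssl` module using an explicit, conservative cipher policy of the kind a customer might specify, and then audits which suites that policy actually enables. The cipher string and the list of weak-algorithm markers are this example’s own choices.

```python
import ssl

# Added example (not Verizon's configuration): an explicit client-side TLS
# policy plus a small audit of what it enables. The cipher string and the
# weak-algorithm markers below are this example's own choices.

# Substrings whose presence in a suite name marks it as one we never want.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT")


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+ only, AEAD suites with forward secrecy, certificate and
    hostname verification required."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax; this governs TLS 1.2 suites. TLS 1.3 suites
    # are selected separately by the library and are all AEAD.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!PSK:!SRP:!DSS"
    )
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS-level compression leaks plaintext length
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of every suite the context would offer, TLS 1.2 and 1.3."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Suites that slipped through the policy despite carrying a weak marker."""
    return [n for n in enabled_cipher_names(ctx)
            if any(marker in n for marker in WEAK_MARKERS)]


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """The settings an auditor would check, as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "cipher_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    context = hardened_client_context()
    print(policy_summary(context))
    print("enabled:", enabled_cipher_names(context))
    print("weak:", weak_ciphers(context))
```

The audit is the useful half: a cipher string is easy to get wrong, and `get_ciphers()` shows what the library actually resolved it to on the OpenSSL build in use, which is what a peer will see.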
Encryption is only as strong as your ability to keep the cryptographic keys confidential so they can’t be copied and used in unintended ways. For use on the CDN, private keys for the TLS certificates are stored encrypted in the Verizon cloud. End to end, our key management processes have been reviewed and approved by third-party auditors against PCI compliance standards. You can be sure that whether you are using your own certificate or one we’ve provided for you, it’s in good hands.
Certificate Validation Performance
Performance is at the heart of everything we do as a CDN, which is why we wanted to make sure that we could offer the fastest HTTPS in the market. With the DNS part already taken care of, we focused on the TLS handshake itself and on improving certificate validation times. By supporting OCSP stapling (Online Certificate Status Protocol stapling), our servers include the CA’s signed OCSP response in the TLS handshake itself, so the client does not have to contact the OCSP responder separately. This cuts the time it takes a client to confirm that a certificate has not been revoked by 35 percent and gives our customers the fastest HTTPS transaction times.
Verizon’s CDN can also support certificate pinning to protect against the risk of fraudulent, but properly signed, certificates when retrieving content from an origin webserver.
Pinning leverages the knowledge of a pre-existing relationship between Verizon and our customers so that the CDN only accepts a pre-selected list of certificates or certificate authorities (CAs) when communicating with the customer’s origin servers.
Our CDN customers can further reduce the risk of fraudulent certificates by pinning the CA certificates presented by the CDN in web browsers such as Chrome and Safari. This is done by adding the CAs to the “pinsets” maintained by the Chromium Project. The Verizon CDN’s certificate pinning feature, together with the ability to pin certificates in certain browsers, lets our customers white-list specific CAs and exclude others, such as CNNIC, as they wish.
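As an added example (not part of the original post and not the CDN’s implementation), the following Python code shows the mechanics behind the pinning described above: it extracts the SubjectPublicKeyInfo from a DER-encoded X.509 certificate, computes the HPKP-style pin, and accepts a chain only if the leaf or one of its issuing CAs carries a pinned key. The certificates it operates on are constructed, structurally minimal stand-ins, labelled as such in the code; in a real client the leaf would come from `SSLSocket.getpeercert(binary_form=True)`.

```python
import base64
import hashlib

# Added example (not Verizon's code): SPKI pinning over DER certificates.
# Assumes DER input; the "certificates" built below are constructed stand-ins.

SEQUENCE, INTEGER, BIT_STRING, CONTEXT_0 = 0x30, 0x02, 0x03, 0xA0


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos.
    Returns (tag, value_start, value_end); value_end is also the next sibling's offset."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8n then n length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def extract_spki(der_cert: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, tbs_pos, _ = _read_tlv(der_cert, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    tag, pos, tbs_end = _read_tlv(der_cert, tbs_pos)
    if tag != SEQUENCE:
        raise ValueError("not a TBSCertificate SEQUENCE")
    if der_cert[pos] == CONTEXT_0:          # explicit version tag; absent in v1 certs
        _, _, pos = _read_tlv(der_cert, pos)
    for _ in range(5):                      # serial, sigalg, issuer, validity, subject
        _, _, pos = _read_tlv(der_cert, pos)
    if pos >= tbs_end:
        raise ValueError("TBSCertificate too short")
    tag, _, end = _read_tlv(der_cert, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return der_cert[pos:end]


def spki_pin(spki: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def chain_pinned(chain: list, pins: set) -> bool:
    """True if any certificate in the chain (leaf first) carries a pinned key.
    Pinning the key rather than the certificate survives renewals; pinning a CA
    key lets that CA reissue freely. Run this only after normal chain validation."""
    return any(spki_pin(extract_spki(c)) in pins for c in chain)


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed stand-ins)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


# Constructed stand-ins: DER-shaped fields with placeholder contents, enough to
# exercise the parser. They are not real or validly signed X.509 certificates.
TOY_SPKI = _tlv(SEQUENCE, _tlv(SEQUENCE, b"") + _tlv(BIT_STRING, b"\x00" + bytes(range(256))))
_TOY_FIELDS = (_tlv(INTEGER, b"\x01") + _tlv(SEQUENCE, b"") + _tlv(SEQUENCE, b"")
               + _tlv(SEQUENCE, b"") + _tlv(SEQUENCE, b"") + TOY_SPKI)
_TOY_TAIL = _tlv(SEQUENCE, b"") + _tlv(BIT_STRING, b"\x00")   # sigalg + empty signature
TOY_CERT_V3 = _tlv(SEQUENCE, _tlv(SEQUENCE, _tlv(CONTEXT_0, _tlv(INTEGER, b"\x02")) + _TOY_FIELDS) + _TOY_TAIL)
TOY_CERT_V1 = _tlv(SEQUENCE, _tlv(SEQUENCE, _TOY_FIELDS) + _TOY_TAIL)

if __name__ == "__main__":
    # A deployed pinset carries the live key plus a backup key not yet in use.
    pinset = {spki_pin(TOY_SPKI), spki_pin(b"constructed backup key placeholder")}
    print("leaf pin:", spki_pin(extract_spki(TOY_CERT_V3)))
    print("pinned:", chain_pinned([TOY_CERT_V3], pinset))
```

Two operational points the code encodes: the pin check is an extra gate after ordinary chain validation, never a replacement for it, and a pinset should always contain a backup pin for a key that is not yet deployed, otherwise a routine key rotation locks every pinning client out.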
Whether you need to protect your content and users from cyber attacks or you need the fastest commerce website with high conversion rates, Verizon’s CDN has a solution for you. We’re here to help you answer the question: “Is your content secured?”
Richard Marcus, Manager of Security Operations and Compliance