Edge cloud platform provider Fastly just announced Platform TLS, a service designed to automate, configure and scale Transport Layer Security (TLS) certificates. In doing so, they join other edge PaaS CDNs like section.io that already offer SSL or TLS certificates for HTTPS on a modular basis.
TLS (or SSL) certificates for HTTPS are important for websites to have, particularly those that handle large amounts of customer data, because they keep customer information from being exposed in transit and signal a company’s adherence to modern web security standards.
Implementing top standards for TLS encryption across websites can involve a significant amount of work when performed manually. Fastly says its new service is designed for “companies with personalized spaces for their brands or customers that are looking for scalability”. This kind of service is particularly valuable for large companies that offer mass hosting or have multi-brand portfolios, and thus could be managing hundreds of thousands of certificates through multiple different vendors.
In its documentation, Fastly advises users to consider this service if: (i) “you need to support thousands of individual X.509 certificates and their associated private keys” and (ii) “you own and generate your own certificates and private keys (typically obtained from a third-party certification authority such as Let’s Encrypt)”.
The Fastly API enables the full automation of TLS provisioning, including the programmatic management of certificates and keys “in a manner that seamlessly integrates into rapid development cycles” using a web API. Fastly also offers a support team there if necessary. Fastly’s goal with Platform TLS is to empower developers to easily manage certificates at scale (which can be from any certificate authority, such as Let’s Encrypt) and deliver a fast and secure service for its end users.
Platform TLS also enables the termination of TLS at the edge, meaning that Fastly’s clients are able to offload the work of handling encrypted transactions from their origin servers, which can have a significant impact on the performance of sites or applications.
Using the API, customers can:
- deploy new X.509 certificates
- retrieve information about deployed certificates
- update and delete existing certificates
- deploy new private keys
- retrieve information about private keys
- delete private keys
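The following is an added example, not code from the article or from Fastly, showing how the certificate and key operations listed above can be driven from a script. It assumes the endpoint paths, the `Fastly-Key` header and the JSON:API body shapes of Fastly’s current TLS API (`/tls/private_keys`, `/tls/bulk/certificates`), which the article does not document; the TLS configuration id and the PEM material are placeholders. The `RecordingTransport` class stands in for the network so the rotation sequence can be exercised offline.

```python
import json
import urllib.request

FASTLY_API = "https://api.fastly.com"  # assumed base URL of the Fastly API


class UrllibTransport:
    """Real transport: sends the request with the Fastly-Key header. Not exercised offline."""

    def __init__(self, api_token):
        self.api_token = api_token

    def send(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(FASTLY_API + path, data=data, method=method)
        req.add_header("Fastly-Key", self.api_token)
        req.add_header("Accept", "application/vnd.api+json")
        if data is not None:
            req.add_header("Content-Type", "application/vnd.api+json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}


class RecordingTransport:
    """Offline stand-in: records every call and fabricates ids for POSTs."""

    def __init__(self):
        self.calls = []
        self._n = 0

    def send(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "POST":
            self._n += 1
            return {"data": {"id": f"fake-id-{self._n}", "type": body["data"]["type"]}}
        if method == "GET":
            return {"data": []}
        return {}


class PlatformTLS:
    """Thin wrapper over the Platform TLS endpoints (paths and body shapes are assumptions)."""

    def __init__(self, transport, tls_configuration_id):
        self.t = transport
        self.config_id = tls_configuration_id

    def deploy_private_key(self, pem, name):
        body = {"data": {"type": "tls_private_key", "attributes": {"key": pem, "name": name}}}
        return self.t.send("POST", "/tls/private_keys", body)["data"]["id"]

    def deploy_certificate(self, cert_pem, intermediates_pem):
        # The certificate is attached to the TLS configuration that will serve it.
        body = {"data": {
            "type": "tls_bulk_certificate",
            "attributes": {"cert_blob": cert_pem, "intermediates_blob": intermediates_pem},
            "relationships": {"tls_configurations": {
                "data": [{"type": "tls_configuration", "id": self.config_id}]}},
        }}
        return self.t.send("POST", "/tls/bulk/certificates", body)["data"]["id"]

    def list_certificates(self):
        return self.t.send("GET", "/tls/bulk/certificates")["data"]

    def delete_certificate(self, cert_id):
        self.t.send("DELETE", f"/tls/bulk/certificates/{cert_id}")

    def delete_private_key(self, key_id):
        self.t.send("DELETE", f"/tls/private_keys/{key_id}")


def rotate(api, old_cert_id, old_key_id, new_key_pem, new_cert_pem, new_chain_pem):
    """Rotate one site's material. Order matters: the new key is uploaded before the
    certificate that uses it, and the old key is removed only after the old certificate
    no longer references it, so the edge is never left with a certificate and no key."""
    new_key_id = api.deploy_private_key(new_key_pem, "rotated-key")
    new_cert_id = api.deploy_certificate(new_cert_pem, new_chain_pem)
    api.delete_certificate(old_cert_id)
    api.delete_private_key(old_key_id)
    return new_key_id, new_cert_id


if __name__ == "__main__":
    # Offline demonstration with constructed placeholder PEM blobs.
    api = PlatformTLS(RecordingTransport(), "TLS_CONFIGURATION_ID_PLACEHOLDER")
    print(rotate(api, "old-cert-id", "old-key-id",
                 "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----",
                 "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----", ""))
```

Swapping `RecordingTransport` for `UrllibTransport("<api token>")` sends the same four requests to the real API; keeping the rotation order in one function is what makes it safe to run across thousands of sites.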
Platform TLS is currently only available as part of a limited availability release. Fastly directs interested customers to contact its sales team directly.
Why are TLS Certificates Important?
In its press release announcing the new extensible service, Fastly explained that the key imperative behind the launch of Platform TLS is the building of trust between company and customer.
“Today, online brand identity is about more than just design and speed; browsing unencrypted sites can lead to third parties observing and tampering with the actions and information of consumers, which in turn can result in data leaks, ultimately culminating in privacy violations, fraud, and identity theft”, the press statement reads. “Overall, these issues can make it extremely challenging for a company to protect both its users and reputation.”
Google and other search engines are increasingly playing a role in advocating for HTTPS. Google Search now down-ranks web properties that are not using HTTPS and informs users when they visit insecure websites (i.e. those that still use the unencrypted HTTP protocol). Starting in July, Google Chrome began to mark all HTTP sites as “not secure” as part of its move “toward a more secure web by strongly advocating that sites adopt HTTPS encryption”.
How do TLS Certificates Work?
HTTPS encryption works by protecting the channel between the website and the browser to ensure there is no middle man (or bot) in between spying on the interaction or tampering with traffic. When sites lack HTTPS encryption, anyone with access to the network path (a company’s ISP or router, for example) could potentially intercept information sent to websites or inject malware into otherwise legitimate pages. The secure connection is established via the TLS protocol, which guarantees encrypted communication between client and server. Certificates also reassure users about security, because they let the browser authenticate the identity of the certificate holder.
TLS and SSL certificates that enable HTTPS for websites are delivered by a wide range of third-party vendors, including the popular free certificate authority Let’s Encrypt run by the Linux Foundation. Each digital certificate vendor takes responsibility for validating the security of the certificate holder. Let’s Encrypt does this automatically.
On its site explaining How it Works, the company explains, “The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server”. There are two steps involved in this process: (1) The first involves the agent proving to the certificate authority that the web server controls a specific domain; (2) The second entails the agent requesting, renewing and revoking certificates for that domain.
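The domain-control step described above (step 1) can be seen concretely in the HTTP-01 and DNS-01 challenges of the ACME protocol. The block below is an added example, not code from the article or from Let’s Encrypt, that plays both sides of that exchange offline: a minimal “certificate authority” hands the agent a token, the agent derives the key authorization from its account key exactly as RFC 8555 and RFC 7638 specify, publishes it on a stand-in web server, and the CA fetches and compares it. The RSA JWK is constructed (not a real key) and only its thumbprint matters here; `FakeWebServer`, `CertificateAuthority` and `run_http01_exchange` are names chosen for this illustration.

```python
import base64
import hashlib
import json
import secrets

# Constructed RSA public JWK standing in for the agent's ACME account key.
# The modulus is arbitrary bytes, not a real key; only the thumbprint is exercised.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": base64.urlsafe_b64encode(b"constructed-modulus-bytes-" * 8).rstrip(b"=").decode(),
}


def b64url(data: bytes) -> str:
    """ACME uses base64url without padding everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the _acme-challenge TXT record holds base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


class FakeWebServer:
    """Stand-in for the web server the agent runs on; maps a URL path to a response body."""

    def __init__(self):
        self.routes = {}

    def publish(self, path: str, body: str) -> None:
        self.routes[path] = body

    def get(self, path: str):
        return self.routes.get(path)


class CertificateAuthority:
    """Minimal CA side of HTTP-01: issue a token bound to the requesting account, then verify."""

    def __init__(self):
        self.pending = {}  # domain -> (token, account JWK registered for the order)

    def new_http01_challenge(self, domain: str, account_jwk: dict) -> str:
        token = b64url(secrets.token_bytes(32))
        self.pending[domain] = (token, account_jwk)
        return token

    def validate_http01(self, domain: str, server: FakeWebServer) -> bool:
        token, jwk = self.pending[domain]
        body = server.get(f"/.well-known/acme-challenge/{token}")
        # The CA recomputes the expected value from the account key it knows, so a
        # response produced with any other key fails validation.
        return body == key_authorization(token, jwk)


def run_http01_exchange(domain: str, registered_jwk: dict, publishing_jwk: dict = None) -> bool:
    """Step 1 from the text: the agent proves to the CA that its web server controls `domain`."""
    publishing_jwk = publishing_jwk or registered_jwk
    server, ca = FakeWebServer(), CertificateAuthority()
    # CA -> agent: challenge token for the order opened under `registered_jwk`.
    token = ca.new_http01_challenge(domain, registered_jwk)
    # Agent -> its web server: provision the key authorization at the well-known path.
    server.publish(f"/.well-known/acme-challenge/{token}", key_authorization(token, publishing_jwk))
    # CA -> web server: fetch and compare. Only after this would issuance (step 2) proceed.
    return ca.validate_http01(domain, server)


if __name__ == "__main__":
    print("HTTP-01 with the registered key:", run_http01_exchange("example.test", ACCOUNT_JWK))
    print("DNS-01 TXT value for a sample token:", dns01_txt_value("sample-token", ACCOUNT_JWK))
```

The binding to the account key is the security-relevant detail: a token alone is not enough, because the CA only accepts a response derived from the key of the account that opened the order, which is why the negative case in the test (publishing with a different key) fails.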
The main principles behind Let’s Encrypt are that it is free, automatic, secure, transparent, open and cooperative.
Fastly and Let’s Encrypt
Fastly’s Platform TLS further automates the process of certificate management. In its words, “Platform TLS reduces manual processes, improves security, and saves valuable engineering time by accelerating and automating certificate acquisition and deployment, all while enabling global distribution of encrypted transactions to central clouds through Fastly’s edge. By helping companies automate certificate management, it frees up workloads and supports the delivery of hundreds of thousands of certificates”.
Meanwhile, Josh Aas, executive director of the Internet Security Research Group, the organization behind Let’s Encrypt, told IT Web that all sites should be using HTTPS as unencrypted HTTP traffic can easily be modified to contain malicious payloads.
“Encrypting every site on the Web means embracing automation and ease of use for managing HTTPS deployments, and that’s why we created Let’s Encrypt. We’re happy to see Fastly embrace those principles to help more people and organisations secure their sites.”
Fastly Use Case: Adobe
Fastly highlighted a recent use case for its Platform TLS service via its client, Adobe Portfolio, a portfolio website service that comes free with Creative Cloud and is designed for creative professionals to quickly and easily build websites to showcase their work. Adobe Portfolio’s mission is to enable the elegant, effective promotion of its users’ work and to provide a secure and reliable site by default. This meant that when Adobe Portfolio heard about Google’s announcement that all non-HTTPS sites would be marked as “not secure”, the company had to ensure that every one of its Adobe Portfolio sites automatically had HTTPS. Providing this for thousands of sites manually would have involved a huge amount of work for Adobe Portfolio, which instead used Fastly’s API.
Mike Sherov, Director of Engineering at Adobe said, “Not only is Fastly’s Platform TLS good for our users to build their brands securely, it’s good for the internet as a whole.”
Additional New Fastly Service: Subscriber Provided Prefix (SPP)
The other new service Fastly introduced simultaneously, Subscriber Provided Prefix (SPP), is aimed at “Fastly subscribers who want to remain in control of their IP address space for the long-term”. The SPP service allows its subscribers to “whitelist your address space and future-proof your customer’s brands, while taking advantage of the capacity and ongoing growth of Fastly’s network”.
Instead of using Fastly IP addresses, the Fastly user provides their own IP address to the CDN, which then announces, routes and serves that IP space via Fastly infrastructure for use with the client’s production services. Traffic can be directed to the client’s own IP addresses, reachable via HTTP anycast on Fastly’s infrastructure. It essentially allows customers to control their address space by separating their network layer concerns from their content delivery concerns.
The SPP service can be used in combination with origin peering and Fastly’s DDoS service. When purchased from Fastly, customers also must purchase Fastly’s Enterprise Support package and its IP-to-Service Pinning Setup Service. Pricing is not readily available on the Fastly website.
Fastly describes both products as embodying important elements of its core values: “transparency and trust… Not only do we foster deep relationships with our customers, but we in turn empower our customers to build trust with their end-users”.
Fastly’s Push to Become an Industry Leader in Edge Compute
In June, the next-gen CDN announced three new enterprise services aimed at helping businesses build on their edge cloud investments and free up IT and engineering resources. The three services were:
- Performance Optimization Package – an analysis tool designed to help users identify tuning opportunities “to help your site or service live up to its full potential”;
- WAF Management Package – also aimed at analysis and fine-tuning, but specifically for the Web Application Firewall (WAF);
- Logging Insights Package – a guided customization of four preconfigured dashboards and a set of consultation services.
All its new services are part of Fastly’s push to become an industry leader in the edge computing space and particularly appeal to developers and companies embracing DevOps principles. The company’s approach appears to be paying off: it reached a $100 million revenue run rate last year.