Simple Strong SSL Security

Our users’ data is very important to us. From our perspective, we might store the most valuable information of professional athletes: their routines and the work required to make them exceptional in their field. This information is assembled by expert trainers and coaches using Trayn.

It’s no surprise that privacy and security are usually capitalized in our internal communication (this is not just because a lot of people speak German around us). Being responsible for the technical stuff and inspired by recent announcements of vulnerabilities on the internet, I wanted to present our current thoughts on the technical parts of our security measurements, or, in more detail, the state of SSL security.

Quick summary: We make sure that our users access their data in a secure way, so that nobody else can access that information. We also remove parts of our infrastructure that are not considered secure for today’s standards.

At the end of 2014, SSL Labs improved their grading criteria and we, together with a lot of other companies, updated our servers accordingly. The changes included Forward Secrecy and Strict Transport Security (HSTS). With HSTS enabled, a browser will remember that it was connected to HTTPS and should never go back to a unencrypted communication. This can avoid a lot of security problems. To read more about HSTS, I recommend this interesting discussion and a short tutorial on how to set it up.

The good thing is that all that information is available to everyone today. This does not make it easier to actually do the work, but everything is accessible. A small example of the changes we applied recently (Apache), with some additional comments:

# Disable SSL 2 and SSL 3
SSLProtocol all -SSLv2 -SSLv3

# Ciphers in the correct order, newlines added for readability
SSLHonorCipherOrder on
SSLCipherSuite
    EECDH+ECDSA+AESGCM
    EECDH+aRSA+AESGCM
    EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256
    EECDH+aRSA+SHA384
    EECDH+aRSA+SHA256
    EECDH+aRSA+RC4
    EECDH
    EDH+aRSA
    !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS

# HSTS
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"

We regularily update our servers based on expert recommendations (e.g. the order of the ciphers above) and as a result of our efforts, you should usually see an A+ in the SSL Labs Test for app.trayn.com. Go check it out now: A+ for app.trayn.com.

This short article was largely inspired by an article on Intercom, a product we use for the communication with our users. We think it’s also important to provide information about how we deal with security implications.