What are the security risks to a CDN?
Like all networks exposed to the Internet, CDNs must guard against on-path attacks, data breaches, and attempts to overwhelm the network of the targeted origin server using DDoS attacks. A CDN can have multiple strategies for mitigating vulnerabilities, including proper SSL/TLS encryption and specialized encryption hardware.
What is SSL/TLS encryption?
Transport Layer Security (TLS) is a protocol for encrypting data that is sent over the Internet. TLS grew out of Secure Sockets Layer (SSL), the first widely adopted web encryption protocol, in order to fix most of the earlier protocol’s security flaws. The industry still uses the terms somewhat interchangeably for historical reasons. Any website that you visit starting with https:// rather than http:// is using TLS/SSL for communication between a browser and a server.
Proper encryption practices are a necessity in order to prevent attackers from accessing important data. Because the Internet is designed in such a way that data is transferred across many locations, it is possible to intercept packets of important information as they move across the globe. When a cryptographic protocol is used, only the intended recipient is able to decode and read the information, and intermediaries are prevented from decoding the contents of the transferred data.
The TLS protocol is designed to provide 3 components:
- Authentication – The ability to verify the validity of the provided identifications
- Encryption – The ability to obfuscate information sent from one host to another
- Integrity – The ability to detect forgery and tampering
What is an SSL certificate?
To enable TLS, a site needs an SSL certificate and a corresponding key. Certificates are files containing information about the owner of a site, and the public half of an asymmetric key pair. A certificate authority (CA) digitally signs the certificate to verify that the information in the certificate is correct. By trusting the certificate, you are trusting that the certificate authority has done its due diligence.