Recent content delivery network (CDN) issues like #CloudBleed have shown that, in some cases, security is not their strongest side. Just like any other technology, a CDN has weak spots. What are they?
A CDN is a type of overlay network that improves user experience by serving content to visitors faster. It offers a wide range of services, such as edge caching, edge routing and SSL offloading. Many CDN providers offer overlay networks that let website developers use third-party infrastructure to improve speed and security. Instead of building a local data center, a website owner can rent overlay network infrastructure for a lower price.
Security Issues for overlay CDNs
When thinking over security issues with overlay networks, developers of mobile applications should consider the following points:
- Stateful vs Stateless Overlay Networks (the kind of edge service the CDN provides, for instance caching, routing and SSL offload). It’s important to use appropriate services, because storing content across several edges increases security risks.
- Need for SSL key. If a network requires SSL keys, it can enhance performance but also introduce new security vulnerabilities, especially when the content is stored on several edge nodes.
- Shared infrastructure means that other users’ problems can affect you. Isolation boosts security.
Stateful vs Stateless Overlay Networks
The vast majority of CDN solutions are designed to cache content in different geographical locations, while some overlay networks store no sensitive content on edge nodes. Caching of publicly available content creates no risk: videos, public images and fonts can be safely cached in a CDN.
However, if security is crucial for you, a public CDN won’t be the right choice: hosting of JavaScript libraries shouldn’t be entrusted to third-party CDNs. Limiting the number of data centers can be a good practice.
To address these security issues, there are two types of stateless overlay networks:
- SSL offload: an edge node performs the SSL handshake on behalf of the origin server, which reduces the resources the origin needs to support SSL connections, but the origin website needs to share its SSL keys.
- Edge routing: an edge node does not require SSL certificates to terminate TCP and optimize routing to the main server.
Is an SSL certificate required?
An overlay network executes SSL handshaking via an edge node, but SSL keys are required from the origin website in this case. Although the traffic is encrypted, content stored in cache is usually not encrypted, so it can become an easy target for hackers. Overlay networks boost traffic exchange without requiring SSL certificates: that poses security risks to website and app providers.
Overlay Networks: to share or not to share
The size and success of overlay CDN providers typically attract hackers, and many PoPs (points of presence) tend to be vulnerable to attacks: the risk is higher if a website shares SSL certificates with a network provider.
CDN services have one undeniable benefit: they reduce network congestion when serving static content. But there’s a weak side, too: any user with root-like permission on a CDN server can get access to content and replace it. If several websites share the same network infrastructure, another security challenge arises. If a hacker acquires access to one website, he can compromise data on thousands, or even millions of websites. That already happened to CloudFlare’s websites with malformed HTML tags.
Therefore, operating separate virtual networks on a per-URL or per-customer basis is a more secure approach. When websites and users are isolated, various bugs and attacks pose much lower risks for other customers.
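For sites that still load a JavaScript library from a shared CDN, replaced content of the kind described above can be detected by pinning a digest of the reviewed file and checking what the edge serves against it. This is an added example, not code from the original article. It assumes the browser Subresource Integrity attribute format, which the article does not mention, and the sample script bytes are constructed.

```python
import base64
import hashlib

# Algorithms defined by the SRI specification, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_value(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check content against an integrity attribute the way a browser does:
    only the strongest algorithm listed is considered, and any hash listed
    for that algorithm may match."""
    by_algorithm = {}
    for token in integrity.split():
        algorithm, sep, rest = token.partition("-")
        if not sep or algorithm not in SRI_ALGORITHMS:
            continue  # unknown or malformed tokens are ignored
        expected = rest.split("?", 1)[0]  # drop optional "?options"
        by_algorithm.setdefault(algorithm, set()).add(expected)
    if not by_algorithm:
        return False  # fail closed; a browser would load the file unchecked
    strongest = max(by_algorithm, key=SRI_ALGORITHMS.index)
    actual = sri_value(content, strongest).split("-", 1)[1]
    return actual in by_algorithm[strongest]


# Constructed sample data: the library as reviewed, and a copy altered
# on an edge node.
REVIEWED = b"function greet(){return 'hello';}\n"
TAMPERED = REVIEWED + b"/* injected */\n"
PINNED = sri_value(REVIEWED)

if __name__ == "__main__":
    print("integrity attribute:", PINNED)
    print("reviewed copy ok:", verify_sri(REVIEWED, PINNED))
    print("edge copy ok:", verify_sri(TAMPERED, PINNED))
```

The value returned by `sri_value` goes into the `integrity` attribute of the `script` tag, together with `crossorigin="anonymous"`; the same `verify_sri` check can run in a deployment pipeline against the copy fetched from the CDN.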