Here at BrickFTP, we spend a lot of time thinking about security. If you are a security geek like us, you have probably heard about the recent announcement from Google that the widely used SHA1 hash algorithm is unsafe.
If you hadn’t heard about that, it’s major news. SHA1 is used to protect a lot of secure communications online, and we use it for our SFTP service on port 22. I’ll talk more about SHA1 later in this email, but first I’d like to speak more generally.
I realized that we don’t talk about our opinions and values regarding security a lot on our email list or on our marketing website, and decided to make an effort to change that.
Here are BrickFTP’s Core Values Regarding Security:
We believe that the need for information security is greater now than it ever has been. Cyberattacks have become more frequent and it is our position that they will continue to increase in the coming years.
We believe that if a service is advertised as secure, it had better be secure against all known attacks, even if that security means that we break backwards compatibility for some of our customers running older software.
Other companies are more than happy to continue distributing software that includes security features that are known to be broken and cryptographic ciphers that are known to be defeated in practice. You know who these companies are. They’re the big guys who will have sales guys breathing down the necks of the engineers if the engineers dare do anything that stirs the pot. One of the advantages of our relatively small size is that we feel no such pressure.
We commit to only distributing products that we believe are secure.
We resolve to keep our customers secure against evolving threats, even if it means they might have to do some work on their end to keep up with a changing security landscape.
The reality of information security today is that best practices always change. An encryption technology that used to be best-in-class might get broken. Flaws are discovered. Technology evolves.
The reason we sell a monthly subscription is because we want you to have a product that will protect you against the threats seen today, not the threats envisioned 3 years ago.
In practice this means that we expect our customers to have to install updates to their FTP and SFTP clients on a regular basis. It also means that our customers will need to use modern web browsers.
We also believe that it’s careless not to be upgrading those things anyway.
For customers that require backwards compatibility, we will maintain insecure options, but only if it is made clear that they are insecure, and only if they are disabled by default for new customers.
We will allow unencrypted FTP and unencrypted HTTP if you enable it. What we won’t do is allow FTPS, SFTP, or HTTPS via ciphers or protocols that are known to be broken.
I hope that reading these core values makes you feel a little better about BrickFTP.
Sadly, I do know that this policy causes us to lose customers. We have some customers that want us to advertise security but not break compatibility with old and broken systems. They want us to offer HTTPS via ciphers that have been known for years and years to be insecure. They want us to support IE6 and Windows XP.
In the past, we tried to strike a balance between compatibility and absolute security. We are not going to do this going forward. We’d rather plant a flag in the ground and stake a claim as the company that cares about your security. We want to force our customers to upgrade their software if that’s what it takes to protect them.
That’s why we stopped supporting Windows XP last year due to its lack of support for secure cryptography. And that’s why we are going to take some aggressive actions to remove SHA1 from our infrastructure in the wake of the recent news about SHA1.
Specifically, we intend to take the following actions regarding cryptography in our infrastructure:
On April 1, 2017, we will remove our support for TLSv1.0, an insecure version of the TLS protocol that underlies HTTPS and the version used by Internet Explorer versions less than IE11. This will cause our site to stop working on IE9 and IE10. Removing TLSv1.0 is also required by the PCI standard.
On April 1, 2017, we will remove SHA1 from the message digest (MAC) algorithms offered on SFTP.
Effective immediately, we are removing legacy ciphers that we used to support on SFTP port 22, including RC4, Blowfish, 3DES, and AES in CBC mode.
We believe that this is an appropriate response to recent security news. Going forward, we believe that the suite of encryption we offer is best-of-breed and safe.
The last bullet point in that list deserves some explanation, both because it doesn’t seem related to SHA1 and because it has an immediate effective date. Here’s what happened. While auditing our SFTP server for SHA1 support, we discovered a configuration problem that was causing us to support some outdated ciphers via SFTP, despite the fact that we disabled them for FTPS and HTTPS a long time ago. Our engineers made a decision to correct this configuration immediately so that we treat cipher selection consistently between FTP and SFTP.
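As an added illustration of the kind of audit described here (this is example code, not BrickFTP's own tooling or configuration), the following Python script checks an OpenSSH sshd_config fragment for the algorithm families retired above: RC4, Blowfish, 3DES, AES in CBC mode, and SHA1 MACs. Both configuration fragments are constructed for the example. Flagging MD5 MACs and SHA1-based key exchange methods goes beyond the list in the announcement and is an assumption about what a consistent policy would also retire.

```python
"""Audit an OpenSSH sshd_config fragment for legacy cipher, MAC and key
exchange algorithms. Added example; the configuration text is constructed."""
import re

# Directives whose values are comma-separated algorithm lists.
ALGORITHM_DIRECTIVES = ("Ciphers", "MACs", "KexAlgorithms")

# Algorithm families to flag. RC4/Blowfish/3DES/CBC/SHA1-MAC come from the
# announcement; MD5 MACs and SHA1 key exchange are assumptions added here.
LEGACY_PATTERNS = {
    "Ciphers": [
        (re.compile(r"^arcfour"), "RC4"),
        (re.compile(r"^blowfish-"), "Blowfish"),
        (re.compile(r"^3des-"), "3DES"),
        (re.compile(r"-cbc(@|$)"), "CBC mode"),
    ],
    "MACs": [
        (re.compile(r"sha1"), "SHA1 MAC"),
        (re.compile(r"md5"), "MD5 MAC"),  # assumption, not in the announcement
    ],
    "KexAlgorithms": [
        (re.compile(r"sha1$"), "SHA1 key exchange"),  # assumption, not in the announcement
    ],
}


def parse_algorithm_directives(config_text):
    """Return {directive: [algorithm, ...]} for the algorithm-list directives.

    Mirrors sshd's rule that the first occurrence of a keyword wins. Comments
    are stripped and keywords are matched case-insensitively. Match blocks and
    Include are not modelled; a leading '-' (remove from defaults) is skipped
    because the built-in default lists are not known here."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        for directive in ALGORITHM_DIRECTIVES:
            if key.lower() == directive.lower() and directive not in found:
                if value.startswith("-"):
                    continue  # removal list relative to defaults; out of scope
                value = value.lstrip("+^")  # '+'/'^' append/prepend to defaults
                found[directive] = [a.strip() for a in value.split(",") if a.strip()]
    return found


def audit(config_text):
    """Return {directive: [(algorithm, reason), ...]} for every legacy
    algorithm the fragment offers. An empty dict means nothing was flagged."""
    findings = {}
    for directive, algorithms in parse_algorithm_directives(config_text).items():
        for algorithm in algorithms:
            for pattern, reason in LEGACY_PATTERNS.get(directive, []):
                if pattern.search(algorithm):
                    findings.setdefault(directive, []).append((algorithm, reason))
                    break
    return findings


# Constructed example of the drift described in the announcement: the SSH
# daemon still offers suites that were dropped from FTPS/HTTPS long ago.
LEGACY_CONFIG = """
Port 22
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc,blowfish-cbc,arcfour256
MACs hmac-sha2-256,hmac-sha1,hmac-sha1-96
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
"""

# Constructed hardened counterpart: AEAD/CTR ciphers, SHA-2 MACs, SHA-2 kex.
HARDENED_CONFIG = """
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(text)
        print(f"{name}: {'clean' if not findings else 'legacy algorithms offered'}")
        for directive, hits in findings.items():
            for algorithm, reason in hits:
                print(f"  {directive}: {algorithm} ({reason})")
```

Running the script reports every flagged algorithm in the legacy fragment and nothing for the hardened one. The same check can be pointed at a server's actual sshd_config in a deployment pipeline so that the cipher policy for SFTP is enforced alongside the one for FTPS and HTTPS rather than drifting apart again.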
We will continue to closely monitor the security landscape and want to offer our absolute commitment to our customers that we will prioritize their safety over making another sale.
As a result of these efforts, we are one of the very few websites that earn an “A+” grade from the Qualys SSL Labs server test, an automated audit of our SSL/TLS configuration for HTTPS.
Our engineers have also been working toward completion of third-party audits of our security controls and hope to be able to share the results of those audits with our customers later this year.
The only action you need to take as a result of this email is to make sure that you aren’t using Internet Explorer versions less than IE11 or using versions of FTP or SFTP clients that are outdated. Alternatively, you can disable SSL security on your BrickFTP site via the Configuration tab.
If you require assistance with either of these things, we’re here for you! Just email email@example.com.