SSLMate Security

This page describes the security practices employed by SSLMate. If you have any questions, get in touch at security@sslmate.com.

Application Security

Account passwords are stored securely using a one-way key derivation algorithm (PBKDF2 with 25,000 rounds of HMAC-SHA256). Passwords can be up to 100 characters in length and contain any characters. If you request a password reset, a temporary token will be randomly generated and emailed to you.

Logins are rate limited to frustrate brute force attempts.

You can enable two-factor authentication on your account using WebAuthn. We do not restrict the type of authenticator that you can use.

All important account actions, such as logins and password changes, are logged and can be viewed in your audit log. Log entries are retained for 30 days, with longer retention periods available for an additional charge.

We support SSO. To enable SSO on your account, please contact us. Business plans support role-based access control when using SSO.

Integrations

You may optionally integrate SSLMate with your accounts at other providers, so that SSLMate can automatically publish DNS records or discover domains to monitor. All requests to your third-party account are proxied through a hardened service which verifies and logs the request before sending it to the third-party provider. The main SSLMate backend has no access to your credentials.

Private Keys

Private keys are generated exclusively on your system, and never on the SSLMate servers. Private keys are stored on your filesystem using restrictive file permissions (600) by default.

When you use the sslmate command line program, private keys are never transmitted to or stored by the SSLMate servers.

When you use the web console, private keys are generated by your web browser using WebCrypto and are never transmitted to or stored by the SSLMate servers.

When you use sslmate-agent, private keys are synchronized with other instances of sslmate-agent in your cluster using end-to-end encryption. Only the holder of your secret cluster key can reverse the encryption and recover your private key. Cluster keys are generated exclusively on your system, and are never transmitted to or stored by the SSLMate servers. Therefore, SSLMate can never see your private keys.

Technical details: Keys are generated using a cryptographically-secure pseudo-random number generator (specifically, crypto/rand from Go's standard library). Encryption is performed with the NaCl symmetric secret box construction, which uses XSalsa20 for encryption and Poly1305 for authentication. The 256-bit symmetric secret box key is derived from your 256-bit secret cluster key using HKDF. The 192-bit nonce is randomly generated using a cryptographically-secure pseudo-random number generator and prepended to the encrypted message. We use the NaCl and HKDF implementations from Go's x/crypto library; we don't roll our own crypto.
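As an added illustration of the scheme described above (example code, not sslmate-agent's own): a 256-bit cluster key goes through HKDF to produce a separate 256-bit box key, a random 192-bit nonce is prepended to the authenticated ciphertext, and decryption with a wrong cluster key or of a modified message fails instead of yielding plaintext. Because this example uses only Go's standard library, AES-256-GCM stands in for the XSalsa20-Poly1305 secretbox that sslmate-agent actually uses, and the HKDF info label is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

const nonceSize = 24 // 192-bit random nonce, prepended to the ciphertext

// hkdfSHA256 is HKDF (RFC 5869) extract-then-expand with HMAC-SHA256.
func hkdfSHA256(secret, salt, info []byte, outLen int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret); prk := ext.Sum(nil) // pseudorandom key
	var out, prev []byte
	for ctr := byte(1); len(out) < outLen; ctr++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(prev); exp.Write(info); exp.Write([]byte{ctr})
		prev = exp.Sum(nil)
		out = append(out, prev...)
	}
	return out[:outLen]
}

// aeadFor derives the 256-bit box key from the 256-bit cluster key with HKDF.
// Standard-library AES-256-GCM stands in for NaCl secretbox (XSalsa20-Poly1305).
func aeadFor(clusterKey []byte) (cipher.AEAD, error) {
	if len(clusterKey) != 32 { return nil, errors.New("cluster key must be 256 bits") }
	block, err := aes.NewCipher(hkdfSHA256(clusterKey, nil, []byte("sslmate-agent key sync (assumed label)"), 32))
	if err != nil { return nil, err }
	return cipher.NewGCMWithNonceSize(block, nonceSize)
}

// sealPrivateKey returns nonce || ciphertext || auth tag, the form synchronized between agents.
func sealPrivateKey(clusterKey, privateKeyPEM []byte) ([]byte, error) {
	aead, err := aeadFor(clusterKey)
	if err != nil { return nil, err }
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, privateKeyPEM, nil), nil
}

// openPrivateKey splits off the nonce and authenticates before decrypting: a wrong key or modified byte is an error.
func openPrivateKey(clusterKey, msg []byte) ([]byte, error) {
	aead, err := aeadFor(clusterKey)
	if err != nil { return nil, err }
	if len(msg) < nonceSize+aead.Overhead() { return nil, errors.New("message too short") }
	return aead.Open(nil, msg[:nonceSize], msg[nonceSize:], nil)
}
```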

The SSLMate client software is open source and can be audited to verify that these assertions are true.

Programming Practices

All SQL is executed with prepared statements to eliminate SQL injection. All HTML is generated with context-aware templating engines (either XSLT or Go's html/template library) to eliminate XSS vulnerabilities. Credentials are stored separately from source code. We carefully choose and audit our third-party dependencies, and monitor them for security advisories and new releases.

All developers are trained in secure programming practices. We maintain a set of secure programming guidelines addressing common vulnerabilities. Code that deviates from the guidelines undergoes special security review.

HTTPS Configuration

The SSLMate website and the SSLMate API endpoint are accessible over HTTPS only, and SSLMate servers are configured to prefer strong, forward secure ciphers. Strict Transport Security (HSTS) is used to ensure that web browsers use only HTTPS to contact SSLMate, and sslmate.com is included in the HSTS preload list.

The SSLMate client communicates with SSLMate over HTTPS and correctly validates the server's SSL certificate.

Credit Card Information

SSLMate does not store credit card details. We outsource our credit card processing to Stripe, which complies with PCI standards. Credit card details are securely transmitted to Stripe directly from your web browser and never pass through our servers.

Internal Controls

To prevent unauthorized changes to our production environment, all changes are tracked and documented in version control, and require the approval of management before being deployed.

Access to internal systems and data is limited exclusively to staff with a legitimate need. All access requests must be approved by management and recorded. Access grants are periodically reviewed and unnecessary grants are revoked.

For authentication to internal systems and vendors which hold customer data, we use public key authentication with hardware-backed credentials, two-factor authentication, and/or SSO where possible.

Data Handling

Our development and testing environments are segregated from production and have no access to customer data.

All data is encrypted at rest, in transit, and in backups.

We access your data only when strictly necessary to deliver our services or to provide you with customer support. You can view customer support access in your audit log.

We never copy data to external media such as USB drives.

We can immediately delete your data from our production systems upon request, but your data may be retained for up to a year in backups. Backups are not accessed under normal circumstances.

We ensure that any vendor with access to customer data has sufficient security.

Vendors with access to customer data:

Vendor              | Compliance documentation                               | Notes
Amazon Web Services | https://aws.amazon.com/compliance/                     |
Stripe              | https://docs.stripe.com/security                       | Payment information only
Backblaze           | https://www.backblaze.com/cloud-storage/compliance     | Data is end-to-end encrypted and Backblaze does not have access to the decryption key

Infrastructure

All production servers, and client endpoints used for development and administration, run stable operating systems that receive security support. Security updates are automatically applied daily. Software and services are kept to a minimum to reduce the attack surface.

All systems are configured using configuration management to ensure the uniformity of security-sensitive configuration. Our configuration management repository is encrypted and signed to protect sensitive configuration and prevent unauthorized configuration changes.

All systems use full disk encryption, and all communication between internal systems, such as database traffic, travels over a VPN, TLS, or SSH.

All systems are protected by firewalls with default-deny policies.

All systems log to a centralized log server. Sensitive data, such as passwords, are not logged.

We don't operate our own data centers, but we work with vendors who are able to provide strong physical security guarantees.

Disaster Recovery

We back up our data automatically to multiple offsite locations and providers, with recovery point objectives ranging from 5 minutes to 6 hours. Backups are encrypted to prevent unauthorized access. We continuously monitor backup health and investigate and fix failures immediately. We've documented our recovery plan and test it annually.

Reporting a Security Issue

SSLMate investigates all reported security issues and credits security researchers who report vulnerabilities to us. If you believe you've found a security vulnerability in any aspect of SSLMate's software or services, please send an email to security@sslmate.com (optionally using our PGP key), with as much information as possible about the potential flaw. You will receive a response as soon as possible, usually within 24 hours.

We will not bring legal action against you for engaging in Good Faith Security Research. Good Faith Security Research is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

Please note that the following are not considered security issues:

Customer Testing

With authorization, you may test the security of our application using industry-standard practices, as long as they do not result in disruption to our production environment. To request authorization, please send an email to security@sslmate.com which details the purpose, scope, methodology, and duration of the proposed security testing.

PGP Keys

Acknowledgments