SSLMate Security

This page describes the security practices which SSLMate employs to protect your data. If you have any questions, get in touch at security@sslmate.com.

Private keys

Private SSL keys are generated exclusively on your system and are never transmitted to or stored by SSLMate. Private keys are stored on the filesystem using restrictive file permissions (600) by default. The sslmate command line program is open source and can be audited to verify that these assertions are true.
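The two properties stated above (the key never leaves the local filesystem, and the file is created with mode 600) are easy to get subtly wrong, for example by writing the file first and tightening permissions afterwards, which leaves a window in which the key is world-readable. The following is an added example, not code from the sslmate client, showing how to create a key file with restrictive permissions atomically and how to audit an existing file for group/other access. The PEM content is a constructed placeholder, not a real key.

```python
import os
import stat
import tempfile

# Constructed placeholder standing in for PEM-encoded private key bytes.
FAKE_PEM = b"-----BEGIN PRIVATE KEY-----\nEXAMPLE-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"


def write_private_key(path: str, pem: bytes) -> None:
    """Create `path` with mode 0600 and write `pem` into it.

    O_EXCL makes creation fail if the file already exists, so an attacker
    cannot pre-create (or symlink) the path. Passing 0o600 to os.open sets
    the mode at creation time, so the file is never readable by others.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)
    # os.open honours the process umask; an explicit chmod pins the mode.
    os.chmod(path, 0o600)


def key_file_is_private(path: str) -> bool:
    """Return True when no group or other permission bits are set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo() -> dict:
    """Create a correctly protected key and a deliberately loose one,
    returning the verdict of key_file_is_private() for each."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "example.key")
    loose = os.path.join(tmp, "loose.key")
    write_private_key(good, FAKE_PEM)
    write_private_key(loose, FAKE_PEM)
    os.chmod(loose, 0o644)  # simulate a key left group/world-readable
    return {
        "good_private": key_file_is_private(good),
        "good_mode": stat.S_IMODE(os.stat(good).st_mode),
        "loose_private": key_file_is_private(loose),
    }


if __name__ == "__main__":
    print(demo())
```

`key_file_is_private()` is the check to run over a deployment's key directory: anything returning False is a key that other local users could read.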

HTTPS configuration

The SSLMate website and the SSLMate API endpoint are accessible over HTTPS only, and SSLMate servers are configured to prefer strong, forward secure ciphers. Strict Transport Security (HSTS) is used to ensure that web browsers use only HTTPS to contact SSLMate, and sslmate.com is included in the HSTS preload list.

The SSLMate client communicates with SSLMate over HTTPS and correctly validates the server's SSL certificate.

Credit card information

SSLMate does not store credit card details. We outsource our credit card processing to Stripe, which complies with PCI standards. Credit card details are transmitted securely to Stripe directly from your web browser and never pass through our servers.

Password storage

Account passwords are stored securely using a one-way key derivation algorithm (PBKDF2 with 25,000 rounds of HMAC-SHA256). If you request a password reset, a temporary token will be randomly generated and emailed to you.

Infrastructure

Servers run only stable operating systems with software that receives automatic nightly security updates. Public-facing services are kept to a minimum to reduce the attack surface.

Servers are configured using configuration management to ensure the uniformity of security-sensitive configuration. Our configuration management repository is encrypted and signed to protect sensitive credentials and prevent unauthorized configuration changes.

All communication between internal systems, including database traffic, travels over a VPN. All systems used for development and administration use full disk encryption to protect keys and credentials.

Reporting a security issue

SSLMate investigates all reported security issues and credits security researchers who report vulnerabilities to us. If you believe you've found a security vulnerability in any aspect of SSLMate's software or services, please send an email to security@sslmate.com (optionally using our PGP key), with as much information as possible about the potential flaw. You will receive a response as soon as possible, usually within 24 hours.

Please note that the following are not considered security issues:

  • Clickjacking when logged out - Since it is not possible to perform security-sensitive actions when logged out, and there are legitimate uses for framing, SSLMate does not send an X-Frame-Options header when logged out. We do send a restrictive X-Frame-Options header when logged in, as well as on the login, signup, and password reset pages. If you find an actual security vulnerability due to clickjacking, please let us know. However, the mere lack of an X-Frame-Options header on some pages does not constitute a security vulnerability.
  • Lack of Content-Security-Policy header - Since our templating engine does not allow the injection of unescaped HTML, developing a Content Security Policy is a lower priority than other security work. If you find an actual security vulnerability such as XSS, please let us know. However, the mere lack of a Content-Security-Policy header does not constitute a security vulnerability.
  • Lack of CAPTCHAs - Since CAPTCHAs are user-hostile, SSLMate does not use them. We accept that this allows automated submission of forms.

PGP Keys

Acknowledgements

  • Shivam Kumar Agarwal - reported that SSLMate did not invalidate other login sessions when changing an account's password.
  • Evan Ricafort - @evanricafort - reported that SSLMate did not invalidate password reset tokens when changing an account's password.
  • Mubassir Kamdar - reported that the performance of SSLMate's password hashing implementation degraded with long passwords.
  • Gamiel Xavier V. Manbiotan - reported that SSLMate did not invalidate password reset tokens when changing an account's email address.
