
My question is about CDNs. As I understand it, data flow looks something like this:

browser ==(https)==> CDN ==(https)==> originServer

In theory, this configuration should provide quicker retrieval time for the static .html, .js, .css, and .png files that comprise my app. All of these items are static and non-confidential, by the way. From the user's perspective, they live at https://www.myDomain.com.

But there's also dynamic data that's exchanged via https://ajax-www.myDomain.com. That content actually is confidential and I'd like to protect it from snooping eyes. It occurs to me that any employee working at the CDN could read the confidential 'ajax-www' content if he so desired, seeing as how the whole point of the CDN (as I understand it) is to act as a HTTPS termination point, cache data when possible, and pass it on.

Of course, I could circumvent the CDN entirely for 'ajax-www' calls. After all, the data in question is dynamic and can't be cached anyway. But then I'd be revealing the location of the origin server to the outside world and more importantly, I'd be losing the DDOS protection that the CDN provides.

The discussion here recommends that CDNs should be avoided for session-specific data but is there a viable alternative?

Is this even something worth worrying about? Has there ever been a (known) case of a CDN snooping on client traffic, either of their own volition or as a result of government pressure? Casual searching doesn't turn up anything. CDNs seem to be considered beyond reproach. But I just figured I'd ask -- the specific CDN that's under consideration is based out of Dubai so it's not like we'd have any recourse if snooping were to occur.

Sorry for the basic nature of this question. I'm kind of new to this stuff. Looking forward to hearing your thoughts.

  • CDNs are, by design, a MitM, so any CDN you use definitely requires a firm trust relationship. – Xiong Chiamiov Jan 21 '17 at 00:22
  • What you can do to mitigate this is to offload static files to the CDN on a separate domain while keeping your main app served directly by yourself, without any third-party. – André Borie Jan 21 '17 at 02:47

2 Answers
  • If you don't trust the CDN, don't use it.

  • You have absolutely no way to know whether the CDN reads your data or not. The CDN probably reads the data, to mitigate attacks.

  • If the data require a high level of protection, use a CDN under your jurisdiction.

  • If the data require a medium level of protection, you could bypass the CDN, and if you are under DDOS attack, switch to the CDN (switch your back-end to another IP too)

  • For static data, you can use a less trusted CDN if you:

    • use SRI to ensure the integrity of your resources

    • mask your referrer to preserve the privacy of your visitor (ex: <meta name="referrer" content="origin"> )

– Tom


browser ==(https)==> CDN ==(https)==> originServer

Right.

All of these items are static and non-confidential, by the way.

However, they still need integrity. The CDN shall not replace the original js with one which steals the secret data.

Of course, I could circumvent the CDN entirely for 'ajax-www' calls. After all, the data in question is dynamic and can't be cached anyway.

This is reasonable.

But then I'd be revealing the location of the origin server to the outside world

This could itself be a reverse proxy to another server, and/or you could have some more unlisted origin servers apart from this one.

However, note that it will probably be relatively easy to figure out anyway where your server is.

and more importantly, I'd be losing the DDOS protection that the CDN provides.

Most DDOS attacks would probably target the main server instead of the backend due to negligence when launching them, but that's the price of enabling this feature.

Maybe you can ask your CDN if they support tunneling encrypted traffic for that domain to your origin server without actually breaking the https session. That would hide your IP and maybe they can still do some (more limited) DDOS protection.

Basically you want two opposite goals at the same time, so you need to reach a compromise that suits your business needs.

CDNs seem to be considered beyond reproach.

A CDN doing this would probably fall out of business quite quickly.

the specific CDN that's under consideration is based out of Dubai so it's not like we'd have any recourse if snooping were to occur.

If this is a concern, you should also take into account other providers with local presence.

– Ángel