Using a Secure CDN to Accelerate Your Content

Security is very important to us here at KeyCDN which is why we have various security features to help not only protect your content but also prevent unauthorized access to your CDN account. In this post we'll go over what makes KeyCDN a secure CDN and which features we provide to increase the security of your content and account.

The importance of security

According to a survey conducted by TeleSign, 40% of users said they had a security incident in the last year, meaning they had an account hacked, password stolen, or were given a notice that their personal information had been compromised.

One of the most common reasons for these incidents occurring is because people are not using a complex enough password. According to NordPass, the top ten most widely used passwords are:

1. password
2. 123456
3. 123456789
4. guest
5. qwerty
6. 12345678
7. 111111
8. 12345
9. col123456
10. 123123

These are definitely not the types of passwords we recommend using! Here is a good guide on how to choose a strong password. We also recommend using a free program like KeePass or KeePassX which allow you to generate secure passwords and store them in a database locally on your computer.

Moreover, here are a few alarming security facts over the past couple of years:

• 21 percent of all files are not protected in any way (Varonis).
• 65 percent of companies have over 500 users who never are never prompted to change their passwords (Varonis).
• In Q1 2022 there was a 25 percent increase in reported system vulnerabilities (Comparitech).
• Half of the vulnerabilities in internal web applications are classified as high risk (Comparitech).

With that in mind, it's important to have secure infrastructure in place at all levels to minimize the threat of data breaches. Therefore, KeyCDN offers three powerful ways to help you protect your account from being compromised.

1. Secure CDN account with two-factor authentication

The first account security feature KeyCDN offers is two-factor authentication that helps improve account security by requiring the user to provide two forms of authentication in order to log in. Any authentication app, such as Google Authenticator or Authy, can be used to generate an authentication code to log in.

2. Secure CDN account by restricting IP addresses

KeyCDN also offers the ability to secure your CDN account by setting up account access rules. This allows you to restrict the access to your account by IP address (e.g. /32) or network (e.g. /24). You can look up your public IP address by using KeyCDN's IP Location Finder tool.

3. Account notifications

Lastly, to keep you notified of any account activity, KeyCDN also offers account notifications that will alert the account owner of a successful login or a change in the Origin URL of any Zones. The login notification sends an email to the account owner with information such as the username, login time, and the IP address of the user that logged in. The origin change notification sends the user an email providing them with the Zone that was modified, the changed Origin URL, and the time that the change took place.

Automated KeyCDN security features

KeyCDN also provides several other security features and upgrades in the background. We do this to offer superior protection while at the same time giving our customers the ability to take advantage of the latest and greatest software improvements. Below are 3 automated features we run in the background to enhance security for all.

1. TLS upgrades

At KeyCDN, we pride ourselves on being ahead of the curve in terms of implementing new, stable technology that is known to make the web faster and more secure.

That's why back in September of 2018, we were happy to announce that we launched TLS 1.3 with 0-RTT support. This newly updated version of TLS offers users both faster performance and improved security. Moreover, 0-RTT support actually negates the need for any round trip on existing connections which are resumed. Below, is a diagram showing the difference between 1-RTT and 0-RTT.

Furthermore, to take our commitment to web security a step further, we deprecated TLS versions 1.0 and 1.1 back in March of 2018. This decision was made due to the fact that these legacy versions of TLS simply don't offer the same level of protection as they once did. Much has changed since these versions of TLS were released and in order to provide the optimal level of security we strive for, these TLS versions were deprecated in favor for TLS 1.2 and 1.3.

2. Automatic DDoS protection

DDoS attacks can be one of the biggest disruptors to a website's infrastructure. The average maximum attack bandwidth increased from 266 gbps in 2021 to 325 gbps in the first half of 2022. In this context, the volume of data packets transmitted also increased from around 277,000 per second to 1.5 million per second in the same period. The key indicators for critical payload are also important for the DDoS attacks that take place today. The decisive factor is how much time elapses after the first bytes are transmitted before the maximum traffic value (the critical payload) is reached. In 2021, the time to peak was 184 seconds. In the first half of 2022, it took only 55 seconds. The consequence of such turbo attacks is that they can paralyze a network before the defensive measures even take effect.

Protecting against a DDoS attack isn't always easy however KeyCDN has implemented various layers of protection to detect and rectify any possible DDoS attacks. In fact, we have built an entirely custom infrastructure just to handle DDoS mitigations. This ensures that if an attack does take place that things are routed accordingly to unaffected POPs/edge servers so that visitors don't incur any downtime.

3. Bad bot protection

There is a multitude of bots who crawl the Internet every day. Some bots such as Googlebot or Bing bot are trying to determine the type of content you have on your site so that it can be properly indexed in their search engines. However, other bots crawl websites with malicious intent which cannot only impose security risks but also uses up bandwidth which costs you money.

To help combat this, KeyCDN offers a bad bot protection feature where we maintain a list of known bad bots and block them automatically from accessing your CDN content. To enable this feature the Block Bad Bots setting needs to be set to enabled.

Once done, bad bots will receive a 451 error when trying to access your content thus protecting both your content and your KeyCDN credits.

Additional security hardening options

In addition to securing your CDN account, KeyCDN has many other security features available.

• CSRF (Cross Site Request Forgery) validation
• Secure Token
• HTTP Strict Transport Security
• CORS (Cross-Origin Resource Sharing)
• Shared and custom SSL/TLS certificates (free custom SSL/TLS certificates also available through our Let's Encrypt integration)

Summary

We highly recommend KeyCDN users take advantage of the security features above to better secure your CDN account. If anything, they will help add peace of mind knowing that your account is safe and it is hardened against unauthorized access in the future.