Apple recently made waves within its developer community by introducing App Transport Security (ATS), a set of security best practices that are enforced by default when compiling apps for iOS 9 and OS X El Capitan.
The decision to make these policies opt-out rather than opt-in has not been without controversy, since it has set the bar for delivery high enough that some infrastructure providers are as yet unable to comply.
There are several requirements implemented by ATS that, while laudable, had not necessarily been adopted as industry standards across CDNs. Notable among these are TLS 1.2 or greater, certificates signed with SHA256 or better, and a cipher providing perfect forward secrecy.
If a connection attempt is made by an ATS app and those criteria are not met, the result is a hard failure and no connection.
For developers who control their own apps there is a relatively easy workaround — disable the ATS requirements that your delivery provider cannot meet or disable ATS altogether in your application’s settings.
Resolving the issue in this way is a perfectly acceptable solution if you’re aware of the security you’re sacrificing, and it has been proposed by several high profile companies including Google and Brightcove.
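The narrower of the two workarounds above, as an added example that is not from the original post: an Info.plist fragment that relaxes only the ATS requirements one delivery host cannot meet, instead of disabling ATS app-wide. The host name `cdn.example.com` and the choice of which requirements to relax are assumptions for illustration.

```xml
<!-- Added example: Info.plist fragment. cdn.example.com is a placeholder host. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- The blanket opt-out would be:
             <key>NSAllowsArbitraryLoads</key><true/>
         It is left out here so every other connection keeps full ATS enforcement. -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>cdn.example.com</key>
        <dict>
            <!-- Apply the exception to this exact host only. -->
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- Assumed gap 1: the provider cannot yet negotiate TLS 1.2. -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <!-- Assumed gap 2: the provider offers no forward-secret cipher. -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <!-- Plain HTTP stays blocked even for the excepted host. -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
        </dict>
    </dict>
</dict>
```

Each exception key can be removed as soon as the provider meets that requirement, which returns the host to default enforcement.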
Requiring that ATS be turned down or disabled doesn’t work, however, for those companies for whom delivery into third parties is critical. This includes those publishers whose content is consumed via API in third party apps, and ad networks and ad tech companies who need to function seamlessly across a wide variety of apps.
It’s not always feasible to ask that your partners disable security within their owned and operated apps.
It’s for this reason that Highwinds is proud to announce that we rolled out full ATS capability in time for the iOS 9 launch. We believe that Apple’s new paradigm of best practices in its developers’ and users’ interactions was a bold move in the vein we have come to expect from the technology leader, and we have demonstrated the flexibility and nimbleness of our engineering stack by tackling these requirements on behalf of our customers.
Highwinds supports TLS 1.2+, SHA256 and Perfect Forward Secrecy.
In addition to implementing this set of capabilities, we are further cementing our commitment to security by establishing a forward-looking security compliance and best practices task force and making compliance one of our key target metrics.
We foresee the future of the web as 100% SSL and will continue to support those trailblazing companies that put security and their customers’ interests first.
By Julio Seijo, Vice President, CDN Software Engineering