Hacker News new | ask | show | jobs
by codehusker 3202 days ago
From the last link, in 2016 "Proxy-Stack deployed at our edge PoPs to terminate SSL connections closer to our users".

Reminds me of the infamous "SSL added and removed here! :^)".

Does anyone know if there are any additional protections from snooping on their internal network?

edit: phrasing
2 comments
lwf 3202 days ago
Early SSL/TLS termination is to reduce latency; the longer-lived connections from PoPs to Dropbox datacenters is over a TLS 1.2 connection with PFS. See an earlier blog post[1]:

> We use TLS 1.2 and a PFS cipher suite at both our origin data centers and proxies. Additionally, we’ve enabled upstream certificate validation and certificate pinning on our proxy servers. This helps ensure that the edge proxy server knows it’s talking to our upstream server, and not someone attempting a man-in-the-middle attack.

(N.B.: I work on security at Dropbox, and consulted on this design)

[1]: https://blogs.dropbox.com/tech/2016/11/infrastructure-update...

link
codehusker 3202 days ago
Much appreciated. Lots of great, technical blog posts I need to catch up on.

I have to admit, part of the reason I use Dropbox is that I know I can get answers directly from employees on HN.

link
walterbell 3202 days ago
Does this change the legal/geo jurisdiction of the SSL/TLS handshake?
link
lwf 3201 days ago
I'm not a lawyer, but I did work on one of the previous Transparency Reports[1]. From our most recent one:

> Between July and December 2016, Dropbox did not comply with any non-US government legal process unless issued by a US court as a result of the Mutual Legal Assistance Treaty process.

... if that helps answer what you're getting at :)

[1]: https://www.dropbox.com/transparency/reports

link
audiometry 3200 days ago
Ironically, people are probably more worried about US Court actions these days than those of foreign governments.
link
justinjlynn 3202 days ago
One would assume so, since the data is being unwrapped/rewrapped at another jurisdiction - thereby proving/providing the ability to do so there.
link
antoncohen 3202 days ago
I believe they mean bringing the SSL/TLS handshake closer to the user is beneficial, it doesn't mean the proxy doesn't use SSL/TLS to its upstreams.

In this post they say specifically it is about the handshake:

https://blogs.dropbox.com/tech/2017/06/evolution-of-dropboxs...

I don't know if they use SSL/TLS to their upstreams, I'm just saying terminating in at the edge doesn't mean that is the end of all SSL/TLS. It is totally normal to terminate SSL/TLS at the edge, pretty much anyone using an HTTPS load balancer or CDN does it, but the LB or CDN can still use SSL/TLS to the upstreams and verify certificates of upstreams.

link