by lwf 3204 days ago
Early SSL/TLS termination is to reduce latency; the longer-lived connections from PoPs to Dropbox datacenters are over a TLS 1.2 connection with PFS. See an earlier blog post[1]:

> We use TLS 1.2 and a PFS cipher suite at both our origin data centers and proxies. Additionally, we’ve enabled upstream certificate validation and certificate pinning on our proxy servers. This helps ensure that the edge proxy server knows it’s talking to our upstream server, and not someone attempting a man-in-the-middle attack.

(N.B.: I work on security at Dropbox, and consulted on this design)

[1]: https://blogs.dropbox.com/tech/2016/11/infrastructure-update...
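
The upstream checks named in the quoted blog post (TLS 1.2, a PFS cipher suite, certificate validation, pinning), as an added example that is not part of the original comment and is not Dropbox's configuration: a Python client context a proxy could use toward its origin. The pin format (SHA-256 of the whole DER certificate), the function names and the cipher string are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Assumption: ECDHE-only AEAD suites stand in for "a PFS cipher suite".
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def build_upstream_context(cafile=None):
    """Client context: TLS 1.2 or newer, ECDHE key exchange, full validation."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restricts the TLS 1.2 suites; TLS 1.3 suites always use ephemeral keys.
    ctx.set_ciphers(PFS_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fingerprint(der_cert):
    """Hex SHA-256 of the DER-encoded certificate (the assumed pin format)."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned):
    """Compare against every pin in constant time; an empty pin set fails closed."""
    got = fingerprint(der_cert)
    ok = False
    for pin in pinned:
        ok |= hmac.compare_digest(got, pin.lower())
    return ok


def connect_pinned(host, port, pinned, cafile=None):
    """Chain and hostname validation happen in the handshake; the pin is checked after."""
    ctx = build_upstream_context(cafile)
    sock = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pinned):
        tls.close()
        raise ssl.SSLError("upstream certificate does not match any pin")
    return tls
```

Validation and pinning are separate checks here: a certificate that chains to a trusted CA but is not in the pin set is still rejected.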

2 comments

Much appreciated. Lots of great, technical blog posts I need to catch up on.

I have to admit, part of the reason I use Dropbox is that I know I can get answers directly from employees on HN.

Does this change the legal/geo jurisdiction of the SSL/TLS handshake?

I'm not a lawyer, but I did work on one of the previous Transparency Reports[1]. From our most recent one:

> Between July and December 2016, Dropbox did not comply with any non-US government legal process unless issued by a US court as a result of the Mutual Legal Assistance Treaty process.

... if that helps answer what you're getting at :)

[1]: https://www.dropbox.com/transparency/reports

Ironically, people are probably more worried about US Court actions these days than those of foreign governments.

One would assume so, since the data is being unwrapped/rewrapped at another jurisdiction - thereby proving/providing the ability to do so there.