Security is hard. There are countless ways to attack a system, and a single oversight can have drastic consequences. In addition to domain expertise, building a secure product requires a certain mindset. It takes a combination of creativity, paranoia, and attention to detail.

We have big incentives to get security right. We use Floobits to develop Floobits, so your code is just as secure as ours.


Share what's necessary, but no more

Most of our tools involve sharing code and terminals with others, but certain things should not be shared.

When using Flootty to share terminals, we do our best to avoid leaking information. When the owner of a terminal types, keystroke data is not sent to our servers. All the server knows is that a user has typed within the past couple of seconds. This avoids leaking passwords (or even the length of passwords) to others. For those who join a terminal, keystrokes are only sent to the terminal's owner.

Similarly, files containing sensitive information can be ignored by adding their names to .flooignore files.


Transport Encryption

Our site is only available over HTTPS. Any requests to http://floobits.com are redirected to HTTPS. We also use HTTP Strict Transport Security, which reduces the risk of man-in-the-middle attacks.

Also, we prefer ciphers that support perfect forward secrecy. In the incredibly unlikely event that an attacker passively intercepts your traffic and steals our private key, decrypting your past communications will still be computationally infeasible. The latest versions of Chrome, Firefox, and Safari support these ciphers.

Our editor plugins also connect over SSL.


XSS Protection

In addition to standard sanitization methods, we use the Content-Security-Policy HTTP header. The CSP header restricts which domains JavaScript can be loaded from. This increases the difficulty of cross-site scripting attacks.


Hashed, Salted Passwords

We never store your password. Passwords are hashed using 10,000 iterations of PBKDF2-SHA256. This is 10 times the number of iterations recommended by RFC 2898. Also, each hash uses a different salt, making rainbow tables ineffective.


Encrypted Backups

Backups of production data are encrypted using AES-256.


Encrypted Development Machines

We sometimes work with copies of production data on our development machines, so we all use full-disk encryption. Our backups are also encrypted. If our computers are stolen, your data (and ours) stays safe.


Multi-factor Authentication

We require a cryptographic token to access our internal administration tools. Even if someone managed to steal an administrator’s password, they would need the same admin’s YubiKey to access sensitive tools.


Reporting Security Issues

If you think you’ve found a security issue with Floobits, please email us. If the information is particularly sensitive, please encrypt it with this public key.