Information
Security is hard. There are countless ways to attack a system, and a single oversight can have drastic consequences. In addition to domain expertise, building a secure product requires a certain mindset. It takes a combination of creativity, paranoia, and attention to detail.
We have big incentives to get security right. We use Floobits to develop Floobits, so your code is just as secure as ours.
Share what's necessary, but no more
Most of our tools involve sharing code and terminals with others, but certain things should not be shared.
When using Flootty to share terminals, we do our best to avoid leaking information. When the owner of a terminal types, keystroke data is not sent to our servers. All the server knows is that a user has typed within the past couple of seconds. This avoids leaking passwords (or even the length of passwords) to others. For those who join a terminal, keystrokes are only sent to the terminal's owner.
Similarly, files containing sensitive information can be ignored by adding their names to .flooignore files.
Transport Encryption
Our site is only available over HTTPS. Any requests to http://floobits.com are redirected to HTTPS. We also use HTTP Strict Transport Security, which reduces the risk of man-in-the-middle attacks.
Also, we prefer ciphers that support perfect forward secrecy. In the incredibly unlikely event that an attacker passively intercepts your traffic and steals our private key, decrypting your past communications will still be computationally infeasible. The latest versions of Chrome, Firefox, and Safari support these ciphers.
Our editor plugins also connect over SSL.
XSS Protection
In addition to standard sanitization methods, we use the Content-Security-Policy HTTP header. The CSP header restricts which domains JavaScript can be loaded from. This increases the difficulty of cross-site scripting attacks.
Hashed, Salted Passwords
We never store your password. Passwords are hashed using 10,000 iterations of PBKDF2-SHA256. This is 10 times the number of iterations recommended by RFC 2898. Also, each hash uses a different salt, making rainbow tables ineffective.
Encrypted Backups
Backups of production data are encrypted using AES-256.
Encrypted Development Machines
We sometimes work with copies of production data on our development machines, so we all use full-disk encryption. Our backups are also encrypted. If our computers are stolen, your data (and ours) stays safe.
Multi-factor Authentication
We require a cryptographic token to access our internal administration tools. Even if someone managed to steal an administrator’s password, they would need the same admin’s YubiKey to access sensitive tools.
Reporting Security Issues
If you think you’ve found a security issue with Floobits, please email us. If the information is particularly sensitive, please encrypt it with this public key.