undefined | Better HN

0 pointslwf8y ago0 comments

Early SSL/TLS termination is to reduce latency; the longer-lived connections from PoPs to Dropbox datacenters is over a TLS 1.2 connection with PFS. See an earlier blog post[1]:

> We use TLS 1.2 and a PFS cipher suite at both our origin data centers and proxies. Additionally, we’ve enabled upstream certificate validation and certificate pinning on our proxy servers. This helps ensure that the edge proxy server knows it’s talking to our upstream server, and not someone attempting a man-in-the-middle attack.

(N.B.: I work on security at Dropbox, and consulted on this design)

[1]: https://blogs.dropbox.com/tech/2016/11/infrastructure-update...

0 comments

codehusker8y ago

Much appreciated. Lots of great, technical blog posts I need to catch up on.

I have to admit, part of the reason I use Dropbox is that I know I can get answers directly from employees on HN.

walterbell8y ago

Does this change the legal/geo jurisdiction of the SSL/TLS handshake?

lwfOP8y ago

I'm not a lawyer, but I did work on one of the previous Transparency Reports[1]. From our most recent one:

> Between July and December 2016, Dropbox did not comply with any non-US government legal process unless issued by a US court as a result of the Mutual Legal Assistance Treaty process.

... if that helps answer what you're getting at :)

[1]: https://www.dropbox.com/transparency/reports

audiometry8y ago

Ironically, people are probably more worried about US Court actions these days than those of foreign governments.

justinjlynn8y ago

One would assume so, since the data is being unwrapped/rewrapped at another jurisdiction - thereby proving/providing the ability to do so there.

j / k navigate · click thread line to collapse