At Flowmingo we put a lot of effort into making the site as secure as possible. Web security is not something you can bolt on; you have to consider it throughout the site. It encompasses how you authenticate users, how you store their passwords and files, and how you encrypt the web session. Nor is it something you do once: the threats keep changing as new exploits are discovered and better techniques are invented. In this article I will focus on SSL and how we use it at Flowmingo.
HTTPS
First, we force all sessions to use HTTPS for all traffic, not just the login page. This keeps your session secure from prying eyes, especially those that would like to intercept your login credentials. Encrypting only the login form is not enough, because the session cookie that proves you are logged in travels with every subsequent request. Firesheep exposed this weakness in unencrypted web sessions by providing an easy way to hijack session cookies on open networks such as public wifi.
HTTP Strict Transport Security
HSTS is a response header (Strict-Transport-Security) that tells the browser to use a secure connection every time it connects to our site for the stated max-age. Once the browser has seen the header, it rewrites http:// links to https:// itself, before any packet leaves the machine. This prevents man-in-the-middle attacks that leverage the initial insecure connection formed when you first access the site without SSL, for example by typing the address without the scheme. The remaining exposure is that very first visit, before the browser has ever seen the header, which is why the header is sent with a long max-age on every HTTPS response.
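The two pieces above, the server forcing HTTPS with a redirect and the browser honouring the HSTS header it then receives, fit together as follows. This is an added example written for this article, not Flowmingo's code; the hostnames (app.example, api.app.example), the one-year max-age, the includeSubDomains flag and the timestamps are all assumptions constructed for the demonstration. The HstsCache class is a minimal model of the browser-side store described in RFC 6797: it ignores the header over plain HTTP, honours max-age=0 as a removal, applies includeSubDomains to child hosts, and lets entries expire.

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # assumed max-age for this example, in seconds


def hsts_header(max_age=ONE_YEAR, include_subdomains=True):
    """Value for the Strict-Transport-Security header a site sends on every HTTPS response."""
    return f"max-age={max_age}" + ("; includeSubDomains" if include_subdomains else "")


def _https_netloc(parts):
    # Port 80 (or none) maps to the default HTTPS port; any other port is kept as-is.
    return parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"


def https_redirect(url):
    """Server side: answer a plain-HTTP request with a 301 to the https:// form of the same URL."""
    parts = urlsplit(url)
    return "301 Moved Permanently", urlunsplit(("https", _https_netloc(parts), parts.path or "/", parts.query, ""))


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains); None if invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None                   # malformed max-age: the whole header is ignored
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)  # max-age is mandatory


class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797)."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, headers, now=None):
        """Record policy carried by a response. Returns True if the store changed."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # the header only counts over a secure connection (RFC 6797 s8.1)
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            return self._entries.pop(parts.hostname, None) is not None  # max-age=0 removes the entry
        self._entries[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now < expires_at and (i == 0 or include_sub):
                return True
        return False

    def upgrade(self, url, now=None):
        """Client side: rewrite an http:// URL to https:// when policy is known for its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url  # no policy yet: this request goes out in the clear (the first-visit window)
        return urlunsplit(("https", _https_netloc(parts), parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    cache, t0 = HstsCache(), 1_700_000_000
    print(cache.upgrade("http://app.example/login", t0))        # still http: nothing cached yet
    status, location = https_redirect("http://app.example/login")
    cache.observe(location, {"Strict-Transport-Security": hsts_header()}, t0)
    print(cache.upgrade("http://app.example/", t0 + 60))        # upgraded without touching the network
    print(cache.upgrade("http://api.app.example/v1", t0 + 60))  # subdomain covered by includeSubDomains
```

The first call to upgrade returns the URL unchanged because nothing has been cached yet; that is exactly the window a man-in-the-middle on the same wifi has. Everything after the HTTPS response that carried the header is rewritten locally. Note that a header received over http:// is discarded, so an attacker on the plain-HTTP leg can neither install nor clear policy.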
Perfect Forward Secrecy
After Edward Snowden let the world in on the fact that the NSA is actively collecting Internet communications and forcing providers to hand over SSL keys, it became clear that we needed PFS. With the classic RSA key exchange, the client encrypts the session key to the server's long-term key, so anyone who records the traffic today and obtains that key later can decrypt every session. With forward secrecy, the session key comes from a fresh per-connection Diffie-Hellman exchange, and the server's key only signs that exchange; compromising it later reveals nothing about past sessions. We deployed cipher suites that use ephemeral elliptic-curve Diffie-Hellman (ECDHE) key exchange to deliver our users forward secrecy. If you are interested in learning more about ECDHE you should check out this blog post. We regularly test our site at SSL Labs. This helps us ensure that we are keeping up with changes in cryptography, new exploits, and browser innovations.
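Forward secrecy is a property of the cipher suites the server is willing to negotiate, so it is worth checking the offered list rather than trusting the cipher string. Below is an added example, not Flowmingo's configuration, that builds a server-side TLS context in Python's standard ssl module with an assumed cipher string limited to ECDHE key exchange, then classifies every suite the context would actually offer. The classification rule is the one a practitioner applies by hand: TLS 1.2 suite names beginning ECDHE- or DHE- use an ephemeral exchange, static-RSA suites (names with no key-exchange prefix, such as AES256-GCM-SHA384) do not, and every TLS 1.3 suite is ephemeral by design.

```python
import ssl

# Assumed cipher string for this example: ephemeral ECDH key exchange with AEAD ciphers only.
# It governs TLS 1.2 suites; TLS 1.3 suites are configured separately and are always forward-secret.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def make_server_context(cipher_string=PFS_CIPHERS):
    """Build a server-side TLS context that only offers the given cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # SSLv3 / TLS 1.0 / TLS 1.1 are never offered
    ctx.set_ciphers(cipher_string)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE     # the server's order wins, not the client's
    return ctx


def is_forward_secret(cipher):
    """True when a suite (one dict from SSLContext.get_ciphers()) uses an ephemeral key exchange."""
    if cipher["protocol"] == "TLSv1.3":
        return True                                    # all TLS 1.3 suites use (EC)DHE
    # TLS 1.2 and older: the key-exchange method is the first part of the OpenSSL name.
    # Plain "AES128-SHA"-style names mean static RSA key exchange: no forward secrecy.
    return cipher["name"].startswith(("ECDHE-", "DHE-"))


def classify(ctx):
    """Split the suites a context would offer into (forward-secret, not forward-secret) name lists."""
    fs, non_fs = [], []
    for cipher in ctx.get_ciphers():
        (fs if is_forward_secret(cipher) else non_fs).append(cipher["name"])
    return fs, non_fs


if __name__ == "__main__":
    good_fs, good_non_fs = classify(make_server_context())
    print("forward-secret suites offered:", good_fs)
    print("suites without forward secrecy:", good_non_fs)      # expected: none
    # A weaker string that still admits static-RSA key exchange, for comparison.
    weak_fs, weak_non_fs = classify(make_server_context("AES256-GCM-SHA384:ECDHE+AESGCM"))
    print("weak config still offers without PFS:", weak_non_fs)
```

The exact names printed depend on the OpenSSL build Python is linked against, which is also why testing the live site at SSL Labs matters: it reports what the server negotiates with real clients, not what the configuration file says.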