Network, Domains, SSL
Network Security
If needed, additional security settings can be set for customer, that include:
IP restrictions (access from selected subnet)
Integration with one or more LDAP, SAML or ADFS server
VPN, IPSec and others.
Connectivity between SaaS service and end users requires SSL (see SSL Certificates)
Network Bandwidth
The minimum network speed connection that is recommended and gives acceptable performance is a 3G mobile network.
4G Mobile network or cable connection of at least 10 Mbps is recommended.
How is the application optimized for network use?
The application itself is cached by the browser and advanced cache management techniques are used to load individual application components.
Application components are "lazy loaded" to optimize initial application load time
Application exchanges required information using efficient JSON format and utilities XHR browser requests.
Large format / scale / resolution images are pre-processed by the server to optimal JPEG or PNG formats to save bandwidth and optimize browser performance.
Data transmitted between browser and server is compressed using the “gzip” method. This often helps to reduce the size of transmitted data by half or even more.
Firewalls
Network access is protected by dedicated hardware firewalls. Firewalls and network switching are configured in N+1 redundancy and support automatic fail-over.
User, Storage and system traffic is using a separated vLAN networks or dedicated network.
Connectivity between Data Centers
Connectivity between data centers is established using a dedicated fiber network.
Available domain names
Customer can access their application via SSL connection under selected address:
<customerName>.hyperhouse.se
<customerName>.hdc.cloud
<customerName>.bim.cloud
Custom domains or certificates can be used as part of individual agreement.
SSL Certificates
Each hosting plan includes an SSL certificate issued by Internet Security Research Group (ISRG). An end user can only connect and authenticate via secured connection encrypted with SSL Certificate.
Downgrade no non secure connection is not allowed. A custom certificate of any level can be used based on individual agreement.
Base service setup is enough to get an A+ security rating based on Qualys SSL Labs assessment.
Certificate details:
RSA 2048 bits (SHA256withRSA)
Protocols: TLS 1.3 TLS 1.2
Other SSL characteristics:
Secure Renegotiation | Supported |
Secure Client-Initiated Renegotiation | No |
Insecure Client-Initiated Renegotiation | No |
BEAST attack | Mitigated server-side |
POODLE (SSLv3) | No, SSL 3 not supported |
POODLE (TLS) | No |
Zombie POODLE | No TLS 1.2 : |
GOLDENDOODLE | No TLS 1.2 : |
OpenSSL 0-Length | No TLS 1.2 : |
Sleeping POODLE | No TLS 1.2 : |
Downgrade attack prevention | Yes, TLS_FALLBACK_SCSV supported |
SSL/TLS compression | No |
RC4 | No |
Heartbeat (extension) | No |
Heartbleed (vulnerability) | No |
Ticketbleed (vulnerability) | No |
OpenSSL CCS vuln. (CVE-2014-0224) | No |
OpenSSL Padding Oracle vuln. | No |
ROBOT (vulnerability) | No |
Forward Secrecy | Yes (with most browsers) ROBUST |
ALPN | Yes h2 http/1.1 |
NPN | Yes h2 http/1.1 |
Session resumption (caching) | Yes |
Session resumption (tickets) | Yes |
OCSP stapling | No |
Strict Transport Security (HSTS) | Yes |
HSTS Preloading | Not in: Chrome Edge Firefox IE |
Public Key Pinning (HPKP) | No |
Public Key Pinning Report-Only | No |
Public Key Pinning (Static) | No |
Long handshake intolerance | No |
TLS extension intolerance | No |
TLS version intolerance | No |
Incorrect SNI alerts | No |
Uses common DH primes | No |
DH public server param (Ys) reuse | No |
ECDH public server param reuse | No |
Supported Named Groups | x25519, secp256r1, x448, secp521r1, secp384r1 (server preferred order) |
SSL 2 handshake compatibility | Yes |
0-RTT enabled | No |