TL;DR; We strive to provide the best possible security. Enable Two Factor Authentication for your account at https://account.clanofthecloud.com/
Security has many facets, and none of them is less important than others, because a chain is only as secure as its weakest link. Let’s explore a few of them.
WHAT SSL PROVIDES
ClanOfTheCloud makes use of SSL/TLS exclusively.
The benefits are:
every communication is encrypted, which means only the recipient of a message can decrypt it, and the origin of the message is guaranteed too
TLS makes it impossible to eavesdrop, modify or replay messages (it’s a stream protocol… sending the same message twice does not send the same bytes)
The only real drawback of TLS is the cost for the initial protocol negotiation round trips. This is largely amortized with keep-alive connections which are always used by ClanOfTheCloud.
SSL/TLS is not a fixed standard, it’s more a framework. The security that SSL provides is only as good as that of its ingredients, ciphers and protocol versions. Some ciphers have proven too weak, some SSL versions buggy…
To assess the quality of the security provided by SSL, we’re using Qualys SSL Labs tests. Our configuration is rated A+, the best grade. Check your bank’s website, and you’ll understand why it’s such an achievement…
We’re disclosing the full reports for our API servers, Frontoffice and Backoffice servers.
How did we achieve such a good result? Our servers are configured to avoid SSL protocol versions that are insecure, and ciphers that are not secure enough.
All our servers are configured to redirect HTTP traffic to the HTTPS protocol. There’s no unencrypted traffic at all.
TWO FACTOR AUTHENTICATION
When you create an account, your credentials can be used to access all your data, in sandbox and production environments. So securing your credentials is essential.
A username/password couple is not enough. Note that we don’t store passwords, only SHA-1 hashes (and SSL protects from eavesdropping !).
The best protection you can get is with Two Factor Authentication, aka. 2FA. The idea is to authenticate your request with « one thing you know, and one thing you own »… We’ve chosen the widely used Google Authenticator system. Download the App for iOS or Android, then open https://account.clanofthecloud.com/, log in, and follow the procedure in the Account tab to enable 2FA.
After setting up 2FA, you’ll need Google Authenticator to log into the Frontoffice or Backoffice applications.
When looking for a payment gateway, we wanted one where we do NOT store credit card details. Stripe.com allows just that. When you enter your credit card information in ClanOfTheCloud’s frontoffice application, it’s sent to Stripe.com. We only store a token in our servers… And communication is encrypted of course.
We take your security very seriously. If you have any question, don’t hesitate a single second: contact us.