Squarespace SSL
For many years, Squarespace has supported TLS on all Squarespace subdomains using our wildcard certificate. At the core of any TLS-based communication is a public-key certificate: it attests that the subject named in the certificate holds the corresponding private key, and it can therefore be used as a means of authentication.
In the past, applying for a certificate was far from child's play, to say the least. In our view, website publishers should not have to pay extra or wrestle with complicated technical problems to obtain a certificate that gives their visitors essential security. To support TLS for every custom domain, we would have had to create TLS certificates for millions of domain names across our customers' accounts, and we had no way to do that automatically.
The Automatic Certificate Management Environment (ACME) is a protocol introduced in autumn 2015 for automatically issuing domain-validated (DV) certificates. For Squarespace, ACME was the critical enabler: it allowed us to obtain certificates for each of our customers' custom domains. Let's Encrypt is a free, open and automated certificate authority (CA) run in the public interest, founded in April 2016, that issues free TLS certificates through the ACME protocol.
As a proud Silver sponsor, Squarespace is pleased to announce its partnership with Let's Encrypt and to continue supporting technology advances that make the web more secure and accessible. Let's Encrypt is currently the second largest certificate authority in the world and covers more than 10 million domain names. Soon Squarespace will account for more than 30% of Let's Encrypt's total certificate traffic.
To obtain Let's Encrypt certificates, we first had to choose an ACME client implementation. Of all the ACME challenge types, we knew that tls-sni was the best fit for us, and we needed a great deal of customization. So we started with our own Squarespace ACME client implementing the RFC.
Once the ACME client was complete, we started building a system that would let us create certificates for all custom domains on our platform. Designed by our Core Services team, the certificate system comprises four new microservices plus databases, data stores, queues and an administrative interface.
The certificate proxy is the entry point to the certificate system. The certificate proxy service communicates with the certificate subscriber service, which manages the certificate life cycle: DNS validation, key generation, renewal and revocation. The certificate subscriber service calls the certificate gateway service, which communicates with Let's Encrypt through the Squarespace ACME client.
A reverse proxy code-named Echo, developed by our Edge Infrastructure team, terminates all TLS traffic; it is Java-based and built on Netty. Rather than bundling many domains into one SAN certificate, each domain gets its own certificate. Echo calls endpoints on the certificate service over mutual TLS to 1) fetch the self-signed certificates needed to complete the tls-sni ACME challenge, and 2) fetch the certificates and private keys needed to terminate production TLS traffic for custom domains.
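To make the tls-sni step concrete, here is an added example (stdlib-only Python, not Squarespace's or Let's Encrypt's code) that derives the validation hostname an edge proxy such as Echo has to present on the self-signed certificate for the tls-sni-01 challenge: the RFC 7638 JWK thumbprint of the account key, the ACME key authorization, and the `Z[0:32].Z[32:64].acme.invalid` name from the ACME draft. The sample JWK and token are constructed values, not a real account key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (sorted keys, no whitespace); optional members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """ACME key authorization: binds the challenge token to the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def tls_sni01_hostname(token: str, account_jwk: dict) -> str:
    """Name the proxy must present as the sole SAN dNSName on a self-signed
    certificate (chosen by SNI) when the CA validates tls-sni-01:
    Z = lowercase hex SHA-256 of the key authorization, split in two halves."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii"))
    z = digest.hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


# Constructed sample values (hypothetical account key and token, not real ones).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print(tls_sni01_hostname(SAMPLE_TOKEN, SAMPLE_JWK))
```

The proxy only needs the hostname and a throwaway self-signed certificate carrying it; the account private key never leaves the ACME client.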
The certificate services rely heavily on a caching layer to avoid repeated lookups against the data store. Issuing a certificate requires multiple round trips between the certificate gateway service and Let's Encrypt. To allow for delays and retries, the certificate gateway service implements an asynchronous workflow using three message queues.
To control the rate at which requests are sent to Let's Encrypt and avoid rate-limit failures, every new request entering the service is queued. When a request is dequeued, we make an authorization call and configure our reverse proxy to respond to the tls-sni challenge for that domain.
Because the resulting certificate may not be available immediately, we schedule another check by re-queuing the request with the same request/timeout logic. Once a valid certificate is retrieved, the gateway notifies the certificate subscriber service, which saves it in our database and in our data storage layer. Given the large number of domains, the repeated attempts to generate certificates and the many distinct steps involved, we built a certificate management interface.
With this user interface we can easily track the life cycle of a request to generate certificates for a given domain. During the initial certificate creation run for existing sites, the CA service sent about 100 requests per second to Let's Encrypt. DNS propagation takes time, so the system has to account for it and automatically retry certificate creation at periodic intervals.
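The queued, rate-controlled issuance loop described above, as an added example (Python, not Squarespace's code): incoming requests wait in a request queue, at most a fixed number of authorizations are started per tick, and each pending request is re-queued with the same check logic until the CA returns the certificate or the retry budget is spent. `FakeCA`, the per-tick limit and the retry budget are constructed stand-ins; the third stage (handing the certificate to the subscriber service) is modelled as the `outcomes` dict.

```python
from collections import deque


class FakeCA:
    """Constructed stand-in for the CA: a certificate becomes retrievable only
    after `ready_after[domain]` fetch attempts (default 1), mimicking the delay
    between authorization and issuance."""
    def __init__(self, ready_after=None):
        self.ready_after = ready_after or {}
        self.fetches = {}
        self.authorized = set()

    def authorize(self, domain):
        self.authorized.add(domain)

    def fetch(self, domain):
        assert domain in self.authorized, "fetch before authorize"
        self.fetches[domain] = self.fetches.get(domain, 0) + 1
        if self.fetches[domain] >= self.ready_after.get(domain, 1):
            return f"CERT({domain})"
        return None  # not ready yet: the caller must re-queue and check again


def run_gateway(domains, ca, max_auth_per_tick=2, max_retries=3):
    """Drain the queues tick by tick; return ({domain: outcome}, ticks used).
    `max_retries` is the total number of fetch attempts allowed per domain."""
    new_requests = deque(domains)   # queue 1: requests entering the service
    pending = deque()               # queue 2: (domain, attempt) awaiting a cert
    outcomes = {}                   # stage 3: what the subscriber service stores
    ticks = 0
    while new_requests or pending:
        ticks += 1
        # Rate control: start no more than N authorizations per tick.
        for _ in range(min(max_auth_per_tick, len(new_requests))):
            domain = new_requests.popleft()
            ca.authorize(domain)    # proxy would also be armed for tls-sni here
            pending.append((domain, 0))
        # Check every pending request once; re-queue with the same logic if not ready.
        for _ in range(len(pending)):
            domain, attempt = pending.popleft()
            cert = ca.fetch(domain)
            if cert:
                outcomes[domain] = cert
            elif attempt + 1 < max_retries:
                pending.append((domain, attempt + 1))
            else:
                outcomes[domain] = "FAILED: retry budget exhausted"
    return outcomes, ticks
```

A domain whose DNS has not propagated yet simply keeps failing its fetch and ends up as a visible FAILED outcome rather than blocking the queue, which is what a management interface then surfaces for a later periodic retry.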
Another way Squarespace is moving toward a more modern and secure web is perfect forward secrecy (PFS). To that end, we carefully selected the cipher suites we support, and session resumption is disabled on our reverse proxy. Every custom domain on our platform, whether purchased through Squarespace Domains or from any other registrar, receives a certificate.
Newly added domains are provisioned with their own SSL certificate within seconds. For TLS to work, make sure the DNS records for your custom domain are configured correctly. An additional benefit is that serving your Squarespace site over HTTPS can improve its search ranking. Enforcing TLS on Squarespace is currently opt-in.
Ultimately, we have secured tens of thousands more domains on the web with TLS, helping the web take a big step forward and making security by default a reality. Squarespace continues to transform the face of the web with these end-to-end security improvements, bringing the latest in transport security to all our customers at no extra charge.