
What is the Difference Between SSL Termination and SSL Passthrough (a.k.a. SSL Offloading)

With the introduction of XL Routes Shield on Heroku and on our Direct Service, we’ve had a few questions about the differences between XL Routes Static, which uses SSL Termination, and XL Routes Shield, which uses SSL Passthrough.

Please use this handy little cheat sheet to learn the differences between the two types of security methods when using our XLRoutes proxies for your traffic.

Unlike other Static IP proxies, only XL Routes Shield neither exposes sensitive data nor requires sharing private certificates with third parties when using HTTPS or Secure SOCKS.

Exposing sensitive data and sharing private security keys is not HIPAA / PCI compliant and introduces multiple security vulnerabilities – even if you aren’t subject to any outside security requirements.

XL Routes Shield uses SSL Passthrough – instead of SSL Termination – to route all traffic securely.

XLR Shield safeguards three pieces of sensitive information that other Static IP services leave vulnerable:

Private SSL Certs

You never have to share your private keys with a third party, like XLRoutes. As of 2018, 56% of security incidents stem from 3rd party data compromises.1

Sensitive Infrastructure Metadata

You never expose your source/destination hostnames, open ports, and running/accessible services and applications to malicious actors, which would allow them to map out your corporate network.

Static IP Proxy Credentials

You never route any IP Proxy credentials unencrypted, where hackers could steal them and impersonate your traffic through your trusted Static IPs.

1 The Cybersecurity Industry’s Third Party Risk Management Problem is Rooted in Visibility

SSL and TLS

Secure Sockets Layer (SSL), more recently known as TLS (Transport Layer Security), is the most common security protocol for HTTP traffic traversing the Internet.

SSL/TLS encrypts the communications between a client and a server, which allows for secure bi-directional message exchanges.

You can see SSL in action when you look at your website address bar and see the closed lock symbol. Also, when the URL of a website address says “HTTPS,” the “S” indicates that SSL is being used to secure the connection and encrypt the data. Google has been pushing website operators to use SSL for all their websites, even websites that are non-financial or have no sensitive material, to make the web more secure for everyone, so you will likely see this lock symbol on most sites today.

XL Routes Static

Static IPs with HA+LB for Inbound/Outbound (HTTP/SOCKS5) Encrypted Connections

SSL Termination / SSL Offloading

XL Routes Static uses SSL Termination for routing requests between endpoints.

SSL termination (a.k.a. SSL Offloading) decrypts all HTTPS traffic when it reaches the XLRoutes proxy server. At this point, routing is executed and the data proceeds to the destination server as plain HTTP traffic.

If your XLRoutes implementation uses an HTTPS URL for the forwarding URL (as most customers do), then the data between XLRoutes and the final destination is encrypted as well. However, XLRoutes does have to decrypt the data, using your security keys, to determine the next hop and then re-encrypt the data before it is sent to the next point.

XL Routes Shield

Inbound/Outbound Static IPs. End-to-End Encryption with ACM - HIPAA Compliant

SSL Passthrough

XL Routes Shield uses SSL Passthrough for routing requests between endpoints.

SSL passthrough passes encrypted HTTPS traffic all the way to the backend server without decrypting the traffic on the proxy.

Therefore, traffic passes through the proxy encrypted, and the destination server (web application server, database server, etc.) decrypts it to read the data.
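The two modes described above, shown side by side as a generic HAProxy configuration. This is an added illustration, not XL Routes' own configuration; the hostname, addresses and file paths are placeholders.

```haproxy
# Constructed example: app.example.com, the 192.0.2.x / 203.0.113.x
# addresses and all file paths are placeholders.

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Option A: SSL termination (offloading) -------------------------
# The proxy holds the site's certificate AND private key, decrypts every
# request, can read and act on the HTTP content, then opens a second
# TLS session toward the origin.
frontend fe_terminate
    mode http
    # The .pem file contains the private key: it lives on the proxy.
    bind 192.0.2.1:443 ssl crt /etc/haproxy/certs/app.example.com.pem
    # Header rewriting is possible only because traffic is in cleartext here.
    http-request set-header X-Forwarded-Proto https
    default_backend be_terminate

backend be_terminate
    mode http
    # Re-encrypt to the origin and verify its certificate.
    server origin 203.0.113.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(app.example.com)

# --- Option B: SSL passthrough --------------------------------------
# The proxy relays TCP bytes only. No certificate or key is configured
# anywhere in this section: the TLS session is negotiated end to end
# between the client and the origin, which keeps the private key.
frontend fe_passthrough
    mode tcp
    bind 192.0.2.2:443
    default_backend be_passthrough

backend be_passthrough
    mode tcp
    server origin 203.0.113.10:443 check
```

The review point is where `crt` appears: any proxy configured with it must be given the private key, while the passthrough section has no key material to protect or leak.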

How do I get SSL Passthrough to work for my XL Routes Shield Static IP proxy?

To get SSL Passthrough to work with XL Routes Shield, do the following:

  1. Sign up for XL Routes Shield either at Heroku or on our Direct site.
  2. Use the XLRoutes wizard to configure your domain name and forwarding URL.
  3. Change your DNS to point to the CNAME record we provide in your account.
  4. Allow up to an hour for the DNS settings to propagate and you’re done.

Note that you do not have to upload your certificates to XLRoutes when using XL Routes Shield.

Why does XL Routes Static use SSL Termination and not SSL Passthrough?

XL Routes Static uses SSL Termination because it is generally faster and allows for actions to be performed based on the data.

If there are no concerns regarding the compromise of data passing from the proxy to the destination server, SSL Termination is likely a better solution.

If you have any questions about the differences, please feel free to email us at Support.
