How is security managed on Crisp services?

Crisp takes your security and the security of your website visitors very seriously. Our team implemented security best practices at every level.

Ubiquitous Encryption

Encryption has become so cheap and convenient that it is now possible to enable it everywhere. All public network channels on the Crisp platform are fully encrypted. This applies to both asset loading (Web resources) and realtime chat channels (user messages and user data).

Our encryption techniques implement state-of-the-art practices:

  • Strong TLS keys: RSA, 2048 bits
  • Elliptic-Curve Cryptography
  • Forward-Secrecy with Diffie-Hellman parameters
  • HTTP Strict Transport Security

We dropped legacy encryption methods to alleviate known attacks:

  • The old SSL protocol is completely disabled (TLS replaces it)
  • Legacy ciphers are disabled (e.g. RC4)

This allows you and your users to stay safe:

  • Hide the data as it is being transmitted on the network
  • Prevent all modification of data as it is being transmitted on the network
  • Prevent man-in-the-middle (MITM) attacks
  • Allow the service to work on restricted networks, over strict proxies
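
As an added example (not Crisp's own code), the following check compares one observed TLS session with the properties listed above. It assumes OpenSSL-style cipher names; the function and parameter names are hypothetical, and the key size is supplied by the caller.

```python
import socket
import ssl

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}   # "the old SSL protocol"
LEGACY_CIPHER_MARKERS = ("RC4",)        # legacy cipher named on this page

def hsts_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            value = value.strip('"')
            return int(value) if value.isdigit() else None
    return None

def audit(protocol, cipher, key_type, key_bits, hsts_header):
    """List deviations of one observed session from the stated properties."""
    findings = []
    if protocol in LEGACY_PROTOCOLS:
        findings.append("legacy SSL protocol negotiated")
    if any(marker in cipher.upper() for marker in LEGACY_CIPHER_MARKERS):
        findings.append("legacy cipher negotiated")
    # TLS 1.3 suites always use (EC)DHE; older versions name it in the suite.
    if protocol != "TLSv1.3" and not cipher.upper().startswith(("ECDHE", "DHE")):
        findings.append("no forward secrecy")
    if key_type == "RSA" and key_bits < 2048:
        findings.append("RSA key below 2048 bits")
    if not hsts_max_age(hsts_header):
        findings.append("HSTS missing or max-age=0")
    return findings

def observe(host, port=443):
    """Return (protocol, cipher) negotiated with a live server (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    # Constructed sample observations, not captured from any real server.
    print(audit("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "RSA", 2048,
                "max-age=31536000; includeSubDomains"))
    print(audit("SSLv3", "RC4-SHA", "RSA", 1024, None))
```
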

Infrastructure Hardening

Server hardening is also critical in ensuring the best security for our users.

Here are some of our practices in terms of infrastructure management:

  • Server authentication using protected SSH keys
  • Abusive IPs are automatically banned or rate-limited (prevents brute-force attacks on accounts)
  • Denial-of-service protections are set everywhere (this ensures service resiliency under attack)
  • All our servers are hosted in the Netherlands, which is a neutral country regarding data

Security Practices In Our Team

Our whole team implements strict security practices regarding how they access their accounts:

  • Two-factor authentication on third-party services Crisp uses
  • Our SSH keys are all password-protected

Security Enhancements On Our Roadmap

The following advanced security practices will be implemented as soon as they are available in the third-party tools we use:

  • DNSSEC (requires the .im registrar to deploy DNSSEC on its authoritative DNS servers)
  • HTTP Public Key Pinning (requires CloudFlare to add support for it)

If you have questions regarding Crisp security, chat with us!

Valerian Saliou