Security overview

Security in Fangout software is continually reviewed by the developers, IT administrators, and security researchers responsible for deploying the software in their organizations.

Multiple rounds of penetration testing and security analysis, in addition to internal reviews, have produced a long list of safeguards, processes, policies, and compliance features.

Security features

Fangout offers a host of features to help keep your private cloud communications secure.

Private Cloud deployment

  • The Fangout messaging app can run entirely behind your firewall as a single Linux binary, as a Docker container, or on your Kubernetes cluster with a PostgreSQL database. Remote access can be enabled through VPN clients on PCs so that Fangout can be used outside your private network.

  • User sessions across web and PC clients can be remotely revoked through profile settings, or via the System Console by deactivating accounts.

  • The Fangout warp speed file server can also run on-premise behind your firewall as a single binary on Linux, Mac, or Windows, using local block storage, or on instances in your public cloud with S3-compatible object storage.

  • The messaging app communicates with the file server over a TLS-secured connection, as long as the file server has network access to the app.

  • In the private-to-private scenario, where both file servers are on-premise, files can be transferred directly between them end-to-end as long as the two ends can reach each other, either physically within the same network or via VPN.

  • In the private-to-public scenario, transfers are always initiated from the private side, which makes the request to the publicly hosted server; this includes uploading files from a laptop or desktop.

Centralized security and administration

  • Manage users, studios, access control, and system settings in a web-based System Console user interface.

  • Mount and manage Fangout file servers and storage within each studio. Studios can deploy Fangout file servers backed by your own storage, which the whole studio can then use to create channels.

  • Editors can also deploy Fangout file servers in a home lab and mount them in the Fangout app as personal storage, from which channels can be created to share a personal portfolio or invite people to access it.

Transmission security

  • Fangout supports TLS encryption using AES-256 with 2048-bit RSA between Fangout client applications and the Fangout server, across both LAN and the internet.

  • File servers transfer files over DTLS v1.2 using TLS_ED25519_X25519_WITH_AES_256_GCM_SHA256.

  • Encryption-at-rest is available for messages via hardware and software disk encryption solutions applied to the Fangout database, which resides on its own server within your infrastructure. To enable end-user search and compliance reporting of message histories, Fangout does not offer encryption within the database.

  • Encryption-at-rest is available for files stored via hardware and software disk encryption solutions applied to the server used for local storage or storage via MinIO.

  • Encryption-at-rest is available for files stored in Amazon’s proprietary S3 system using server-side encryption with Amazon S3-managed keys (Fangout Enterprise) when users choose not to use open source options.

Integrity and audit controls

  • By default, Fangout stores a complete history of messages, including edits and deletes. User interface actions for “deleting” messages and channels remove the data only from the user interface; the data is retained within your database. If your compliance guidelines require it, you can turn off users’ ability to edit and delete their messages after they are posted.

  • The Fangout file server acts directly on user actions: deleting files or folders removes them permanently, whereas trashing files or folders moves them to the system trash folder.

  • There is no retention policy for Fangout files, except for free trial and expired subscription studios. Users can issue a sync operation to back up files periodically, or a delete operation with search filters, or a combination of criteria, to remove old files.

  • The output and archives of server logs can be saved to a directory of your choice. Fangout server logs plus logs from your web proxy can provide an end-to-end history of system usage.

  • The file server logs and databases can be backed up periodically by simply copying them live to the backup location, without integrity issues even while the server is running.

Authentication safeguards

  • To protect against brute force attacks, you can set rate limiting on APIs, varied by query frequency, memory store size, remote address, and headers.

  • Session length, session cache, and idle timeout can be configured according to your internal policies, automatically forcing a user to re-login after a specified period of time.

  • Remotely revoke user sessions across web, mobile devices, and native desktop apps. User sessions can also be revoked remotely by a system admin in System Console > Users.

  • Session fixation, where an attacker tricks a user into authenticating with a known session cookie, does not affect Fangout users because a new session cookie is set at each login.

  • The file server uses JWTs signed with a private/public key pair for authentication; for each operation, the Fangout app issues a short-expiry token that is used to authenticate with the file server.
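As an added illustration of the per-operation token scheme in the point above (example code, not Fangout's own; the claim names, the Ed25519/EdDSA choice and the token lifetime are assumptions): the app signs a JWT bound to exactly one operation with its private key, and the file server, holding only the public key, rejects tokens whose algorithm, signature, expiry or bound operation do not match the request.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims carried in each per-operation token; the field names are this example's assumption.
type Claims struct {
	Sub string `json:"sub"` // user id
	Op  string `json:"op"`  // the single file-server operation this token authorises
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

var b64 = base64.RawURLEncoding

// Issue is the app side: a JWT for one operation, valid for ttl, signed with Ed25519 (EdDSA).
func Issue(priv ed25519.PrivateKey, sub, op string, ttl time.Duration, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Sub: sub, Op: op, Exp: now.Add(ttl).Unix()})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput)))
}

// Verify is the file-server side: it needs only the public key and checks alg, signature, expiry and op.
func Verify(pub ed25519.PublicKey, token, wantOp string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hj, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hj, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unexpected header or algorithm") // no alg confusion: only EdDSA is accepted
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature") // also catches any edited header or claims
	}
	var c Claims
	if bj, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(bj, &c) != nil {
		return nil, errors.New("bad claims")
	}
	if now.Unix() >= c.Exp || c.Op != wantOp {
		return nil, errors.New("token expired or issued for a different operation")
	}
	return &c, nil
}
```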

*DISCLAIMER: FANGOUT DOES NOT POSITION ITS PRODUCTS AS “GUARANTEED COMPLIANCE SOLUTIONS”. WE MAKE NO GUARANTEE THAT YOU WILL ACHIEVE REGULATORY COMPLIANCE USING FANGOUT PRODUCTS. YOUR LEVEL OF SUCCESS IN ACHIEVING REGULATORY COMPLIANCE DEPENDS ON YOUR INTERPRETATION OF THE APPLICABLE REGULATION, AND THE ACTIONS YOU TAKE TO COMPLY WITH THEIR REQUIREMENTS. SINCE THESE FACTORS DIFFER ACCORDING TO INDIVIDUALS AND BUSINESSES, WE CANNOT GUARANTEE YOUR SUCCESS, NOR ARE WE RESPONSIBLE FOR ANY OF YOUR ACTIONS. NO GUARANTEES ARE MADE THAT YOU WILL ACHIEVE ANY SPECIFIC COMPLIANCE RESULTS FROM THE USE OF FANGOUT OR FROM ANY RECOMMENDATIONS CONTAINED ON OUR WEBSITES, AND AS SUCH, THIS SHOULD NOT BE A SUBSTITUTE TO CONSULTING WITH YOUR OWN LEGAL AND COMPLIANCE REPRESENTATIVES ON THESE MATTERS.