Application security & protocols

In Play Digital Signage, we take security of your data very seriously. This page gives a brief summary of the security procedures at Play Digital Signage

How is my web account secured?

Your passwords are stored in our database encrypted using top of the line Argon2 password hashing algorithm. This way, your passwords are not known to our staff and will not be compromised in the unlikely event of a data breach. Your login sessions are facilitated using Secure HTTPS-only cookies to eliminate the risk of eavesdropper stealing them by intercepting your connections.

When you register (or change password), we will go the extra mile to check your password against a public database of leaked passwords to ensure that you’re not using an insecure password. Your password does not leave our servers during the check, we use K-anonymity protocol to check the password at a trusted service HaveIBeenPwned.

Your web chat is managed by crisp.chat, yet another security conscious company, you can find their practices described in detail.

Additionally:

  • All the communications between your device and browser are protected using SSL and DNSSEC.
  • We backup your data multiple times a day.
  • We use CloudFlare to detect and mitigate hacker attacks.
  • We support Two-Factor Authentication.
  • All the communication between our servers is encrypted and done over private networks.

Read more:

How are my files secured?

Your files are hosted on Amazon S3 service, world’s most used file storage service. While we can not make the files private, because the players need to be able to download the files from the Internet, we generate a unique id for each file, so the URL is virtually impossible to guess. For an example this is the URL of an uploaded file:

https://s3.eu-central-1.amazonaws.com/infoscreen/944e6dab-76a2-4785-b913-c7966ad14ad8/a2cf019b-cb83-4192-b4fe-83827f481be0.png

An attacker has better chances of guessing your password! (so make sure it’s secure)

How secure are communications?

All connections to our servers are HTTPS, that means that the traffic is encrypted, that includes web-socket connections. We have disabled SSLv3 and use TLS exclusively.

The Internet traffic is routed through Cloudflare network, which protects our servers against Denial Of Service (DoS) and brute force attacks.

Read more:

How are players secured?

When a player is linked to a user account, the server generates a unique secret token that is sent to the player once. Every subsequent request made by the player to our servers requires the token to be present in order to prevent malicious attacker from impersonating as the player itself. The weakest link is the physical player security, so make sure it’s out of sight and if possible, then out of reach!

Read more:

Where is my credit card information stored?

We use Stripe as our payment gateway and they take care of storing your information securely. Stripe is PCI Data Security Standard certified company. When you link a credit card with your account, your credit card numbers are sent to Stripe servers directly from your browser, our system does not store or process your credit card information.

Read more:

Which external services the players connect to?

In case the player is behind a corporate firewall, you need to white-list following domains (port 443):

  • playsignage.com
  • We recommend whitelisting all subdomains of *.playsignage.com to be future-proof. If wildcard white-listing is not possible, then the player may also use following sub-domains:
    • stream.playsignage.com (WebSocket connection)
    • release.playsignage.com (only for Windows / OSX / Linux players to auto-update)
    • quotes.playsignage.com (Quote plugin is using this endpoint to fetch quotes)
    • onthisday.playsignage.com (Today In History plugin is using this endpoint to fetch data)
    • proxy.playsignage.com (Weather, Facebook and Instagram plugin use this domain)
    • my.playsignage.com (Location of proxy used to fetch insecure non-HTTPS web resources)
    • logging.playsignage.com (Optional, for us to receive player logs and help us debug issues)
    • analytics.playsignage.com (Optional, if you want to use analytics functionality)
  • s3.eu-central-1.amazonaws.com
  • images.unsplash.com (When using images from the Unsplash plugin)