node.js security real-time ably-realtime

Are messages sent to and received from Ably sent securely using TLS?


Using Ably's Node.js SDK to implement Push Notifications in my app. Are messages sent to and received from Ably sent securely using TLS?

(disclaimer: I am a developer advocate for Ably, and posting and self-answering a commonly asked support question here on Stack Overflow so our users can find this more easily)


Solution

  • Yes, by default all of Ably's client libraries use TLS when communicating with Ably over REST or via our Realtime transports such as WebSockets. Users are not charged for using TLS and are in fact actively encouraged to use TLS as it provides a secure transport for communication with Ably.

    If, however, you want to disable TLS (typically to reduce communication overhead for public data streams), you can specify tls: false in your client options when instancing a Realtime or REST library; see the ClientOptions documentation. Please note that unencrypted communication with Ably is disallowed if any of the following conditions are met:

    • You attempt to use Basic Authentication and thus transmit a private API key over an unencrypted connection. You are only permitted to use unencrypted connections with Token Authentication, as tokens expire, thus limiting the impact of the token being intercepted by a third party.

    • You have specified that TLS is required in your app settings.

    • A client using an unencrypted connection attempts to attach to a channel that is configured to be used with TLS only.

    Additional encryption

    Whilst TLS encryption ensures that messages in transit to and from Ably cannot be intercepted, inspected, or tampered with, it does not ensure that the Ably service itself is unable to (in theory) inspect your messages and their content. If you want to ensure that all messages are encrypted and inaccessible to even Ably, please consider using our private key symmetric encryption included in our client libraries.
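
The layering described under "Additional encryption", as an added example that is not part of the original answer and is not Ably's code: payloads are sealed with a shared symmetric key before they reach the transport, so the service in the middle only ever handles ciphertext. It uses Node's built-in crypto module with AES-256-GCM as a stand-in for the client libraries' own encryption feature; generateKey, sealMessage, openMessage and relayView are hypothetical names, and the sample payload is constructed.

```javascript
// Added example: payload-level encryption on top of TLS (not Ably's implementation).
const crypto = require('node:crypto');

// Shared secret, distributed out of band to publishers and subscribers only.
function generateKey() {
  return crypto.randomBytes(32); // 256-bit key for AES-256-GCM
}

// Encrypt a JSON-serialisable payload into an envelope that is safe to publish.
function sealMessage(key, channel, payload) {
  const iv = crypto.randomBytes(12); // fresh nonce per message, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(channel, 'utf8')); // bind the ciphertext to its channel name
  const data = Buffer.concat([
    cipher.update(JSON.stringify(payload), 'utf8'),
    cipher.final(),
  ]);
  return {
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    data: data.toString('base64'),
  };
}

// Decrypt and authenticate; throws if the envelope, key or channel does not match.
function openMessage(key, channel, envelope) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(envelope.iv, 'base64'));
  decipher.setAAD(Buffer.from(channel, 'utf8'));
  decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  const plain = Buffer.concat([
    decipher.update(Buffer.from(envelope.data, 'base64')),
    decipher.final(), // authentication tag is verified here
  ]);
  return JSON.parse(plain.toString('utf8'));
}

// Everything the messaging service can observe once TLS is terminated.
function relayView(envelope) {
  return JSON.stringify(envelope);
}
```

TLS still protects the envelope and the credentials on the wire; the key itself must never be sent through the channel it protects.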