Monday 29 September 2014

Cloudflare Attempts Lost SSL Key Risk with Keyless SSL

With the increasing number of organizations worrying about and wanting the optimal security protection, San Francisco-based CloudFlare has announced new software which is specifically targeting this requirement.

According to CloudFlare, An SSL key is the data though which the organizations will be able to establish a highly secure connection with the customer they are trying to connect with. This data will enable the organizations to establish their own identity. Here comes the despair. If someone has the organization private SSL key, then they can authenticate as if you were the organization. One can spoof the identity as well as intercept the traffic.

According to Matthew Prince, CEO, what can be considered as a bay day is when a media organization loses an SSL key but a nightmare is reached when a financial institution loses the SSL Key. According to the senior writer at InfoWorld, Serdar Yegulalp, In a conventional SSL system, the private key that is used for login in all sessions is held in the same public-facing server as that of server used for fulfilling Web traffic. The potential risks of this system were depicted by the Heartbleed bug, wherein the private key information can be leaked out easily.

The Key is the Key (SSL): 

CloudFlare announced their new software called Keyless SSL, with the aim of targeting the organizations looking for a defending tool for themselves against the service attacks on their websites without them turning towards their private encryption keys. The organization will be utilizing the 28 data centers of CloudFlare around the world. Through this software companies will be able to use the cloud while controlling and maintaining their SSL. As per Sean Gallagher from Ars Technica, Keyless SSL will be able to break the encryption 'handshake' at the very start of the TLS (Transport Layer Security) web session, through this it will pass part of data to the data center of the company for further encryption.


According to world’s renowned security experts Phil Zimmermann and Jon Callas “To limit the access is the one of the core feature of principles of computer security to restrict the access for cryptographic keys and now Keyless is best to implement this feature”


Davi Ottenheimer, a senior director of EMC Corporation, believes that Keyless SSL will be the fundamental innovation in the world of cyber security and everyone should concern about the risks of handing their private keys, when they give it to service providers.

The CloudFlare team was working on different means through which the banks can hold on to their private keys with the system being in development for years. This started over two years ago, post the call Prince received from Chief Information Security Officer of one of the world's largest banks. According to the CISO, they need assistance from Prince and his team on a certain issue.

According to John Clark, this new software will increase its importance among the banks that are at high risk from cyberattacks. By using the Keyless SSL, CloudFlare will be putting the servers in a completely lees secure data centers, wherein whenever the server is rebooted it leads to complete disappearance of data from the remote data centers. Through this the master encryption keys are never under any risk.

No comments:

Post a Comment

Note: only a member of this blog may post a comment.