Showing posts with label CloudFlare.

Monday 29 September 2014

Cloudflare Addresses the Lost SSL Key Risk with Keyless SSL

With a growing number of organizations worrying about security and wanting the best possible protection, San Francisco-based CloudFlare has announced new software aimed specifically at this need.

According to CloudFlare, an SSL key is the data through which an organization establishes a secure connection with the customer it is communicating with; it is also how the organization proves its own identity. Here lies the danger: if someone holds the organization's private SSL key, they can authenticate as if they were the organization, spoofing its identity as well as intercepting its traffic.

According to CEO Matthew Prince, a media organization losing an SSL key is a bad day, but a financial institution losing its SSL key is a nightmare. As InfoWorld senior writer Serdar Yegulalp explains, in a conventional SSL setup the private key used to authenticate every session is held on the same public-facing server that serves the web traffic. The Heartbleed bug showed the risk of this arrangement, since it allowed private key material to be leaked from such a server.

The Key is the Key (SSL): 

CloudFlare announced its new software, called Keyless SSL, aimed at organizations that want to defend their websites against denial-of-service attacks without handing over their private encryption keys. Such organizations will make use of CloudFlare's 28 data centers around the world: through this software, companies can use the cloud while keeping control of their own SSL keys. As Sean Gallagher of Ars Technica describes it, Keyless SSL splits the encryption 'handshake' at the very start of the TLS (Transport Layer Security) web session, passing part of the handshake data to the company's own data center, where the encryption step that needs the private key is performed.
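The split handshake described above can be modelled in a few dozen lines. The following is an added illustration written for this post, not CloudFlare's code: an "edge" server terminates the client connection but holds only the public key, and the one step that needs the private key (signing the handshake digest) is forwarded to a "key server" that stays in the customer's data center. The key is a toy RSA key built from two small Mersenne primes, the hostname whitelist on the key server is an assumed policy, and the class and function names are all invented for the example.

```python
import hashlib

# Toy RSA key, constructed for illustration only: two Mersenne primes give a
# ~150-bit modulus, far too small for real use. Real Keyless SSL uses the
# customer's actual certificate key (2048 bits or more).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


class KeyServer:
    """Runs in the customer's own data center and is the only place the
    private exponent exists. It answers signing requests over a (here
    simulated) authenticated channel and keeps an audit log of every use."""

    def __init__(self, private_exponent, modulus, allowed_hosts):
        self._d = private_exponent
        self._n = modulus
        self._allowed_hosts = set(allowed_hosts)
        self.audit_log = []

    def sign(self, hostname, digest):
        # Assumed policy: only sign for hostnames this key server was configured for,
        # so a compromised edge cannot obtain signatures for arbitrary names.
        if hostname not in self._allowed_hosts:
            raise PermissionError(f"key server will not sign for {hostname}")
        if not 0 < digest < self._n:
            raise ValueError("digest must be reduced modulo the key modulus")
        signature = pow(digest, self._d, self._n)  # textbook RSA: digest^d mod n
        self.audit_log.append((hostname, digest))
        return signature


class EdgeServer:
    """CloudFlare-side server: terminates the client connection but holds only
    the public half of the key plus a channel to the customer's key server."""

    def __init__(self, modulus, public_exponent, key_server):
        self._n = modulus
        self._e = public_exponent
        self._key_server = key_server

    def handshake(self, hostname, client_random, server_random):
        # The transcript stands in for the handshake messages whose signature
        # proves the server controls the certificate's private key.
        transcript = b"|".join([hostname.encode(), client_random, server_random])
        digest = int.from_bytes(hashlib.sha256(transcript).digest(), "big") % self._n
        # Only this step leaves the edge: the digest goes to the key server and
        # a signature comes back; the private key itself never moves.
        signature = self._key_server.sign(hostname, digest)
        # The same check the TLS client performs with the certificate's public key.
        return verify(self._n, self._e, digest, signature), signature


def verify(modulus, public_exponent, digest, signature):
    """Textbook RSA verification: signature^e mod n must reproduce the digest."""
    return pow(signature, public_exponent, modulus) == digest


if __name__ == "__main__":
    ks = KeyServer(D, N, allowed_hosts=["bank.example"])
    edge = EdgeServer(N, E, ks)
    ok, sig = edge.handshake("bank.example", b"client-nonce", b"server-nonce")
    print("handshake signature valid:", ok)
    print("edge holds private exponent:", hasattr(edge, "_d"))
```

The point of the layout is visible in what each object holds: a memory leak or reboot of the edge (the Heartbleed scenario from the post) exposes at most the public key and one signature per handshake, while the key server's audit log shows exactly which handshakes the private key was used for.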


According to the world-renowned security experts Phil Zimmermann and Jon Callas, “Limiting access to cryptographic keys is one of the core principles of computer security, and Keyless is the best way to implement this principle.”


Davi Ottenheimer, a senior director at EMC Corporation, believes that Keyless SSL will be a fundamental innovation in cyber security and that everyone should be concerned about the risks of handing their private keys to service providers.

The CloudFlare team had been working for years on ways for banks to hold on to their private keys. The effort started over two years ago, after Prince received a call from the Chief Information Security Officer of one of the world's largest banks, who said they needed help from Prince and his team with a particular problem.

According to John Clark, this new software will be especially important to banks, which face a high risk of cyberattack. With Keyless SSL, CloudFlare can place its servers in far less secure data centers, since whenever a server is rebooted the key data on it disappears entirely from those remote data centers; the master encryption keys are therefore never put at risk.

Wednesday 12 February 2014

Cloudflare Announces Massive DDoS Attack

The network security provider Cloudflare reported last night a massive DDoS attack on one of its customers. It was an NTP reflection attack, believed to be larger than the one in 2013. The attack on one of its customers reached up to 400 gigabits per second on 11 February 2014, tweeted Cloudflare CEO Matthew Prince on the night of 11 February 2014.

That would make it larger than the attack on the Swiss company Spamhaus in March 2013, which Cloudflare estimated and described as the largest attack on the Internet at the time. This time the attackers did not use DNS servers but instead a so-called NTP reflection attack, which is carried out via the Network Time Protocol. Cloudflare is known for its strong wording: in his blog, Prince compared the DDoS attack on Spamhaus, which affected the whole Internet, to a nuclear attack.

At peak times around 2.5 terabits of data were being pushed through the Internet exchange nodes. The security company Cloudflare has not yet said which customer was hit by the current attack. However, at least one major French provider was reportedly a victim of this DDoS attack: OVH founder and owner Oles tweeted that the attack against them reached up to 350 Gbps.

The motive behind the DDoS attack has not yet been determined. A reflection attack via NTP is a fairly new technique for overwhelming networks: instead of DNS servers, NTP servers on the Internet are now being used for such attacks. These servers provide precise time information worldwide. The attackers send forged data packets with the victim's IP address as the source.

The NTP servers respond automatically and send their data back to that IP address, which has two effects. First, the attacker stays hidden. Second, the attacker can send small forged packets and have the servers answer with much larger ones, so an attack launched with little bandwidth consumes a great deal of the victim's bandwidth.
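Both sides of the pattern described above (spoofed source address, small request, large reply) leave a distinctive trace in flow records, and that is what a network defender would look for. The following detector is an added example written for this post, not code from Cloudflare or OVH: it reads unidirectional UDP flow records, flags hosts that receive NTP replies from many servers they never queried (the victim side) and time servers whose replies go to many destinations and are far larger than the 48-byte standard NTP packet (a server being abused as a reflector). The flow format, the thresholds and the sample records are all constructed for the example; real data would come from NetFlow/IPFIX or sFlow collectors.

```python
from collections import defaultdict

NTP_PORT = 123
STANDARD_NTP_PACKET = 48   # bytes in a normal NTP v3/v4 client/server packet
MIN_PEERS = 10             # distinct sources (or destinations) before we flag (assumed threshold)
MIN_AMPLIFICATION = 5.0    # bytes received / bytes requested (assumed threshold)


def analyze_ntp_flows(flows):
    """Group unidirectional UDP flow records and report two patterns:
    victims    - hosts receiving port-123 replies from many sources they never queried
    reflectors - hosts whose port-123 replies go to many destinations and are far
                 larger than a standard NTP packet (an abused time server)
    Each flow is a dict with keys src, sport, dst, dport, proto, bytes, packets."""
    inbound = defaultdict(lambda: {"bytes": 0, "sources": set()})
    requested = defaultdict(int)
    replies = defaultdict(lambda: {"bytes": 0, "packets": 0, "dsts": set()})

    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == NTP_PORT:          # a reply leaving an NTP server
            inbound[f["dst"]]["bytes"] += f["bytes"]
            inbound[f["dst"]]["sources"].add(f["src"])
            replies[f["src"]]["bytes"] += f["bytes"]
            replies[f["src"]]["packets"] += f["packets"]
            replies[f["src"]]["dsts"].add(f["dst"])
        elif f["dport"] == NTP_PORT:        # a request sent to an NTP server
            requested[f["src"]] += f["bytes"]

    victims = []
    for host, rec in inbound.items():
        sent = requested.get(host, 0)
        # No requests at all means the replies were triggered by spoofed packets.
        amplification = rec["bytes"] / sent if sent else float("inf")
        if len(rec["sources"]) >= MIN_PEERS and amplification >= MIN_AMPLIFICATION:
            victims.append({"victim": host, "reflectors": len(rec["sources"]),
                            "bytes": rec["bytes"], "amplification": amplification})

    reflectors = []
    for host, rec in replies.items():
        avg_reply = rec["bytes"] / rec["packets"]
        if len(rec["dsts"]) >= MIN_PEERS and avg_reply > 4 * STANDARD_NTP_PACKET:
            reflectors.append({"server": host, "destinations": len(rec["dsts"]),
                               "avg_reply_bytes": avg_reply})

    return {"victims": victims, "reflectors": reflectors}


def flow(src, sport, dst, dport, nbytes, packets):
    """Build one constructed UDP flow record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "udp", "bytes": nbytes, "packets": packets}


# Constructed sample using documentation address ranges (RFC 5737).
SAMPLE_FLOWS = (
    # a normal client: one 48-byte query, one 48-byte answer
    [flow("203.0.113.20", 40001, "192.0.2.1", 123, 48, 1),
     flow("192.0.2.1", 123, "203.0.113.20", 40001, 48, 1)]
    # victim 203.0.113.10: twelve open NTP servers answer queries it never sent
    + [flow(f"198.51.100.{i}", 123, "203.0.113.10", 80, 4680, 10) for i in range(1, 13)]
    # our own time server 192.0.2.50 answering fifteen hosts with oversized replies
    + [flow("192.0.2.50", 123, f"203.0.113.{100 + i}", 50000 + i, 4680, 10) for i in range(15)]
)

if __name__ == "__main__":
    report = analyze_ntp_flows(SAMPLE_FLOWS)
    for v in report["victims"]:
        print(f"possible victim {v['victim']}: {v['reflectors']} reflectors, {v['bytes']} bytes")
    for r in report["reflectors"]:
        print(f"abused time server {r['server']}: {r['destinations']} destinations, "
              f"{r['avg_reply_bytes']:.0f} bytes per reply")
```

The two checks are deliberately independent: the victim test needs only the traffic arriving at your own network edge, while the reflector test is what an operator of a public NTP server would run on outbound traffic to notice that it is being used against someone else.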