CloudFlare Introduces SSL Without Private Key

Outsmart Malicious Hackers

Handing over your private key to a cloud provider so they can terminate your SSL connections and you can work at scale has always been a fairly contentious issue, a necessary evil you may say.

As if your private key gets compromised, it’s a big deal and without it (previously) there’s no way a cloud provider or load balancing service could terminate your SSL connections and complete the secure handshake with a users browser.

CloudFlare Introduces SSL Without Private Key

Until now, CloudFlare presents a fairly intelligent solution – which has taken them 2 years to develop – but solves most problems with the current situation.

Content delivery network and web security provider CloudFlare has introduced a new feature that allows customers to take advantage of the company’s solutions without ever having to hand over their private SSL keys.

Private SSL keys are highly sensitive because they can be leveraged by a malicious actor to spoof an organization’s identity and intercept traffic. That is why, over the past two years, CloudFlare has been working on introducing keyless SSL.

The idea emerged after CloudFlare had a meeting in the fall of 2012 with representatives of a major bank, which at the time was targeted with distributed denial-of-service (DDoS) attacks by alleged Iranian hackers of the Izz ad-Din al-Qassam Cyber Fighters group.

“The bankers all acknowledged what they needed was a cloud-based solution that could scale to meet the challenges they faced. Unfortunately, since they needed to support encrypted connections, that meant the cloud-based solution needed to terminate SSL connections,” Matthew Prince, the CEO and co-founder of CloudFlare, wrote in a blog post.

Losing an SSL key is considered a critical security event which, as Prince describes it, could turn into a “nightmare,” and financial institutions can’t afford to take such risk. CloudFlare has been working since the 2012 meeting with the bank representatives on finding a practical way of helping organizations benefit from the cloud without the need to take possession of their SSL keys.

I honestly think the whole SSL certificate process is pretty broken, really it needs a major rework – but I’m not exactly sure what the solution is. At least what CloudFlare has come out with is a solution to one part of the problem.

It seems fairly obvious in some ways, run an agent inside the secure infrastructure of the client, have very limited access to the agent to access the key. But it’s always obvious when someone else thought of it, isn’t it?

One of CloudFlare’s engineers came up with a solution by the next day, but it took two years to perfect the solution and make it secure, fast and scalable.

“To make it work, we needed to hold connections open between CloudFlare’s network and agents running on our customers’ infrastructure. Moreover, we needed to share data about crytographic sessions setup for a visitor between all the machines that could serve that visitor,” Prince explained. “Making it work was one thing, making it fast was another. And, today, Keyless SSL clients are experiencing 3x+ faster SSL termination globally using the service than they were when they were relying only on on-premise solutions.”

On Friday, CloudFlare security engineer Nick Sullivan published a blog post providing technical details on how they’ve managed to achieve keyless SSL.

“We’ve seen how private keys can be stolen, and investing in techniques to limit their exposure makes the Internet a safer place. Our review of Keyless SSL indicates the keys themselves do not leave your infrastructure, and a secure channel with CloudFlare both protects the communication and reduces the attack surface for your key,” a spokesperson from NCC Group’s Cryptography Services group commented.

“One of the core principles of computer security is to limit access to cryptographic keys to as few parties as possible, ideally only the endpoints. Application such as PGP, Silent Circle, and now Keyless SSL implement this principle and are correspondingly more secure,” Jon Callas and Phil Zimmermann of encrypted communications firm Silent Circle said in a joint statement.

There’s a nice technical post with details of the implementation here: Keyless SSL: The Nitty Gritty Technical Details

It’s only just been launched, so it’s too early to see if anyone has figured out how to hack it yet. As obviously, if the agent can be discovered and is insecure – it can compromise the client infrastructure and the private key.

Source: SecurityWeek

Posted in: Cryptography, Privacy, Web Hacking


Latest Posts:

GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.
Memcached DDoS Attacks Will Be BIG In 2018 Memcached DDoS Attacks Will Be BIG In 2018
So after the massive DDoS attack trend in 2016 it seems like 2018 is going to the year of the Memcached DDoS amplification attack with so many insecure Memcached servers available on the public Internet.
libsodium - Easy-to-use Software Library For Encryption libsodium – Easy-to-use Software Library For Encryption
Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more. It is a portable, cross-compilable, installable, packageable fork of NaCl, with a compatible API.
XSStrike - Advanced XSS Fuzzer & Exploitation Suite XSStrike – Advanced XSS Fuzzer & Exploitation Suite
XSStrike is an advanced XSS detection suite, which contains a powerful XSS fuzzer and provides zero false positive results using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads.

Comments are closed.