Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

CloudFlare Introduces Keyless SSL

Content delivery network and web security provider CloudFlare has introduced a new feature that allows customers to take advantage of the company’s solutions without ever having to hand over their private SSL keys.

Content delivery network and web security provider CloudFlare has introduced a new feature that allows customers to take advantage of the company’s solutions without ever having to hand over their private SSL keys.

Private SSL keys are highly sensitive because they can be leveraged by a malicious actor to spoof an organization’s identity and intercept traffic. That is why, over the past two years, CloudFlare has been working on introducing keyless SSL.

The idea emerged after CloudFlare had a meeting in the fall of 2012 with representatives of a major bank, which at the time was targeted with distributed denial-of-service (DDoS) attacks by alleged Iranian hackers of the Izz ad-Din al-Qassam Cyber Fighters group.

“The bankers all acknowledged what they needed was a cloud-based solution that could scale to meet the challenges they faced. Unfortunately, since they needed to support encrypted connections, that meant the cloud-based solution needed to terminate SSL connections,” Matthew Prince, the CEO and co-founder of CloudFlare, wrote in a blog post.

Losing an SSL key is considered a critical security event which, as Prince describes it, could turn into a “nightmare,” and financial institutions can’t afford to take such risk. CloudFlare has been working since the 2012 meeting with the bank representatives on finding a practical way of helping organizations benefit from the cloud without the need to take possession of their SSL keys.

One of CloudFlare’s engineers came up with a solution by the next day, but it took two years to perfect the solution and make it secure, fast and scalable.

“To make it work, we needed to hold connections open between CloudFlare’s network and agents running on our customers’ infrastructure. Moreover, we needed to share data about crytographic sessions setup for a visitor between all the machines that could serve that visitor,” Prince explained. “Making it work was one thing, making it fast was another. And, today, Keyless SSL clients are experiencing 3x+ faster SSL termination globally using the service than they were when they were relying only on on-premise solutions.”

On Friday, CloudFlare security engineer Nick Sullivan published a blog post providing technical details on how they’ve managed to achieve keyless SSL.

Advertisement. Scroll to continue reading.

“We’ve seen how private keys can be stolen, and investing in techniques to limit their exposure makes the Internet a safer place. Our review of Keyless SSL indicates the keys themselves do not leave your infrastructure, and a secure channel with CloudFlare both protects the communication and reduces the attack surface for your key,” a spokesperson from NCC Group’s Cryptography Services group commented.

“One of the core principles of computer security is to limit access to cryptographic keys to as few parties as possible, ideally only the endpoints. Application such as PGP, Silent Circle, and now Keyless SSL implement this principle and are correspondingly more secure,” Jon Callas and Phil Zimmermann of encrypted communications firm Silent Circle said in a joint statement.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...