Latest Blog

KeyChest – Getting Rid of Broken Padlocks

We have all seen it: you go to visit an interesting blog or the DEFCON website, or try to pay for your parking on the go. But you can’t, because the website or web service has an expired certificate and the “damn security wouldn’t let me do it”.

Estonia Hits Gemalto Again – Insecure eID cards

When we researched impacts of the ROCA vulnerability, the Estonian government limited the impact with a cut-off date. ROCA only applied after that date. It now appears that Gemalto had another problem before that cut-off date.

Encryption and Databases Are Actually Similar

We have been building an encryption service for a while. I grew up in the world of encryption and many things just came with experience, without being spelled out. Here’s another reason why I believe in “hardware encryption”.

JSignPdf Now Supports Remote Signing

Great news: our CloudFoxy is now supported by JSignPdf 1.6.4. You can now sign PDFs with eIDAS-compliant smart-cards (or OpenPGP dongles), with zero drivers or configuration on user computers.

Multiparty Encryption – Our Talk at DefCon 25 – August 2017

I just found a video of our presentation at DefCon last year, which I haven’t watched since. The talk included a live demonstration connecting to a bank of smart-cards in Cambridge, UK. Organizers warned us not to do it as the network was pretty locked-down and a lot of …. interesting tr

PDF Signing With CloudFoxy And Smartcards – Production Notes

We have handed over the first deployment of our CloudFoxy (smart cards over RESTful API) for PDF signing and it is now in live use. Here are a few observations of mine about dependencies, performance, and delivery.

CyberSec is Janitorial

Point of discussion: “… No matter how much we rapture on about the virtues of Cyber Security, to The Business, we might as well be explaining the function of the U-bend. …”

Planning TLS certificate renewals – define a process

This text is about creating a process around planning certificate renewals. As part of our KeyChest re-design, we created a sequence of meaningful checks for TLS certificates so that they are always renewed before your web services go down.

KeyChest now runs over 500,000 TLS checks every day

We checked recent statistics of the KeyChest service. While the overall load is gradually increasing, we have also increased the number of checks we perform. It’s now over 500,000 a day since March 26. But we should be fine until a major system upgrade coming soon.

KeyChest becomes part of Radical Prime Limited

As the core technology of Enigma Bridge had been in its cloud encryption platform, there was always a question whether we wanted to keep use-cases of this technology under the same company. This thinking resulted in a decision to create a spin-off. This was executed in January 2018 and resulted in

Major KeyChest Incident – We Turn It Into Serious Business

KeyChest HTTPS monitoring started small, to help us manage our own certificates, and its free service grew with interest. It’s the right approach from the business point of view, but it has its dark side. A major incident flushed it out last Saturday.

ROCA details published – taste of quantum cryptography

If you want to see raised eyebrows, just say “unbreakable crypto”. Yet everyone assumes their use of crypto is “unbreakable”. Security experts know it’s safe to reject “unbreakable systems” out of hand, but they often rely on the unbreakability of security

ROCA vulnerability impact on Gemalto IDPrime .NET smart cards

We have reasonable grounds to believe that all Gemalto IDPrime .NET smart cards generate weak RSA keys vulnerable to the recently published ROCA vulnerability (CVE-2017-15361, VU#307015). Gemalto stopped selling these cards in September 2017, but there are large numbers of cards still in use in co

ROCA – Critical vulnerability in Infineon security chips

Looking back, we can find many examples of errors in the algorithms used to create encryption keys. Not very many of them, however, were found in chips designed and sold as high-security devices for email signing, verifying software integrity, VPN access, or citizen e-ID cards.

Let’s Encrypt certificates with one name on different servers

This is an interesting one. The first impulse is to simply answer NO, you can’t do it, that’s the point of HTTPS. But it’s all about networking, and one can do quite a lot of magic with proxies, forwarding, and the SNI extension in the TLS protocol.

Enigma Bridge encryption gets recognition – DEFCON, BlackHat, and ACM CCS

We have had a busy summer so far. We introduced a new service for SSL certificate monitoring (keychest.net), presented at Black Hat USA, and gave a talk at DEFCON. The latest news was recognition of our cryptographic platform by reviewers of the ACM CCS conference.

Let’s Encrypt in the spotlight

We have compiled all practical information we could find and written it up at Numbers you need to know. It’s a long list of restrictions, rate limits, and other useful information to keep in mind. Here are a few selected points that we found interesting. Big thanks to schoen from Certbo

Guardian, FT, etc. share their internet encryption keys with many

We have all heard about hackers stealing huge user databases with passwords as they are tempting bounties. FT, Guardian and many others create a new kind of reward – their internet encryption keys via CDNs – services speeding up web traffic.

SSL testing – servers or domains?

We have started testing our SSL certificate spot checks – KeyChest – and realized that we were conceptually different from SSL Labs. We focus on the server rather than the domain name and it makes a difference.

First BlackHat, now DEFCON: We talk “Trojan-tolerant hardware security in practice”

I have mentioned this multi-party encryption project of ours (Enigma Bridge) and University College London here earlier. If you’re planning to go to BlackHat US or DEFCON-25, come and see our talks about practical “ultra-secure” multi-party encryption for the cloud and some of the

Is cloud security all about emotional marketing?

I still find it interesting that when I mention “hardware security” to someone, my “pitch” is over, done, finished. As if no-one realized that every cloud needs physical servers to run on. Everything cloud is marketed as “secure”, but are we really in contro

KeyChest – FREE plan and track for 100% HTTPS uptime

We have been using Letsencrypt certificates for a year now. As it is free, we have been constantly increasing the number of services using it. I personally like the three months validity as it makes renewals a “business as usual” task, rather than incidents. But it doesn’t happen

DEFCON web certificate expires – what’s going on?

I just wanted to check whether the Agenda has been updated … well, I guess it wasn’t. defcon.org uses HSTS so it’s pretty tricky to access the web even with a “red bar”.

WannaCry – A Stop of A Never-Ending Journey

Ok, everyone seems to be writing about it, so here’s my take so far. Professional malware code extended in a pretty silly way that somehow got into the computers of companies. And the hackers collected well below $100,000.

Do you have screenshots of your crypto platform?

We basically gave up on going to startup events for now. I know it’s not good for marketing or when you look for equity investment. We just got tired of trying to explain what a “platform” is good for. Everyone expects a flashy demo or screenshot of your app.

Does Amazon Want To Control All Encryption Keys?

Public cloud providers have absolute control over our data, applications, everything we do on their cloud platform. Independent key management lowers users’ risk exposure and as such is in the interest of cloud providers. Well, Amazon AWS has different thoughts.

VPN for Companies – “Bring Your Own Device” Made Easy

We pushed hard to extend our Private Spaces and make them a great choice for companies to connect roaming users (and their own devices, while providing a high level of security for BYOD policies).

Unbreakable Encryption with Secure Hardware and Geopolitics

From supercomputers to IoT – processors (or chips) are everywhere. Computer chips protecting our privacy and security would first travel the world to get designed, fabricated, and personalized. Even if we had an unbreakable encryption algorithm, it may be defeated by its manufacturing.

Think OpenVPN is easy? Think again as it’s worth it

We chose OpenVPN to build secure connections to our Private Spaces. We braced for difficulties, but that was only the beginning. The point of this post is that integration testing does make a difference. And that OpenVPN is a very nice tool!

Private Space Gateway launched

The Gateway is our first Private Space – like a VPN (if you know it), but for sharing and co-operation. We have been building Private Spaces for the last three months – a one-click secure cloud space for companies, teams, or home users.

EV Certificates – Value for Money? Incl. Troy Hunt Q&A

I came across Troy Hunt’s article yesterday about getting an EV certificate. His initial assumption is that an EV certificate actually proves something, unlike many other seals of “security”. But is it really worth spending $80+/year?

Transaction Security with Slow Clock and Counter – How to Conjure Up Entropy

I love cryptography. It’s an abstract science, where I can define a problem, come up with a solution and prove it (eventually). I also like applying cryptography as it involves real world (users, limitations of computers, …), which messes everything up and turns pure mathematics in

Self-driving Cyber Security – Step 1: Professional PKI

Many companies drive their computer systems without wearing seatbelts, even though they know and constantly witness they risk being injured by cyber crashes. There are simple economic reasons for this. It is not the unavailability of cyber “seat belts”, but the difficulty of putting them in. Eni

Do Not Trust Experts – from Brexit to Internet

I was a researcher, I believed that we were independent, un-biased, the true source of knowledge (and I still do). What I didn’t appreciate at the time was that researchers were terrible at defining the borders of their expertise and saying “I don’t know”.

How Certbot and Letsencrypt Work (DNS and SNI-TLS automation)

We introduce an integration plugin for Let’s Encrypt. It provides integration for a variety of mechanisms that enable and simplify verification of domain control and certificate installation. We have already tested it with Dehydrated (formerly letsencrypt.py). It supports all existing verificatio

Your HTTPS Certificate Shows Where Its Key Comes From

We have extended the original research and can now use information from public keys (HTTPS, TLS, SSH, SSL) to audit cyber security management and compliance with internal standards.

Letsencrypt’s Vulnerability Or Feature – Eternal Account Key

The growth of Let’s Encrypt is phenomenal: 7 million certificates in the last four months. The remaining hurdle for automation is verification of domain ownership. Well, actually it is NOT true. We were doing syntax testing, hoping to get the right kind of verification err

Why Enigma Bridge is the best option available for cloud security

The main reason we want to use cloud technologies is that they simplify cost management and allow us to spend only as much as we need at any given time. The question is how secure it is and what risks are acceptable.

Re: Investigating the Origins of RSA Public Keys

This post is about research done by one of our co-founders. Petr showed that it is possible to find out which tool or hardware device generated RSA keys from just a few public keys. I’m thinking it’s an attack, an unexpected data leakage channel, but also an excellent source for audit-relate

“Progress and research in cybersecurity” by The Royal Society

“Encryption is a key technology that underpins trustworthy computing. As digital technologies become ever more central to our lives, encryption becomes more important, and any weaknesses in its implementation become greater risks. Governments must commit to preserving the robustness of end- to

Hacking WiFi passwords – a randomness problem

Dusan, one of us @EnigmaBridge, was curious about how default WiFi router passwords are generated and very quickly came up with an algorithm producing the right passwords. And this “bootstrapping” problem is much bigger …

EnigmaLink on ProductHunt

I have mentioned EnigmaLink in my previous blog as our first application built on our cloud encryption platform (an easy to use alternative to CloudHSM from Amazon). Today, we posted it to the ProductHunt website.

“We created a cloud security platform.” – “so what?”

We have been working on a cloud security platform, Enigma Bridge, for the last couple of years. It was great fun and … we built it. However, when we started talking to potential customers, we often had a hard time. We heard it was really interesting, but what did it actually do?

Software Reliability

It seems I have to deal with the question of who to trust, our new product or an established software package, way too often. The answers make me question what the level of testing in open-source software is, and what the reliability of software in general is.

Life at Enigma Bridge

We had another Enigma Bridge workshop / away days. We organise it every four to six weeks and it always surprises me how it energises everyone. True, we usually need a couple of days to recover so it’s good to finish on Friday.

Lessons From The Past

I have finally managed to finish reading “The Hut Six Story”. Not the first book about Bletchley in WW2, but still amazed by some details. Not least the importance of “random letters”.

A Long Dark Tea-Time of The Soul

You may know the mood when all seems to be done but new tiny issues keep cropping up every day … until they eventually disappear without you realizing it. The title kind of sprang to mind. A lot has happened since my previous post and I have indeed lived and breathed Enigma Bridge. Wh

Too Small To Be Attacked? Think Again!

Computers today are attacked and hacked not because of WHO we are but because of WHAT software and systems we are using. There is little difference whether you run a small company with one computer or a multinational enterprise.

Password Attacks – A Small Server Experiment

This short post looks at password attacks that were launched during a five-month period against a small web server of ours in 2013. There are a lot of statistics about what the most common passwords we use to log in to our online accounts are. What we were interested in was what passwords are be

Password Attack Taxonomy

This attack taxonomy includes the most common attacks on passwords. The table below shows attack categories split into online and offline attacks. Offline attacks require access to a database of scrambled or encrypted passwords, while online attacks would use the normal user interface to test or obtain user

Looking for Adversary

Experts like to say that we are responsible for our own security on the internet. I disagree, as we are not born security experts. Nor does common sense always make sense, as users can’t see what is going on behind the flashy images on their monitors. Who is the real bad boy?

Online and Mobile Banking Fusion

Banks simplify access to our bank accounts. They keep relaxing security while hoping to replicate the boiling frog story. The trouble is that no-one dies and someone will figure it out, sooner rather than later. I touch on a few things: using online banking to find valid card numbers, and da

BBC’s Edward Snowden was not really that

I watched the BBC Panorama documentary with and about Snowden yesterday. Actually, I watched it twice, as I was disappointed the first time round. I wanted to find out why.