Looking back, we can find many examples of errors in the algorithms used to create encryption keys. Not very many of them, however, were found in chips designed and sold as high-security devices for email signing, verifying software integrity, VPN access, or citizen e-ID cards.
This is an interesting one. The first impulse is to simply answer NO, you can’t do it, that’s the point of HTTPS. But it’s all about networking and one can do quite some magic with proxies, forwarding, and the SNI extension in TLS protocols.
We have had a busy Summer so far. We introduced a new service for SSL certificate monitoring (keychest.net), presented at Black Hat USA, and gave a talk at DEFCON. The latest news was recognition of our cryptographic platform by reviewers of the ACM CCS conference. Continue reading Enigma Bridge encryption gets recognition – DEFCON, BlackHat, and ACM CCS
We have compiled all practical information we could find and written it up at Numbers you need to know. It’s a long list of restrictions, rate limits, and other useful information to keep in mind. Here’s a few selected points that we found interesting. Big thanks to schoen from Certbot/EFF for pointing out numerous inaccuracies.
We have all heard about hackers stealing huge user databases with passwords as they are tempting bounties. FT, Guardian and many others create a new kind of reward – their internet encryption keys via CDNs – services speeding up web traffic.
We have started testing our SSL certificate spot checks – KeyChest – and realized that we were conceptually different from SSL Labs. We focus on the server rather than the domain name and it makes a difference.
I have mentioned this multi-party encryption project of ours (Enigma Bridge) and University College London here earlier. If you’re planning to go to BlackHat US or DEFCON-25, come and see our talks about practical “ultra-secure” multi-party encryption for the cloud and some of the technology enabling it (Unchaining the JavaCard Ecosystem).
I still find it interesting that when I mention “hardware security” to someone, my “pitch” is over, done, finished. Like if no-one realized that every cloud needs physical servers to run on. Everything cloud is marketed as “secure”, but are we really in control of our data?
We have been using Letsencrypt certificates for a year now. As it is free, we have been constantly increasing the number of services using it. I personally like the three months validity as it makes renewals a “business as usual” task, rather than incidents. But it doesn’t happen through magic.