Is it really possible to design an encryption system, which is as strong as its strongest link? There is never a straight “yes” answer to this question, but we are now as close as one can get.
We have all heard about hackers stealing huge user databases with passwords as they are tempting bounties. FT, Guardian and many others create a new kind of reward – their internet encryption keys via CDNs – services speeding up web traffic.
We have started testing our SSL certificate spot checks – KeyChest – and realized that we were conceptually different from SSL Labs. We focus on the server rather than the domain name and it makes a difference.
While implementing features of the certificate planner, we have added a few handy features to the KeyChest spot checker as well. It is now much more than just a tool to check when a website certificate expires.
I have mentioned this multi-party encryption project of ours (Enigma Bridge) and University College London here earlier. If you’re planning to go to BlackHat US or DEFCON-25, come and see our talks about practical “ultra-secure” multi-party encryption for the cloud and some of the technology enabling it (Unchaining the JavaCard Ecosystem).
You may think I’m pulling your leg, when I say that you share encryption keys with an adult content website, road sweepers West Sussex, or hackers trying to impersonate Apple. But that’s exactly what happens when you use a free (CDN) service with HTTPS.
I still find it interesting that when I mention “hardware security” to someone, my “pitch” is over, done, finished. Like if no-one realized that every cloud needs physical servers to run on. Everything cloud is marketed as “secure”, but are we really in control of our data?
We have been using Letsencrypt certificates for a year now. As it is free, we have been constantly increasing the number of services using it. I personally like the three months validity as it makes renewals a “business as usual” task, rather than incidents. But it doesn’t happen through magic.
I just wanted to check whether the Agenda has been updated … well, I guess it wasn’t. defcon.org uses HSTS so it’s pretty tricky to access the web even with a “red bar”.
We have been working with University College London (UCL) for a while and one of the results is an easy to use implementation of cryptographic functions for JavaCards. We will be briefing on this at Black Hat 2017 USA.