Moving secrets from a war zone: Keyless SSL
The invasion of Ukraine is so sad and takes us back to an old world. Most had thought that a war in Europe could never happen again, especially as there is nothing to gain, and so much to lose.

And so our world has changed. At one time a defender would destroy their secrets so that they did not fall into the hands of an invader. These days our secrets are protected with cryptography, and held within data centres. For an invader, those data centres hold sensitive data that could reveal key information around finance, government records, and much more. Web content, too, holds important information for citizens. So while the likelihood of an invasion is extremely low in most countries, global companies need a playbook for protecting the secrets of citizens.

And so we see Cloudflare acting quickly on this, and removing cryptographic material from their servers in Ukraine. The CEO of Cloudflare posted:

This takes the secret information and related encryption keys, moves the data to a safe haven, and still allows Ukrainian customers to access their encrypted content and make secure connections. Cloudflare currently has a data centre in Kyiv, which is still online [here]:

Keyless SSL

With Keyless SSL, customers can use Cloudflare's SSL servers for tunnelled traffic, but the customer remains the only party with access to their site's SSL private key. Normally, a company's private key is shared with Cloudflare, so if a data centre were taken over, there is a chance that these private keys could be accessed. The Cloudflare service also supports mitigation against a range of threats, such as DDoS and botnet attacks.

This involves Bob connecting to a Cloudflare node and sending a secret key to the node, encrypted with the site's public key. The node forwards the encrypted secret key to a key server, which decrypts it. The key server then sends the decrypted secret back over an encrypted tunnel, and the node creates a secure connection with Bob using the shared secret key. The key server can thus be kept somewhere that is not in Ukraine:
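To make the separation concrete, here is a small simulation of the flow described above: Bob encrypts a fresh premaster secret to the site's public key, the edge node forwards the ciphertext to a key server over an authenticated tunnel, the key server (the only party holding the private key) decrypts it, and both ends derive the same session key. This is an added, constructed example, not Cloudflare's code: it uses textbook RSA with two small known Mersenne primes and an HMAC tag as a stand-in for the mutually authenticated tunnel, purely to show that the edge never needs the private exponent.

```python
"""Toy model of the Keyless SSL handshake (constructed example, not Cloudflare code)."""
import hashlib
import hmac
import os

# Toy RSA parameters: two Mersenne primes, so n is ~92 bits.  Real deployments
# use 2048-bit+ keys with padding; this is only to illustrate the message flow.
P = 2147483647            # 2^31 - 1
Q = 2305843009213693951   # 2^61 - 1
E = 65537                 # coprime to (P-1)(Q-1)


def make_site_key():
    """Return ((n, e), (n, d)) for the customer's site."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def kdf(premaster, client_random, server_random):
    """Derive a session key from the premaster secret and both nonces."""
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()


def tunnel_tag(tunnel_key, ciphertext):
    """Stand-in for the authenticated edge <-> key server tunnel."""
    return hmac.new(tunnel_key, ciphertext.to_bytes(16, "big"), hashlib.sha256).digest()


class KeyServer:
    """Holds the private key; sits outside the contested data centre."""

    def __init__(self, private_key, tunnel_key):
        self.n, self.d = private_key
        self.tunnel_key = tunnel_key
        self.decrypt_count = 0      # useful audit signal: one decrypt per handshake

    def decrypt(self, ciphertext, tag):
        # Only answer requests that arrive over the authenticated tunnel.
        if not hmac.compare_digest(tunnel_tag(self.tunnel_key, ciphertext), tag):
            raise PermissionError("request did not come over the authenticated tunnel")
        self.decrypt_count += 1
        return pow(ciphertext, self.d, self.n).to_bytes(8, "big")


class EdgeNode:
    """Cloudflare node: terminates Bob's connection but never holds d."""

    def __init__(self, public_key, key_server, tunnel_key):
        self.public_key = public_key
        self.key_server = key_server
        self.tunnel_key = tunnel_key

    def handshake(self, ciphertext, client_random):
        server_random = os.urandom(32)
        premaster = self.key_server.decrypt(ciphertext, tunnel_tag(self.tunnel_key, ciphertext))
        return server_random, kdf(premaster, client_random, server_random)


class Client:
    """Bob: encrypts a fresh premaster secret to the site's public key."""

    def __init__(self, public_key):
        self.n, self.e = public_key

    def start(self):
        self.client_random = os.urandom(32)
        self.premaster = os.urandom(8)          # 64-bit toy premaster, always < n
        m = int.from_bytes(self.premaster, "big")
        return pow(m, self.e, self.n), self.client_random

    def finish(self, server_random):
        return kdf(self.premaster, self.client_random, server_random)


def run_handshake():
    """Return (keys_match, key_server_decrypts, edge_holds_private_exponent)."""
    public, private = make_site_key()
    tunnel_key = os.urandom(32)
    ks = KeyServer(private, tunnel_key)
    edge = EdgeNode(public, ks, tunnel_key)
    bob = Client(public)
    ciphertext, client_random = bob.start()
    server_random, edge_key = edge.handshake(ciphertext, client_random)
    return bob.finish(server_random) == edge_key, ks.decrypt_count, hasattr(edge, "d")


def unauthenticated_request_rejected():
    """A node without the tunnel key gets nothing from the key server."""
    public, private = make_site_key()
    ks = KeyServer(private, os.urandom(32))
    ciphertext, _ = Client(public).start()
    try:
        ks.decrypt(ciphertext, tunnel_tag(os.urandom(32), ciphertext))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_handshake(), unauthenticated_request_rejected())
```

The point of the model is the asset boundary: a seized edge node yields the public key, the tunnel credential and per-session keys, but not the long-term private key, which only ever exists on the key server. In practice the tunnel credential would itself be rotated and the key server's decrypt rate monitored, since an unexpected burst of decrypt requests is the signal that an edge has been misused.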

Conclusions

There is so much sadness in moving back to an old world, but we see a new world of cyber protection coming into force, where protecting data is just one element of the defensive barriers put up against attackers. No child in our world should ever be faced with fear. And the lives lost from a senseless act of aggression: nothing can ever justify that!

Well done, Cloudflare.