[Cryptography] CloudFlare reinvents crypto offload
Alan Braggins
alan.braggins at gmail.com
Fri Sep 19 08:02:00 EDT 2014
On 19/09/14 06:09, Peter Gutmann wrote:
> Someone recently pointed me to CloudFlare's Keyless SSL:
>
> http://arstechnica.com/information-technology/2014/09/in-depth-how-cloudflares-new-web-service-promises-security-without-the-key/
>
> I can't see what the innovation is here. They say that instead of doing the
> SSL premaster secret processing directly on the web server, the magic is to do
> it on a secure external system/device. I guess they could call this external
> device a Helper for SSL Mechanisms or "HSM". I wonder why no-one's ever
> thought of this before.
>
> Oh, wait...
>
> Where's the magic?
Their proof of concept story seems even more trivial -
http://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cloudflare-without-having-to-turn-over-your-private-ssl-keys/
"I've proven it's possible," he said. "It's crude. It won't scale.
It probably has security vulnerabilities galore, but I've proved we
can terminate SSL connections even if we don't have physical access
to the private SSL key."
I'm sure there is engineering work involved in then making sure it
scales to a cloud with lots of servers which have keys that should be
under the control of different remote users, and you have to make sure
your communications with the HSM-equivalent are suitably secured in a
way that doesn't just give you a target equivalent to the server keys,
but none of that seems like fundamental innovation.
More information about the cryptography
mailing list