CloudFlare launches Keyless SSL, a new kind of encryption tool
San Francisco startup CloudFlare just unveiled a new tool that will change the way companies encrypt information.
The tool is called Keyless SSL, and it helps companies defend against "denial-of-service" attacks, which hackers use to prevent a system's legitimate users from accessing it. What's revolutionary about Keyless SSL, however, is that it does so while letting companies keep control of their master SSL keys.
SSL (Secure Sockets Layer) keys allow secure connections to be established between a web server and a browser. However, third-party cloud services such as CloudFlare require that companies turn over their SSL keys in order to use the cloud. This understandably makes many corporations wary of trusting such services with their confidential information, especially in light of recent security concerns over cloud software.
But now, with Keyless SSL, the IT departments of major companies can breathe a little easier. Keyless SSL allows companies to route SSL-encrypted HTTPS traffic through a cloud service without handing over their SSL keys. The private key is used only during the first connection, which produces a "session key" that encrypts the traffic that follows. This session key protects only one user's session and, unlike the private key, is not meant for long-term use, which helps keep communications secure in the cloud.
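To make that split concrete, here is an added Go example (not CloudFlare's code, and not the real Keyless SSL protocol) that simulates the handshake described above. A key server standing in for the customer's own machine holds the private key and performs only the signing step; the cloud edge holds just the certificate's public key, obtains the signature through a callback, and derives the per-session key from an ephemeral key exchange. The names KeyServer, Edge, Setup and Handshake, the use of P-256 and the HMAC-based key derivation are all assumptions made for illustration; TLS itself uses a different message format and key schedule.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyServer stands in for the machine the customer keeps on its own premises.
// It holds the long-term private key and exposes exactly one operation: sign a
// digest the edge hands it. (Hypothetical name; P-256 chosen for brevity.)
type KeyServer struct {
	priv *ecdsa.PrivateKey
}

// NewKeyServer generates a fresh long-term key standing in for the key
// behind the customer's certificate.
func NewKeyServer() (*KeyServer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyServer{priv: priv}, nil
}

// Sign is the only thing the edge can ask the key server to do.
func (k *KeyServer) Sign(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// Edge stands in for the cloud server that terminates HTTPS. It holds only the
// certificate's public key and a callback to the key server; the struct has no
// private-key field, so there is no long-term key on this host to leak.
type Edge struct {
	pub  *ecdsa.PublicKey
	sign func(digest []byte) ([]byte, error)
}

// Setup wires an edge to a key server. In a real deployment the callback would
// be a network call back to the customer; here it is an in-process function.
func Setup() (*Edge, error) {
	ks, err := NewKeyServer()
	if err != nil {
		return nil, err
	}
	return &Edge{pub: &ks.priv.PublicKey, sign: ks.Sign}, nil
}

// deriveSessionKey is a deliberately simplified KDF: HMAC-SHA256 keyed with the
// ECDH shared secret over the handshake transcript.
func deriveSessionKey(shared, transcript []byte) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write([]byte("session key|"))
	m.Write(transcript)
	return m.Sum(nil)
}

// Handshake simulates one ECDHE handshake between a browser and the edge and
// returns the session key each side derived. The private key is touched only
// inside edge.sign, i.e. on the key server. tamper corrupts the signature so
// the client-side verification failure can be exercised.
func Handshake(edge *Edge, tamper bool) (clientKey, edgeKey []byte, err error) {
	curve := ecdh.P256()
	clientEph, err := curve.GenerateKey(rand.Reader) // browser's ephemeral key
	if err != nil {
		return nil, nil, err
	}
	edgeEph, err := curve.GenerateKey(rand.Reader) // edge's ephemeral key
	if err != nil {
		return nil, nil, err
	}

	// Transcript of what has gone over the wire so far.
	transcript := append([]byte{}, clientEph.PublicKey().Bytes()...)
	transcript = append(transcript, edgeEph.PublicKey().Bytes()...)
	digest := sha256.Sum256(transcript)

	// The edge cannot sign; it asks the key server to sign the digest.
	sig, err := edge.sign(digest[:])
	if err != nil {
		return nil, nil, err
	}
	if tamper {
		sig[len(sig)-1] ^= 0x01
	}

	// The browser checks the signature against the certificate's public key.
	if !ecdsa.VerifyASN1(edge.pub, digest[:], sig) {
		return nil, nil, errors.New("client: server signature does not verify")
	}

	// Both sides compute the same ECDH secret and derive the per-session key.
	clientShared, err := clientEph.ECDH(edgeEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	edgeShared, err := edgeEph.ECDH(clientEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	return deriveSessionKey(clientShared, transcript), deriveSessionKey(edgeShared, transcript), nil
}

func main() {
	edge, err := Setup()
	if err != nil {
		panic(err)
	}
	ck, ek, err := Handshake(edge, false)
	fmt.Printf("handshake ok: %v, keys match: %v\n", err == nil, bytes.Equal(ck, ek))
	_, _, err = Handshake(edge, true)
	fmt.Printf("tampered signature rejected: %v\n", err != nil)
}
```

The point to take from the example is structural: the only data that crosses from the edge to the key server is a digest, and the only data that comes back is a signature, so a compromise of the edge host exposes session keys for connections it handled but never the long-term key. The session key, by contrast, lives only for that one connection, which is why it is safe to hold on the cloud side.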
A series of attacks against major financial companies two years ago inspired CloudFlare to begin developing Keyless SSL. In 2012, major U.S. banking institutions such as Bank of America, JP Morgan Chase and Citigroup experienced "denial-of-service" attacks that used compromised web servers to inundate their websites with unusually large volumes of traffic.
Another feature special to Keyless SSL is that session ticket keys are shared between all the servers and replicated across all of CloudFlare's data centers, according to Ars Technica. This means a client can resume a session from anywhere, hours or days after disconnecting.
Even though CloudFlare already has a "handful of beta customers, which include some of the top 10 financial institutions," as the company's CEO Matthew Prince told Ars Technica, many of CloudFlare's smaller customers have said they are fine with CloudFlare holding their SSL keys. "Smaller customers have said that they trust us more to maintain [their] key than they trust themselves," Prince told Ars Technica.
Right now, Keyless SSL is available to CloudFlare's enterprise customers, but Prince told Wired that he wants to make the service available to all customers in the future.