Cambridge, United Kingdom, November 04, 2016 --(PR.com)-- We are used to the fact that addresses of data-sensitive websites, such as those for internet banking, start with “https” instead of “http.” We trust that these sites are secure and our data is safe. However, new evidence from Cambridge security company Enigma Bridge reveals that https websites leak information about how their cyber security is managed, information that could help hackers or government agencies pick the weakest targets for exploitation of sensitive data.
The main purpose of https (the ‘s’ denoting ‘secure’) is to create a trusted connection for sending sensitive data between your browser and a web service. This is achieved by the web service presenting a digital ID, a certificate containing its public key, to every browser that connects. Until now, it has been widely accepted that this digital ID contained nothing sensitive that could endanger the security of the web service. No one expected that it could leak internal information about security management: information about the methods, tools, and processes used to generate keys was supposed to be completely hidden from users as well as attackers.
The worrying discovery, made by Enigma Bridge co-founder Dr Petr Svenda, was awarded the best paper at the 2016 USENIX Security Symposium. It shows that sensitive information behind “https” can be extracted by sophisticated analysis of nothing more than the public key that every web service presents to anyone accessing it. Svenda and his team applied novel techniques to analyse millions of https keys and revealed which tools had generated them.
“I am puzzled with peeps are not all over this - enormous implications,” tweeted Daniel Bilar, Information Security Specialist at Visa.
“It is striking that despite 30 years of cryptographic research, no-one has noticed this problem before. It has been hiding in plain sight all along,” commented Ross Anderson, Professor of Security Engineering, after Svenda’s presentation at the University of Cambridge.
Dan Cvrcek, CEO and co-founder of Enigma Bridge, adds, “We have progressed the scanning methods to pinpoint how organisations, including blue chip companies, government departments, and other companies that are part of critical infrastructure, manage their encryption keys, using only publicly available information, and to identify potential weaknesses in their defences.”
Dan also names several of the main problems they detected: “You can easily see whether companies think about the quality of their encryption keys or let their administrators use any tool at hand, instead of using secure hardware key generators. Sharing keys between different applications is another aspect that suggests insufficient controls or enforcement of cyber security processes,” says Dan.
Whilst this leak doesn’t compromise any web site directly, it demonstrates that even public information can reveal security details and lead attackers to the most vulnerable targets. Generating keys inside validated secure hardware, rather than with whatever software tool is at hand, is the best protection against many such attacks. To help solve this serious issue, Enigma Bridge is proud to have developed a cost-effective, ground-breaking hardware security service based in the cloud.
Notes for editors:
For further information, contact:
Enigma Bridge Ltd
About Enigma Bridge
Enigma Bridge is a security company, founded by cryptography and payments experts, specialising in making security simple and ubiquitous. Enigma Bridge has developed its own hardware security cloud service platform, enabling companies to secure their systems and/or move to the cloud through a simple integration interface (APIs). Enigma Bridge has offices in Cambridge, UK, and Brno, Czech Republic. For more information, please visit https://www.enigmabridge.com
The findings of Petr Svenda et al. were first presented at the USENIX Security Symposium in August 2016, where the paper was awarded best paper out of 460 submissions. See https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/svenda
This document online:
· PDF: https://enigmabridge.com/pr_nov_2016/EnigmaBridge_PressRelease_November2016.pdf
· MS Word https://enigmabridge.com/pr_nov_2016/EnigmaBridge_PressRelease_November2016.docx
[Photo] Dr Dan Cvrcek, CEO of Enigma Bridge
[Figure] Example of classification from a major UK bank: two different cyber security management processes identified
[Figure] Classification groups ordered by an initial estimated level of security