Cloudflare launches open source keyless SSL

Cloudflare today announced it has made available a keyless SSL solution that enables the content delivery network to provide data transfers that are both authenticated and encrypted, without requiring customers' private digital keys.

Cloudflare cryptographer Nick Sullivan/Supplied.

Cloudflare security engineering lead Nick Sullivan told iTnews that the company has been looking for a way to avoid having access to customers' private Secure Sockets Layer (SSL) digital keys when it acts as a reverse proxy for websites.

The only way security-focused organisations could fully enjoy the benefits of moving to the cloud was if their SSL keys weren't given to the CDN provider.

If an SSL key is captured, anyone can fake identities and intercept traffic, making it critical for an organisation to keep them secure. This often makes it impossible for financial organisations, for example, to use content delivery networks or proxies that sit between them and their clients.

Cloudflare's solution works as follows: when isitors request access to a website, the web browser obtains public key-encrypted premaster secrets from Cloudflare to the web host's key servers to authenticate the communication.

The credentials received from the key servers return decrypted premaster secrets, which are combined with entropy from visitors and Cloudflare to derive identical sessions keys for encrypted content requests from the reverse proxy provider. In other words, they enable Cloudflare and the site visitor to set up an encrypted communications channel.

The keyless SSL code has been audited by independent third-parties, Sullivan said.

"We had iSEC Partners and Matasano Security check the code, two well-regarded organisations when it comes to cryptography, and they've shown it not to raise the risk " Sullivan said.

Sullivan said the Keyless SSL code will be open sourced, so that it can be used by the wider community and reviewed. Parts of Keyless SSL are already open source, he said.

Click for an enlarged picture; source: Cloudflare

Keyless SSL is available to Cloudlfare enterprise customers worldwide from this week, Sullivan said. He declined to reveal the pricing, which will depend on the size of the customer.

Expert sceptical

While the full technical details of Cloudlfare's Keyless SSL solution won't be published until the weekend, Auckland University computer scientist and cryptographer Peter Gutmann, PhD, told iTnews that there was a product called TriStrata with similar promises in the late 1990s.

TriStrata was given a scathing review by noted security researcher Bruce Schneier who ended up having a public row with the company over his findings.

Gutmann also questioned if Cloudflare's Keyless SSL was novel.

 It's very hard to see what distinguishes this from standard SSL offload in which the crypto is done in an external device or system," he said. "This has been industry-standard practice for pretty much as long as SSL has been around.

"From the diagrams that CloudFlare have published, it looks like they've reinvented SSL offloading, doing the SSL crypto in an external device or system."