What is Heartbleed?
Nothing big, it is just the biggest vulnerability in the last two years that could compromise all your passwords and sensitive data. Heartbleed has been the latest buzz over the internet, and you should have received emails from big, reputable corporations recommending that you change your passwords on their websites.
Heartbleed is a vulnerability in the very popular OpenSSL. OpenSSL is a commonly used implementation of SSL that is used to secure internet communication between your device and a server. With Heartbleed, not only is communication between the client and the server insecure, but the attack can be initiated remotely and attack activity isn’t logged anywhere. A malicious client can essentially send bad packets to an OpenSSL server to extract sensitive data from the server’s working memory. This is some very scary stuff, as a hacker can use the Heartbleed vulnerability to steal all your sensitive data and you wouldn’t even detect its occurrence.
Since so much of the infrastructure we use relies on OpenSSL, it will take a large amount of resources to patch all of it. And much of it will even go unpatched. For those companies using Crypteron’s security solutions, there is no need to worry about this vulnerability. You are already protected! The best part? Crypteron’s engineering design makes it future-proof against any such vulnerabilities that could compromise SSL itself. One must remember, although researchers shone light on Heartbleed just recently, it’s been operating in the dark for almost 2 years. It’s very likely the ‘next Heartbleed’ is already out there.
Why are companies that use Crypteron not impacted by Heartbleed?
At Crypteron, we utilize a defense-in-depth, multi-layer cryptographic approach across our security solutions. This means that there are multiple layers of security that protect your data. Our security solutions are very similar to a bank, where there are outer walls of the building, a safe inside the building, then a cage inside that safe, and a lockbox inside the cage. An intruder has to penetrate multiple layers to get to your data, making it extremely difficult, and in our case impossible.
To illustrate, let’s assume a hacker exploits the Heartbleed vulnerability and hacks into the SSL layer. Once inside the SSL tunnel, in almost every case, the application data is visible in clear view. In all such cases, it’s game over for your sensitive data, since an attacker can now easily get to it in the clear. However, at Crypteron we protect your sensitive data even inside that SSL pipe with multiple and fully independent layers of encryption. Not only are the inner encryption keys completely separate from the outer layers, but the inner layer is AES256 protected. So even if one encounters sub-optimal SSL settings, Crypteron can still maintain a high level of overall information assurance. In fact, there are two examples showing this isn’t just a fanciful thought experiment: it’s real. One involves TLS (SSL’s successor) and SSL, where if a server were forced to use RC4 (an aging, backwards-compatible cryptographic algorithm) the data within the SSL pipe can be compromised (source: The Register). Another example involves AES, where enabling compression on an SSL connection that’s using AES128 can still compromise the encryption keys and your SSL-protected data (source: ePrint Archive). In short, while SSL is good, it can’t be blindly trusted.
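To make the inner-layer idea concrete, here is an added illustration in Go (not Crypteron’s own code, which this post does not show) using the standard library’s AES-256-GCM: the application seals each record under a key the SSL layer never sees, so a Heartbleed-style read of the SSL layer’s memory yields only the sealed envelope. The key and the sample record are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 32-byte key (AES-256). The key is held
// by the application only and is never handed to the SSL/TLS layer.
func newGCM(innerKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(innerKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPayload produces the bytes the application hands to the SSL layer:
// nonce || ciphertext || authentication tag. No plaintext reaches the tunnel.
func SealPayload(innerKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(innerKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenPayload recovers the record; a wrong key or any tampering is rejected.
func OpenPayload(innerKey, envelope []byte) ([]byte, error) {
	gcm, err := newGCM(innerKey)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize() {
		return nil, io.ErrUnexpectedEOF
	}
	return gcm.Open(nil, envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():], nil)
}

// LeakExposesSecret models a Heartbleed-style read of the SSL layer's buffer:
// it reports whether the secret is recoverable from what that layer held.
func LeakExposesSecret(sslBuffer, secret []byte) bool {
	return bytes.Contains(sslBuffer, secret)
}
```

Without the inner layer the SSL buffer holds the record itself and `LeakExposesSecret` is true; with it the buffer holds only the envelope and the check is false.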
Crypteron’s multi-layer security and cryptography is also useful for protecting against as-yet-unknown vulnerabilities, because it is exceedingly unlikely for bugs or vulnerabilities to be present in multiple layers at the same point in time. So even if a weakness is detected in one layer (for example, a zero-day vulnerability) and it is going to take a vendor or your team two weeks to fix it, your core data (at rest or in transit) is never at risk and you’re not under the gun to deliver a solution ‘right now!’.
Please feel free to ask us any questions or leave comments in the box below. Our engineers are closely watching the security implications of Heartbleed and would be happy to discuss it.