Crypteron Negates OpenSSL Heartbleed Vulnerability

What is Heartbleed?

Nothing big, it is just the most serious vulnerability of the last two years, one that could compromise your passwords and other sensitive data. Heartbleed has been the latest buzz across the internet, and you have probably received emails from large, reputable corporations recommending that you change your passwords on their websites.

Heartbleed (CVE-2014-0160) is a vulnerability in the very popular OpenSSL library, a widely used implementation of SSL/TLS that secures communication between your device and a server. The bug is a missing bounds check in OpenSSL's handling of the TLS Heartbeat extension (RFC 6520): a peer sends a heartbeat request whose declared payload length is larger than the payload it actually sent, and the affected versions (OpenSSL 1.0.1 through 1.0.1f) copy the declared number of bytes, up to 64 KB per request, from whatever happens to sit in the process's memory into the response. The attack works remotely, needs no authentication, and leaves no trace in application logs because it happens inside the TLS layer before any application code runs. The leaked memory can contain session cookies, passwords, and even the server's private key. The usual scenario is a malicious client probing a server, but a malicious server can attack a vulnerable client the same way. This is very scary stuff: an attacker can use Heartbleed to steal your sensitive data and you would not even detect that it happened.
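To make the mechanism concrete, here is an added example written for this article (it is not OpenSSL's code and not Crypteron's) that models the heartbeat handler with and without the bounds check. The record layout follows RFC 6520; the 256-byte arena, the request that declares 100 payload bytes while sending 4, and the cookie string placed right after the record are constructed so the over-read is visible.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/*
 * Added example modelling TLS Heartbeat (RFC 6520) processing. Not OpenSSL's
 * code: the message layout is real, but buffer sizes, declared lengths and the
 * "secret" placed after the record are constructed for illustration.
 *
 * HeartbeatMessage: type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  256

/* The received record. data points into a larger buffer, just as OpenSSL's
 * record buffer sits inside process memory next to other data. */
struct tls_record {
    const unsigned char *data;
    size_t length;              /* bytes actually received */
};

static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Writes type, echoed length, `payload` bytes copied from src, then padding. */
static size_t write_response(unsigned char *out, const unsigned char *src, uint16_t payload) {
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, src, payload);          /* the copy that Heartbleed turns into a leak */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 through 1.0.1f behaviour): trusts the peer's
 * payload_length and never compares it with rec->length, so memcpy reads past
 * the received bytes into adjacent memory. Returns response length, 0 if none. */
static size_t heartbeat_vulnerable(const struct tls_record *rec, unsigned char *out) {
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    uint16_t payload = read_u16(p);
    p += 2;
    if (type != HB_REQUEST) return 0;
    return write_response(out, p, payload);
}

/* Fixed handler (the 1.0.1g check): reject records too short for any heartbeat,
 * then require declared payload plus padding to fit in what was received.
 * RFC 6520 section 4: such messages are silently discarded. */
static size_t heartbeat_fixed(const struct tls_record *rec, unsigned char *out) {
    const unsigned char *p = rec->data;
    if (1 + 2 + HB_PADDING > rec->length) return 0;
    unsigned char type = *p++;
    uint16_t payload = read_u16(p);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return 0;
    if (type != HB_REQUEST) return 0;
    return write_response(out, p, payload);
}

/* Constructed sample of sensitive data that happens to follow the record in memory. */
static const char SECRET[] = "Cookie: session=9f2c7e11";

typedef size_t (*hb_handler)(const struct tls_record *, unsigned char *);

/* Build a request in the arena: `actual` payload bytes really sent, `declared`
 * claimed in the length field, 16 bytes padding, then SECRET right after. */
static struct tls_record build_request(unsigned char *arena, uint16_t declared, size_t actual) {
    struct tls_record rec;
    size_t end = 3 + actual + HB_PADDING;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared >> 8);
    arena[2] = (unsigned char)(declared & 0xff);
    memset(arena + 3, 'A', actual);
    memcpy(arena + end, SECRET, sizeof SECRET);
    rec.data = arena;
    rec.length = end;
    return rec;
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* A request claiming 100 payload bytes but sending 4 (declared kept small so the
 * demo stays inside the arena; real attacks declare up to 65535): does h leak SECRET? */
static int leaks_secret(hb_handler h) {
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE + 3 + HB_PADDING];
    struct tls_record rec = build_request(arena, 100, 4);
    size_t n = h(&rec, out);
    return n > 0 && contains(out, n, SECRET);
}

/* Response length for an honest request (declared == actual == 4): 3 + 4 + 16 = 23. */
static size_t honest_response_len(hb_handler h) {
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE + 3 + HB_PADDING];
    struct tls_record rec = build_request(arena, 4, 4);
    return h(&rec, out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", leaks_secret(heartbeat_fixed) ? "yes" : "no");
    printf("honest request, fixed handler:   %zu bytes\n", honest_response_len(heartbeat_fixed));
    return 0;
}
```

Compiled and run, the vulnerable handler answers the malformed request with a response that contains the cookie the request never carried, while the fixed handler returns nothing for that record and the normal 23 bytes for an honest one. Against real OpenSSL the declared length can be 65535, so each request can return up to 64 KB of process memory, and because the exchange is handled entirely inside the TLS layer nothing reaches the application's logs.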

Since so much of the infrastructure we rely on uses OpenSSL, patching all of it will take a large amount of resources, and much of it will go unpatched. Companies using Crypteron's security solutions do not need to worry about this particular vulnerability: your data is already protected by an encryption layer that does not depend on SSL. The best part? The same design also guards against future vulnerabilities that compromise SSL/TLS itself. Remember that although researchers only recently brought Heartbleed to light, the bug had been present in released OpenSSL versions for about two years. It is very likely the 'next Heartbleed' is already out there.

Why are companies that use Crypteron not impacted by Heartbleed?

At Crypteron, we use a defense-in-depth, multi-layer cryptographic approach across our security solutions. This means there are multiple independent layers of security protecting your data. Think of a bank: the outer walls of the building, a safe inside the building, a cage inside that safe, and a lockbox inside the cage. An intruder has to penetrate every layer to reach your data, which makes the job extremely difficult.

To illustrate, assume an attacker exploits Heartbleed or otherwise breaks the SSL layer. Once inside the SSL tunnel, in almost every deployment the application data is visible in the clear, and at that point it is game over for your sensitive data. At Crypteron, however, your sensitive data is protected even inside the SSL pipe by additional, fully independent layers of encryption. The inner encryption keys are completely separate from anything the SSL layer uses, and the inner layer is AES-256 protected. So even with sub-optimal SSL settings, Crypteron still maintains a high level of overall information assurance. Two real-world examples show this is not just a thought experiment. The first involves SSL and its successor TLS: if a server is forced to use RC4 (an aging algorithm kept for backwards compatibility), statistical biases in the RC4 keystream let an attacker recover data inside the SSL pipe (source: The Register). The second involves compression: enabling compression on an SSL connection lets an attacker who can inject chosen data and observe ciphertext lengths recover protected secrets such as session cookies, and using AES-128 does not help, because the leak is in the message length rather than in the cipher (source: ePrint Archive). In short, while SSL is good, it cannot be blindly trusted.

Crypteron’s multi-layer security and cryptography also help against as yet unknown vulnerabilities, because it is very unlikely that independent layers will be broken at the same point in time. So when a weakness is found in one layer (for example, a zero-day vulnerability) and it will take a vendor or your team two weeks to fix it, your core data (at rest or in transit) stays protected by the remaining layers and you are not under the gun to deliver a fix ‘right now!’. One caveat applies to any memory-disclosure bug like Heartbleed: the inner layer only helps if its keys and the decrypted data are not themselves sitting in the memory that the vulnerable TLS process exposes, so keep application-layer keys and plaintext out of the process that terminates SSL wherever you can.

Please feel free to ask questions or leave comments in the box below. Our engineers are closely watching the security implications of Heartbleed and would be happy to discuss them.

By Yaron Guez. Time to read: 3 min.