Guardian, FT, etc. share their internet encryption keys with many

We have all heard about hackers stealing huge user databases with passwords as they are tempting bounties. FT, Guardian and many others create a new kind of reward – their internet encryption keys via CDNs – services speeding up web traffic.

Headlines about massive password breaches have become a normality. Hackers download an initial user database, extract as much as they can, use the data to find more user details and either sell personal profiles or attack our online accounts. I wrote this when I saw (using our tool KeyChest) how content delivery networks are trying to save money for certificates for even big customers. Read the last section why I don’t think it’s a good idea.

A bit of introduction

How CDN works – they speed up and protect websites against DoS attacks (courtesy of Wikipedia).

What is not so well-known is a similar threat created by increasing use of content delivery network (CDN) services. These services basically cache content of web servers and send it to us when we want to read online news, order weekly groceries, or check the council’s website for election results.

One of the main reasons why big companies, including banks, started using CDN was the danger of massive denial of service (DDoS) attacks. These attacks send a huge number of requests towards web servers, making them unavailable for real customers. CDNs are big server banks with a network connection, which can withstand these attacks.

Re-direction attack – confusing our laptops to connect to a malicious website (HTTP GET), instead to the “Intended Destination”.

The trouble is SSL – encryption of data between servers and our laptops and iPads. This encryption prevents attackers from intercepting data in the middle, but it also prevents CDN to provide its service.

SSL prevents a number of attacks, which confuse our devices with the purpose to steal our passwords and credit card numbers. When we go online shopping, the attack will make your computer go to a malicious website instead of “Intended destination”, which looks exactly as the original one. You may never find out that it happened, but the bad guys will see and collect everything you type into your browser.

OK, so how did CDN services solve the problem? They basically asked their customers to give them their encryption keys (usually the customers give their CDN a permission to create new keys on their behalf). These keys are the core of the SSL protection and if the CDN has the correct key, it can start “pretending” to be their customer and become invisible to us.

The problem

The core of CDN services is speed. And if you ask anyone, speed is not exactly the first thing, which springs to mind when you say “security”. There have been several research papers recently about the risks, but the reality may be even worse.

The CDN traffic is steadily increasing its share of the total internet data. It was 52% in 2016 and CISCO predicts that to increase to 71% in 2021.

At the same time, encrypted traffic formed more than 50% of all web traffic in 2016 according to the Electronic Frontier Foundation (EFF).

So how do CDN networks do that? Well, they obviously go the route of least “resistance”. They create huge lists of encryption keys and distribute them wherever they are needed. Remember that CDNs need vast numbers of servers to handle the traffic. Each of these servers will need a copy of the encryption key for each of your request for a web page. While generating keys is relatively easy, they also need our browsers to trust it.

Cyber “neighbors” of Financial Times

This trust is not for free and “certificates” showing the keys can be trusted by our browsers have to be purchased. In a previous post, I argued that if you go for free CDN service, you get a certificate with a lot of “neighbors” – other websites, which are on the same certificate as yours.

Servers sharing certificate with Guardian

This sharing may be a source of jokes, but it also may have security implications. The reason is that it increases the value of each such key. More value, more incentives. More incentives, the more likely someone will see it as a viable target of attacks.

I was amazed when I tested our certificate tool KeyChest, that such a big website as Guardian (one of the biggest UK newspapers) shares its certificate with Appliances Direct, Asda Good Living, Minted, and many others (click on the picture to see a complete list). Similarly Financial Times, Anheuser Busch, Costa, and many many others.

The threat

If I learnt anything in my 20 years of doing IT security, it was that no system is completely secure. The chances of you being a victim of a cyber-attack increase with use of mainstream applications (e.g., WordPress as an online blog), and being successful (more customers, more data, more value), and having sensitive data in one place.

What I see in the growth of the CDN market and they way these companies operate is the fast growth of their value as a target of cyber-attacks. I don’t mean external threats only, but internal threats as well. It’s more likely someone will try to steal one diamond, rather than tons of silver.

I did not expect much from an SSL service in free-tier CDN services, but sharing a single encryption key among really big websites with tens of thousands visitors a day is pretty outrageous as it shows how little CDN companies think about security.

We need to decrease the bounty. We need to lower the value of each key and there are only two ways to do it:

  1. you use a different key for each website using CDN services; or
  2. you shorten the validity of those keys so they are worthless in minutes after being stolen.

Do you find anything interesting with KeyChest? Share it with us by tweeting with #keychest!

Update – 23rd June

  1. We looked at the chance of an attacker tampering with SNI extensions during TLS handshakes – all looks sound here.
  2. We still have to verify if sharing a certificate and the private key among many random websites may avoid security warning during browser cache attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *