Defense in Depth: Why SSL is not Enough

April 10, 2014 / Healthcare, Security

This week’s revelation of the Heartbleed defect in OpenSSL has been eye-opening for the entire Internet. Bruce Schneier labeled it “Catastrophic. On the scale of 1 to 10, this is an 11.”

The Snowden revelations raised our collective concerns for the security and privacy of the internet. Even those who attribute only noble intentions to the NSA realize that if the NSA can crack a code then perhaps less savory actors can as well.

SSL is something we’ve all taken for granted: it just works to keep Internet connections secure. As computers have gotten faster, key lengths have increased. The SSL protocol itself has been replaced by TLS, but the old name has stuck around. SSL has been so useful and simple that it has been embedded into every browser, almost every VPN, and now even thermostats and smart refrigerators. The Internet security community has figuratively put almost all its eggs in one basket. That metaphorical basket has just been dropped on the floor, and now we have a cleanup on aisle 4 of epic proportions.

At Cloak Labs we have reviewed our production and development systems to make sure that we are not vulnerable. Our enterprise messaging system does not use the defective version of OpenSSL and was never at risk. We did have to patch one of our WordPress servers but that was about it.

But more importantly, Cloak Labs’ messaging technology provides defense in depth. Even if we had been running a defective version of OpenSSL, the RSA and AES layers used to protect your messages would not have been compromised. The security provided by AES is second to none and Cloak Labs’ robust approach to PKI makes compromise of the RSA layer virtually impossible.
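The layering idea described above, as an added example that is not Cloak Labs' code: each message is sealed with a fresh AES-256-GCM key that is wrapped with the recipient's RSA public key before it ever reaches the SSL/TLS layer. The function names, key sizes, RSA-OAEP padding choice and the sample message are assumptions made for this illustration.

```javascript
// Added illustration: message-layer (envelope) encryption beneath TLS.
// Not Cloak Labs' code; all names and parameters here are assumptions.
const crypto = require("node:crypto");

// Recipient's long-term RSA key pair (generated here only for the demo).
function newRecipientKeys() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Seal: fresh AES-256-GCM key per message, wrapped with RSA-OAEP (SHA-256).
function sealMessage(publicKey, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    key
  );
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Open: unwrap the AES key with the private key, then verify and decrypt.
function openMessage(privateKey, env) {
  const key = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    env.wrappedKey
  );
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, env.iv);
  decipher.setAuthTag(env.tag); // final() throws if body or tag was altered
  return Buffer.concat([decipher.update(env.body), decipher.final()]).toString("utf8");
}

// What the transport layer carries (and what is exposed if TLS alone fails):
// the serialized envelope, not the plaintext and not the unwrapped AES key.
function transportView(env) {
  return Buffer.concat([env.wrappedKey, env.iv, env.body, env.tag]);
}

// Constructed sample message.
const SAMPLE = "constructed sample: patient-id=0000 result=negative";
const keys = newRecipientKeys();
const envelope = sealMessage(keys.publicKey, SAMPLE);
console.log("transport layer sees", transportView(envelope).length, "opaque bytes");
console.log("recipient reads:", openMessage(keys.privateKey, envelope));
```

The inner layer only helps where the RSA private key and the plaintext never reside in the process that terminates TLS, since a memory-disclosure defect exposes whatever that process holds.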

At Cloak Labs we enjoy using fortresses as visual metaphors for network security. In that vein, here’s SSL:

[Image: Frontier Fort (Courtesy PublicDomainPictures)]

And here’s Cloak Labs:

[Image: Vauban Fortifications. Defense in Depth as Designed by Sébastien Le Prestre de Vauban]

Vauban was one of the foremost military engineers of the 17th century. He mastered the concept of fortification in depth. I learned about him while studying the past glories of France in the French expat schools I attended as a child.

Which fortress would you rather be inside of?

Dr. Michel Floyd
Cloak Labs

About the author

Dr. Michel Floyd: Michel has spent his entire career in Silicon Valley in a succession of technology and business leadership roles. Most recently Michel was Global CTO at YouGov Plc, a global opinion research company based in London. In that role he helped integrate a large number of acquisitions in different parts of the world. He built up a world-class development team distributed from Germany to Alaska to Peru. His accomplishments include releasing an interactive, 14 country brand tracker which is both the company's fastest growing and most profitable product. Before YouGov Michel was EVP & CTO at Knowledge Networks (subsequently acquired by GfK). There he focused on technology, operations, and driving business efficiency throughout the company. He had P&L responsibility over $13M in revenues and also served as interim CEO. Michel earned his SB, SM, and ScD degrees in aeronautical and astronautical engineering from MIT. He has participated in two IPOs and numerous acquisitions, primarily on the buy side. He has been awarded 4 patents. Dr. Floyd is also on the board of directors of VLAB, the Silicon Valley chapter of the MIT Enterprise Forum.

