Emerging Security as a service can be a double-edged sword, warns Stefan Certic
BELGRADE, SERBIA, July 20, 2021 /24-7PressRelease/ -- Computer scientist and cyber security researcher Stefan Certic warns that emerging Security as a Service (SECaaS) can be a double-edged sword.
Modern asymmetric cryptography, in its essence, gives the browser a way to verify the authenticity of the website it is talking to and to stop a third party from decrypting the session as a man in the middle: the server proves possession of the private key that matches its certificate, and the keys protecting the session end up only at the two endpoints.
Privacy benefits inspired the Encrypted Web Initiative back in 2014, when major search engines announced that encrypted web communication would count as a positive signal in search engine ranking. In the following years the SEO race brought us to the point where the majority of websites, 51.8 percent, use SSL (that is, TLS).
Most internet traffic is now encrypted in transit using Transport Layer Security (TLS), so an ISP or "a guy next door" can no longer read your browsing data, let alone your passwords, by sniffing Ethernet or Wi-Fi. (They can still see which hosts you connect to, since the destination address and, in most deployments, the server name indication travel in the clear; the content itself is protected.) Mission accomplished.
So, what could go wrong?
The imposed changes required a bit of technical knowledge from website owners to implement, which turned out to be a perfect business opportunity, seized by a couple of startups and sold as "Let us do it for you": just point your name servers at us and we will handle the rest.
According to public data, SECaaS companies protect at least 12 million websites, adding approximately 20,000 new customers every day. These numbers keep growing rapidly, and such services already carry around 20% of global Internet traffic.
As opposed to the primary idea of Public Key Infrastructure, SECaaS has something different at its core:
- Ensure the visitor can't reach the origin server directly. This protects the owner, not the user.
- Ensure encryption terminates at the edge of the service. In other words, the edge decrypts the visitor's session and re-encrypts it toward the origin, acting as a legitimate "man in the middle", so the website owner need not become a cryptography expert to follow the search engine initiative.
With all hats off to the initiative and its attempts to make the web a more secure and private place for end users, the modern Internet has ended up with a few fundamental problems:
- The visitor has no way to validate that the server answering is the origin server it is supposed to be; the certificate and private key the browser verifies against are held by the edge, not by the origin.
- There is no way to prevent a theoretical man-in-the-middle interception, which puts the SECaaS provider in a privileged position to sniff traffic and execute an attack.
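One practical check a visitor or auditor can run is to look at the certificate a host actually presents: when TLS terminates at a shared edge, the leaf certificate frequently covers many unrelated customers' domains in its subjectAltName list, which a dedicated certificate never does. The script below is an added example written for this article, not code from Certic or from any SECaaS provider. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the two sample certificates (`SHARED_EDGE_CERT`, `DEDICATED_CERT`) and every domain name in them are constructed for the example, and `registrable_domain` uses a deliberately simplified "last two labels" rule that a production tool would replace with a public suffix list.

```python
"""Heuristic: does the certificate a host presents look dedicated to that
site, or like a shared edge certificate covering many unrelated domains
(a sign that TLS terminates at a SECaaS/CDN edge rather than the origin)?
Operates on the dict shape returned by ssl.SSLSocket.getpeercert()."""
import socket
import ssl

# Constructed sample data (not real certificates): the getpeercert() shape
# for a leaf shared by several unrelated customers of a hypothetical edge
# provider, and for a certificate dedicated to a single site.
SHARED_EDGE_CERT = {
    "subject": ((("commonName", "sni.example-edge.invalid"),),),
    "issuer": ((("organizationName", "Example Edge CA"),),),
    "subjectAltName": (
        ("DNS", "sni.example-edge.invalid"),
        ("DNS", "shop-alpha.example"),
        ("DNS", "*.shop-alpha.example"),
        ("DNS", "blog-beta.example"),
        ("DNS", "gamma-bank.example"),
    ),
}
DEDICATED_CERT = {
    "subject": ((("commonName", "www.shop-alpha.example"),),),
    "issuer": ((("organizationName", "Some Public CA"),),),
    "subjectAltName": (
        ("DNS", "www.shop-alpha.example"),
        ("DNS", "shop-alpha.example"),
    ),
}


def san_dns_names(cert):
    """All DNS names in the certificate's subjectAltName extension, lowercased."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def registrable_domain(name):
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption: no multi-label public suffixes (co.uk etc.); a real tool
    would consult the public suffix list here."""
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    return ".".join(name.split(".")[-2:])


def hostname_matches(hostname, cert):
    """RFC 6125-style match: exact SAN, or a single-level wildcard SAN."""
    host = hostname.lower()
    for san in san_dns_names(cert):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def unrelated_san_domains(cert, hostname):
    """Registrable domains on the certificate that are not the target's own."""
    own = registrable_domain(hostname)
    return {registrable_domain(n) for n in san_dns_names(cert)} - {own}


def classify(cert, hostname):
    """'no-match' if the cert does not cover the host at all, 'shared-edge'
    if it also covers other parties' domains, otherwise 'dedicated'."""
    if not hostname_matches(hostname, cert):
        return "no-match"
    return "shared-edge" if unrelated_san_domains(cert, hostname) else "dedicated"


def fetch_cert(hostname, port=443, timeout=5.0):
    """Live fetch (needs network): full-verification TLS handshake, then the
    validated leaf certificate in getpeercert() dict form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    host = "www.shop-alpha.example"
    for label, cert in (("shared sample", SHARED_EDGE_CERT), ("dedicated sample", DEDICATED_CERT)):
        print(f"{label}: {classify(cert, host)}; other domains on cert: "
              f"{sorted(unrelated_san_domains(cert, host))}")
    if len(sys.argv) > 1:  # optional live check: python edge_check.py <hostname>
        target = sys.argv[1]
        live = fetch_cert(target)
        print(f"{target}: {classify(live, target)}; others: "
              f"{sorted(unrelated_san_domains(live, target))[:10]}")
```

Read the result as evidence, not proof: a shared certificate is a strong indicator that the session terminates at an edge, but a dedicated-looking certificate does not show the opposite, since edge providers also issue per-customer certificates, and whoever the site's name servers point to holds the private key in either case.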
Essentially, the end-to-end guarantee of the cryptography was broken the very moment millions of private keys came to be held in one place, the same place that also transits the traffic encrypted with those keys.
Does that mean interception of traffic can no longer be carried out by a "guy next door", your ISP, or a suspicious car parked across the street? Yes! However, a single email request for your data to a SECaaS provider could, in theory, yield a full set of that data no matter where you are in the world, warns Ćertić in a recent blog post published on the site of his information security consulting firm, https://www.certic.info
# # #