Cloud solutions provider CloudFlare today released a blog post about a new feature that it will let customers deploy to prevent or thwart man-in-the-middle attacks. Basically, the solution is almost entirely designed to stop governments or hackers from snooping on (or outright intercepting) your data. More importantly, CloudFlare’s Strict SSL via TLS lets companies properly secure their networks against man-in-the-middle attacks in which governments or hackers divert traffic to themselves, much as the NSA did in order to monitor traffic passing between the servers of Google, Microsoft, Facebook and other companies.
They explain the differences between no SSL encryption, some SSL encryption (what most providers offer) and strict SSL encryption. Essentially, according to them, Strict SSL encryption is what is necessary to prevent such attacks from occurring in the future. The client, or user, must also have certain plugins enabled, like HTTPS Everywhere, which vastly improve the security of a user’s browser session and close holes that could otherwise exist in the communication.
Based on the revelations of what the NSA is capable of (shown as a little red dude in the diagrams), CloudFlare is able to show which devices could potentially be compromised and how to avoid the issues. As you can see in the image above, if no SSL is present at all, there are at least 5 places where the NSA (or others) could launch a man-in-the-middle attack (they cleverly used a Malcolm in the Middle image for this in their blog). Since we know that the NSA can be embedded in your router, in your modem, at your ISP, or anywhere between CloudFlare and the origin server on the internet, there are a lot of opportunities to be attacked without SSL.
Now, if you deploy a solution like CloudFlare’s Flexible SSL, which puts TLS only on the front end, you resolve the issue between CloudFlare and the client device, but you still leave the back end vulnerable (the main problem most big tech companies had with the NSA when it was discovered to be mining their data). By adding back-end SSL encryption, you get a more secure solution, which is essentially what CloudFlare is trying to sell to its current and possibly future customers who care about security. Back-end encryption without validation isn’t necessarily a crazy or new idea, but they are helping raise awareness of the issue that the NSA’s snooping and hacking has presented. The best part, however, comes in their diagram where their strict SSL encryption through TLS is shown.
By adding that last layer of SSL over TLS, they are able to create a solution that they can validate as TLS across the entire path from start to finish, and thereby thwart the NSA’s monitoring of traffic going between the companies’ servers and the ISP, other servers, or even CloudFlare’s own servers. Overall, this is a pretty good looking solution and should encourage others to offer something similar in order to reduce an organization’s exposure to man-in-the-middle attacks like the ones the NSA (and others) have engaged in. I think the countries most spied upon are likely to be the first to implement such a solution.
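The difference between back-end encryption without validation and strict validation is easy to see in code. The following Go program is an added example and is not CloudFlare’s code; it stands up a local HTTPS server with a self-signed certificate (a stand-in for an origin, or for an impostor sitting between the edge and the origin) and pulls from it under the two policies: `InsecureSkipVerify` models "Full SSL" without validation, while normal verification against a trust store models the strict mode.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// originPull fetches url with a given origin-pull TLS policy.
// verify=false models back-end TLS without validation ("Full SSL");
// verify=true models the strict mode. roots is the trust store used
// when verifying; nil means the system roots.
func originPull(url string, verify bool, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: !verify, // without validation, any certificate is accepted
		RootCAs:            roots,
	}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// Demo runs the three cases against a constructed local origin whose
// certificate is self-signed, i.e. not in any default trust store.
func Demo() (fullOK, strictUntrustedOK, strictTrustedOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "origin")
	}))
	defer srv.Close()

	// Case 1: no validation. The untrusted certificate is accepted, so an
	// impostor presenting any certificate at all would be accepted too.
	fullOK = originPull(srv.URL, false, nil) == nil
	// Case 2: strict, system roots only. The untrusted certificate is rejected.
	strictUntrustedOK = originPull(srv.URL, true, nil) == nil
	// Case 3: strict, with the genuine origin certificate trusted. Succeeds.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	strictTrustedOK = originPull(srv.URL, true, pool) == nil
	return
}

func main() {
	full, su, st := Demo()
	fmt.Printf("no-validation=%v strict(untrusted)=%v strict(trusted)=%v\n", full, su, st)
}
```

Only the strict policy distinguishes the genuine origin from an untrusted certificate; the no-validation policy encrypts the hop but accepts whoever answers.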