December 23, 2024

Linux Foundation to Host Open Encryption Project

Posted on April 9, 2015 by in Security

Linux Foundation to Host Let’s Encrypt, Project to Bring Free SSL Certs to Websites

An Internet where most websites use security certificates and encrypt data by default is no longer just a dream. A consortium of Internet and technology companies and organizations is banding together to make it easier for website owners to obtain and set up security certificates.

The Let’s Encrypt project is a free and automated security certificate authority which will simplify the process of obtaining a security certificate for websites, the Linux Foundation and the Internet Security Research Group said Thursday. It’s increasingly clear the only way to have reliable security online is to have every website be encrypted, served over Transport Layer Security (TLS), so that people’s information is protected from snoops, the Linux Foundation said. The goal is to make it easier for website owners to apply for and install a security certificate on their domains.

“Encryption should be the default for the web,” Josh Aas, executive director of ISRG, told SecurityWeek. Let’s Encrypt will help “increase TLS usage on the Web,” he said.

Data such as login credentials, financial information, browser cookies, and other types of sensitive or personal information travel from user computers to websites, or across multiple websites. All this information can easily be intercepted by eavesdroppers, but not if the Web application encrypts the information before sending it through the network. “A secure Internet benefits everyone,” Jim Zemlin, executive director at The Linux Foundation, told SecurityWeek.

Let’s Encrypt takes the world a step closer to a time when more websites would use a certificate and TLS would be the default across the Web, rather than the present where most sites do not even have a valid certificate, Aas said. The free and simple process should take no longer than a few minutes to complete.

Currently, it is difficult for website owners to obtain a certificate because the process may be too complicated or too expensive. Owners may also be overwhelmed by the different certificate types and not know which one to pick, Aas said. Let’s Encrypt automates the process so that certificates are issued without manual steps. Let’s Encrypt will also manage the certificate, so that if the certificate is nearing its expiration date, the system will handle renewal. There was no reason renewing a certificate had to remain a manual process. Let’s Encrypt will also handle installation and configuration on supported servers, which will likely include most major server software, so that no misconfigured certificates are deployed on servers, Aas said.

Let’s Encrypt will be issuing Domain Validation certificates since this type of certificate can be automatically issued and managed, Aas said. Other types of certificates cannot be issued or managed automatically. Let’s Encrypt will also be focusing on elliptic curve cryptography—ECC—because it is the most effective at protecting online users today, he said.

Let’s Encrypt will be working closely with major hosting providers to offer TLS to all customers, following a model similar to what CloudFlare currently does for its customers, Aas said. Any CloudFlare customer has access to SSL certificates for their domains, for free. Let’s Encrypt will not be working directly with website owners, but will act as the back-end for hosting providers interested in offering free DV certificates to their customers, Aas said. While individuals will be able to get a certificate directly from Let’s Encrypt, the bulk of certificates will likely be issued through a major hosting provider.

“While the web has been a part of our lives for decades now, the data shared across networks is still at risk,” Zemlin said in a statement.

The Linux Foundation will host the Internet Security Research Group and Let’s Encrypt as a Linux Foundation Collaborative Project. Collaborative Projects are independently funded software projects working on innovative programs that will have wide-ranging benefits and impact across industries, Zemlin said. The sponsor companies include Akamai, Cisco, Electronic Frontier Foundation, and Mozilla as founding Platinum members, IdenTrust as a Gold member, and Automattic (maker of WordPress) as the Silver member.

“By hosting this important encryption project in a neutral forum we can accelerate the work towards a free, automated and easy security certification process that benefits millions of people around the world,” Zemlin said in a statement.

Hosting in this context means the Linux Foundation will take on much of the business aspects of running Let’s Encrypt. The Linux Foundation provides the essential collaborative and organizational framework for projects, such as making sure there is money in the bank, hiring and providing benefits to employees, and even setting up a secure data center, so that members of the project can focus on actually building, Zemlin said.

“The Linux Foundation is in the business of supporting brilliant people working on innovative projects,” Zemlin said, noting hundreds of millions of dollars have been invested across various Collaborative Projects.

In this case, ISRG already has made its own arrangements for Let’s Encrypt infrastructure, Aas said, but was careful to note that ISRG is not dismissing the possibility of someday moving to Linux Foundation’s infrastructure.

“We want to build. We don’t want to have to worry about accounting, who is getting paid. I am not good at any of that, but Linux Foundation is,” Aas said, explaining why the relationship works for ISRG.

Let’s Encrypt is not trying to replace traditional certificate authorities. While the project will focus its efforts on getting free certificates out to website owners in a secure and open way, Aas sees the project as something working alongside CAs to get to a world where everyone is using encryption by default.

“The only reliable strategy for making sure that everyone’s private data and information is protected while in transit over the web is to encrypt everything,” Aas said in a statement.

Related: Why “Let’s Encrypt” Won’t Make the Internet More Trustworthy


Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.


PCI Security Standards Council Releases Tokenization Product Guidelines

Posted on April 3, 2015 by in Security

The PCI Security Standards Council announced on Thursday the availability of guidelines designed to help organizations develop tokenization products.

Tokenization is the process in which sensitive information, such as payment card data, is replaced with a randomly generated unique token or symbol. Tokenization products, which can be software applications, hardware devices or service offerings, can help merchants reduce the risk of having their customers’ financial information stolen by malicious actors.

“Tokenization is one way organizations can limit the locations of cardholder data (CHD). A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts,” explained PCI SSC Chief Technology Officer Troy Leach.
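As an added illustration of the tokenization model described above (not code from the PCI Council or any vendor product), a minimal Python token vault: the PAN is stored only in the vault, the token keeps the last four digits for display but its remaining digits are random rather than derived from the card number, and candidate tokens that would pass the Luhn check are rejected so a token cannot be mistaken for a real PAN. The vault class, the function names and the test card number are assumptions made for this example.

```python
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check, as real PANs do."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example: the vault is the only system holding PANs,
    so it is the only system that stays in cardholder-data scope."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]      # same PAN always maps to the same token
        while True:
            # Random middle digits: the token carries no information about the PAN.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]           # keep last four for receipts/display
            # Reject collisions and any candidate that looks like a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only an authorized caller inside the vault boundary should reach this."""
        pan = self._token_to_pan.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return pan
```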

There are several challenges to implementing tokenization, but reliable solutions already exist and representatives of the merchant community believe this could be an efficient approach to preventing payment card fraud and identity theft.

The Tokenization Product Security Guidelines released by the PCI Council have been developed in collaboration with a dedicated industry taskforce. The report focuses on the generation of tokens, using and storing tokens, and the implementation of solutions that address potential attack vectors against each component. The document also contains a classification of tokens and their use cases.

The recommendations in the guidelines are addressed to tokenization solution and product vendors, tokenization product evaluators, and organizations that want to develop, acquire or use tokenization products and solutions.

“Minimizing the storage of card data is a critical next step in improving the security of payments. And tokenization does just that,” said PCI SSC General Manager Stephen Orfei. “At the Council, we are excited about the recent advancements in this space. Helping merchants take advantage of tokenization, point-to-point encryption (P2PE) and EMV chip technologies as part of a layered security approach in current and emerging payment channels has been a big focus at this week’s PCI Acquirer Forum.”

The PCI Council has pointed out that the guidelines are supplemental and don’t supersede or replace any of the requirements detailed in the PCI Data Security Standard (PCI DSS).

PCI DSS 3.0, which focuses on security instead of compliance, went into effect on January 1. Version 3.1 of the PCI DSS, expected to be released this month, targets the SSL (Secure Sockets Layer) protocol. Organizations must ensure that they or their service providers don’t use the old protocol.

Last week, the PCI Council published new guidance to help organizations conduct penetration testing, which is considered a critical component of the PCI DSS.

The Tokenization Product Security Guidelines are available for download in PDF format.


HyTrust Secures $33 Million to Expand Cloud Security Business

Posted on April 1, 2015 by in Security

HyTrust, a provider of policy management and access control solutions for virtual and cloud environments, today announced that it has secured $33 million in new funding, including $8 million in venture debt and credit facilities.

According to the company, the new cash will be used to boost marketing, sales and product development initiatives, as well as expansion into international markets.

HyTrust’s solutions enable the adoption of next-generation architectures through policy-based controls, visibility and data security, which helps enterprises more easily meet compliance mandates, improve application uptime, and securely take advantage of cloud-based capabilities.

The new investment is being led by AITV (Accelerate-IT Ventures). New investor Vanedge Capital also participated in the funding, while existing venture investors—Epic Ventures, Granite Ventures and Trident Capital—and strategic investors Cisco, Fortinet, Intel Corp. and VMware, also participated.

In addition to being backed by several venture firms and enterprise technology companies, HyTrust entered into a strategic investment and technology development agreement with In-Q-Tel (IQT), the not-for-profit venture capital arm of the CIA, back in July 2013.

Along with the $25 million equity investment from the syndicate, HyTrust expanded its relationship with banking partner City National Bank to fund up to $8 million in venture debt and credit facilities.

“HyTrust is perfectly positioned to meet the needs of a market in which so many organizations are building on cloud-based technologies to increase agility for their business,” said Brian Nugent, founding principal and general partner at AITV.

Brian Nugent will join HyTrust’s board of directors, while AITV co-founder and general partner, Bill Malloy III, and Moe Kermani, a partner with Vanedge Capital, will join as board observers, the company said.

“Our goal at HyTrust is to make security automated and policy-based to address the needs of private and hybrid cloud data centers, as well as provide complete visibility into what is happening in cloud environments,” said John De Santis, Chairman and CEO of HyTrust.

Mike Lennon, Managing Editor, SecurityWeek.