Blog Post

CloudFlare launches new way to enforce security with Keyless SSL

CloudFlare, a web security and performance startup, on Thursday detailed a new technology that lets companies avoid sharing their Secure Sockets Layer (SSL) keys, the unique tokens organizations use to ensure that sensitive data is encrypted as it passes through a network, when passing information to web browsers.

The new technology, called Keyless SSL, is essentially an extension to TLS, the security protocol that keeps communications between websites and web browsers private. When a user visits a secure website, such as one run by a financial institution, a lot happens in the background, unseen by the user, to make the network connection safe. In short, a web browser and a website or application need to exchange their unique SSL keys with each other before the connection can be secure.

For many financial institutions, however, federal regulations make it difficult to exchange those SSL keys because of their sensitive nature, explained CloudFlare CEO Matthew Prince. As a result, when users access these institutions’ websites from countries far from the home data centers where the SSL keys are stored, there can be a huge delay in the exchange between the web browser and the organization’s website.

With Keyless SSL, CloudFlare can set up an intermediary server that acts as an SSL key master of sorts. The intermediary server, or key server, requests the necessary information about the SSL keys held on the host server and passes that information on to the web browsers. This way the SSL keys never have to leave their location, yet the same security protocol takes place.
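As an added illustration of the split the article describes, and not CloudFlare's own code, here is a small Go program in which the edge holds only the certificate's public key and asks a separate key server to sign the handshake transcript, so the private key never leaves the key server. The KeyServer and Edge types, the RSA key pair and the transcript bytes are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyServer stays in the origin's data center and holds the private key.
type KeyServer struct{ priv *rsa.PrivateKey }

// Sign is the only operation the edge can ask for: a signature over a digest.
func (k *KeyServer) Sign(digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, digest)
}

// Edge terminates TLS at the CDN with the certificate's public key and a key-server handle, but no private key.
type Edge struct{ Pub *rsa.PublicKey; ks *KeyServer }

// HandshakeSignature hashes the handshake transcript and has the key server
// sign the digest, as in a signed (EC)DHE key exchange.
func (e *Edge) HandshakeSignature(transcript []byte) ([]byte, error) {
	d := sha256.Sum256(transcript)
	return e.ks.Sign(d[:])
}

// ClientVerify is the browser's check using the certificate's public key.
func ClientVerify(pub *rsa.PublicKey, transcript, sig []byte) bool {
	d := sha256.Sum256(transcript)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// NewDeployment generates a constructed origin key pair and gives the edge
// only the public half plus a handle to the key server.
func NewDeployment() (*Edge, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Edge{Pub: &priv.PublicKey, ks: &KeyServer{priv: priv}}, nil
}

func main() {
	edge, _ := NewDeployment() // demo only; errors ignored for brevity
	t := []byte("constructed ClientHello||ServerHello||ECDHE params")
	sig, _ := edge.HandshakeSignature(t)
	fmt.Println("browser verified edge signature:", ClientVerify(edge.Pub, t, sig))
}
```

In a real deployment the Sign call would cross the network to the origin, which is exactly why only a digest, never key material, travels over that link.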

CloudFlare figure detailing Keyless SSL

Prince said he got the idea from conversations with financial institutions that wanted to use the startup’s services but were hesitant to share their SSL keys. To take advantage of certain cloud providers and content delivery networks like CloudFlare, customers have to be willing to hand those SSL keys over to the provider. Prince and the CloudFlare team worked for two years to develop Keyless SSL to solve that problem.

As of now, only customers on CloudFlare’s enterprise business plan will be able to use the new technology. But Keyless SSL opens the door for any institution, not just financial ones, to keep their SSL keys right where they want them and get faster service in return.

4 Responses to “CloudFlare launches new way to enforce security with Keyless SSL”

  1. So basically CloudFlare started peddling snake oil. SSL keys between a customer’s browser and SSL entry point into website have *nothing* to do with the rest of the encryption keys used by the financial institution.

  2. This is great work but I am picking a nit in that it is not really new. For those in the know, Netli (a startup acquired by Akamai) pioneered this approach and in fact used it at SAP, HP and other enterprises. Let me know if you want more details on it.