Jason Stamper talks to Dr. Taher Elgamal, a world-renowned cryptographer, chief security officer at Axway and the ‘father’ of secure sockets layer (SSL) about recent vulnerabilities in SSL and how to protect against them.
Dr. Taher Elgamal, Axway CSO
Could you start with a summary of Axway’s core capabilities?
Axway is focused on how businesses connect together. There is a huge amount of software for enterprises, and Axway focuses on the connection between enterprises and within the enterprise. It’s an area where all of the security issues come up: a business wants to communicate some interesting things. For example, you need to send health records, but how do we agree on a policy for that?
We may be subject to regulation but that may be different if we are in different countries. It’s a simple product to describe but actually it’s very complex when you get into it. Do you just FTP it, when will it arrive, what happens when things go wrong? Just the sending of a file can go from the protocol level right up to business priorities.
Is this an area where you have cloud technologies?
Yes, because it very quickly starts to need to look like a community rather than point-to-point. So we have Axway ACM [Axway Community Management] which is a cloud product, a real cloud-based application that sits on the public Internet.
What are the security implications of a cloud approach?
The thing is that you don’t want partners to have to worry about protocols and the like. The data itself doesn’t ever live in the cloud, only the connectivity. We separate the data from the channel. It’s like a directory of partners. The vision is to simplify things so that it is even easier to use PKI [public key infrastructure]. Somebody needs to think about protocols but do you want partners to be expert in X.509? The industry has put too much focus on protocols rather than the security of the data. If we had to design the SWIFT protocol today we would not do it how the SWIFT protocol was designed.
You are considered the father of SSL. There have been some issues around CAs [certificate authorities] with SSL and some known issues with SSL itself – is SSL still good enough?
The real message is that every system has to grow over time. Nothing is 100 percent secure and it never will be. You always have to look at new threats and adapt to them. You can’t possibly predict what thieves will come up with next. SSL does not solve all things, but as long as it adapts it will be fine. The idea of replacing it with something else is actually silly, because that something else will suffer from different issues and different exploits.
There has been a lot written about the BEAST exploit but what people forget is that that particular exploit had been known about for some years, but the browser vendors had not – and still haven’t – upgraded their TLS [Transport Layer Security] libraries. They knew there was a weakness but said it wasn’t important enough. Axway has a secure client – it’s not a browser – which protects from that particular vulnerability.
Are organisations and individuals doing enough to ‘beat’ the bad guys – spammers, peddlers of malware and other online fraudsters and phishers? Are the ‘bad guys’ winning?
I am afraid to say that today, I would have to say that the bad guys are winning. And I would say that in the sense that online fraud is much higher now than before the Internet. So, on that basis, yes, they [the bad guys] are winning.
If online becomes involved in or plays a part in almost everything we do as a society, then one percent of that being attacked by some sort of fraud is way too much.
What more should be done by governments, organisations or individuals to better fight cybercrime?
It’s got a lot to do with the day-to-day. If every organisation invested in one more person to do day-to-day security management, it would pay off dramatically. There is no silver bullet. It’s about investing in the day-to-day. But with the right investment, policy and technology, we can catch a lot of this earlier. As the medical profession found with diseases, if you catch things earlier there is a dramatically better outcome.
To what extent do you think that the hack of encryption vendor RSA’s defences damaged the industry’s reputation?
I would say it was not a good thing; it’s not what you want to hear [has happened], neither for them nor for the industry.