Last week, Google announced Chrome 54 beta, which includes new advances in encryption. Google’s efforts result in part from NSA warnings last year that quantum computers will eventually be able to crack current encryption algorithms. While Google is to be lauded for advancing encryption technology used in browsers, the move comes at a time when many organizations still do not take full advantage of current encryption safeguards.
How real is the quantum computer threat?
Before we lament the less-than-stellar state of current encryption, let’s examine the future risks that quantum computers represent to encryption in general. Quantum computers process alarming amounts of data which allows them to make extraordinary calculations that would render current encryption ineffectual. CNET serves up a quick explanation of how quantum computers crack encryption technology.
Venafi Chief Security Strategist, Kevin Bocek, takes the NSA’s advisory and Google’s reaction very seriously. He feels that it’s safe to assume that “adversaries are trying to break encryption, our systems of trust and authentication, and may soon be able to do so.” As a result, he applauds Google for stepping up its efforts and experimenting with post-quantum-cryptography early on.
What is the real threat today?
Back to reality. Sadly, Encryption Everywhere is still more of a goal than it is a reality. So while Google is actively developing technologies that would stop quantum computers from cracking current encryption, many companies are still vulnerable to current attacks against encryption.
Even if they have implemented encryption for publicly facing websites, many do not even know how many keys and certificates they have or how they are being used (and potentially misused) in their environments. Cybercriminals can circumvent this encryption by misusing untracked keys and certificates to hide in encrypted traffic, eavesdrop on communications, deploy malware, and spoof websites.
How are companies making vulnerable encryption even worse?
Vulnerabilities, such as Heartbleed and the more recent DROWN, have proven how easy it is for certificates to be exploited. Yet many companies simply did not take remediation of these vulnerabilities seriously—many rotated certificates, but did not replace keys. A year after Heartbleed, almost ¾ of the Global 2000 still had not completely remediated, leaving them exposed.
Another weak cryptography practice is the continued use of vulnerable SHA-1 certificates, on which many businesses still rely. Despite warnings from the NSA and NIST over 10 years ago, SHA-1 certificates are still widely used by organizations. According to Bocek, “People are slow to adapt to change, despite the fact they are leaving themselves at risk.” He estimates that “the internet is still flooded with SHA-1 certificates, and will remain so—I would bet—until January 2017 when browsers will finally stop trusting SHA-1.”
Bocek sums it up, “We must put in place fast, easy automation for web encryption and authentication. This will help protect the foundation of online security today and help us respond to new vulnerabilities and the crypto requirements of the future.”
His counsel to organizations everywhere is to start now. Invest in adaptable systems that can support encryption changes as we move toward more secure alternatives.