How to prepare for vulnerabilities in secure communication channels

SSL/TLS communication channels play a very important role in Internet security. It is the “S” in HTTPS. It is the technology that makes our electronic conversations safe from eavesdropping. In the wake of attacks such as Logjam and DROWN, there are concerns about the strength of the security mechanisms used in TLS channels. In practice, this means that protocols and cipher suites once thought to be secure, can have vulnerabilities, and then become insecure. Systems need software updates to fix the problem. However, the update process is usually slow, and weeks or months can go by before most web servers and clients are protected. Some servers and clients may never be updated. In the meantime, the communications are at risk of interception and tampering by attackers.
In the SafeCloud project, we have been developing more secure alternatives to TLS. One of the secure communication solutions is called Vulnerability-Tolerant Transport Layer Security (vtTLS) (link to secure solution 1 in safe cloud platform). The solution relies on a combination of two cipher suites so that, even if one cipher suites becomes insecure or vulnerable, the remaining cipher suite keeps the communication channel secure. The performance of vtTLS was evaluated and compared with OpenSSL, one of the most widely used implementations of TLS. The results presented in our paper (link to paper in safecloud page) show that vtTLS has just a 20% overhead when compared with TLS from OpenSSL.

To present our technology to the community we have prepared a demonstration. You can follow these instructions ( on a Linux Ubuntu 16.04.3 (Xenial Xerus).

This short video demonstration shows the integration of 2 SafeCloud communication technologies: vtTLS and sKnock.

vtTLS adds two layers of encryption so that the communication is secure even if a vulnerability is found in one of the layers. sKnock, another SafeCloud solution, protects the server from scans and allows authorized clients to open and establish connections.

More about vtTLS, sKnock and the SafeCloud project at:
Let us know what you think about SafeCloud middleware solutions!

Miguel Pardal, INESC-ID