Google has released a beta test version of its Chrome browser aimed at preventing quantum computers from cracking encryption. It is testing a new technology called CECPQ1, which will be injected into a few HTTPS sites, offering much stronger protection. Kevin Bocek, Chief Security Strategist at Venafi, commented below.
Kevin Bocek, Chief Security Strategist at Venafi:
“Whenever the NSA urges companies to move, or be prepared – as they have with post-quantum crypto – it is a good indicator that something is coming. It would be safe to assume, therefore, that our adversaries are trying to break encryption, our systems of trust and authentication, and may soon be able to do so. So Google is right to step up its efforts and experiment with post-quantum-crypto early.
As with all areas of security, encryption is constantly having to evolve and raise the bar with stronger, longer algorithms. But this is not to say that things always move fast. 10 years ago the NSA and NIST urged the world to move on from SHA-1 because the encryption was so weak it would soon be undermined. Yet the internet is still flooded with SHA-1 certificates, and will remain so – I would bet – until January 2017 when browsers will finally stop trusting SHA-1. People are slow to adapt to change, despite the fact they are leaving themselves at risk.
While Google is looking to the future, we still have today’s challenge. Large portions of the web remain using SHA-1 and customers will be blocked in January. Keys are being reused in the IoT and other networks making it near impossible to know what is unique, trusted, and private. And we see certificate outages occur regularly. All of this shows that businesses and governments lack the basic automation to secure today’s encryption. They don’t even know what they are using. We must put in place fast, easy automation for web encryption and authentication. This will help protect the foundation of online security today and help us respond to new vulnerabilities and the crypto requirements of the future.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.