Creating backdoors in software so that governments can snoop on users is the worst possible thing to do from a security point of view, according to Jeff Hudson, the head of US security firm Venafi.
Hudson, who is in Sydney to speak at the Fraud and Cyber Safety Conference on 8 September, said it was necessary to ensure that governments could not take control and reduce the level of privacy and assurances that people assume are in place in cyberspace.
"Backdoors are a terrible idea. All trust will go away if they are implemented," he told iTWire.
Hudson said he supported the use of encryption company-wide. "Yes, increasing the level of privacy, protection of data and strength of authentication by using more and more encryption for employees is required today to counter cyber-criminals," he said.
"Businesses also need to decrypt traffic that is their own. And they need to do so free of government interference or attempts to weaken encryption or the protection of keys and certificates."
Venafi sells software that Hudson calls "the immune system for the Internet", an automated system that takes care of all aspects of certificate management.
He said that while the system of encryption, authentication and trust created by cryptographic keys was blindly trusted, there was little to no awareness, control and protection for them.
His customers had become accustomed to finding at least 16,500 previously unknown keys and certificates on systems, Hudson pointed out.
"This means there are at least 16,500+ points of encryption where bad guys can hide: security controls that need to decrypt encrypted traffic don't have these," he said.
Hudson said companies were making three major mistakes in the use of keys and certificates: they had little or no situational awareness, no controls to make things easy and secure, and no automation.
"The average large Australian business (revenue more than $900 million) has at least 18,700 TLS/SSL keys and certificates, 42% more than two years ago. All of these are created manually, most out of the control of any security teams who are supposed to create them. When a breach or vulnerability occurs, it is impossible to remediate."
Hudson said there was a need for education in order that the idea of certificate management was more widely taken up.
Bugs like Heartbleed and Shellshock have underlined the need to tell the difference between a genuine certificate and a fake one, and Venafi has gained from such incidents.
Venafi, an 11-year-old start-up based in Salt Lake City, is a private company that three years back had to reduce its staff by a quarter. Last July, the company had just 250 global customers.
But things seem to be improving now, with 50 of the Fortune top 200 companies having invested in the company's software platform. A year ago, it had also increased its headcount from 100 to 180.