Blog

Bear with us! 🐻 # The latest release of a popular note-taking app Bear contains a new feature — end-to-end encryption of user notes. Cossack Labs team worked closely with the amazing Bear team to help deliver this feature. We are rarely allowed to disclose the details of our custom engineering work, but Bear team was awesome enough to let us highlight some important aspects of work done for them.

Intro # More and more data is outsourced to remote (cloud) storage providers fuelled by “software as a service” trends in enterprise computing. Data owners want to be certain that their data is safe against thefts by outsiders, internal threats, and untrusted service providers alike. To safeguard the data, encryption is used. Modern encryption is much more than enabling “data at rest encryption” checkbox on AWS S3 or using TLS connection between database and backend.

Cossack Labs has recently joined the DigitalOcean Marketplace family following our mission to make high-end security tools available to the general developer audience in a convenient fashion. Acra encryption suite is one of the first data security and encryption tools on DigitalOcean Marketplace and it is now available as 1-Click App running in DigitalOcean Droplet . Acra provides selective encryption, multi-layered access control, SQL firewall (SQL injection prevention), database leakage prevention, and intrusion detection capabilities as server deployed in your infrastructure (on prem or in cloud).

We always strive to make high-end security tools available to general developer audience in a convenient fashion. Only by making data security accessible, we can ensure real security of sensitive data everywhere. As another step towards our mission, we are proud to announce that Acra encryption suite is now available as 1-Click App running in a Droplet on DigitalOcean Marketplace . DigitalOcean is known for its caring attitude towards development teams of any size.

Intro # Any set of security controls deployed in your infrastructure may fail. Given enough pressure, some controls will certainly fail. No surprises here, but the question is – how to build our systems to make security incidents less damaging in case of a failure of some components? How to prevent data leaks even in case of a successful data breach? Building security tools , we strive towards defense in depth approach.

New Themis is greatly improved and sparkly with additions. We are proud to introduce Rust-Themis – full support of Themis for Rust. Rust-Themis works with all four crypto-systems: Secure Cell for storing data securely, Secure Message for encrypting and signing envelopes, Secure Session for encrypting session communications and Secure Comparator for zero-knowledge authentication. All Rust-Themis components can be installed from crates.io . Jump to the Rust How-To guide to learn more.

New Acra 0.85.0 brings the expanded functionality we’ve announced during the release of Acra 0.84.0. We’ve added server-side encryption mode which allows integrating Acra without altering the client application code. It’s called AcraServer’s Transparent proxy mode and allows you to configure AcraServer to parse SQL queries and to encrypt values designated for specific database columns. Transparent encryption mode is useful for large distributed applications where updating the source code of each client app separately would be complicated.

Building AcraCensor transparent SQL firewall There are two main ways to mitigate SQL injections: inside the app (using prepared statements, stored procedures, escaping) and outside the app (using Web Application Firewalls or SQL firewalls). WAFs analyse web and HTML traffic using rule sets based on regexs and are good for covering the known vulnerabilities. SQL firewalls sit closer to the database, analyse SQL statements for potentially malicious content, which makes them more flexible in SQL injections prevention.

Can WAF prevent SQL injection? What is the biggest threat to a tool that prevents unauthorised database access? Requests from the application side that trigger data leakage. Namely, SQL injections and other application attacks that allow attackers to craft custom SQL queries. How can we prevent that? The standard industry response is obvious — input sanitization, web application firewalls (WAFs), and prepared statements are typically used for addressing these concerns.

On blockchain and GDPR As cryptographers who develop data security tools that heavily involve cryptography (surprise surprise), we get asked a lot of questions about “crypto”. Unfortunately, not “cryptozoology”* crypto, but neither it is cryptography. Very often it is about blockchain. More and more tools claim to have “unprecedented levels of security” or “GDPR compliance & security by design” when using security designs based on blockchain and distributed consensus systems.