Tech

Using HTTPS on your website? We'll see you in court

Firms including Netflix, AT&T and Yahoo are being sued for daring to encrypt their websites.

Written by Charlie Osborne, Contributing Writer Dec. 1, 2015 at 4:30 a.m. PT

If you use HTTPS, you'd better pay us.

At least, that's what CryptoPeak wants to happen, holder of a patent it hopes covers the widely-used elliptic curve cryptographic key.

Encryption is on the rise in a post-Snowden world full to the brim of surveillance-happy governments monitoring everything from your digital communication channels to the streets via CCTV.

It seems no matter what we do, privacy is now a moot point when it comes to over governmental overlords -- but you can at least make the life of spies a little more difficult.

Consumers have called out for better protection against such widespread surveillance and as cyberattacks are also steadily increasing, encryption is a method many online services have chosen to protect not only the data being funnelled to and from visitor to domain, but also as a means of lessening the risk of hacking being successful.

However, websites using the elliptic curve cryptographic key (ECC) are now at risk of being forced to court for using the protocol. As reported by The Register, Texas-based firm CryptoPeak snapped up US Patent 6,202,150 earlier this year, which describes "auto-escrowable and auto-certifiable cryptosystems" -- which the firm argues covers ECC.

The abstract reads:

"A method is provided for an escrow cryptosystem that is overhead-free, does not require a cryptographic tamper-proof hardware implementation, is publicly verifiable, and cannot be used subliminally to enable a shadow public key system [..] an unescrowed public key system that is publicly displayed in a covert fashion.
The key generated by the method are auto-recoverable and auto-certifiable (abbrev. ARC). The ARC Cryptosystem is based on a key generation mechanism that outputs a public/private key pair, and a certificate of proof that the key was generated according to the algorithm. Each generated public/private key pair can be verified efficiently to be escrowed properly by anyone. The verification procedure does not use the private key."

Security

According to CryptoPeak, TLS-secured websites using ECC are under this patent and therefore it wants its financial due.

While CryptoPeak began its patent campaign in July, the company has filed fresh litigation against a number of top brands in the last few weeks -- including AT&T, Groupon, Netflix, Experia, Etsy and Yahoo.

Filed in the Eastern District court of Texas, many of the complaints filed ask for legal costs and damages.

In one case, against Scottrade, CryptoPeak says "irreparable harm and monetary damage" is being caused through running websites which "operate in compliance with the standards of Elliptic Curve Cryptography ("ECC") Cipher Suites for the Transport Layer Security ("TLS") protocol."

While ECC does generate and publish public keys for use in encryption protocols, the patent does not cover every function of ECC, and the wording is vague enough to cause doubt -- especially as use of the key is so widespread, and the use of a "method" and "apparatus" in the patent has been called into question.

You might consider CryptoKey little more than the next patent troll looking to cash in on advances in technology, and perhaps you'd be right -- since the company doesn't seem to have much of a footprint outside of the courtroom.

Netflix, one of almost 70 companies being dragged to court over the patent, appears to agree based on the company's motion for case dismissal (.PDF), which calls CryptoKey's lawsuit "invalid" from the outset.

Either way, it's unlikely such a fragile lawsuit in this day and age is likely to discourage online services from using encryption in a world where consumers demand it to make online purchases.