Are you using HTTPS on your website to securely encrypt traffic?

Well, we'll see you in court.

At least, that's what CryptoPeak is saying to all big brands that utilize HTTPS on their web servers.

BIG Brands Sued for Using HTTPS: 'Patent Troll'

Texas-based company CryptoPeak Solutions LLC has filed 66 lawsuits against many big businesses in the US, claiming they have illegally used its patented encryption method – Elliptic Curve Cryptography (ECC) – on their HTTPS websites.

Elliptic Curve Cryptography (ECC) is a key exchange algorithm that is most widely used on websites secured with Transport Layer Security (TLS) to determine what symmetric keys are used during a session.

Encryption is on the rise after Edward Snowden made the world aware of the government's global surveillance programs. Today, many big tech and online services are using encryption to:
  • Protect the data transmitted between the visitor and the domain
  • Lessen the risk of hacking

However, websites using ECC keys are now at risk of being taken to court for using the protocol, as CryptoPeak snapped up the patent (US Patent 6,202,150) that describes "Auto-Escrowable and Auto-Certifiable Cryptosystems," which the firm argues covers elliptic curve cryptography (ECC).

Either Pay or Don't Use HTTPS

The abstract of the US Patent 6,202,150 describes the invention, which was granted in 2001:

Companies Targeted by CryptoPeak

Some of the biggest names CryptoPeak Solutions sued include:
  • Yahoo
  • Netflix
  • Pinterest
  • AT&T
  • Sony
  • Groupon
  • GoPro
  • Etsy
  • Petco
  • Target
  • Costco
  • Home Depot
  • Expedia
  • Barnes & Noble
  • Multiple financial institutions and hotel chains

You can see the full list of lawsuits, which is available online here.

"Defendant has committed direct infringement by its actions that comprise using one or more sites that utilize Elliptic Curve Cryptography Cipher Suites for the Transport Layer Security (TLS) protocol (the Accused Instrumentalities)," according to the lawsuits.

CryptoPeak can easily be categorized as a "Patent Troll," and it is still unclear whether the cases will be successful. The patent describes some of the key tenets of ECC, which include generating and publishing public keys, but it is not obvious that this corresponds directly to its implementation in HTTPS connections.

Some companies targeted by the firm are fighting the lawsuit, which seeks damages and royalties, while others, like Scottrade, are settling out of court, saying "all matters in controversy between CryptoPeak and Scottrade have been settled, in principle."

Netflix, one of over 60 companies being dragged to court, called CryptoPeak's lawsuit "invalid" from the outset and filed for the case to be dismissed under Fed. R. Civ. P. 12(b)(6).

"The defect in these claims is so glaring that CryptoPeak's only choice is to request that the court overlooks the express words of the claims, construe the claims to read out certain language, or even correct the claims," Netflix said (PDF) in a court filing.

Now, let's see what happens next.
