How we protect our most sensitive secrets from the most determined attackers 🔒🛡️

Afternoon Community :wave:

We’ve just published an article written by the talented @glcy who is a Security Infrastructure Engineer here at Monzo. The article details some of the security controls we use at Monzo to protect our most important and sensitive secrets.

Lucy appreciated that there’s a lot of information in there so she’s kindly offered to answer any questions that people may have.

Let’s make her feel welcome by picking her brains :brain:


Great write-up Lucy @glcy

Public certificate authorities are pretty secure

I wonder if the Solar Winds attacks of late, while not the exact same thing, changes perceptions around that. There the infiltrating party put their malware into the actual product and so it was then properly signed and distributed through the otherwise legitimate channels

Can you pick which authority you use for traffic to or is there a fixed/mandated set for a region/country/industry? If the former, is there anything Monzo can do more than try to pick the company/authority that seems least like a bunch of cowboys?

COEN is a particularly interesting choice. Why did you choose it over other live systems? Certainly wouldn’t be my first choice if the core precept was security.

There isn’t a fixed/mandated set; it’s up to us at Monzo to pick a Certificate Authority and get a certificate from them that your computer trusts. Right now we use mostly Amazon and LetsEncrypt (a lot of stuff at Monzo is hosted on AWS, after all).

There are a lot of initiatives in PKI right now to try and shore up against rogue certificate authorities, because it has happened, most notably when DigiNotar issued a rogue certificate for

There’s DNS CAA, which allows us to restrict which Certificate Authorities can issue certificates for Monzo even when they would normally be allowed to by default; our CAA records only let Comodo, DigiCert, BuyPass, LetsEncrypt and Amazon issue certificates for

There’s also Certificate Transparency, which means that certificate authorities have to publish any new certificates they issue to a public ledger; this means that rogue certificates can be spotted as soon as they’re issued, and action can be taken faster if a Certificate Authority gets compromised.

EDIT: Just going to add you can search Certificate Transparency ledgers using handy sites like, for example
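The CAA and Certificate Transparency points above, as an added worked example that is not from the post or from Monzo: a small Python evaluation of CAA records following RFC 8659 (climb towards the root to the nearest name that has a CAA RRset, use issuewild for wildcard names when present, refuse on an unknown property with the critical flag), and then the same allow-list applied to CT-log-style entries to flag certificates that the published policy would not have permitted. The zone, the CA identifier strings (comodoca.com, digicert.com, buypass.com, letsencrypt.org, amazon.com), the domain example.com and the log entries are all constructed sample data; the post does not give Monzo's actual records, and mapping a real CT entry's issuer to a CA's CAA identifier is assumed to happen elsewhere.

```python
"""Added example, not code from the Monzo post: CAA evaluation per RFC 8659
plus a CT-style sweep that uses the resulting allow-list. All data below is
constructed sample data, not real DNS or CT log content."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CAA_CRITICAL = 128                         # flags bit 7: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str      # "issue", "issuewild" or "iodef"
    value: str    # e.g. "letsencrypt.org" or ";" (nobody may issue)


# Constructed zone, modelled on the allow-list the post describes.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "comodoca.com"),
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issue", "buypass.com"),
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "amazon.com"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # A subdomain with a tighter policy: one CA, and no wildcards at all.
    "api.example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),
    ],
}


def relevant_caa(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """RFC 8659 section 3: the first name, walking from `name` up towards the
    root, that has a CAA RRset supplies the policy for the whole name."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def caa_allows(name: str, issuer: str, zone: Dict[str, List[CAARecord]]) -> bool:
    """True if a CA identified by `issuer` may issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    records = relevant_caa(name[2:] if wildcard else name, zone)
    if not records:
        return True                        # no CAA anywhere up the tree: unrestricted
    # A property we do not understand, marked critical, must block issuance.
    if any(r.flags & CAA_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False
    tags = {r.tag.lower() for r in records}
    wanted = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    relevant = [r for r in records if r.tag.lower() == wanted]
    if not relevant:
        return True                        # e.g. only iodef present: no restriction
    return any(issuer_domain(r.value) == issuer.lower() for r in relevant)


@dataclass(frozen=True)
class CTEntry:
    log_index: int
    issuer_caa_id: str        # assumed: issuer already mapped to its CAA identifier
    sans: Tuple[str, ...]     # DNS names in the certificate


# Constructed log entries; none of these are real certificates.
SAMPLE_CT_ENTRIES = [
    CTEntry(1001, "letsencrypt.org", ("www.example.com", "example.com")),
    CTEntry(1002, "amazon.com", ("*.example.com",)),
    CTEntry(1003, "rogue-ca.example", ("login.example.com",)),   # CA not in the allow-list
    CTEntry(1004, "digicert.com", ("api.example.com",)),         # fine at the apex, not for api.
    CTEntry(1005, "letsencrypt.org", ("*.api.example.com",)),    # issuewild ";" forbids wildcards
    CTEntry(1006, "digicert.com", ("unrelated.test",)),          # not our name: ignored
]


def in_scope(name: str, base: str) -> bool:
    bare = name[2:] if name.startswith("*.") else name
    return bare == base or bare.endswith("." + base)


def unexpected_issuances(entries, zone, base="example.com"):
    """(log_index, name, issuer) for every in-scope name our CAA policy would not permit."""
    return [(e.log_index, n, e.issuer_caa_id)
            for e in entries for n in e.sans
            if in_scope(n, base) and not caa_allows(n, e.issuer_caa_id, zone)]


if __name__ == "__main__":
    for finding in unexpected_issuances(SAMPLE_CT_ENTRIES, ZONE):
        print("unexpected issuance:", finding)
```

Two caveats worth keeping in mind when turning this into a real monitor: CAA is only checked by the CA at issuance time, so a certificate that predates a CAA change is not necessarily mis-issued, and a finding from this sweep is a prompt to investigate (and, if warranted, revoke), not proof of compromise on its own.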


It’s been battle tested inside ICANN/IANA and we have similar needs (manipulating lots of super important private keys for trusted roots). We also had a pretty easy time getting coen up to speed with the stuff we need as part of our key ceremonies.

We considered the security differences between coen and other live systems such as TAILS in our threat model minimal since in our system we’d expect you to be either entirely shut out or you’ve managed to get your code onto the OS CD (at which point if you control the content of the OS CD you can make yourself root). The most important part IMO is that the build is reproducible and auditable by as many people as possible (hence why everyone at Monzo can see our source code regardless of job).


If you liked this, listen to the Ceremony about the key ceremony for ZCash :slight_smile: The Ceremony | Radiolab | WNYC Studios
