State of the SSL/ TLS Industry Where Are We Today / Future Trends & Changes By Jay Schiavo © 2016 Entrust Datacard Corporation. All rights reserved. AGENDA • SSL/TLS History • State of the Industry Today • Technologies to Consider • Questions? 2 © 2016 Entrust Datacard Corporation. All rights reserved. SSL/TLS History 3 © 2016 Entrust Datacard Corporation. All rights reserved. SSL MARKET HISTORY 1998 2005 2012 2016 • VeriSign, Entrust, • VeriSign (acquired • Symantec (acquired • Symantec (acquired Thawte, GlobalSign Thawte), Entrust, Thawte and Thawte and GeoTrust, Comodo, GeoTrust), Entrust, GeoTrust), Entrust, • OV SSL GoDaddy Comodo, GoDaddy, Comodo, GoDaddy, Digicert, GlobalSign Digicert, GlobalSign, • E-Commerce • OV SSL, DV SSL Let’s Encrypt, AWS • EV SSL, OV SSL, DV • No governance • E-Commerce and SSL, Multi-Domain • EV SSL, OV SSL, DV protecting sensitive SSL, Cert Mgmt SSL, Multi-Domain data SSL, Cert Mgmt, • E-Commerce and Other Services • CA/Browser Forum protecting sensitive data, Logins, • Encryption Webmail everywhere • EV & SSL Baseline • Browsers enforcing Reqs proper SSL issuance and deployment © Entrust Datacard Corporation. All rights reserved. CHANGING TECHNOLOGIES Endured three certificate-based migrations 1. MD2 and MD5 to SHA-1 2. Small RSA keys to 2048-bit keys or larger 3. SHA-1 to SHA-256 • Additionally: – Encryption levels have changed from 40 bit to 128 bit to 256 bit – SSL protocol to TLS protocol (current version is 1.2) • SSL 2.0 and 3.0 no longer supported in modern browsers • TLS 1.0 and 1.1 are showing some cracks • TLS 1.2 is most secure protocol • TLS 1.3 has not yet been released • What’s next – ECC, RSA 3072, CT for all TLS/SSL © Entrust Datacard Corporation. All rights reserved. 5 RELENTLESS STREAM OF THREATS • Multiple attacks in the news related to SSL/TLS since 2014 – and they keep getting better! – Heartbleed – POODLE – BERserk – Logjam – SuperFish – SMACK – DROWN – SWEET32 Birthday Attack • Visit Feisty Duck for more information – https://www.feistyduck.com/ssl-tls-and-pki-history/ © Entrust Datacard Corporation. All rights reserved. 6 THESE PROBLEMS ARE PERVASIVE 9.5% 55.1% 4.0% 55.1% of sites have 9.5% support inadequate security 4.0% use SHA-1 weak/insecure cipher suites 6.8% 2.5% 21.4% 6.8% vulnerable to 2.5% vulnerable to 21.4% support DROWN attack CRIME attack SSL 3.0 https://www.trustworthyinternet.org/ssl-pulse/ © 2016 Entrust Datacard Corporation. All rights reserved. BROWSERS DISPLAY SSL MORE PROMINENTLY IN UI © Entrust Datacard Corporation. All rights reserved. 8 TOOLS TO HELP Entrust SSL Best Practices: • SSL Server Test • https://www.entrust.com/lp/ssl- best-practices/ – Certificate, protocol, key exchange and cipher strength (https://entrust.ssllabs.com/) • Scan your site at https://observatory.mozilla.org/ Bulletproof SSL • Based on Web security guidelines they and TLS: created at Implementation https://wiki.mozilla.org/Security/Guidelines/ Web_Security issues, attacks, mitigations 9 © 2016 Entrust Datacard Corporation. All rights reserved. State of the Industry Today 10 © 2016 Entrust Datacard Corporation. All rights reserved. STATE OF THE INDUSTRY – SHA-1 UPDATE • SHA-1 has been outlawed for new issuance as of Jan 1, 2016 and SHOULD expire by Jan 1, 2017 (2+ months) • Its not unusual for even large / well funded companies to have SHA-1 certificates to go unnoticed until the certificate expires. Once expired, some SHA-1 certificate can not be replaced with SHA-2 because the systems running them are either old or proprietary. • Please contact us if you have any questions or issues. • Entrust has both detection tools and a set of solutions to address with this transition. 11 © 2016 Entrust Datacard Corporation. All rights reserved. STATE OF THE INDUSTRY – CERTIFICATE TRANSPARENCY • CT is a family of logs for SSL certificates • Google requires all CAs to publish EV certificates to CT logs • Un-logged certificates will not get the EV indication in Chrome • Some CAs are being forced to publish ALL certificates to CT as of June 1, 2016 due to inappropriate certificate issuance • CT Issues: – Many organization sites are behind the firewall, so not available for inspection – Many site names are ”internal” and have descriptive names such as “US_AP.domain.com” or “research1.domain.com” – Certificates published to CT, can provide a hacker with network topology including server names describing of the server’s function – So CT could be used as a Reconnaissance tool • Can also make customer list public 12 © 2016 Entrust Datacard Corporation. All rights reserved. CURRENT GOOGLE CHROME RE-DESIGN • Chrome 53 has been updated to show security as follows: Bad SSL (badssl.com) No SSL DV/OV SSL EV SSL 13 © 2016 Entrust Datacard Corporation. All rights reserved. MORE BROWSER UI CHANGES ARE COMING • January 2017, Chrome adding in “non secure” for certain HTTP sites • Chrome will expand “non secure” to all HTTP sites • Customers need to prepare by moving to HTTPS For CC & Passwords Future (not too far), for all HTTP sites Google is tacitly saying, EVERYTHING MUST BE ENCRYPTED 14 © 2016 Entrust Datacard Corporation. All rights reserved. Technologies to Consider 15 © 2016 Entrust Datacard Corporation. All rights reserved. HSTS AND OCSP STAPLING HSTS OCSP Stapling • HTTP Strict Transport Security • Alt to CRLs to check cert • Security policy where a Web server revocation directly from server tells a browser to only connect to • The web server caches the the site over HTTPs response from the CA that issued • Protects users even when clicking the certificate on HTTP • Eliminates out-of-band validation • Mitigates HTTP MitM attack that • Decreases browser latency as exploit insecure redirects OCSP response is in TLS • Implemented by including the handshake “Strict-Transport-Security” entry in the HTTP response header • Windows, Apache and Nginx support • Server provides header information to be stored by browser for a period – IIS supports by default of time • https://casecurity.org/2014/06/18/ • Header can apply to subdomains ocsp-must-staple/ • Supported by all major browsers 16 © 2016 Entrust Datacard Corporation. All rights reserved. PINNING HTTP Public Key Pinning • Prevents fraudsters from using mis-issued TLS certs • To enable you return the Public-Key-Pins HTTP header when your site is accessed over HTTPS • Server provides header with public key information to be stored by browser for a period of time • If public key is missing on server then there will be a connection error • https://news.netcraft.com/archives/2016/03/22/secure-websites-shun- http-public-key-pinning.html 17 © 2016 Entrust Datacard Corporation. All rights reserved. EV SSL • Primary objective is to provide identity and assure authorization to issue a certificate • Secondary objective goal is to help mitigate phishing attacks • Highly purchased by banking and retail sites • Over 158,000 active EV certificates • Provide higher levels of identification, authentication and technology leadership • Browsers provide key trust indications – Green lock icon – Green “GO” coloring – Organization name in status bar © 2016 Entrust Datacard Corporation. All rights reserved. ALWAYS-ON SSL 1. Security Benefits – Security to all websites/pages – Mitigate known vulnerabilities: SSLstrip and Firesheep – Browser user privacy – Support HSTS 2. Site Performance Benefits – HTTPS makes load times faster – Support HTTP/2 • higher performance and less latency 3. Marketing Benefits – Search engine optimization (SEO) • https://scotthelme.co.uk/stil – Better Referrer Data l-think-you-dont-need- https/ 4. Browsers and other SW vendors nudging you in that direction • https://casecurity.org/2016/ – Higher trust indication 09/30/always-on-ssl/ • Lock icon • Not secure message – iOS and Android upping the ante pushing mobile apps towards encryption 19 © 2016 Entrust Datacard Corporation. All rights reserved. 5 KEY TAKE-AWAYS 1. TLS/SSL technology, requirements, and threats continue to evolve and change 2. Browsers are pushing all sites to move to HTTPs 3. Browsers will shame sites that do not implement TLS/SSL certificates correctly 4. Implement HSTS, OCSP Stapling, Key Pinning, EV SSL and Always-On SSL to improve the security and performance of your sites 5. There are tools out there to help and reliable CA vendors and their partners will be there as well © 2016 Entrust Datacard Corporation. All rights reserved. Thank You © 2016 Entrust Datacard Corporation. All rights reserved..
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages21 Page
-
File Size-