State of the SSL/TLS Industry: Where Are We Today / Future Trends & Changes, by Jay Schiavo

State of the SSL/TLS Industry: Where Are We Today / Future Trends & Changes
By Jay Schiavo
© 2016 Entrust Datacard Corporation. All rights reserved.

AGENDA
• SSL/TLS History
• State of the Industry Today
• Technologies to Consider
• Questions?

SSL/TLS HISTORY

SSL MARKET HISTORY
1998
• VeriSign, Entrust, Thawte, GlobalSign
• OV SSL
• E-Commerce
• No governance
2005
• VeriSign (acquired Thawte), Entrust, GeoTrust, Comodo, GoDaddy
• OV SSL, DV SSL
• E-Commerce and protecting sensitive data
• CA/Browser Forum
2012
• Symantec (acquired Thawte and GeoTrust), Entrust, Comodo, GoDaddy, Digicert, GlobalSign
• EV SSL, OV SSL, DV SSL, Multi-Domain SSL, Cert Mgmt
• E-Commerce and protecting sensitive data, Logins, Webmail
• EV & SSL Baseline Reqs
2016
• Symantec (acquired Thawte and GeoTrust), Entrust, Comodo, GoDaddy, Digicert, GlobalSign, Let's Encrypt, AWS
• EV SSL, OV SSL, DV SSL, Multi-Domain SSL, Cert Mgmt, Other Services
• Encryption everywhere
• Browsers enforcing proper SSL issuance and deployment

CHANGING TECHNOLOGIES
Endured three certificate-based migrations:
1. MD2 and MD5 to SHA-1
2. Small RSA keys to 2048-bit keys or larger
3. SHA-1 to SHA-256
• Additionally:
  – Encryption levels have changed from 40-bit to 128-bit to 256-bit
  – SSL protocol to TLS protocol (current version is 1.2)
• SSL 2.0 and 3.0 are no longer supported in modern browsers
• TLS 1.0 and 1.1 are showing some cracks
• TLS 1.2 is the most secure protocol version available today
• TLS 1.3 has not yet been released
• What's next: ECC, RSA 3072, CT for all TLS/SSL

RELENTLESS STREAM OF THREATS
• Multiple attacks in the news related to SSL/TLS since 2014, and they keep getting better:
  – Heartbleed
  – POODLE
  – BERserk
  – Logjam
  – SuperFish
  – SMACK
  – DROWN
  – SWEET32 Birthday Attack
• Visit Feisty Duck for more information: https://www.feistyduck.com/ssl-tls-and-pki-history/

THESE PROBLEMS ARE PERVASIVE (SSL Pulse survey, https://www.trustworthyinternet.org/ssl-pulse/)
• 55.1% of sites have inadequate security
• 9.5% support weak/insecure cipher suites
• 4.0% use SHA-1
• 6.8% are vulnerable to the DROWN attack
• 2.5% are vulnerable to the CRIME attack
• 21.4% still support SSL 3.0

BROWSERS DISPLAY SSL MORE PROMINENTLY IN UI

TOOLS TO HELP
• Entrust SSL Best Practices: https://www.entrust.com/lp/ssl-best-practices/
• SSL Server Test (https://entrust.ssllabs.com/)
  – Grades certificate, protocol, key exchange and cipher strength
• Scan your site at https://observatory.mozilla.org/
  – Based on the Web security guidelines Mozilla created at https://wiki.mozilla.org/Security/Guidelines/Web_Security
• Bulletproof SSL and TLS (book): implementation issues, attacks, mitigations

STATE OF THE INDUSTRY TODAY

STATE OF THE INDUSTRY – SHA-1 UPDATE
• SHA-1 has been outlawed for new issuance as of Jan 1, 2016, and existing SHA-1 certificates SHOULD expire by Jan 1, 2017 (2+ months away)
• It's not unusual for even large, well-funded companies to have SHA-1 certificates go unnoticed until the certificate expires. Once expired, some SHA-1 certificates cannot be replaced with SHA-2 because the systems running them are either old or proprietary.
• Please contact us if you have any questions or issues.
• Entrust has both detection tools and a set of solutions to help with this transition.
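The SHA-1 slide above says the problem is certificates nobody knows about until they expire. Finding them means reading the signature algorithm off every certificate you can collect, so here is a stand-alone detector as an added example (not Entrust's tooling or the deck's own code). It walks just enough DER to reach the outer Certificate.signatureAlgorithm OID and flags MD5/SHA-1 signatures; the OID table and the skeleton_certificate() fixture used to exercise it offline are constructed for this example, and the fixture is not a real certificate.

```python
"""Flag X.509 certificates still signed with SHA-1 (or MD5) by reading the outer
signatureAlgorithm with a minimal DER walker. Added example for this page, not
Entrust's tooling; stdlib only, no network, accepts PEM or DER input."""
import base64
import re

# Signature-algorithm OIDs a scanner is likely to meet, mapped to their names.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_DIGESTS = ("md2", "md5", "sha1")


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted-decimal text."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def pem_to_der(data):
    """Accept PEM or raw DER and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data


def signature_algorithm(cert):
    """Dotted OID of Certificate.signatureAlgorithm, the digest the CA actually signed with."""
    tag, body, _ = read_tlv(pem_to_der(cert), 0)      # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)                      # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, pos)                 # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)                  # .algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)


def classify(cert):
    """Return (algorithm name, is_weak); unknown OIDs come back dotted and not weak."""
    oid = signature_algorithm(cert)
    name = SIGNATURE_OIDS.get(oid, oid)
    return name, any(d in name.lower() for d in WEAK_DIGESTS)


# --- constructed fixture for offline testing: structurally valid Certificate whose
# tbsCertificate and signature are placeholders, so only signatureAlgorithm matters ---
def der(tag, content):
    length = bytes([len(content)]) if len(content) < 0x80 else b"\x82" + len(content).to_bytes(2, "big")
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def skeleton_certificate(sig_oid):
    """NOT a real certificate: empty tbsCertificate, all-zero 2048-bit signature."""
    tbs = der(0x30, b"")
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # algorithm + NULL params
    sig = der(0x03, b"\x00" + bytes(256))                               # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)


def to_pem(der_bytes):
    body = base64.encodebytes(der_bytes).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n".encode()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            name, weak = classify(f.read())
        print(f"{path}: {name}{'  <-- weak digest, replace before it expires' if weak else ''}")
```

Point it at exported PEM files (`python sha1_scan.py *.pem`) or feed it the leaf certificates your inventory already stores. Note that it deliberately reads the outer signatureAlgorithm rather than the one inside tbsCertificate; the two must match in a well-formed certificate, but the outer field is what the CA's signature was produced with.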
STATE OF THE INDUSTRY – CERTIFICATE TRANSPARENCY
• CT is a family of public, append-only logs for SSL certificates
• Google requires all CAs to publish EV certificates to CT logs
• Un-logged certificates will not get the EV indication in Chrome
• Some CAs are being forced to publish ALL certificates to CT as of June 1, 2016 due to inappropriate certificate issuance
• CT issues:
  – Many organization sites are behind the firewall, so they are not available for inspection
  – Many site names are "internal" and have descriptive names such as "US_AP.domain.com" or "research1.domain.com"
  – Certificates published to CT can give an attacker the network topology, including server names that describe the server's function
  – So CT could be used as a reconnaissance tool
  – It can also make a customer list public

CURRENT GOOGLE CHROME RE-DESIGN
• Chrome 53 has been updated to show security as follows: Bad SSL (badssl.com), No SSL, DV/OV SSL, EV SSL

MORE BROWSER UI CHANGES ARE COMING
• January 2017: Chrome adds a "Not secure" indicator for certain HTTP sites (those collecting credit cards and passwords)
• In the not-too-distant future, Chrome will expand "Not secure" to all HTTP sites
• Customers need to prepare by moving to HTTPS
• Google is tacitly saying: EVERYTHING MUST BE ENCRYPTED

TECHNOLOGIES TO CONSIDER
HSTS AND OCSP STAPLING

HSTS
• HTTP Strict Transport Security
• Security policy where a web server tells a browser to only connect to the site over HTTPS
• Protects users even when they click an HTTP link
• Mitigates HTTP MitM attacks that exploit insecure redirects
• Implemented by including the "Strict-Transport-Security" entry in the HTTP response header
• Server provides header information to be stored by the browser for a period of time
• Header can apply to subdomains
• Supported by all major browsers

OCSP Stapling
• Alternative to CRLs: the browser gets the certificate revocation status directly from the web server
• The web server caches the OCSP response from the CA that issued the certificate
• Eliminates the browser's out-of-band validation request to the CA
• Decreases browser latency, as the OCSP response is delivered in the TLS handshake
• Windows, Apache and Nginx support it
  – IIS supports it by default
• https://casecurity.org/2014/06/18/ocsp-must-staple/

PINNING
HTTP Public Key Pinning
• Prevents fraudsters from using mis-issued TLS certs
• To enable, return the Public-Key-Pins HTTP header when your site is accessed over HTTPS
• Server provides a header with public key hashes to be stored by the browser for a period of time
• If none of the pinned public keys appears in the chain the server later presents (for example after a key rotation with no backup pin), the browser refuses the connection with an error for the rest of that period
• https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html

EV SSL
• Primary objective is to provide identity and assure authorization to issue a certificate
• Secondary objective is to help mitigate phishing attacks
• Highly purchased by banking and retail sites
• Over 158,000 active EV certificates
• Provide higher levels of identification, authentication and technology leadership
• Browsers provide key trust indications:
  – Green lock icon
  – Green "GO" coloring
  – Organization name in status bar

ALWAYS-ON SSL
1. Security Benefits
  – Security for all websites/pages
  – Mitigates known vulnerabilities: SSLstrip and Firesheep
  – Browser user privacy
  – Supports HSTS
2. Site Performance Benefits
  – HTTPS can make load times faster
  – Supports HTTP/2 (which browsers only offer over TLS): higher performance and less latency
3. Marketing Benefits
  – Search engine optimization (SEO)
  – Better referrer data
  – https://scotthelme.co.uk/still-think-you-dont-need-https/
4. Browsers and other SW vendors nudging you in that direction
  – Higher trust indication: lock icon
  – "Not secure" message
  – iOS and Android upping the ante, pushing mobile apps towards encryption
  – https://casecurity.org/2016/09/30/always-on-ssl/

5 KEY TAKE-AWAYS
1. TLS/SSL technology, requirements, and threats continue to evolve and change
2. Browsers are pushing all sites to move to HTTPS
3. Browsers will shame sites that do not implement TLS/SSL certificates correctly
4. Implement HSTS, OCSP Stapling, Key Pinning, EV SSL and Always-On SSL to improve the security and performance of your sites
5. There are tools out there to help, and reliable CA vendors and their partners will be there as well

Thank You
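The HSTS slide above lists what the header does (stored for a period, can cover subdomains, blocks the SSLstrip-style downgrade that Always-On SSL is meant to defeat) without showing the rules a browser applies. The following model of that logic is an added example for this page, not Entrust's code; it follows RFC 6797 and is stdlib only. The hostnames, header values and clock values are constructed for the demo.

```python
"""Browser-side HSTS policy handling (RFC 6797) as an added example: parse the
header, keep a known-HSTS-host cache, upgrade http:// URLs. Not Entrust's code."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None for a header without a usable max-age; a browser ignores those."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives are ignored, as the RFC requires
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """Known-HSTS-host cache keyed by hostname; clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.hosts = {}                    # host -> (expires_at, include_subdomains)

    def observe(self, url, header):
        """Record a policy from a response. The header MUST be ignored unless it
        arrived over HTTPS (an active attacker can inject headers into HTTP), and
        IP-literal hosts are never HSTS hosts. Returns True if the header was honoured."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not host or host.replace(".", "").isdigit():
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:                   # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = (self.clock() + max_age, include_subdomains)
        return True

    def is_hsts_host(self, host):
        """True if host, or a superdomain whose policy has includeSubDomains, is live."""
        labels, now = host.lower().split("."), self.clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:          # policy lapsed: evict, the site must refresh it
                del self.hosts[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when HSTS applies. Port 80 becomes 443
        implicitly; any other explicit port is kept, as the RFC specifies."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts_host(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk the scenarios the slides describe; returns the browser's decisions."""
    clock = [1_000_000]                    # constructed, controllable clock so expiry is testable
    store = HstsStore(clock=lambda: clock[0])
    results = {}
    # 1. A header seen over plain HTTP is ignored (constructed example.com host).
    results["http_ignored"] = store.observe("http://www.example.com/", "max-age=31536000")
    # 2. Over HTTPS it is stored, here for the apex and all subdomains.
    store.observe("https://example.com/", "max-age=31536000; includeSubDomains; preload")
    results["apex"] = store.rewrite("http://example.com/login")
    results["subdomain"] = store.rewrite("http://mail.example.com/inbox?x=1")
    results["other_site"] = store.rewrite("http://example.org/")
    # 3. SSLstrip-style downgrade: the browser never even sends the http:// request.
    results["downgrade_blocked"] = store.rewrite("http://example.com:80/pay") == "https://example.com/pay"
    # 4. Once max-age has elapsed with no refresh, the protection is gone.
    clock[0] += 31536000 + 1
    results["expired"] = store.rewrite("http://example.com/login")
    return results
```

Two consequences worth noting when deploying: the protection only exists after the first HTTPS visit (which is what the preload list is for), and the "expired" case is why a short max-age used for testing must be raised to a year or more once you are confident.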

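The PINNING slide and take-away 4 recommend HTTP Public Key Pinning but only hint at how it fails ("a connection error"). The Netcraft article the slide links explains why sites shun it: a pin set with no backup key locks your own users out after a key rotation. The block below is an added example, not Entrust's code, of the RFC 7469 rules a browser applies when it decides whether to store a Public-Key-Pins header and, later, whether a presented chain satisfies the noted pins. The byte strings standing in for DER SubjectPublicKeyInfo blobs, the hostnames and the report URI are constructed for the demo; a real pin hashes the certificate's SPKI.

```python
"""HPKP (RFC 7469) pin evaluation as a browser performs it. Added example for this
page, not Entrust's code; stdlib only. The 'SPKI' values below are constructed
stand-ins, real pins are base64(SHA-256(DER SubjectPublicKeyInfo))."""
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 value for one public key."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header):
    """Parse Public-Key-Pins into a dict; None when the header is unusable."""
    pins, max_age, include_subdomains, report_uri = set(), None, False, None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")      # split at the FIRST '=' only:
        name, value = name.strip().lower(), value.strip().strip('"')  # base64 pins end in '='
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = value
    if max_age is None or not pins:
        return None
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_subdomains, "report_uri": report_uri}


def validate_pins(header, chain_spkis):
    """May the browser *note* this header for the served chain? RFC 7469 requires at
    least one pin that matches a key in the chain and at least one backup pin that
    does not, so a lost or rotated key cannot brick the site. Returns (ok, reason)."""
    policy = parse_hpkp(header)
    if policy is None:
        return False, "header malformed or missing max-age/pins"
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matching, backup = policy["pins"] & chain_pins, policy["pins"] - chain_pins
    if not matching:
        return False, "no pin matches the served chain; header not noted"
    if not backup:
        return False, "no backup pin: a key rotation would lock users out for max-age"
    return True, f"noted {len(policy['pins'])} pins for {policy['max_age']}s"


def check_connection(noted_pins, chain_spkis):
    """Later connection to a pinned host: some noted pin must appear somewhere in the
    presented chain (leaf or intermediate), else the browser hard-fails, no click-through."""
    return bool(noted_pins & {spki_pin(s) for s in chain_spkis})


def demo():
    """Walk the scenarios a site owner must think through before pinning."""
    # Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
    leaf_key = b"constructed-spki-leaf-2016"
    intermediate_key = b"constructed-spki-intermediate"
    backup_key = b"constructed-spki-offline-backup"   # generated now, kept offline, pinned in advance
    rotated_leaf = b"constructed-spki-new-leaf-2017"  # a key that was never pinned
    chain = [leaf_key, intermediate_key]
    results = {}

    good = (f'pin-sha256="{spki_pin(leaf_key)}"; pin-sha256="{spki_pin(backup_key)}"; '
            'max-age=5184000; includeSubDomains; report-uri="https://report.example.com/hpkp"')
    results["good"] = validate_pins(good, chain)[0]
    # Only the live key pinned: one rotation away from a self-inflicted outage.
    no_backup = f'pin-sha256="{spki_pin(leaf_key)}"; max-age=5184000'
    results["no_backup"] = validate_pins(no_backup, chain)[0]
    # Pins for keys the server does not even present: browser ignores the header.
    mismatch = f'pin-sha256="{spki_pin(backup_key)}"; pin-sha256="{spki_pin(rotated_leaf)}"; max-age=100'
    results["mismatch"] = validate_pins(mismatch, chain)[0]

    noted = parse_hpkp(good)["pins"]
    # Rotate to the pre-pinned backup key: connections still succeed.
    results["rotate_to_backup"] = check_connection(noted, [backup_key, intermediate_key])
    # Rotate to a brand-new key that was never pinned: the "connection error" the slide mentions.
    results["rotate_to_unpinned"] = check_connection(noted, [rotated_leaf, intermediate_key])
    return results
```

To compute a pin for a real certificate, hash its SubjectPublicKeyInfo rather than the whole certificate, for example with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Start with a max-age of minutes, not the 60 days used above, until the backup-key process has been rehearsed.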