ION Santiago: Lock It Up: TLS for Network Operators

Lock It Up: TLS for Network Operators
Chris Grundemann
Director, Deployment & Operationalization
Internet Society
www.internetsociety.org

TLS vs SSL
Secure Sockets Layer (SSL) originally developed by
Netscape in the mid-1990s
"Transport Layer Security (TLS)" evolved from SSL 3.0,
although "SSL" remains commonly used term
TLS version 1.3 in active development:
• https://tools.ietf.org/html/draft-ietf-tls-tls13
• https://github.com/tlswg/tls13-spec
10/28/14
1996 SSL 3.0 RFC 6101
1999 TLS 1.0 RFC 2246
2006 TLS 1.1 RFC 4346
2008 TLS 1.2 RFC 5246
2014/15? TLS 1.3 draft-ietf-tls-tls13

TLS – Not Just For Web Sites
TLS / SSL originally developed for web sites
Now widely used for many other services, including:
• Email
• Instant messaging
• File transfer
• Virtual Private Networks (VPNs)
• Voice over IP (VoIP)
• Custom applications

Snowden Revelations
Revelations by Edward Snowden
in 2013 revealed massive amount
of surveillance and monitoring.
Prompted global concerns about the
security and privacy of our data
and of our communication sessions
over the Internet.
Increased desire to see TLS used
more widely across all applications
and services.

Response by larger Internet community
10/28/14

RFC 7258 – IETF/IAB Response
http://tools.ietf.org/html/rfc7258
"Pervasive Monitoring Is An Attack"
Pervasive monitoring is a technical attack that should be
mitigated in the design of IETF protocols, where possible.
Has prompted a security/privacy review across all areas of
IETF. Expect to see changes over time across all the
protocols used for communication on the Internet.
10/28/14

IETF Activity - UTA
New Working Group: UTA – Using TLS in Applications
• http://tools.ietf.org/wg/uta/
• Goals
• Update the definitions for using TLS over a set of representative
application protocols. This includes communication with proxies,
between servers, and between peers, where appropriate, in addition to
client/server communication.
• Specify a set of best practices for TLS clients and servers, including but
not limited to recommended versions of TLS, using forward secrecy, and
one or more ciphersuites and extensions that are mandatory to
implement.
• Consider, and possibly define, a standard way for an application client
and server to use unauthenticated encryption through TLS when server
and/or client authentication cannot be achieved.
• Create a document that helps application protocol developers use TLS
in future application definitions.

IETF – Increased Activity Across Groups
Two examples:
TLS Working Group now defining TLS 1.3 and exploring
other ways to secure TLS
• http://tools.ietf.org/wg/tls/
HTTPBIS Working Group defining more secure HTTP 2.0
• http://tools.ietf.org/wg/httpbis/
• will only work with https URLs

Other Reasons Customers May Request TLS
Ability to use SPDY protocol (requires TLS)
• https://en.wikipedia.org/wiki/SPDY
Improved Google search result ranking
• Deploy360 post: http://wp.me/p4eijv-5eJ

Other Efforts
On Sept 29, 2014, CloudFlare
announced they would be giving
TLS certificates to all customers
for free.
Calling it "Universal SSL", this made
2+ million web sites TLS-encrypted
in one action.
Similar actions to make TLS more accessible are being
seen by other groups and organizations

Heartbleed and Poodle
Recent attacks have increased desire to strengthen TLS
security
Heartbleed (April 2014) vulnerability in
OpenSSL highlighted need for security
reviews of common libraries – and also
need for diversity in library usage
• http://heartbleed.com/
Poodle (September 2014) demonstrated need to
completely deprecate usage of SSL v3.0
• https://www.openssl.org/~bodo/ssl-poodle.pdf

Outcome Of Activity By IETF And Other Groups
You WILL see increased usage of TLS across all
applications
Example – Encrypt The Web report from EFF
• https://www.eff.org/encrypt-the-web-report

How Do You Help Your Customers?
If your customers are using more TLS for their applications,
either by their own choice or because the service they are
using is now using TLS, how do you help them make
their connections over the Internet more secure?
1. Use TLS for your own services and systems
2. Allow TLS-encrypted sessions to flow through your
network (i.e. don't block them or try to force them to
downgrade to unencrypted connections)
3. Educate your customers about how they can move
their own servers and services to support TLS

But what about….?
"Wait! If application developers run everything over TLS, all
we will see are TLS-encrypted streams. We won't be able
to see into the traffic and manage our network
appropriately."
"We can't use wireshark!"
Unfortunately, the same monitoring capability used by
network operators was abused by intelligence agencies
and other attackers.
Momentum now is to close all these holes.
Network management must now assume TLS will be there.

Resources – Deploy360 Programme
http://www.internetsociety.org/deploy360/tls/
Providing:
• Resources to learn more about TLS
• Links to libraries and other tools
• Ongoing coverage on Deploy360 blog
of TLS-related issues and news

Resources – BetterCrypto.org
https://bettercrypto.org/
"This whitepaper arose out of the need for system
administrators to have an updated, solid, well researched
and thought-through guide for configuring SSL, PGP, SSH
and other cryptographic tools in the post-Snowden age.
Triggered by the NSA leaks in the summer of 2013, many
system administrators and IT security specialists saw the
need to strengthen their encryption settings. This guide is
specifically written for these system administrators."
"This project aims at creating a simple, copy & paste-able
HOWTO for secure crypto settings of the most common
services (webservers, mail, ssh, etc.)."

Resources – Mozilla Server Side TLS Doc
https://wiki.mozilla.org/Security/Server_Side_TLS
Great document – and not just for Mozilla
"The goal of this document is to help operational teams with
the configuration of TLS on servers. All Mozilla sites and
deployment should follow the recommendations below."
"The Operations Security (OpSec) team maintains this
document as a reference guide to navigate the TLS
landscape. It contains information on TLS protocols,
known issues and vulnerabilities, configuration examples
and testing tools."

Resources - NIST SP800-52r1
http://dx.doi.org/10.6028/NIST.SP.800-52r1
"Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Document from U.S. National Institute of
Standards and Technologies (NIST)
revised in April 2014 (post-Snowden)
Aimed at US government agencies but
provides a useful tutorial and set of
guidelines for other organizations

One Challenge With TLS
How do you ensure that the TLS certificate the client is
receiving is the correct TLS certificate that the server
operator wants the client to receive?
This brings us to our next talk here at ION Santiago
about DANE…

But Before That…
Questions?
How can we help you with deploying TLS within your
network and with your customers?
What additional assistance do you need?
Thank you for helping make the Internet more secure!

Chris Grundemann
Director, Deployment & Operationalization
Internet Society
grundemann@isoc.org
http://www.internetsociety.org/deploy360/
Thank You!
www.isoc.org/do

ION Santiago: Lock It Up: TLS for Network Operators

More Related Content

What's hot (10)

Similar to ION Santiago: Lock It Up: TLS for Network Operators (20)

More from Deploy360 Programme (Internet Society) (20)

Recently uploaded (20)

ION Santiago: Lock It Up: TLS for Network Operators