Abstract image of a woman sitting on books and studying on a laptop

TLS State of the Union

Sander Temme, profile picture
Sander Temme

This document summarizes the state of TLS and SSL security. It discusses how the Heartbleed vulnerability exposed vulnerabilities in over 60% of websites. It also discusses increased efforts to improve TLS security like the Linux Foundation providing funding to OpenSSL and the rise of free certificate authorities like Let's Encrypt. The document advocates for best practices like enabling forward secrecy, moving to TLS 1.3, and avoiding SHA-1 certificates.

Technology
1 of 30
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
www.thales-esecurity.com OPEN TLS State of the Union ApacheCon NA 2016 Sander Temme – sctemme@apache.org
2 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN
3 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Heartbleed Impact: >60% of sites vulnerable!
4 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN How Many Eyeballs Are There? Really?
5 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN The Linux Foundation Steps In
6 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN The Linux Foundation Steps In
7 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Core Infrastructure Initiative Grant for OpenSSL Development
8 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN So, What Else Happened…
9 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN So, What Else Happened…
www.thales-esecurity.com OPEN What’s Going On Today?
11 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Pervasive TLS Deployment ▌ High Traffic Sites now default to TLS Google, YouTube, Yahoo!, Facebook, Twitter, Netflix (soon), … ▌ Increased consciousness ▌ Increased expertise Security Performance (https://istlsfastyet.com) ▌ Going Dark is the new default Google treats you better when you’re on TLS
12 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Go Dark for Free: Let’s Encrypt! ▌ Free, Automated, and Open Certificate tool ▌ Supported by all the browsers ▌ It’s easy! Run software agent on server Must have root on host Creates SSL vhost for Apache httpd
13 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN The Backdoor Debate
14 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN The Backdoor Debate
15 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN
16 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Certificates Ain’t What They Used to Be
17 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Certificates ▌ Don’t use self-signed It’s never been a good idea Now even less so ▌ PKI is Hard Don’t set up your own toy PKI Do it right or not at all ▌ Buy certs for Intranet sites From cheap commercial CAs Problem solved
www.thales-esecurity.com OPEN What’s Next?
19 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN More Patches ▌ Increased OpenSSL Development ▌ Increased Adoption ▌ Increased Scrutiny ▌ Which OpenSSL version? The one that came with your OS yum update etc. ▌ OpenSSL release streams 0.9.x is dead, don’t use it 1.0.1t released May 3, 2016 1.0.2h released May 3, 2016 1.1.x is in pre-release Expect more patches, faster
20 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Recommended Key Sizes ▌ Currently (May 2016) RSA: 2048bit ECC: 256bit ▌ Hashes: SHA-256 Chrome: certificates with SHA-1 in chain insecure Root certificates with SHA-1 ok https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4
21 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Transport Layer Security 1.3 ▌ Currently in development https://tlswg.github.io/tls13-spec/ ▌ Faster ▌ More secure
22 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Server www.example.com TLS Static Key Handshake Root CA Certificate Server Certificate Client Here’s a Secret Scooby Snack Hello! Hello, it’s me! Verify Server Identity Derive Session Keys EncryptedCommunications NOM NOM decrypt NOM
23 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Server www.example.com Handshake with Forward Secrecy Root CA Certificate Server Certificate Client Hello! Hello, it’s me! Verify Server Identity Derive Session Keys EncryptedCommunications
24 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Content Inspection Interwebs Inspection/WAF Origin Server(s) Switch Origin Server(s) httpd WAF httpd httpd Inspection/WAF TLS TLS Re-encrypt Port spanning TLS
25 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Content Inspection in a Forward Secrecy World Interwebs Application Delivery Controller Origin Server(s)httpd Inspection/WAF plaintext TLS Re-encrypt
26 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN
27 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Strong and Getting Stronger ▌ Deeper understanding of the risks ▌ Improved development Attention Funding ▌ Pervasive adoption
28 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN What Can You Do? ▌ Use the tools well Don’t make smiley faces ▌ Inform yourself Much information on the googlewebs ▌ Don’t be a certificate problem Get rid of SHA-1 based certs Browser vendors don’t like to show errors to your users but they will ▌ Deploy patchable infrastructure Better software is just down the road
29 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Further Reading ▌ TLS 1.3 RFC in development https://tlswg.github.io/tls13-spec/ ▌ Blogs, Talks, Presentations https://istlsfastyet.com/ https://blog.twitter.com/2013/forward-secrecy-at-twitter-0 https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/ https://t.co/83UYUE7XZP (Chrome browser SSL related warnings) http://arstechnica.com/security/2015/04/it-wasnt-easy-but-netflix-will-soon-use- https-to-secure-video-streams/ https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html
30 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Questions and Discussion ▌ http://www.slideshare.net/sctemme ▌ sctemme@apache.org ▌ Follow @keysinthecloud on Twitter

More Related Content

PDF
SSL State of the Union
Sander Temme
 
PPT
Ost ssl lec
Kaustubh Joshi
 
PDF
Introduction To The DANE Protocol (DNSSEC)
Deploy360 Programme (Internet Society)
 
PDF
ION Santiago - DNSSEC and DANE Based Security for TLS
Deploy360 Programme (Internet Society)
 
PDF
Sinn und Unsinn von SSL
Walter Ebert
 
PDF
Deploying DNSSEC: what, how and where ?
Afnic
 
PDF
HTTPS: All you need to know
OVHcloud
 
PDF
Configuring SSL on NGNINX and less tricky servers
Axilis
 
SSL State of the Union
Sander Temme
 
Ost ssl lec
Kaustubh Joshi
 
Introduction To The DANE Protocol (DNSSEC)
Deploy360 Programme (Internet Society)
 
ION Santiago - DNSSEC and DANE Based Security for TLS
Deploy360 Programme (Internet Society)
 
Sinn und Unsinn von SSL
Walter Ebert
 
Deploying DNSSEC: what, how and where ?
Afnic
 
HTTPS: All you need to know
OVHcloud
 
Configuring SSL on NGNINX and less tricky servers
Axilis
 

What's hot (8)

PDF
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
PPTX
Segurança da era do ssl everywhere
rodolfovillordo
 
PDF
HARDENING IN APACHE WEB SERVER
Utah Networxs Consultoria e Treinamento
 
PDF
5 TIPS TO SECURE YOUR VPS AND DEDICATED SERVER
EpicHosts UK
 
PPTX
Demystfying secure certs
Gary Williams
 
PDF
Security and Privacy on the Web in 2016
Francois Marier
 
PDF
Online passwords – understanding "credential stuffing" cyberattack
OVHcloud
 
PDF
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
OpenDNS
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
Segurança da era do ssl everywhere
rodolfovillordo
 
HARDENING IN APACHE WEB SERVER
Utah Networxs Consultoria e Treinamento
 
5 TIPS TO SECURE YOUR VPS AND DEDICATED SERVER
EpicHosts UK
 
Demystfying secure certs
Gary Williams
 
Security and Privacy on the Web in 2016
Francois Marier
 
Online passwords – understanding "credential stuffing" cyberattack
OVHcloud
 
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
OpenDNS
 
Ad

Viewers also liked (20)

PPTX
Thales e-Security corporate presentation
Thales e-Security
 
PPTX
Virtual Gov Day - Application Delivery Breakout - Northrop Grumman Informatio...
Splunk
 
PDF
Caci 2016 guidance_conference
Edgar Melo Costa
 
PDF
Exploration and Sciences Technologies in Thales Alenia Space towards Horizone...
Leonardo
 
PDF
Mexico trends mx 042116 (003)
Jose G Rivera, MBA, CISSP, CTGA,
 
PPTX
RBMovil Powered by CHARGE Anywhere: MWC
CHARGE Anywhere
 
PPTX
ROTLD DNSSEC Implementation
Deploy360 Programme (Internet Society)
 
PPTX
Protecting application delivery without network security blind spots
Thales e-Security
 
PPTX
Futurex Secure Key Injection Solution
Greg Stone
 
PPTX
Decision criteria and analysis for hardware-based encryption
Thales e-Security
 
PDF
[Application guide] IoT Protocol gateway
Seth Xie
 
PPTX
Cloud payments (HCE): a simpler step with Thales HSMs
Thales e-Security
 
PPT
Innovation Solutions
Railways and Harbours
 
PPTX
Risk Analysis Of Banking Malware Attacks
Marco Morana
 
PPTX
Cloud based payments: the future of mobile payments?
Thales e-Security
 
PDF
thales-corporate-presentation 2015
Sid Atreya | MBA | B.Eng
 
PPTX
Le contrat agile ce n'est pas si simple que ça
Franck Beulé
 
PPS
Thales
cwill
 
PPTX
HSM Basic Training
Md. Budrul Hasan Bhuiyan
 
PPTX
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Knowledge Group
 
Thales e-Security corporate presentation
Thales e-Security
 
Virtual Gov Day - Application Delivery Breakout - Northrop Grumman Informatio...
Splunk
 
Caci 2016 guidance_conference
Edgar Melo Costa
 
Exploration and Sciences Technologies in Thales Alenia Space towards Horizone...
Leonardo
 
Mexico trends mx 042116 (003)
Jose G Rivera, MBA, CISSP, CTGA,
 
RBMovil Powered by CHARGE Anywhere: MWC
CHARGE Anywhere
 
ROTLD DNSSEC Implementation
Deploy360 Programme (Internet Society)
 
Protecting application delivery without network security blind spots
Thales e-Security
 
Futurex Secure Key Injection Solution
Greg Stone
 
Decision criteria and analysis for hardware-based encryption
Thales e-Security
 
[Application guide] IoT Protocol gateway
Seth Xie
 
Cloud payments (HCE): a simpler step with Thales HSMs
Thales e-Security
 
Innovation Solutions
Railways and Harbours
 
Risk Analysis Of Banking Malware Attacks
Marco Morana
 
Cloud based payments: the future of mobile payments?
Thales e-Security
 
thales-corporate-presentation 2015
Sid Atreya | MBA | B.Eng
 
Le contrat agile ce n'est pas si simple que ça
Franck Beulé
 
Thales
cwill
 
HSM Basic Training
Md. Budrul Hasan Bhuiyan
 
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Knowledge Group
 
Ad

Similar to TLS State of the Union (20)

PPTX
ION Sri Lanka - TLS for Network Operators
Deploy360 Programme (Internet Society)
 
PDF
ION Santiago: Lock It Up: TLS for Network Operators
Deploy360 Programme (Internet Society)
 
PPTX
[Cluj] Turn SSL ON
OWASP EEE
 
PDF
How (un)secure is SSL/TLS?
Microsoft
 
PDF
Sử dụng TLS đúng cách - Phạm Tùng Dương
Security Bootcamp
 
PDF
HTTPS, Here and Now
Philippe De Ryck
 
PDF
020618 Why Do we Need HTTPS
Jackio Kwok
 
PDF
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
PDF
Getting started with HTTPS | LumoSpark webinar
LumoSpark
 
PPTX
[Wroclaw #8] TLS all the things!
OWASP
 
PPTX
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Heroku
 
PPTX
Let's Encrypt + DANE
Deploy360 Programme (Internet Society)
 
PDF
Webinar SSL English
SSL247®
 
PDF
Are we security yet
Cristian Vat
 
PDF
SSL and TLS Theory and Practice 3rd Edition Rolf Oppliger
aribonkathy
 
PPTX
Certificate pinning in android applications
Arash Ramez
 
PDF
#Morecrypto (with tis) - version 2.2
Olle E Johansson
 
PDF
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
Gabriella Davis
 
PDF
SSL: Past, Present and Future
Tiago Mendo
 
PDF
SSL: Past, Present and Future
Luis Grangeia
 
ION Sri Lanka - TLS for Network Operators
Deploy360 Programme (Internet Society)
 
ION Santiago: Lock It Up: TLS for Network Operators
Deploy360 Programme (Internet Society)
 
[Cluj] Turn SSL ON
OWASP EEE
 
How (un)secure is SSL/TLS?
Microsoft
 
Sử dụng TLS đúng cách - Phạm Tùng Dương
Security Bootcamp
 
HTTPS, Here and Now
Philippe De Ryck
 
020618 Why Do we Need HTTPS
Jackio Kwok
 
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
Getting started with HTTPS | LumoSpark webinar
LumoSpark
 
[Wroclaw #8] TLS all the things!
OWASP
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Heroku
 
Let's Encrypt + DANE
Deploy360 Programme (Internet Society)
 
Webinar SSL English
SSL247®
 
Are we security yet
Cristian Vat
 
SSL and TLS Theory and Practice 3rd Edition Rolf Oppliger
aribonkathy
 
Certificate pinning in android applications
Arash Ramez
 
#Morecrypto (with tis) - version 2.2
Olle E Johansson
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
Gabriella Davis
 
SSL: Past, Present and Future
Tiago Mendo
 
SSL: Past, Present and Future
Luis Grangeia
 

Recently uploaded (20)

PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
PDF
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
Comparative analysis of machine learning models for fake news detection in so...
IAESIJAI
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
ClarisejaneSartillo1
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
PDF
Credit Without Borders: AI and Financial Inclusion in Bangladesh
Ehsan Tanim
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Comparative analysis of machine learning models for fake news detection in so...
IAESIJAI
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
ClarisejaneSartillo1
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
Credit Without Borders: AI and Financial Inclusion in Bangladesh
Ehsan Tanim
 

TLS State of the Union

  • 1. www.thales-esecurity.com OPEN TLS State of the Union ApacheCon NA 2016 Sander Temme – sctemme@apache.org
  • 2. 2 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN
  • 3. 3 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Heartbleed Impact: >60% of sites vulnerable!
  • 4. 4 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN How Many Eyeballs Are There? Really?
  • 5. 5 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN The Linux Foundation Steps In
  • 6. 6 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN The Linux Foundation Steps In
  • 7. 7 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Core Infrastructure Initiative Grant for OpenSSL Development
  • 8. 8 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN So, What Else Happened…
  • 9. 9 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN So, What Else Happened…
  • 11. 11 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Pervasive TLS Deployment ▌ High Traffic Sites now default to TLS Google, YouTube, Yahoo!, Facebook, Twitter, Netflix (soon), … ▌ Increased consciousness ▌ Increased expertise Security Performance (https://istlsfastyet.com) ▌ Going Dark is the new default Google treats you better when you’re on TLS
  • 12. 12 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Go Dark for Free: Let’s Encrypt! ▌ Free, Automated, and Open Certificate tool ▌ Supported by all the browsers ▌ It’s easy! Run software agent on server Must have root on host Creates SSL vhost for Apache httpd
  • 13. 13 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN The Backdoor Debate
  • 14. 14 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN The Backdoor Debate
  • 15. 15 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN
  • 16. 16 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Certificates Ain’t What They Used to Be
  • 17. 17 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Certificates ▌ Don’t use self-signed It’s never been a good idea Now even less so ▌ PKI is Hard Don’t set up your own toy PKI Do it right or not at all ▌ Buy certs for Intranet sites From cheap commercial CAs Problem solved
  • 19. 19 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN More Patches ▌ Increased OpenSSL Development ▌ Increased Adoption ▌ Increased Scrutiny ▌ Which OpenSSL version? The one that came with your OS yum update etc. ▌ OpenSSL release streams 0.9.x is dead, don’t use it 1.0.1t released May 3, 2016 1.0.2h released May 3, 2016 1.1.x is in pre-release Expect more patches, faster
  • 20. 20 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Recommended Key Sizes ▌ Currently (May 2016) RSA: 2048bit ECC: 256bit ▌ Hashes: SHA-256 Chrome: certificates with SHA-1 in chain insecure Root certificates with SHA-1 ok https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4
  • 21. 21 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Transport Layer Security 1.3 ▌ Currently in development https://tlswg.github.io/tls13-spec/ ▌ Faster ▌ More secure
  • 22. 22 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Server www.example.com TLS Static Key Handshake Root CA Certificate Server Certificate Client Here’s a Secret Scooby Snack Hello! Hello, it’s me! Verify Server Identity Derive Session Keys EncryptedCommunications NOM NOM decrypt NOM
  • 23. 23 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Server www.example.com Handshake with Forward Secrecy Root CA Certificate Server Certificate Client Hello! Hello, it’s me! Verify Server Identity Derive Session Keys EncryptedCommunications
  • 24. 24 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Content Inspection Interwebs Inspection/WAF Origin Server(s) Switch Origin Server(s) httpd WAF httpd httpd Inspection/WAF TLS TLS Re-encrypt Port spanning TLS
  • 25. 25 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Content Inspection in a Forward Secrecy World Interwebs Application Delivery Controller Origin Server(s)httpd Inspection/WAF plaintext TLS Re-encrypt
  • 26. 26 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN
  • 27. 27 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Strong and Getting Stronger ▌ Deeper understanding of the risks ▌ Improved development Attention Funding ▌ Pervasive adoption
  • 28. 28 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN What Can You Do? ▌ Use the tools well Don’t make smiley faces ▌ Inform yourself Much information on the googlewebs ▌ Don’t be a certificate problem Get rid of SHA-1 based certs Browser vendors don’t like to show errors to your users but they will ▌ Deploy patchable infrastructure Better software is just down the road
  • 29. 29 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Further Reading ▌ TLS 1.3 RFC in development https://tlswg.github.io/tls13-spec/ ▌ Blogs, Talks, Presentations https://istlsfastyet.com/ https://blog.twitter.com/2013/forward-secrecy-at-twitter-0 https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/ https://t.co/83UYUE7XZP (Chrome browser SSL related warnings) http://arstechnica.com/security/2015/04/it-wasnt-easy-but-netflix-will-soon-use- https-to-secure-video-streams/ https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html
  • 30. 30 This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved. OPEN Questions and Discussion ▌ http://www.slideshare.net/sctemme ▌ sctemme@apache.org ▌ Follow @keysinthecloud on Twitter