Symantec SSL Explained


Find out more about Symantec SSL and the subjects of encryption and authentication.

Transcript of Symantec SSL Explained

Page 1: Symantec SSL Explained

SSL Explained……

Andrew Horbury, Senior Product Marketing Manager, Symantec Website Security Solutions

SSL Explained 1

Page 2: Symantec SSL Explained

Agenda
• What does SSL do?
• Why do we need SSL?
• How do we use SSL today?
• How does SSL Encryption work?
• How does Authentication work?
• Different types of SSL Certificates
• Valid certificates and
• Website Security Solutions – Moving beyond SSL
• Resources and more information


Page 3: Symantec SSL Explained

What does SSL do?
• Authentication and Verification – The SSL Certificate contains information about the authenticity of the business or individual, which the browser displays when the padlock or certificate is clicked on.
• Data Encryption – SSL enables encryption, which means that sensitive information exchanged via a website cannot be intercepted and read by anyone other than the intended recipient.


Page 4: Symantec SSL Explained

First of all…

Let's take a look at how people's purchasing patterns have changed, with many of us preferring to buy online versus visiting shops.

• GBP91 billion spent online in 2013 in the UK (6% growth from 2012)*

• 2013 ‘year of the mobile’: 2x spent via mobile devices in December 2013 compared to December 2012

Yet… in 2012 one percent of all online revenues globally was lost to fraud; this equates to GBP2.17BN**

* IMRG.org

** Cyber Source Corp


Page 5: Symantec SSL Explained

Why do we need SSL?

• Everyone expects web sites to be safe from prying eyes
• We need to clearly demonstrate online security
• PCI compliance demands the encryption of credit card details
• There is a data protection obligation to protect personal data.
• SSL plays a huge part in the worlds of ecommerce, finance, government, manufacturing and much, much more…


Page 6: Symantec SSL Explained

How do we use SSL?

• To secure online transactions (ecommerce, bill payments etc.)
• To secure various online systems (logins, extranets, intranet etc.)
• To secure the connection between Outlook (mail client) and MS Exchange (mail server)
• To secure webmail and applications such as Outlook Web Access
• To secure cloud based applications
• To secure FTP and file transfer services
• To secure internal and external data transfers (SharePoint, database connections, HR apps, payroll etc.)
• To secure remote logins such as SSL VPN
• Securing information sent & received by mobile phones, tablets etc.


Page 7: Symantec SSL Explained

What do all these applications have in common?

• The data needs confidentiality – the user wants to keep credit card details, passwords and other personal data from prying eyes

• The data needs to retain integrity – meaning it cannot be intercepted and changed

• You need to demonstrate clearly that you are you and not someone else pretending to be you

• Compliance – meet national, local, international regulations


Page 8: Symantec SSL Explained

Would you send a postcard to someone through the post with your bank details written on the other side….?


Page 9: Symantec SSL Explained

Would you send a postcard to someone through the post with your bank details written on the other side….NO


Page 10: Symantec SSL Explained

How does SSL Encryption work?
• In the same way you use a key to unlock the door on your car, SSL uses keys to lock and unlock your information.
• Unless you have the right key, you will not be able to unlock the information (or car).
• Each SSL session uses two keys:
– The public key is used to encrypt
– The private key is used to decrypt
• Once the server and browser have completed the SSL handshake, both sides switch to a symmetric cipher, using a session key they now share, to encrypt the traffic.
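The lock-and-key description above, worked through in code as an added example (it is not part of the original deck and not Symantec's code): a browser-side Seal wraps a fresh symmetric session key with the server's public key and encrypts the data with that session key, and a server-side Open recovers the data only with the matching private key. All function and type names are this example's own assumptions; it uses Go's standard library, with RSA-OAEP for the key wrap and AES-GCM for the data, so modification in transit is detected as well (the integrity point from page 7). This is the RSA key-transport pattern the slide describes; current TLS versions agree the session key with an ephemeral Diffie-Hellman exchange instead, but the division of labour (a public-key step, then symmetric encryption of the traffic) is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the network: the symmetric session key wrapped with the
// server's public key, plus the nonce and AES-GCM ciphertext of the actual data.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal is the browser's side. It creates a fresh 256-bit session key, encrypts the
// message with it (AES-GCM, so tampering is detected too), and wraps the session key
// with the server's public key so only the matching private key can recover it.
func Seal(serverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the server's side. Only the private key unwraps the session key, and only
// the right session key authenticates and decrypts the data; anything else is rejected.
func Open(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext rejected: modified in transit or wrong key")
	}
	return plaintext, nil
}

// newGCM builds the AES-GCM cipher for a raw 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: a server key pair and a message a shopper might submit.
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&serverKey.PublicKey, []byte("card ending 1111 (constructed sample)"))
	if err != nil {
		panic(err)
	}
	got, err := Open(serverKey, env)
	fmt.Printf("server reads: %q (err=%v)\n", got, err)

	// An eavesdropper holding some other private key gets nothing usable.
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(otherKey, env)
	fmt.Println("wrong key:", err)
}
```

The two failure paths are the ones worth noticing: a different private key cannot unwrap the session key at all, and a single flipped ciphertext byte is rejected by GCM before any plaintext is returned, which is what "cannot be intercepted and changed" on page 7 relies on.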


Page 11: Symantec SSL Explained

Moving onto Identity – How Authentication Works…
• Making sure that you are talking to the person or computer that you can trust.
• Who to trust
– Company asks a CA (e.g. Symantec) for a certificate
– CA creates a certificate and signs it
– Certificate installed on a server
– Browser issued with root certificates
– Browser trusts correctly signed certificates


Page 12: Symantec SSL Explained

Different types of SSL Certificates

The use of SSL has changed. Some companies use SSL for authentication, to demonstrate trust, whilst others need only encryption.

The industry has reacted and formulated three types of SSL certificate:
• Domain Validated (DV)
• Organisation Validated (OV) – domain and org validated
• Extended Validation (EV) – as OV but with:
– Verifies the legal, physical and operational status of a company
– Verifies that the identity of the entity matches official centrally held documents
– Verifies that the entity has the exclusive right to use the domain specified in the EV certificate
• All certificates issued by Symantec are fully validated at Org level


Page 13: Symantec SSL Explained

Website warnings for self-signed certificates (screenshots: Chrome, IE8, Firefox 10)


Page 15: Symantec SSL Explained

Different Certificate Technologies
• Individual certificates
– Standard use for an SSL certificate. Used to secure data between website and webserver (can be used for multiple servers)
• Wildcard SSL Certificates
– A Wildcard certificate – use one certificate to secure multiple subdomains under one domain.
• Multiple domain Certificates
– Subject Alternative Names. Similar to a Wildcard certificate, but more versatile, the SAN (Subject Alternative Name) SSL certificate allows more than one domain to be added to a single SSL certificate. These are particularly useful for Unified Communications – for use with Microsoft Exchange/Office Service
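An added example (not from the original deck and not Symantec's code) that works through page 11's chain of trust and this page's Wildcard and SAN certificates together, using Go's standard crypto/x509 package: BuildPKI acts as the CA, creating a root and issuing a server certificate whose Subject Alternative Names are a plain hostname, a wildcard and a second domain; Verify acts as the browser, accepting the certificate only when it chains to a root in the trust store and covers the hostname the user asked for. The function names, the "Constructed Example Root CA" and the example.com / example.net hostnames are this example's own assumptions. Running it shows that the wildcard covers exactly one label, that the extra SAN for mail.example.net is matched independently of the main domain, and that with no root installed the very same certificate fails, which is the untrusted-issuer case behind the browser warnings on page 13.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signer. When parent is nil the certificate is self-signed,
// which is what a root CA certificate (and a home-made server certificate) looks like.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI plays the CA (page 11): it creates a root certificate and then issues a
// server certificate covering the given DNS names (plain names, wildcards, extra SANs).
func BuildPKI(dnsNames []string) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	root, err = issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // the Subject Alternative Names a browser matches on
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// Verify does what the browser does: the leaf must chain to a root in the trust store
// and must be valid for the hostname the user typed. A leaf that chains to nothing in
// the store is the "self-signed / untrusted issuer" warning case.
func Verify(leaf *x509.Certificate, trustStore []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	root, leaf, err := BuildPKI([]string{"www.example.com", "*.example.com", "mail.example.net"})
	if err != nil {
		panic(err)
	}
	trusted := []*x509.Certificate{root}
	for _, host := range []string{"www.example.com", "shop.example.com", "deep.shop.example.com", "example.com", "mail.example.net"} {
		fmt.Printf("%-24s with root installed: %v\n", host, Verify(leaf, trusted, host))
	}
	fmt.Println("no root installed:", Verify(leaf, nil, "www.example.com"))
}
```

Two checks are doing the work in Verify: the signature chain back to a trusted root (whose absence produces an unknown-authority error) and the hostname match against the SAN list, and a browser warns on either failing.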


Page 16: Symantec SSL Explained

The value of Symantec Website Security Solutions

• SGC Premium SSL
• Extended Validation
• Seal in Search / Norton Secured Seal
• Daily Malware Scanning (all certs)
• Weekly Vulnerability Assessment (Pro and EV)
• SANs (all certs bar Wildcard) – e.g. Domain1.com, Domain2.com and Domain3.com on one certificate
• Algorithm Agility – RSA/ECC/DSA (ECC available for Pro and Pro EV)


Page 17: Symantec SSL Explained

Our Websites are Being Used Against Us

• 61% of web sites serving malware are legitimate sites
• 25% have critical vulnerabilities unpatched
• 53% of legitimate websites have unpatched vulnerabilities


Page 18: Symantec SSL Explained

Symantec SSL Algorithm Agility
• Elliptic Curve Cryptography (ECC) Algorithm
• 12 times faster than RSA
– A 256-bit ECC key provides the same level of security as a 3,072-bit RSA key
• 7-10% faster using less CPU power
– Directorz Co. Ltd – 46 percent lower CPU burden and a 7 percent reduction in response time, enabling more total simultaneous connections to a single site.
• Available with:
– Symantec Secure Site Pro
– Symantec Secure Site Pro with EV
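To make the 256-bit ECC versus 3,072-bit RSA comparison concrete, here is an added example (not Symantec's code) using Go's standard library: each function generates a key at the stated size, signs a constructed message, verifies the signature and reports the DER-encoded public key and signature sizes, which are what the certificate and every handshake must carry. It measures size rather than speed, so it does not verify the 12x figure on the slide; the function names and the message are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// KeyReport summarises one signing algorithm: the size of the DER-encoded public key
// (what goes into the certificate), the size of one signature (what goes into every
// handshake), and whether the signature verified under the same public key.
type KeyReport struct {
	Name          string
	PublicKeyDER  int
	SignatureSize int
	Verified      bool
}

// ReportECDSA signs msg with a fresh P-256 key, the 256-bit curve the slide compares to RSA-3072.
func ReportECDSA(msg []byte) (KeyReport, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return KeyReport{}, err
	}
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return KeyReport{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return KeyReport{}, err
	}
	ok := ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig)
	return KeyReport{Name: "ECDSA P-256", PublicKeyDER: len(pub), SignatureSize: len(sig), Verified: ok}, nil
}

// ReportRSA does the same with an RSA key of the requested size, using RSA-PSS signatures.
func ReportRSA(bits int, msg []byte) (KeyReport, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return KeyReport{}, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return KeyReport{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return KeyReport{}, err
	}
	ok := rsa.VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil
	return KeyReport{Name: fmt.Sprintf("RSA-%d", bits), PublicKeyDER: len(pub), SignatureSize: len(sig), Verified: ok}, nil
}

func main() {
	msg := []byte("handshake transcript (constructed sample)")
	ec, err := ReportECDSA(msg)
	if err != nil {
		panic(err)
	}
	r, err := ReportRSA(3072, msg)
	if err != nil {
		panic(err)
	}
	for _, rep := range []KeyReport{ec, r} {
		fmt.Printf("%-12s public key %3d bytes, signature %3d bytes, verified=%v\n",
			rep.Name, rep.PublicKeyDER, rep.SignatureSize, rep.Verified)
	}
}
```

At the same security level the P-256 public key encodes to 91 bytes and a signature to roughly 70 bytes, against 422 and 384 bytes for RSA-3072, which is the bandwidth side of the CPU saving the slide quotes.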



Page 23: Symantec SSL Explained

SSL and Trust
• Certificate authorities such as Symantec undergo extremely rigorous audits in order to be recognised as a trusted issuer of digital certificates
• All certificates that Symantec issues are vetted prior to issuing. We do not let partners or third parties do this verification on our behalf.
• Certificate Authorities need to ensure that their certificates have root ubiquity. The Symantec certificate root is recognised in most browsers and devices.
• Choosing a CA is key – you need to know that its root is trusted in browsers and that it has a reputation that will enhance your trust to the wider world. If the root is not included in IE6 (10% of the market) what do you do?


Page 24: Symantec SSL Explained

SSL Explained
• UK English – http://bit.ly/LAbN4R
• German – http://bit.ly/1aHoNw1
• France – http://bit.ly/1e9DEjq
• Italy – http://bit.ly/1dLTB4r
• Spain – http://bit.ly/KxsIFd
• PCI Security Standards Council’s ecommerce – http://bit.ly/1einKWU


Page 25: Symantec SSL Explained

More information
• Monthly Website Security Threat Update
– https://www.brighttalk.com/channel/6331
– 13 Feb 2014, 9.30 GMT/10.30 CET
• Follow us
– @nortonsecured
– https://www.facebook.com/SymantecWebsiteSecuritySolutions


Page 26: Symantec SSL Explained

Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Andrew Horbury – [email protected] – @andyhorbury – www.symantec.co.uk/ssl


Page 27: Symantec SSL Explained

Appendix


Page 28: Symantec SSL Explained

Key Data at a Glance


Page 29: Symantec SSL Explained

Ecommerce Turnover and Growth in EMEA in 2012

• UK, Germany, France are still the top 3 performers in regards to ecommerce turnover

• However good opportunity exists in markets like Spain, Russia, Holland and Italy.

• The countries with the highest growth percentage in 2012 were Turkey, Greece and Ukraine – overall Eastern European countries show the most growth
