TLS State of the Union
-
Upload
sander-temme -
Category
Technology
-
view
85 -
download
0
Transcript of TLS State of the Union
www.thales-esecurity.com OPEN
TLS State of the Union
ApacheCon NA 2016Sander Temme – [email protected]
2This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
3This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Heartbleed Impact: >60% of sites vulnerable!
4This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
How Many Eyeballs Are There? Really?
5This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
The Linux Foundation Steps In
6This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
The Linux Foundation Steps In
7This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Core Infrastructure Initiative Grant for OpenSSL Development
8This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
So, What Else Happened…
9This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
So, What Else Happened…
www.thales-esecurity.com OPEN
What’s Going On Today?
11This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Pervasive TLS Deployment
▌High Traffic Sites now default to TLSGoogle, YouTube, Yahoo!, Facebook, Twitter, Netflix (soon), …
▌ Increased consciousness
▌ Increased expertiseSecurityPerformance (https://istlsfastyet.com)
▌Going Dark is the new defaultGoogle treats you better when you’re on TLS
12This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Go Dark for Free: Let’s Encrypt!
▌Free, Automated, and Open Certificate tool
▌Supported by all the browsers
▌ It’s easy!Run software agent on serverMust have root on hostCreates SSL vhost for Apache httpd
13This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
The Backdoor Debate
14This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
The Backdoor Debate
15This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
16This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Certificates Ain’t What They Used to Be
17This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Certificates
▌Don’t use self-signedIt’s never been a good ideaNow even less so
▌PKI is HardDon’t set up your own toy PKIDo it right or not at all
▌Buy certs for Intranet sitesFrom cheap commercial CAsProblem solved
www.thales-esecurity.com OPEN
What’s Next?
19This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
More Patches
▌ Increased OpenSSL Development
▌ Increased Adoption
▌ Increased Scrutiny
▌ Which OpenSSL version?
The one that came with your OSyum update etc.
▌ OpenSSL release streams
0.9.x is dead, don’t use it1.0.1t released May 3, 20161.0.2h released May 3, 20161.1.x is in pre-release
Expect more patches, faster
20This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Recommended Key Sizes
▌Currently (May 2016)RSA: 2048bitECC: 256bit
▌Hashes: SHA-256Chrome: certificates with SHA-1 in chain insecureRoot certificates with SHA-1 ok
https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4
21This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Transport Layer Security 1.3
▌Currently in developmenthttps://tlswg.github.io/tls13-spec/
▌Faster
▌More secure
22This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Serverwww.example.com
TLS Static Key Handshake
Root CA Certificate
Server Certificate
Client
Here’s a Secret Scooby Snack
Hello!
Hello, it’s me!
Verify Server Identity
Derive Session Keys
Encrypted Communications
NOM NOM decrypt
NOM
23This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Serverwww.example.com
Handshake with Forward Secrecy
Root CA Certificate
Server Certificate
Client
Hello!
Hello, it’s me!
Verify Server Identity
Derive Session Keys
Encrypted Communications
24This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Content Inspection
Interwebs
Inspection/WAF Origin Server(s)
Switch Origin Server(s)
httpd WAF
httpd
httpd
Inspection/WAF
TLS
TLS
Re-encrypt
Port spanning
TLS
25This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Content Inspection in a Forward Secrecy World
InterwebsApplication
Delivery Controller
Origin Server(s)httpd
Inspection/WAF
plaintext
TLS Re-encrypt
26This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
27This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Strong and Getting Stronger
▌Deeper understanding of the risks
▌ Improved developmentAttentionFunding
▌Pervasive adoption
28This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
What Can You Do?
▌Use the tools wellDon’t make smiley faces
▌ Inform yourselfMuch information on the googlewebs
▌Don’t be a certificate problemGet rid of SHA-1 based certsBrowser vendors don’t like to show errors to your users but they will
▌Deploy patchable infrastructureBetter software is just down the road
29This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Further Reading
▌ TLS 1.3 RFC in developmenthttps://tlswg.github.io/tls13-spec/
▌Blogs, Talks, Presentationshttps://istlsfastyet.com/https://blog.twitter.com/2013/forward-secrecy-at-twitter-0https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/https://t.co/83UYUE7XZP (Chrome browser SSL related warnings)http://arstechnica.com/security/2015/04/it-wasnt-easy-but-netflix-will-soon-use-https-to-secure-video-streams/https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html
30This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Questions and Discussion
▌http://www.slideshare.net/sctemme
▌Follow @keysinthecloud on Twitter