Download - Edge 2014: The Evolution of TLS/SSL - Improving the Foundations of Internet Security

The Evolution of TLS & SSL Brian Sniffen

©2014 AKAMAI | FASTER FORWARDTM

TLS Timeline

1990Web

1995SSL 2

SSL 31996

2006TLS 1.1

TLS 1.22008

2015TLS 1.3

1999TLS 1.0

TimeNow


Akamai Security Research & Architecture

•  Crypto engineering expertise •  Technical backstop •  Product review •  Akamai Architecture Group seat •  Safety engineering •  Incident management


How much SSL?

Industry standard: 30%

Akamai sees: 37%

50% by 2016?


How much traffic is SSL?

36-38% 32–36%


24–26% 35–37%

Bad App


85–90% 80-85% WinXP EOL


TLS 1.3

Adoption goal: Everyone runs this by 2017

Big Site Operators speed

1-RTT setup 0-RTT resume

Crypto Warriors forward secrecy

encrypt handshake non-NIST ciphers

Pragmatists remove CBC remove RC4

remove compression fewer HTTP integrations


TLS 1.3 Speed Features

ClientHelloClientKeyExchange

ServerHelloServerKeyExchange[ChangeCipherSpec]EncryptedExtensions

CertificateCertificateRequestCertificateVerify

Finished

[ChangeCipherSpec]Certificate

CertificateVerifyFinished

Application Data Application Data


TLS 1.3 Speed Features

ServerHelloServerKeyExchange[ChangeCipherSpec]

Finished

ClientHelloClientKeyExchange

[ChangeCipherSpec]Finished

Application Data Application Data


TLS 1.3 Pragmatic features

Q: “What would happen if we remove everything we know is bad?” A: Simpler code runs blazingly fast A: Fewer protocol bugs A: New protocol bugs


TLS 1.3 Crypto War features

•  RSA Key Exchange is out •  Custom DHE groups are out •  DSA with random nonces may be out •  Extensions are encrypted •  DJB ciphers are in


TLS Private Innovations: A history

•  Delegated “Keyless” SSL •  National cipher suites (Camellia, SEED, etc.) •  SPDY / HTTP 2 requires TLS •  TLS False Start •  Eternal Chrome sessions •  Post-CA trust models


Implementation bugs

•  Gotofail •  Heartbleed •  NSS Signature Verification

Any device running year-old TLS software is insecure.


Let’s see the future: Optimistic

•  We all have TLS 1.3 in 2015 •  New devices, fast-cycle browsers have TLS 1.3 in 2015 •  Possible to operate an e-commerce site on TLS 1.3-only in 2015

•  Plausible to drop TLS 1.2 in 2018


Let’s see the future: Grim

•  Crash off of TLS 1.2 in 2016

•  No crypto software older than six months is trustworthy

•  Typical leaf cert lifespan < 3 months


Wild Guesses about Akamai SSL Support

New features: 2014: SCSV 2015: SNI, TLS 1.3, PFS, OCSP Stapling, SHA-2, Certificate Transparency 2016: post-DSA EC (Ed25519?) Walking the plank: 3DES, RC4, SSL3, SSL2


Advice

•  Pin an Edge-Origin Cert (or run your own CA) •  Test clients with EC-DHE now •  Turn on TLS 1.2 •  Turn off SSL 3 (and check that SSL 2 is off!) •  Don’t hard-code client-Edge elements