ssl state of the union
DESCRIPTION
This deck was delivered at ApacheCon North America 2014.

TRANSCRIPT
![Page 1: SSL State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022061113/545825d4b1af9f39378b54e0/html5/thumbnails/1.jpg)
SSL State of the Union Sander Temme – Senior Product Line Manager
Thales e-Security – [email protected]
3 Everybody’s Going SSL
https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what
4 Agenda
The SSL Protocol
Recent Security Developments
How Open Source Has Stumbled
Setting up a Test PKI
Questions?
SSL Protocol Considerations
6 What Does SSL Do For Us?
7 Protocol Overview
(Diagram: a Client talks to Server www.example.com. The server holds a Server Certificate; the client holds the Root CA Certificate under which it was issued.)
- Client: "Hello!"
- Server: "Hello, it's me!" (sends its Server Certificate)
- Client: Verify Server Identity (check the Server Certificate against the Root CA Certificate)
- Client: "Here's a Secret Scooby Snack" (a secret only the holder of the server's private key can read)
- Server: decrypt it ("NOM NOM")
- Both sides: Derive Session Keys
- Encrypted Communications
8 Limitations
Only protects data in transit (not at rest, not inside either endpoint)
Must do certificates well (issuance, hostname checking, revocation)
Blind trust in Certificate Authorities
9 Limitations: Certificate Issues
10 Security Triad
11 Trust in Certificate Authorities?
Recent Security Developments
13 Protocol Attacks
BEAST, CRIME, TIME, Oh My!
We Are Not Cryptographers
- We consume crypto
- Sift through the headlines
- Most attacks Responsibly Disclosed
14 Attacks are Good
Daylight as a Disinfectant
Flaws get fixed
Everyone benefits
But painful
- Need a plan
15 This Week's Joy: Heartbleed
Bug in the TLS heartbeat extension handling in OpenSSL: a missing bounds check lets a peer read up to 64 KB of server memory per request
Fixed in OpenSSL 1.0.1g; the 1.0.0 and 0.9.8 branches are not affected
Exploits virtually undetectable (nothing unusual shows up in server logs)
Unpleasant surprise
- Became public April 7, 2014
- No advance warning
- Vendors are scrambling
- We all get to update!
To wit (patching alone is not enough: anything that was in the server's memory, the private key included, may have leaked)
- Generate new keys, get certificates reissued
- Revoke the old certificates
- Assess and respond to possible intrusion
https://access.redhat.com/security/cve/CVE-2014-0160
http://heartbleed.com
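To make concrete what "bug in heartbeat" means: an RFC 6520 heartbeat request carries a 16-bit payload length, and the vulnerable code copied that many bytes from the incoming record into the response without checking that the record actually contained them, so a peer could claim up to 65535 bytes and get back whatever lay beyond the record in process memory. The Go program below is an added example, not OpenSSL's code and not from the deck: it parses the heartbeat layout on a constructed request and applies the length check that the fix introduced. The helper names are mine.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 6520 heartbeat message layout: type(1) | payload_length(2) | payload | padding(>=16).
const (
	hbRequest  = 1
	hbResponse = 2
	hbPadding  = 16
)

var errBadHeartbeat = errors.New("heartbeat: claimed payload length exceeds record")

// claimedPayloadLen returns the length field exactly as the peer sent it. Copying this many
// bytes out of the record buffer without comparing it to the record's real length is the
// Heartbleed pattern: the copy runs past the record into whatever memory follows it.
func claimedPayloadLen(rec []byte) int {
	if len(rec) < 3 {
		return 0
	}
	return int(binary.BigEndian.Uint16(rec[1:3]))
}

// buildHeartbeatResponse echoes the payload back, but only after checking that payload plus
// minimum padding fits inside the received record. This is the shape of the check added in
// OpenSSL 1.0.1g (a simplified stand-in, not OpenSSL's code).
func buildHeartbeatResponse(rec []byte) ([]byte, error) {
	if len(rec) < 3 || rec[0] != hbRequest {
		return nil, errors.New("heartbeat: malformed or not a request")
	}
	payload := claimedPayloadLen(rec)
	if 1+2+payload+hbPadding > len(rec) {
		return nil, errBadHeartbeat // a real implementation drops the record silently
	}
	out := make([]byte, 3+payload+hbPadding)
	out[0] = hbResponse
	binary.BigEndian.PutUint16(out[1:3], uint16(payload))
	copy(out[3:], rec[3:3+payload])
	// padding is left as zeros here; a real implementation fills it with random bytes
	return out, nil
}

// heartbeatRequest builds a well-formed request for payload (constructed test input).
func heartbeatRequest(payload []byte) []byte {
	rec := make([]byte, 3+len(payload)+hbPadding)
	rec[0] = hbRequest
	binary.BigEndian.PutUint16(rec[1:3], uint16(len(payload)))
	copy(rec[3:], payload)
	return rec
}

func main() {
	good := heartbeatRequest([]byte("ping"))
	resp, err := buildHeartbeatResponse(good)
	fmt.Printf("benign: %d-byte response, err=%v\n", len(resp), err)

	// Malicious request: four real payload bytes, but the length field claims 65535.
	evil := heartbeatRequest([]byte("ping"))
	binary.BigEndian.PutUint16(evil[1:3], 0xFFFF)
	fmt.Printf("claimed %d bytes in a %d-byte record\n", claimedPayloadLen(evil), len(evil))
	_, err = buildHeartbeatResponse(evil)
	fmt.Println("malicious:", err)
}
```

The benign request is 23 bytes (3 header + 4 payload + 16 padding) and is echoed; the malicious one claims 65535 bytes of payload inside that same 23-byte record and is rejected. Note that the check alone is the whole fix; the attacker-controlled number never reaches the copy.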
16 Increase Trust in Certificates
DANE
Certificate Transparency
17 DANE: DNS-based Authentication of Named Entities
Associate Server Hostname with Certificate
TLSA (TLS Association) records in DNS, published under _port._proto.hostname (e.g. _443._tcp.www.example.com)
Secured by DNSSEC (without a validating resolver the record proves nothing)
http://csrc.nist.gov/groups/ST/ca-workshop-2013/presentations/Barnes_ca-workshop2013.pdf
18 Certificate Transparency
Public, append-only logs of issued certificates (several independent logs, not one central registry)
Domain owners publish, and monitor the logs for certificates they did not request
Client computers "gossip" worldwide to catch a log that shows different views to different clients
http://csrc.nist.gov/groups/ST/ca-workshop-2013/presentations/Kasper_ca-workshop2013.pdf
https://www.certificate-transparency.org
19 “New” Protocol Developments
Session Tickets
OCSP Stapling
Perfect Forward Secrecy
20 Session Tickets (RFC 5077)
Server encrypts session state under a server-side ticket key
Hands to client, so the server keeps no session cache
Resume: client hands back the encrypted session
httpd 2.4 can do this (mod_ssl; the ticket key can be set with SSLSessionTicketKeyFile)
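As an added example (not from the deck, and not httpd's or OpenSSL's implementation), the Go program below shows what "server encrypts session state, hands to client" means in practice: the state is sealed under a server-side ticket key with AES-GCM, the client returns the blob, and a ticket that fails to decrypt, comes under a key the server no longer holds, or has expired silently falls back to a full handshake. The state struct, key ids and the sample cipher-suite string are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// sessionState is the (simplified) state the server would otherwise keep in a session cache.
type sessionState struct {
	CipherSuite  string `json:"cs"`
	MasterSecret []byte `json:"ms"`
	Expires      int64  `json:"exp"` // Unix seconds
}

// ticketKey encrypts tickets. Anyone holding it can decrypt every ticket it issued, and with
// them the master secret of every resumable session, so it has to be rotated.
type ticketKey struct {
	id   byte
	aead cipher.AEAD
}

func newTicketKey(id byte) (*ticketKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ticketKey{id: id, aead: aead}, nil
}

// issueTicket produces key_id || nonce || AES-GCM(state). The key id is bound as associated
// data and tells the server which key to try when the ticket comes back.
func (tk *ticketKey) issueTicket(st sessionState) ([]byte, error) {
	plain, err := json.Marshal(st)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, tk.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte{tk.id}, nonce...)
	return tk.aead.Seal(header, nonce, plain, []byte{tk.id}), nil
}

var errFullHandshake = errors.New("ticket rejected: fall back to a full handshake")

// resume decrypts a ticket the client handed back. Unknown key id, tampering and expiry all
// produce the same outcome, a full handshake, rather than an error that tells the peer why.
func resume(keys map[byte]*ticketKey, ticket []byte, now time.Time) (*sessionState, error) {
	if len(ticket) < 1 {
		return nil, errFullHandshake
	}
	tk, ok := keys[ticket[0]]
	if !ok {
		return nil, errFullHandshake
	}
	ns := tk.aead.NonceSize()
	if len(ticket) < 1+ns {
		return nil, errFullHandshake
	}
	plain, err := tk.aead.Open(nil, ticket[1:1+ns], ticket[1+ns:], ticket[:1])
	if err != nil {
		return nil, errFullHandshake
	}
	var st sessionState
	if err := json.Unmarshal(plain, &st); err != nil || now.Unix() > st.Expires {
		return nil, errFullHandshake
	}
	return &st, nil
}

func main() {
	retired, _ := newTicketKey(1) // kept briefly so tickets issued just before rotation still resume
	current, _ := newTicketKey(2)
	keys := map[byte]*ticketKey{1: retired, 2: current}
	st := sessionState{CipherSuite: "ECDHE-RSA-AES128-GCM-SHA256", MasterSecret: []byte("constructed"), Expires: time.Now().Add(time.Hour).Unix()}
	ticket, _ := current.issueTicket(st)
	back, err := resume(keys, ticket, time.Now())
	fmt.Printf("resumed from %d-byte ticket: %v err=%v\n", len(ticket), back != nil, err)
	delete(keys, 2) // the key is rotated out
	_, err = resume(keys, ticket, time.Now())
	fmt.Println("after rotation:", err)
}
```

The caveat this makes visible: the ticket key is a master key for every session it has sealed, so a long-lived ticket key quietly undoes forward secrecy. Rotate it on a short schedule, keep at most one retired key for the overlap window, and if you point mod_ssl at a SSLSessionTicketKeyFile, protect and rotate that file the way you would the private key.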
21 OCSP Stapling
Online Certificate Status Protocol
Usually checked by the client, with a live query to the CA for every new connection
Server obtains the OCSP Response itself
Hands it to the client inside the handshake, so the client makes no call to the CA
httpd 2.4 can do this (mod_ssl SSLUseStapling)
https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
22 Perfect Forward Secrecy
No more Secret Scooby Snack
Diffie-Hellman key agreement with a fresh (ephemeral) key per session: DHE or ECDHE
Server private key signs the DH public value; it no longer encrypts the session secret, so a key stolen later cannot decrypt recorded traffic
https://blog.twitter.com/2013/forward-secrecy-at-twitter
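The "Secret Scooby Snack" of the protocol overview is the pre-master secret the client encrypts to the server's public key; whoever later obtains the private key can decrypt every recorded session. The Go program below is an added example, not from the deck and not Twitter's or OpenSSL's code, of the ephemeral alternative the slide describes: the server signs a fresh ECDH public value with its long-term key, the client verifies the signature before agreeing on a secret, and the ephemeral keys are discarded. The message struct and transcript hash are simplifications of TLS 1.2's ServerKeyExchange; the ECDSA key stands in for the key behind the server certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// serverKeyExchange is a simplified TLS 1.2 ServerKeyExchange: an ephemeral ECDH public
// key plus a signature over it by the server's long-term (certificate) key.
type serverKeyExchange struct{ pub, sig []byte }

// transcriptHash covers client_random || server_random || params, as TLS 1.2 signs them,
// so a signature cannot be replayed into a different handshake.
func transcriptHash(clientRandom, serverRandom, pub []byte) []byte {
	h := sha256.New()
	h.Write(clientRandom)
	h.Write(serverRandom)
	h.Write(pub)
	return h.Sum(nil)
}

// serverStep makes a fresh ephemeral key for this handshake and signs it.
func serverStep(longTerm *ecdsa.PrivateKey, clientRandom, serverRandom []byte) (*ecdh.PrivateKey, serverKeyExchange, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, serverKeyExchange{}, err
	}
	pub := eph.PublicKey().Bytes()
	sig, err := ecdsa.SignASN1(rand.Reader, longTerm, transcriptHash(clientRandom, serverRandom, pub))
	return eph, serverKeyExchange{pub: pub, sig: sig}, err
}

// clientStep checks the signature with the public key from the server certificate, then
// contributes its own ephemeral key. Returns the client public key and the shared secret.
func clientStep(certKey *ecdsa.PublicKey, clientRandom, serverRandom []byte, ske serverKeyExchange) ([]byte, []byte, error) {
	if !ecdsa.VerifyASN1(certKey, transcriptHash(clientRandom, serverRandom, ske.pub), ske.sig) {
		return nil, nil, errors.New("ServerKeyExchange signature invalid: abort handshake")
	}
	serverPub, err := ecdh.P256().NewPublicKey(ske.pub)
	if err != nil {
		return nil, nil, err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	secret, err := eph.ECDH(serverPub)
	return eph.PublicKey().Bytes(), secret, err
}

// serverFinish derives the same secret from the client's ephemeral public key.
func serverFinish(eph *ecdh.PrivateKey, clientPub []byte) ([]byte, error) {
	p, err := ecdh.P256().NewPublicKey(clientPub)
	if err != nil {
		return nil, err
	}
	return eph.ECDH(p)
}

// runHandshake runs one exchange and reports whether both sides hold the same secret. With
// tamper set, a byte of the server's ephemeral key is flipped in transit, as an attacker
// substituting their own DH value would do.
func runHandshake(longTerm *ecdsa.PrivateKey, tamper bool) (bool, error) {
	clientRandom, serverRandom := make([]byte, 32), make([]byte, 32)
	rand.Read(clientRandom)
	rand.Read(serverRandom)
	eph, ske, err := serverStep(longTerm, clientRandom, serverRandom)
	if err != nil {
		return false, err
	}
	if tamper {
		ske.pub = append([]byte(nil), ske.pub...)
		ske.pub[5] ^= 0x01
	}
	clientPub, clientSecret, err := clientStep(&longTerm.PublicKey, clientRandom, serverRandom, ske)
	if err != nil {
		return false, err
	}
	serverSecret, err := serverFinish(eph, clientPub)
	if err != nil {
		return false, err
	}
	// Both ephemeral keys go out of scope here: a later theft of longTerm cannot recover the secret.
	return bytes.Equal(clientSecret, serverSecret), nil
}

func main() {
	longTerm, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the key behind the server cert
	ok, err := runHandshake(longTerm, false)
	fmt.Println("honest handshake agreed:", ok, "err:", err)
	ok, err = runHandshake(longTerm, true)
	fmt.Println("tampered handshake agreed:", ok, "err:", err)
}
```

The long-term key is used only to sign, never to decrypt; that is the whole difference from the RSA key-transport handshake in the overview slide. The signature also has to cover both randoms, otherwise a captured ServerKeyExchange could be replayed by an attacker who has since learned that one ephemeral private key.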
How Open Source has Stumbled
25 Apache Projects Implicated
Axis
Axis2
HttpClient 3.x
LibCloud
ActiveMQ
CXF
26 But Mostly Fixed
Axis – EOL
Axis2 – Workaround
HttpClient 3.x – EOL
LibCloud – Fixed
ActiveMQ – Fixed?
CXF – Fixed
Setting Up a PKI-let: Test Your Deployment with Real Certificates
28 Certificate Hierarchy
(Diagram: Root CA Certificate → Issuing CA Certificate → Leaf node Certificate, presented by Server www.example.com to the Client.)
29 OpenSSL CA
https://github.com/sctemme/pkilet
Simple script + config
Quick CA hierarchy for testing
30 Usage

```sh
./pkilet.sh -newroot
./pkilet.sh -newissuing
./pkilet.sh -newleaf localhost
openssl s_server -accept 4433 \
  -key leaves/localhost_key.pem \
  -cert leaves/localhost_cert.pem \
  -CAfile issuingCA/cacert.pem -www
curl --cacert rootCA/cacert.pem https://localhost:4433/
```
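To show what the certificate hierarchy slide and the pkilet commands above produce, and what the final curl --cacert check actually verifies, here is an added Go example (mine, not pkilet's script and not the deck's code) that builds the same root → issuing → leaf chain in memory and runs the client-side verification three ways: the right hostname against our root, a wrong hostname, and a leaf from a different hierarchy. The CA names, serial numbers and validity periods are placeholders chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a key pair and a certificate for tmpl, signed by issuer (self-signed when nil).
func issue(tmpl *x509.Certificate, issuer *certAndKey) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certAndKey{cert: cert, key: key}, err
}

func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen, // root may sign one CA below it, the issuing CA none
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// pkilet mirrors the three pkilet.sh steps: -newroot, -newissuing, -newleaf <host>.
type pkilet struct{ root, issuing, leaf *certAndKey }

func newPKIlet(host string) (*pkilet, error) {
	root, err := issue(caTemplate("Test Root CA", 1, 1), nil)
	if err != nil {
		return nil, err
	}
	issuing, err := issue(caTemplate("Test Issuing CA", 2, 0), root)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(leafTemplate(host, 3), issuing)
	return &pkilet{root: root, issuing: issuing, leaf: leaf}, err
}

// verifyLeaf is the client side: trust only trustedRoot (curl --cacert rootCA/cacert.pem),
// take the issuing CA from the chain the server sends (s_server -CAfile), and match the hostname.
func verifyLeaf(p *pkilet, trustedRoot *x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inter.AddCert(p.issuing.cert)
	_, err := p.leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func main() {
	p, err := newPKIlet("localhost")
	if err != nil {
		panic(err)
	}
	other, _ := newPKIlet("localhost") // a second, untrusted hierarchy
	fmt.Println("localhost, our root:      ", verifyLeaf(p, p.root.cert, "localhost"))
	fmt.Println("www.example.com, our root:", verifyLeaf(p, p.root.cert, "www.example.com"))
	fmt.Println("localhost, foreign root:  ", verifyLeaf(p, other.root.cert, "localhost"))
}
```

The DNSName in VerifyOptions is the step a non-browser SSL client must not skip: a chain that validates to a trusted root but names a different host is exactly what an attacker holding any valid certificate would present. Testing against a hierarchy with a real intermediate, rather than a single self-signed certificate, also catches clients that only look at the leaf and never build the chain.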
31 Conclusion
The State of our Union is Strong
Continued Vigilance is needed
Supporting SSL is table stakes now
Embrace and Test your SSL Support
32 Questions and Discussion
http://www.slideshare.net/sctemme
Follow @keysinthecloud on Twitter