tls state of the union
TRANSCRIPT
![Page 1: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/1.jpg)
www.thales-esecurity.com OPEN
TLS State of the Union
ApacheCon NA 2016Sander Temme – [email protected]
![Page 2: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/2.jpg)
2This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
![Page 3: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/3.jpg)
3This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Heartbleed Impact: >60% of sites vulnerable!
![Page 4: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/4.jpg)
4This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
How Many Eyeballs Are There? Really?
![Page 5: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/5.jpg)
5This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
The Linux Foundation Steps In
![Page 6: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/6.jpg)
6This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
The Linux Foundation Steps In
![Page 7: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/7.jpg)
7This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Core Infrastructure Initiative Grant for OpenSSL Development
![Page 8: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/8.jpg)
8This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
So, What Else Happened…
![Page 9: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/9.jpg)
9This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
So, What Else Happened…
![Page 10: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/10.jpg)
www.thales-esecurity.com OPEN
What’s Going On Today?
![Page 11: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/11.jpg)
11This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Pervasive TLS Deployment
▌High Traffic Sites now default to TLSGoogle, YouTube, Yahoo!, Facebook, Twitter, Netflix (soon), …
▌ Increased consciousness
▌ Increased expertiseSecurityPerformance (https://istlsfastyet.com)
▌Going Dark is the new defaultGoogle treats you better when you’re on TLS
![Page 12: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/12.jpg)
12This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Go Dark for Free: Let’s Encrypt!
▌Free, Automated, and Open Certificate tool
▌Supported by all the browsers
▌ It’s easy!Run software agent on serverMust have root on hostCreates SSL vhost for Apache httpd
![Page 13: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/13.jpg)
13This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
The Backdoor Debate
![Page 14: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/14.jpg)
14This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
The Backdoor Debate
![Page 15: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/15.jpg)
15This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
![Page 16: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/16.jpg)
16This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Certificates Ain’t What They Used to Be
![Page 17: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/17.jpg)
17This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Certificates
▌Don’t use self-signedIt’s never been a good ideaNow even less so
▌PKI is HardDon’t set up your own toy PKIDo it right or not at all
▌Buy certs for Intranet sitesFrom cheap commercial CAsProblem solved
![Page 18: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/18.jpg)
www.thales-esecurity.com OPEN
What’s Next?
![Page 19: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/19.jpg)
19This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
More Patches
▌ Increased OpenSSL Development
▌ Increased Adoption
▌ Increased Scrutiny
▌ Which OpenSSL version?
The one that came with your OSyum update etc.
▌ OpenSSL release streams
0.9.x is dead, don’t use it1.0.1t released May 3, 20161.0.2h released May 3, 20161.1.x is in pre-release
Expect more patches, faster
![Page 20: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/20.jpg)
20This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Recommended Key Sizes
▌Currently (May 2016)RSA: 2048bitECC: 256bit
▌Hashes: SHA-256Chrome: certificates with SHA-1 in chain insecureRoot certificates with SHA-1 ok
https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4
![Page 21: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/21.jpg)
21This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Transport Layer Security 1.3
▌Currently in developmenthttps://tlswg.github.io/tls13-spec/
▌Faster
▌More secure
![Page 22: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/22.jpg)
22This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Serverwww.example.com
TLS Static Key Handshake
Root CA Certificate
Server Certificate
Client
Here’s a Secret Scooby Snack
Hello!
Hello, it’s me!
Verify Server Identity
Derive Session Keys
Encrypted Communications
NOM NOM decrypt
NOM
![Page 23: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/23.jpg)
23This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Serverwww.example.com
Handshake with Forward Secrecy
Root CA Certificate
Server Certificate
Client
Hello!
Hello, it’s me!
Verify Server Identity
Derive Session Keys
Encrypted Communications
![Page 24: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/24.jpg)
24This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Content Inspection
Interwebs
Inspection/WAF Origin Server(s)
Switch Origin Server(s)
httpd WAF
httpd
httpd
Inspection/WAF
TLS
TLS
Re-encrypt
Port spanning
TLS
![Page 25: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/25.jpg)
25This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Content Inspection in a Forward Secrecy World
InterwebsApplication
Delivery Controller
Origin Server(s)httpd
Inspection/WAF
plaintext
TLS Re-encrypt
![Page 26: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/26.jpg)
26This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
![Page 27: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/27.jpg)
27This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Strong and Getting Stronger
▌Deeper understanding of the risks
▌ Improved developmentAttentionFunding
▌Pervasive adoption
![Page 28: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/28.jpg)
28This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
What Can You Do?
▌Use the tools wellDon’t make smiley faces
▌ Inform yourselfMuch information on the googlewebs
▌Don’t be a certificate problemGet rid of SHA-1 based certsBrowser vendors don’t like to show errors to your users but they will
▌Deploy patchable infrastructureBetter software is just down the road
![Page 29: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/29.jpg)
29This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Further Reading
▌ TLS 1.3 RFC in developmenthttps://tlswg.github.io/tls13-spec/
▌Blogs, Talks, Presentationshttps://istlsfastyet.com/https://blog.twitter.com/2013/forward-secrecy-at-twitter-0https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/https://t.co/83UYUE7XZP (Chrome browser SSL related warnings)http://arstechnica.com/security/2015/04/it-wasnt-easy-but-netflix-will-soon-use-https-to-secure-video-streams/https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html
![Page 30: TLS State of the Union](https://reader033.vdocuments.mx/reader033/viewer/2022042908/58ebbadc1a28ab90248b45a7/html5/thumbnails/30.jpg)
30This document may not be reproduced, modified , adapted, published, translated, in any way , in whole or in part or disclosed to a third party without prior written consent of Thales - Thales © 2016 All rights reserved.
OPEN
Questions and Discussion
▌http://www.slideshare.net/sctemme
▌Follow @keysinthecloud on Twitter