the snowden revelations - lessons and recommendations
TRANSCRIPT
© GMO GlobalSign Group. All Rights Reserved. www.globalsign.com
Achieving compliant security:
The Snowden revelations: Lessons and Recommendations
Paul van Brouwershaven – Business Development Director
• Business Development Director for GlobalSign
• Previously CTO of a European hosting company
• Over 10 years of experience in the hosting industry
• Expert in digital certificate solutions
• Dedicated to increasing awareness of the requirements for online security
• Thinking out of the box, detecting problems and providing solutions
International footprint: customers spanning all industries
Digital Certificates in practice
• Identity verification
• SSL Encryption & Identity Assurance
• Secure Email
• Adobe PDF & Microsoft Office document security
• Code Signing
SSL
• A communication protocol that can use several encryption methods to secure the integrity of data between sender and receiver.
• Used to provide a record of identity that is validated by a third party to secure the authenticity of the data.
“The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet.”
“They're doing it primarily by cheating, not by mathematics”
Bruce Schneier
Is SSL broken?
• SSL is 20 years old and has several known security issues
• TLS is used instead of SSL in the majority of cases
But we keep the door open
• Servers are often configured with a weak configuration by default
• No clear view on compatibility, especially for mobile and embedded devices
TLS support by major browsers
Cipher security – known feasible attacks
“The math is good, but math has no agency. Code has agency, and the code has been subverted.”
Bruce Schneier
Potential backdoors?
• Dual Elliptic Curve Deterministic Random Bit Generator
• Documents "appear to confirm" that the backdoor was real, and had been deliberately inserted by the National Security Agency (New York Times)
• Would allow NSA to decrypt SSL/TLS encryption
Alexa top 1M has 68 776 sites in Germany
• domain.com or subdomain(s): 27% with SSL certificate, 73% without
• domain.com / www.domain.com: 19% with SSL certificate, 81% without
Requirement for mass SSL deployment
• By 2020 50.000.000.000 ‘Things’ will be connected to the Internet
• Requires a huge number of IP addresses
Slow IPv6 adoption (map of per-country IPv6 adoption rates, all below 10%)
Host multiple SSL certs on a single IP
Visit the GlobalSign stand A07
Supported SSL/TLS versions – from the 36992 sites tested in Germany
• SSL2: 7945 sites
• SSL3: 35943 sites
• TLS1: 36663 sites
• TLS1.1: 10446 sites
• TLS1.2: 12037 sites
Improving Server Security
• Enable support for TLS 1.0, 1.1 & 1.2, remove SSL
Apache
SSLProtocol All -SSLv2 -SSLv3
Nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Supported ciphers – from the 36992 sites tested in Germany (bar chart: number of sites supporting each cipher suite)
From the 17 311 sites tested in Germany
• Support TLS Forward Secrecy: Yes 84%, No 16%
• Prefer TLS Forward Secrecy: Yes 67%, No 33%
Improving Server Security
• Provide strong Cipher Suites preferences
Apache
SSLHonorCipherOrder On
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:...........
Nginx
ssl_prefer_server_ciphers on;
ssl_ciphers EDH+CAMELLIA:...........;
Improving Server Security
• Check your Cipher Suites preferences regularly!
OCSP Stapling – from 12 822 SSL sites ((www.)domain.com): Yes 5%, No 95%
Improving Server Security
• Enable OCSP Stapling
Apache
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
Nginx
ssl_stapling on;
resolver 192.0.2.1;
HTTP Strict-Transport-Security – from 12 822 SSL sites ((www.)domain.com): Yes 1%
Improving Server Security
• Enable HTTP Strict-Transport-Security
Apache
Header add Strict-Transport-Security "max-age=15768000"
Nginx
add_header Strict-Transport-Security max-age=15768000;
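As an added example (not GlobalSign's sslcheck tool and not code from the deck), the following Python script audits an Apache or nginx configuration fragment against the four server-hardening recommendations above: no SSLv2/SSLv3, server-side cipher order, OCSP stapling, and an HSTS header with at least the deck's max-age of 15768000. The directive table, the minimum max-age and the treatment of mod_ssl's "All" as including SSLv2/SSLv3 are assumptions, and the sample configs are constructed.

```python
import re
MIN_HSTS_AGE = 15768000  # the deck's max-age (about six months), assumed here as the minimum
DIRECTIVES = {  # directive names per server type (assumed set); matched case-insensitively, one per line
    "apache": {"protocols": "SSLProtocol", "order": "SSLHonorCipherOrder", "stapling": "SSLUseStapling",
               "hsts": r"Header\s+(?:always\s+)?(?:add|set)\s+Strict-Transport-Security"},
    "nginx": {"protocols": "ssl_protocols", "order": "ssl_prefer_server_ciphers", "stapling": "ssl_stapling",
              "hsts": r"add_header\s+Strict-Transport-Security"}}

def _value(conf, directive):
    """Argument string of the first line starting with `directive`, or None if absent."""
    m = re.search(r"^\s*" + directive + r"\s+([^;\n#]+)", conf, re.M | re.I)
    return m.group(1).strip() if m else None

def _apache_protocols(value):
    """Expand mod_ssl's 'All -SSLv2 -SSLv3' syntax; 'All' is assumed to include SSLv2/SSLv3."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit(conf, server):
    """Return the list of findings for an Apache or nginx TLS config fragment."""
    d, findings = DIRECTIVES[server], []
    protos = _value(conf, d["protocols"])
    if protos is None:
        findings.append("no explicit protocol list; server defaults may still allow SSLv3")
    else:
        enabled = _apache_protocols(protos) if server == "apache" else set(protos.split())
        legacy = sorted(enabled & {"SSLv2", "SSLv3"})
        if legacy: findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if (_value(conf, d["order"]) or "").lower() != "on":
        findings.append("server cipher order not enforced; the client chooses the suite")
    if (_value(conf, d["stapling"]) or "").lower() != "on":
        findings.append("OCSP stapling disabled")
    age = re.search(r"max-age=(\d+)", _value(conf, d["hsts"]) or "")
    if not age:
        findings.append("HSTS header missing")
    elif int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age %s is below %d" % (age.group(1), MIN_HSTS_AGE))
    return findings

# Constructed samples: the deck's hardened Apache directives, and a weak nginx fragment.
HARDENED_APACHE = ("SSLProtocol All -SSLv2 -SSLv3\nSSLHonorCipherOrder On\nSSLUseStapling on\n"
                   'Header add Strict-Transport-Security "max-age=15768000"\n')
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers off;\n"
```

Running `audit(HARDENED_APACHE, "apache")` returns no findings, while the nginx fragment yields four (SSLv3 enabled, no cipher order, no stapling, no HSTS).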
Check your configuration regularly
sslcheck.globalsign.com
Questions?