TLS Certificates on the Web – The Good, The Bad and The Ugly
#RSAC
Session ID: PDAC-R04
Rick Andrews
Senior Technical Director, Symantec Trust Services

TLS Certificates
TLS ecosystem is almost 20 years old
Recently endured three certificate-based migrations:
Away from MD2 and MD5 to SHA-1
Away from small RSA keys to 2048-bit keys or larger
Away from SHA-1 to SHA-256

What's Driving These Migrations?
Relentless march of attacks (only getting better)
CA/Browser Forum
Baseline Requirements
EV Guidelines
Certification Authorities
Browser vendors

What's Slowing These Migrations?
Use of TLS in non-browser applications
Mail, XMPP and other non-web servers
POS and other devices
Lack of auto-update capabilities
Institutional inertia
Companies wait years to perform a server refresh

TLS Certificates – the Good
Trajectory of SHA-2 deployment is encouraging (Netcraft)
Chart: Deployment of SHA-2 Certificates

TLS Certificates – the Good
99.98% of certificates contain RSA 2048-bit, ECC 224-bit or larger keys (Netcraft)
200K certs with keys >= RSA 4096 bits (Netcraft)
BR Compliance
Responsible for standardizing certificate profiles
10.7% of sites use EV (TIM)

TLS Certificates – the Bad
Remaining SHA-1 certs will not work in browsers after 2016:
13.3% (Netcraft)
11.6% (TIM)
US DOD still issuing SHA-1 certificates
http://news.netcraft.com/archives/2016/01/08/us-military-still-shackled-to-outdated-dod-pki-infrastructure.html
More than 1,000 with < RSA 2048-bit or ECC 224-bit (Netcraft)
Browsers continue to add compliance checks

TLS Certificates – the Bad
EV violations
~6% of all EV certificates (Netcraft)
Most don't have a valid Subject Business Category (unlikely to cause usability problems)
Thousands don't provide EV treatment in Chrome (customer doesn't benefit from the extra cost of EV)
BR violations
~3% of all certificates found (Netcraft)
Most are policy violations (CN must appear in SAN, invalid Subject State or Country, etc.), unlikely to cause usability problems

TLS Certificates – the Bad
Strong keys signed by weaker keys (a dozen or so) don't provide the cryptographic protection expected by the certificate owner:
ECC P-384 signed by ECC P-256
ECC P-384 signed by RSA 2048
RSA 4096 and 8192 signed by RSA 2048
Certificate expiration is embarrassing
http://news.netcraft.com/archives/2015/04/30/instagram-forgets-to-renew-its-ssl-certificate.html
Almost 4% of sites serve an incomplete certificate chain (TIM)
Most browsers don't try to fetch missing subordinate CA

TLS Certificates – the Ugly
Invalid certificates abound
In Netcraft's survey, approximately two thirds of all TLS certificates seen are valid, issued by a trusted CA. The remaining one-third are either self-signed, expired, signed by an unknown issuer or contain mismatched names.
One MD5, 3-year cert issued in 2013 by a public CA (RSA 1024-bit key); it's got 6 other BR violations
One 512-bit RSA key used by Government of Korea (South); although it's signed using SHA-2, it's got 4 other BR violations
Browsers block access to such sites

TLS Certificates – the Ugly
Invalid Public Key Exponent: one certificate with an RSA exponent of 1
TLS data is sent in cleartext
Multiple CNs are prohibited, but Netcraft found certificates with up to 24 CNs
2009 study demonstrated attacks on certs with multiple CNs
EV certs with fewer than the correct number of SCTs
Customer doesn't benefit from the extra cost of EV in Chrome

TLS Certificates – the Ugly, continued
One cert with RSA 15,424-bit key! (includes 72 SAN values!)
It's an Apache server, but not a website
No harm to the Web
Ten-year end-entity certificates, issued after the BRs became effective
Most browsers block public TLS certs with excessive dates
Certificates with more than 50 SANs (Netcraft)
Nothing illegal, but might cause performance problems

Apply
2048-bit RSA with SHA-256 is adequate for now
Keep SANs to a minimum (20 or fewer), and only one CN
Replace all weak, invalid, revoked or soon-to-expire certificates
Generate a new key pair every time you replace a certificate
Make sure your EV certificates have the correct number of SCTs
Test your certificate with all major browsers (don't forget mobile)
Confirm that your CA has correctly issued the certificate
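
One way to automate several of the checks from these slides (exactly one CN, CN present in SAN, 20 or fewer SANs, expired or soon-to-expire, excessive validity period), as an added example that is not part of the original presentation. It works on the dict format returned by Python's ssl.getpeercert(), which does not expose key size or signature hash, so those are not checked; the sample certificate, EXPIRY_WARN_DAYS and MAX_VALIDITY_DAYS are assumptions.

```python
import ssl
import time

MAX_SANS = 20            # from the slides: "20 or fewer"
EXPIRY_WARN_DAYS = 30    # assumption: what counts as "soon-to-expire"
MAX_VALIDITY_DAYS = 398  # assumption: set this to your own policy limit

def lint_cert(cert, now=None):
    """Return a list of findings for a dict in ssl.getpeercert() format."""
    now = time.time() if now is None else now
    findings = []
    # "subject" is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if len(cns) != 1:
        findings.append(f"expected exactly one CN, found {len(cns)}")
    for cn in cns:
        if cn.lower() not in sans:
            findings.append(f"CN {cn!r} does not appear in SAN")
    if len(sans) > MAX_SANS:
        findings.append(f"{len(sans)} SAN entries (more than {MAX_SANS})")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("certificate has expired")
    elif not_after - now < EXPIRY_WARN_DAYS * 86400:
        findings.append("certificate expires soon")
    if not_after - not_before > MAX_VALIDITY_DAYS * 86400:
        findings.append("validity period exceeds policy limit")
    return findings

# Constructed sample: two CNs, one of them missing from SAN, ten-year validity.
SAMPLE = {
    "subject": ((("countryName", "US"),),
                (("commonName", "www.example.com"),),
                (("commonName", "example.com"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "mail.example.com")),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Mar 15 00:00:00 2016 GMT")
    for finding in lint_cert(SAMPLE, now=when):
        print(finding)
```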

Check Your Work
Check TLS certificates and configuration on all servers, not just web servers
https://cryptoreport.websecurity.symantec.com/checker/
https://www.ssllabs.com/ssltest/
Consider a discovery tool like Certificate Intelligence Center
https://www.symantec.com/ssl-certificates/certificate-intelligence-center/
Certlint from Amazon (open source)
https://github.com/awslabs/certlint

Data Sets
Netcraft
http://www.netcraft.com
ICSI
https://notary.icsi.berkeley.edu/
Trustworthy Internet Movement (TIM) SSL Pulse
https://www.trustworthyinternet.org/ssl-pulse/
Comodo's certificate search tool
https://crt.sh