best practices and applications of tls-ssl

WH

ITE P

AP

ER

:B

ES

T PR

AC

TICES

AN

D

AP

PLIC

ATIO

NS

OF TLS

/SS

L

Best Practices and Applications of TLS/SSL

White Paper

The most well-known example of the use of public key infrastructure has proven flexible enough to assist in authentication, encryption and data integrity in numerous applications throughout the enterprise.

By Larry SeltzerSecurity Analyst and Writer

White Paper: Best Practices and Applications of TLS/SSL

2

Best Practices and Applications of TLS/SSLThe most well-known example of the use of public key infrastructure has proven flexible enough to assist in authentication, encryption and data integrity in numerous applications throughout the enterprise.

CONTENTS

Executive Summary 3

Introduction 3

What is TLS/SSL? 4

DigitalCertificates 4

AuthenticationandVerification 5

Key Security 5

Encryption 5

WhereTLSWorksIntheStack 6

TLS vs SSL 6

Networks Are Insecure By Default 7

Authentication 7

PrivacyandIntegrity 8

Solutions 8

Trusted Certificate Authorities 8

TrustedRoots 8

Self-SignedCertificates 9

AuthenticationDoesNotProveTrust 9

Extended Validation (EV) SSL 9

Not Just For Web Browsers 10

Client Security with TLS/SSL 10

Wireless 11

SSLVPN 11

Server-to-Server Security with TLS 12

Web and Intranet Servers 13

CommonTLSMistakes 13

Hosted Service Security with TLS 14

Certificate Expiration 15

Certificate Revocation 15

Self-Signed Certificates 16

Certificate Management 17

Conclusion 17

Additional Reading 17


3

Executive Summary

TransportLayerSecurityorTLS,widelyknownalsoasSecureSocketsLayerorSSL,

isthemostpopularapplicationofpublickeycryptographyintheworld Itismost

famousforsecuringWebbrowsersessions,butithaswidespreadapplicationto

othertasks

TLS/SSLcanbeusedtoprovidestrongauthenticationofbothpartiesina

communicationsession,strongencryptionofdataintransitbetweenthem,and

verificationoftheintegrityofthatdataintransit

TLS/SSLcanbeusedtosecureabroadrangeofcriticalbusinessfunctions

suchasWebbrowsing,server-to-servercommunications,emailclient-to-server

communications,softwareupdating,databaseaccess,virtualprivatenetworking

andothers

However,whenusedimproperly,TLScangivetheillusionofsecuritywherethe

communicationshavebeencompromised Itisimportanttokeepcertificatesupto

dateandcheckrigorouslyforerrorconditions

Inmany,butnotallapplicationsofTLS,theintegrityoftheprocessisenhancedby

usingacertificateissuedbyanoutsidetrustedCertificateAuthority(CA)

ThispaperwillexplorehowTLSworks,bestpracticesforitsuse,andthevarious

applicationsinwhichitcansecurebusinesscomputing

Introduction

Asthescienceofbusinesscomputing,andofcomputingsecurityinparticular,

hasadvanced,thetrendhasbeentofindsecurityweaknesseseverywhere Where

complexityandfunctionalitygrow,sodotheopportunitiesforabuseofsystemsby

maliciousactors

Thesolutionstotheseproblemsarevariedandmustbeexploredindividually,but

onetechnologyshowsupoften:TLSorTransportLayerSecurity,oftenknownby

thenameofthepredecessortechnology,SSLorSecureSocketsLayer

TLSisbestknownasthetechnologywhichsecuresWebbrowsersessionsfor

bankingandothersensitivetasks,butitcanbeusedformuchmore Client-server

communicationwithavarietyofservertypes,inadditiontoWebservers,benefits

fromuseofTLS Server-to-servercommunicationsalsoneedtobesecuredand

canbethroughTLS Clientsupdatingapplicationsandothersoftwareontheir

PCsshouldonlydosothroughasecureconnection,whichiswhysuchupdate

applicationsusuallyuseTLSorSSL Thispaperwillexploretheseandother

applicationsofTLSthatcansecuretheenterpriseinthemyriadplacesinwhichit

canbeattacked


4

TLSprovides3basicbenefits:

• Itprovidesauthenticationofthecommunicatingparties,eitherone-wayorin

bothdirections

• Itencryptsthecommunicationsession“onthewire”

• Itensurestheintegrityofthedatatransferred

ThispaperwillalsodiscusstrustedCAsandtheirroleinthepublickey

infrastructureorPKI ThoughtrustedCAsaren’talwaysnecessary,inmanycases

theyarebeneficialandsometimesnecessaryfortheprotectiontohaveanyeffect

What is TLS/SSL?

TLS/SSLisatunnelingprotocolthatworksatthetransportlayer Itprovides

encryption,authenticationandintegrityverificationofdata,anddoessobymeans

ofdigitalcertificates

Digital Certificates

Adigitalcertificateisanelectronicdocumentwhichconfirmstheidentityofan

entity–whichcouldbeauser,aserver,acompany,aprogramonaclient,just

aboutanything–andassociatesthatentitywithapublickey Thedigitalcertificate

istheentity’sidentificationtothepublickeyinfrastructure EachpartytoaTLS-

securedcommunicationcanevaluatethecontentsofthecertificate Themost

examinedfieldistheCommonName Eachthencomparesittowhattheyexpect

Itisalsowisetochecktheissuerofthecertificate Istheissueratrustedparty?For

moreontheseissuersseeTrustedCertificateAuthorities,page8

Userscangeneratetheirowndigitalcertificates,calledself-signedcertificates,

withfreetools1 Butsuchcertificatesareinherentlyuntrustworthyandthereal

valueofcertificatescomeswhentheyareissuedbyatrustedCA Userscancreate

andruntheirownCAontheirnetworkandsometimesthismakessense,butin

manycasesitisnecessarytouseanoutsidetrustedCAwhichoutsidepartiescan

alsotrust Symantec™isthelargestCA

1TheOpenSSLProject-http://openssl org/ Microsoft’scryptotools(http://msdn microsoft com/en-us/library/aa380259(VS 85) aspx)areincludedintheWindowsSDK(http://msdn microsoft com/en-us/windowsserver/bb980924 aspx)


5

Authentication and Verification

Publickeycryptographyallowstwopartiestoauthenticateeachother Eachparty

hastwokeys,whicharelargenumericvalues Amessageexchangedbetweenthe

partiesisrunthroughahashingalgorithm Ahashfunctiontakesablockofdata

andcreatesavaluefromit,knownasahashordigest Makeevenasmallchange

inthedataandthehashchangessignificantly Atthesametimethereisnowayto

recreatethedatafromthehash

Thesendingpartytothecommunicationsusestheirprivatekeytoencryptthehash

value Thisencryptedvalueiscalledadigitalsignature Themessageandsignature

aresenttotherecipientparty Therecipientpartyusesthesender’spublickey

todecryptthesignature Theygenerateahashofthemessageusingthesame

algorithmasthesenderandcomparethevalues

Ifthevaluesarethesamethentwothingsarecertain:thedatahasnotbeen

tamperedwithandthesenderiswhotheypurporttobe Thisisbecausetheprivate

keycorrespondingtothepublickeyinthecertificatewasusedtosignthedata,and

theprivatekeyshouldonlybeaccessiblebythesendernamedinthecertificate

NeitherauthenticationnorintegrityverificationaremandatoryinTLS Youcanuse

itsimplysothatthebitsonthewireareencrypted Butauthenticationisacore

feature,importanttomostcustomers

Key Security

Therearesomeabsoluterulesthatneedtobefollowedinorderforthepublickey

infrastructuretoworkproperly

Private keys must be private:Thesignerofamessageneedstokeeptheir

privatekeyabsolutelyconfidential Anyonewhohasitcaneffectively

impersonatethesender

Public keys must be public:Well,notnecessarilypublic,buttheyhavetobe

accessibletoanyonewhomighthaveavalidreasontoreadthemessageorencrypt

amessagetotheentitynamedinthecertificate

Hash algorithms must not collide:Acollisioniswhenthehashalgorithm

generatesthesamedigestfromtwodifferentdatablocks Atsomepointthisis

inevitable,buttheabilitytogeneratecollisionsintentionallycompromisesall

functionsofpublickeycryptography Thisiswhynewandbetterhashalgorithms

havebeendevelopedovertimeandputintopublicuse

Encryption

Evenwhenauthenticationisnotused,TLScanuseencryptionkeysandacipher

algorithmtoencrypt/decryptdataforcommunication Thecipherisalsousedfor

encryptingthemessagedigest


6

Therearemanydifferentcipheralgorithmsfordifferentcircumstances Seethe

TLSvs SSLsectionbelowformoreonciphers

Where TLS Works In the Stack

TLS/SSLsitsbetweentheapplicationandtransportlayers Inthecontext

oftheInternetandmostlocalnetworking,thismeansitsitsaboveTCPor

TransmissionControlProtocol,theprotocolwhichprovidesreliable,ordered data

communicationsforapplications Applicationsthatwouldnormallyworkwith

TCPconnectionsinsteadworkwithTLSconnectionsforthepurposeof

establishingconnections

Application TLSHandshake

TLSRecord

TCP(reliabletransport)

IP

NetworkInterface

Wires(infrastructure)

TLSrequiresareliabletransport,whichmeansTCP ThismeansthatUDP-only

applicationslikeDNS,SNMP,andVOIP,presentaproblem SeeSSLVPNsformore

onthisproblem

TLS vs SSL

TLSisthesuccessortechnologytoSSL,whichwasdevelopedbyNetscapein1994 2

ThefirstpublicreleasewasSSLversion2,andwasquicklyfollowedbyversion

3 TheTLSspecificationwasreleasedin1999inRFC22463,andisonlyaminor

modificationofSSL3

2Mozilla orgSSL0 2PROTOCOLSPECIFICATION-http://www mozilla org/projects/security/pki/nss/ssl/draft02 html Thisversionwaswidelyknownas“version2 ”3RFC2246-TheTLSProtocolVersion1 0-http://tools ietf org/html/rfc2246


7

Changeshavecomeatamuchslowerpacesincethen,withTLS1 14and1 25

largelyconcernedwithsecurityimprovements TLSisstillwidelycalledSSL,

especiallyinproductnames,evenifthetermisstrictlyinaccurate Don’tbe

surprisedtoseethetermsusedinterchangeably TLSversionsaredesignedto

interactwithandrollbacktoearlierprotocolssuchasSSL3 Infact,intheprotocol

handshake,TLS1 0,1 1and1 2usetheversionnumbers3 1,3 2and3 3

Oneofthemaindifferencesyou’llseebetweenSSLandTLSversionsarethe

cryptographicfeatures,includingtheciphers,hashalgorithmsandkeyexchange

mechanismstheysupport Astimeandversionsadvance,supportforweaker

featuresisdroppedfromtheprotocolandstrongeronesadded Administratorson

eitherendofthecommunicationcansetpoliciesrequiringorprohibitingparticular

protocols It’sreasonabletoclaimthattheflexibilityofTLSwithrespecttonew

developmentsinciphersandothercryptographicfeaturesisoneofthemain

reasonsforitssuccess

Networks Are Insecure By Default

Allofourimportantnetworkingprotocolsweredesignedbeforesecurityissues

wereproperlyappreciated Agreatdealofresearchhasgoneintomaking

communicationssecure,butinmostcasesithastobeaddedon Bydefault,our

networksareinsecure

HTTP,SMTPandFTPwerealldesignedtocommunicateincleartext Allofthem

canbeenhancedtosupportencryptionandoftenthesolutionusesTLS Onlywith

HTTPS,however,whichisHTTPoverTLS/SSL,issuchsecurityubiquitous

Authentication

Authenticationinmostnetworksisweak,usuallyrelyingonpasswordscontrolled

byruleswhichdon’tfollowbestpractices It’snosurprisethatthingsarethisway;

followingbestpracticesforpasswordsisdifficultandunpleasant:youhaveto

usepasswordsthatarelonganddifficulttorememberandyouneedtochange

themfrequently

Evenserver-to-serverconnectionsareoftenauthenticatedwithpasswords,which

arehard-codedintoprogramsorconfigurationfiles

4RFC4346-TheTransportLayerSecurity(TLS)ProtocolVersion1 1-http://tools ietf org/html/rfc43465RFC5246-TheTransportLayerSecurity(TLS)ProtocolVersion1 2-http://tools ietf org/html/rfc5246


8

Privacy and Integrity

Whencommunicationsarenotsecuredproperlyyoucan’tbecertainthatthedata

hasnotbeenmonitoredortamperedwithin-transit Attacksknownas“manin

themiddle”(MITM)attacks,wheretheattackersitsonthenetworkmonitoring

communicationsbetweenonepartyandanother,arenotuncommon Suchattacks

can,forexample,stealusernamesandotherunsecureddataontheconnection

Whencombinedwithspoofingtechniques,theMITMmayevenmodifythedata,

suchaschangedestinationURLssothatyouclickonalink,whichdirectsyoutoan

attackserver

Solutions

Manyproductsarenowdesignedbetterthantheywereinthepasttoprovide

secureconfigurationoutofthebox Microsoftinparticularhasmadesignificant

progressinthisregardinrecentyears Butatthelevelofnetworkcommunications

andauthentication,securityisstilltheresponsibilityofthenetworkadministrator

InmanyofthesecasesTLScanhelp Itcanprovideauthenticationwherenone

existsbydefault TLScanprovidestrongencryptionwheredatawouldnormally

flowincleartext Anditcanensurethatdatawasnotmodifiedin-transit

Trusted Certificate Authorities

IfyouareusingTLSpurelyforcommunicationoveryourownnetworks,itmay

beadequatetouseaninternalCAandsetyoursystemstotrustit However,

thehassleandcostofsettingupaninternalCAoftendrivesbusinessestodo

otherwise Also,ifdataissentovertheInternet,whereyoudon’tcontrolallpoints

oftransit,theonlywayallpartiescantrustthecertificateisifitwasissuedbya

trustedthird-partyCA

Trusted Roots

Becauseit’sunwisetorelycompletelyonInternetcommunicationstoprovethe

issuerofacertificate,manysoftwareproductscomewithalistof“trustedroot

certificates ”Thesecertificatesareinherentlytrustedandothercertificatessigned

bythosetrustedrootsarealsotrusted

MicrosoftWindowsincludesalistoftrustedrootcertificateswhichtheyupdate

periodicallythroughWindowsUpdateandtheirotherupdatingmechanisms

ManyotheroperatingsystemshavesimilarlistsApplicationsoftwaremayusethe

operatingsystemtrustedrootlistorincludetheirown SomeWebbrowserson

WindowsusetheWindowslist,butFirefoxusesitsownlist

OnemorecharacteristicofcertificatetrustisthatrootCAoftenhaveaffiliate

programs Thisallowsothercompaniestosellcertificatesonbehalfofthetrusted

rootCAs Infacttheaffiliatescanhavetheirownaffiliates The“parent”CAsigns

theaffiliateCA’scertificatesosoftwarecanprovethattheyareavalidaffiliate

TheTLSclientsoftware“walks”upthishierarchyofCAs,checkingthevalidity

ofthesignaturesateachstep,untiltheyreachonewhichisatrustedroot This

establishesthetrustofthewholehierarchy


9

Self-Signed Certificates

DigitalcertificatesneednotbesignedbyatrustedCA Suchcertificates,when

generatedbytoolsseparately,arecalledself-signedcertificates Suchcertificates

canbeusedtoprovideencryptionofdata,butnoauthentication Seethesection

onself-signedcertificatesformoreonthissubject

Authentication Does Not Prove Trust

Therearemanyunfortunatecasesofusersandorganizationsbeingattacked

successfullyfortrustingacommunicationsimplybecauseitwassigned Buta

signature,evenoneissuedbyaCA,isnotproofthatthepartyistrustworthy

Authenticationgivesyoudefinitiveinformationastotheidentityoftheother

party,whichyoucanusetomakeaninformedtrustdecision Youcanlookatthe

identifyingfieldsinthecertificate,suchastheCommonName,toseeifitmatches

theentityyouexpected YoucanalsolookattheIssuerfield,whichidentifies

thecertificateauthoritythatissuedthecertificate,andmakedecisionsastoits

trustworthiness Aswewillseebelow,differentcertificateshavedifferentamounts

ofinformationonthemabouttheidentifiedentityandabouttheissuer

Extended Validation (EV) SSL

Theworkingsofdigitalcertificatesthemselveshavebeenwell-establishedformany

years,buttherulesfortheirissuancebytrustedCAshasnot Thestandardsof

manyCAsforissuingcertificatesreachedsuchapointseveralyearsagothatmany

CAsandvendorsofTLSsoftwareformedtheCA/Browser Forumm(www cabforum

org)toestablishstandards TheresultingstandardisEVSSL,whereEVstandsfor

ExtendedValidation

UsersgenerallyknowEVSSLasthethingthatturnstheirWebbrowserbargreen

MorefundamentallyitisanewclassofTLScertificateissuedwhentheapplicant

meetscertainstrictstandardsforprovingitsidentityestablishedbytheCA/

BrowserForum Therearealsodifferencesinthewaybrowsersbehavewhen

interactingwithEVSSLcertificates,particularlythegreenbrowserbarindicator

andacleardisplayoftheorganizationname

Therulesfortheentitiesareratherstrict:theymustbealegally-recognizedentity,

eitherincorporatedoragovernmentalbodyorsomeregisterednon-profit You

cannotgetapersonalEVSSLcertificate TheCAhastoverifythelegalexistence

aswellasthephysicalexistenceandoperationalexistenceoftheapplyingentity

TheCAmustconfirmthattheentityhastherighttousethedomainandthatthe

personapplyingisauthorizedtodoso 6

Theendresultofthesestandardsisthatitwouldbeextremelydifficult,and

likelyexpensive,toobtainafalseEVSSLcertificate Asaresultofallthework

neededtomeetthestandards,EVSSLcertificatesaremuchmoreexpensivethan

conventionalTLScertificates

6CA/BrowserForumEVSSLCertificateGuidelines-http://www cabforum org/documents html


10

Not Just for Web Browsers

TLSandSSLarebestknownforsecuringWebbrowsercommunications,butthey

arebynomeanslimitedtoHTTP ManyotherapplicationsandprotocolsuseTLS

forsecurity,generallyasanoption Someexamplesfollow:

• FTPS–Asecureversionoftheubiquitousfiletransferprotocolsecuredwith

TLS ConventionalFTPtransmissionsareincleartext FTPShasbeenanofficial

RFCsince20057andanunofficialonefor10yearsbeforethat Ithaswidespread

supportinFTPsoftware (NottobeconfusedwithSFTP,whichisFTPthroughan

SSHsession,ormanyotherless-standardizedapproaches )

• Outlook to Exchange–OutlooktoExchangeoverRPCoverTLSisbecoming

popularasasecureexternalaccessmethod,buttherearereasonstouseit

internallyaswell Inthiscaseyoureplacethedefaultself-signedcertificate

intheExchangeserverwitharealTLScertificatefromatrustedCA Thisis

standardoperatingprocedurenowwithExchangehostingservices

• Windows Update –BeforeWindowsVista,WindowsUpdatewassimplya

websiteinInternetExplorerwhichusedHTTPS Inmorerecentversionsof

Windows,itisacustomappsecuredbyTLS Manyotheronlinesoftwareupdate

programs,suchasthegetPlusprogramusedbyAdobe,useTLSconnections

forsecurity

Client Security with TLS/SSL

ClientsidecertificatescanbeusedwithTLStoprovetheidentityoftheclientto

theserver,andvice-versa Thisiscalled“two-wayTLS”andrequirestheclientand

serverbothprovidecertificatestoeachother

Therearestandards-basedsystemsforadministeringTLSinthisrole Active

DirectoryinWindowsmanagesthem8andusescertificatesstoredeitherinthe

clientorusingsmartcardsorotherstrongauthenticationdevices 9OpenLDAPisan

opensourcedirectoryservicethataccomplishesmuchthesame 10

Inspiteofthegreatlyimprovedsecurityfromusingstrongauthentication

mechanismslikeTLScertificates,ithasnotbeenatypicalconfiguration In

exchangeforthesecurity,yougetafairamountofcomplexityandadministrative

work,plusclientscanonlyloginwhentheyhavetheirclientcertificate Butrecent

versionsofWindowsServerhavemadeitmucheasiertohavecertificateand

othercredentialdataindependentoftheuserprofile,allowinguserstomoveto

differentcomputersandstillauthenticate Still,thisisahigher-costsetupthanthe

useofpasswordsandmostorganizationswouldconsideritonlyforhigh-valueor

vulnerableconnections

ThedefaultfortheLDAPprotocolitselfisunencryptedbydefault UnderLDAP

version2itwascommontouseanon-standardsetupcalled“LDAPS”which

tunneledLDAPthroughaTLStunnelonport636 11LDAPversion3addeda

standardextensionforTLS 12

7RFC4217-http://tools ietf org/html/rfc42178ActiveDirectoryCertificateServices-http://technet microsoft com/en-us/windowsserver/dd448615 aspx9Smartcardandothercertificateauthentication-http://technet microsoft com/en-us/library/cc758410(WS 10) aspx10OpenLDAP,UsingTLS-http://www openldap org/doc/admin24/tls html11MicrosoftKnowledgeBase,HowtoenableLDAPoverSSLwithathird-partycertificationauthority-http://support microsoft com/kb/32105112RFC2830,LightweightDirectoryAccessProtocol(v3):ExtensionforTransportLayerSecurity-http://tools ietf org/html/rfc2830


11

Wireless

Asecurewirelessnetworkrequiresstrongerauthenticationthantheshared

secretpasswordusedonyourhomerouter ThroughtheWPAandWPA2security

standards,allwirelessnetworkssupportExtensibleAuthenticationProtocol(EAP),

aframeworkforauthenticationmethodsforaccesstothenetwork Dozensofsuch

methodshavebeenimplemented 13

ThemainpointofEAPinawirelessaccesspointorrouteristoallowittohookinto

anenterpriseauthenticationsystemsuchasyourLANorWAN Inthisscenario,you

shoulddemandthehighestlevelofauthenticationontheaccesspointitselfand

veryhighlevelsfromclientsconnectingtoit TLSisagoodchoice

EAP-TLS14isoneofthemethodswidely,ifnotuniversally,supportedinthewireless

industryandoneofthestrongest,ifcarefullyimplemented ItusesnormalPKI

methodstosecureconnectionstoaRADIUSserver EAP-TLSissupportedoutof

theboxinallmajoroperatingsystems,includingtheopensourceones

ThemaindifficultywithEAP-TLSisthatclientsneedtohaveindividualcertificates,

andtheyneedcarefulmanagement Inthissenseitisthesameasclient

certificatesontheLAN:astraighttrade-offofsecurityforeaseofadministration

SeveralotherEAPmethodsuseTLSindifferentways,generallyinorderto

avoidtheneedforclient-sidecertificatesandtheadministrativeburden They

necessarilytradeoffsecurityforthiseaseofadministration,ascredentialscanbe

lostrelativelyeasilyandtheirlossmaybedifficulttodetect

SSL VPN

VirtualprivatenetworkingisamustforsecurecommunicationsovertheInternet

Therearetwopopularmethods:IPSecandSSLVPN

IPSec15isanend-to-endprotocolforauthenticatingeachpacketinaTCP/IP

network ItoperatesattheInternetlayerofthenetwork,i e belowthetransport

layer Thisissignificantforitsapplication

SSLVPNscreateatunnelabovethetransportlayer Allapplicationnetwork

communicationsgoesthroughthetunnel IPSecisawidely-implementedand

deployedInternetstandard SSLVPNisnotastandardassuch,butwidely

implementedanddeployed

BecauseIPSecoperatesatoneofthelowerlevelsoftheInternetprotocolstack,

itcantransportalmostanythingyouneedandwithminimaloverhead SSLVPNs

operateabovethetransportlayerandrequireareliabletransport;thismeans

applicationsthatuseUDPfortransportcannotbesupportedinastraightforward

waythroughanSSLVPN EithertheyhavetorunoutsidethetunnelortheUDP

packetshavetobere-encapsulatedinTCPbeforetransport

13Wikipedia,ExtensibleApplicationProtocol-http://en wikipedia org/wiki/Extensible_Authentication_Protocol14TheEAP-TLSAuthenticationProtocol-http://tools ietf org/html/rfc521615AnIllustratedGuidetoIPsec-http://www unixwiz net/techtips/iguide-ipsec html


12

WhetherencapsulationofUDPisaproblemfortheapplicationdependson

anumberoffactors:ThequalityoftheSSLimplementation,thespeedofthe

connectionand–perhapsmostimportantly–thetoleranceoftheapplicationfor

“lossy”transport

ApplicationswhichuseUDPdosoforperformancereasons,butneedtoexpect

somelevelofpacketloss,ifonlybecauseUDPdoesn’tguaranteedelivery Themost

importantUDPapplicationisprobablyVOIP,andsomeimplementationstolerate

encapsulationfairlywell Otherreal-timeUDPapplications,suchasstreaming

videoandsomemulti-playergamesdon’tfareaswell SomeVPN/firewallproducts

supportbothTLSandIPSecforuserswhoneedboth 16

SowhynotjustuseIPSecforallVPNs?Becausetheyarecomparativelydifficult

toadministeranduse Whenyou’resettingupindividualusersorsmallgroups

remotely,anSSLVPNwillbemucheasiertosupport,especiallyiftheapplication

needsaresimple Site-to-siteVPNs,wherewholenetworksareconnectedoverthe

Internet,needthepowerandflexibilityofIPSec

Manyapplication-focusedremoteaccessmethodsareTLS-based,andsomeare

SSLVPNsrepackagedasremoteaccessfortheproduct

Server-to-Server Security with TLS

Manyserver-to-serverconnectionsofferTLSasanoptionandit’sanexcellentone,

especiallywhentheconnectionisrunoverthepublicInternet AfullVPNinsuch

casesisinadvisable,astheapplicationneedsarenarrowandcertificatescanbe

usedtoprovidestrongauthenticationoftheserverstoeachother

16ThankstoGaryTomlinsonandJohnGmuenderofSonicwall(www sonicwall com)fortheirhelpinunderstandingtheproblemofUDPonSSLVPNs


13

Connectionssuchasthesearealmostalwayshigh-value ConsiderWebservers

talkingtodatabaseserversormailserverssynchronizingwitheachother Thedata

intheconnectionisatreasuretroveforanattacker ProductssuchasMicrosoft’s

ExchangeServerandOracleApplicationServersupportTLSwithcertificatesoutof

thebox

WheninteractingacrosstheInternet,certificatesfromatrustedCAarehighly

recommended Eachpartyshouldmakeasfewassumptionsaboutthesecurityof

theotheraspossible

Beyondthat,therearegoodreasonsinsuchcasesforusingEVSSLcertificates

ResearchhasshownthatweaknessesintheCAvalidationproceduresformany

conventionalSSLcertificatesleavethemvulnerabletoman-in-the-middle

attacks 18

Briefly,theproblemcomeswiththeveryinexpensivedomain-validatedcertificates

Thesecertificatesvalidateadomainname,notanorganization,andthedomain

nameistheonlyidentifyingdatainthecertificate

Partofthereasontheyaresoinexpensiveisthattheapplicationandvalidation

proceduresarecompletelyautomatedinmanycases Aconfirmationrequestis

sentine-mailtotheadministrativecontactforthedomain Whoevercontrolsthat

emailaccountcanauthorizethecertificate Combinedwithsoftwarevulnerabilities

insomeTLSsoftware,thisprocesscanbeabusedtoallowspoofingofadomain

certificateandperhapsaman-in-the-middleattack

TheadvantageofEVSSL,inthiscase,isthattheEVSSLspecificationguarantees

thatanorganizationnameandotherdatawillbeinthecertificateandwillbe

verifiedbytheCA Forahigh-valueconnectionit’sworthhavingthisassurance EV

SSLsupportinsuchcasesmayrequirecustomprogramming

Web and Intranet Servers

Perhapsit’stooobvioustopointout,butTLScanbeusedtosecureabrowser-Web

serverconnection ItisworththinkingabouttheextentofyourTLSusageforboth

internalandexternalsites

HTTPisaprofoundlyinsecureprotocolwithoutTLS Itisplain-text,easilysniffable,

andeasilymanipulated EvenonaninternalnetworkyoushoulduseTLS/HTTPSfor

allsufficientlyvaluablebusinessconnections

Common TLS Mistakes

Don’tmakethemistakeofassumingthataTLSimplementationsecuresyour

websiteandthat’sit Therearemanycommonsitedesignmistakeswhichdefeat

thesecurityofTLS

18SpoofingServer-ServerCommunication:HowYouCanPreventIt-go symantec com/ssl-certificates*Configurationandalertoptionsvary,dependingonthemanagementconsoleyouuse


14

Keep sensitive data out of URLs –WhenyouuseHTTPGETmethodswith

parametersthathavecriticaldatainthem,youexposethatdatatothewhole

world EnvisionaURLlikethisone:

Therearemanyreasonswhythisisabadidea Butfirst,theTLSconnectionwill

encrypttheURL,soatleastuserssniffingthenetworkwon’tseetheURLandthe

parameters Ontheotherhand,theURLwillbestoredintheWebserverlog,inthe

clientbrowserhistory,andinreferrerheaders Thislastpointmeansthatifthereis

alink,particularlyanon-TLSlink,outofthepagelinkedtojustabove,thefullURL

willbeincludedintheheaderssenttothatserver

Use “Secure” Cookie Flag –The“secure”flagwilltelltheservertosendcookies

onlyoveraTLSconnection Therearenumerousattackstohijackcookies,and

cookiesoftencontainthemostsensitiveofdata Cookiescanbestolenthrough

simplepacketsniffing,sessionhijacking,cross-sitescripting,orcross-siterequest

forgery It’sstillnotuncommontofindsignificantwebsitesthatuseinsecure

cookiesinHTTPSsessions

Do Not Mix TLS/SSL and Non-TLS/SSL Content–Justbecauseyourpagehasan

HTTPSlinkdoesn’tmeanallthecontentwill Ifthere’saframeoranimageorsome

otherelementthatiscalledwithanHTTPlink,itwillnotbeTLS-protected Most

browserswon’twarnusersabouttheinconsistency

Do Not Perform Redirects from Non-TLS/SSL Page to TLS/ SSL Login Page–

Eventodaytherearemajorbankswhichusehttpontheirloginpagesandredirect

tohttpsfromthere Thisisaninvitationforphishingpagesandothersortsof

abuse Unfortunately,usersusuallygettohttpspagesfromhttppages,butthe

betterwaywouldbefromabrowserbookmarkknowntobesecureortoenterthe

URLmanually

Hosted Service Security with TLS

OutsourcedservicesthroughtheWebareincreasinglypopularforgoodreason

Web-basedservicescanworkatleastaswellandsaveonstaff,infrastructure

andcapitalcosts Anyrespectableserviceofferedinthiswaywilluseaprotected

connection,probablyTLS

Acommonreasonwhycompaniesmovetooutsourcedservers,mostlyMicrosoft

Exchange,istogeteasiersupportformobiledeviceslikeBlackberries It’s

important,ifthisisoneofyourneeds,tobuyTLScertificatesthatarenatively

supportedbyActiveSyncorwhateverserviceyouwillbeusingforyourdevices

HostingservicesreportthatgettingTLSconnectionsworkingproperlyistypically

thebiggestramp-upproblemtheyhave


15

Certificate Expiration

DigitalCertificatescomewithanexpirationdate,andforgoodreason Byissuing

acertificate,theCAisvouchingfortheapplicant,andit’spossibleforsuch

informationtoget“stale” Evenwithinternalcertificatesthere’sreasontohave

andcheckexpirationdates Infactit’smorereasonableforinternalcertificatesto

haveshortexpirationdates,sinceit’seasiertodistributethem,andtheissuing

authorityinITisprobablythesamegroupwhoadministerthecertificatesinthe

userdirectory

Somearguethatexpiredcertificatesarejustastrustworthy,oralmostas

trustworthy,asa“live”one Butanexpiredcertificateis,attheveryleast,asignof

administratorswhodon’tpaycloseattentiontotheirservers

Certificate Revocation

Revocationisanessentialfeatureofthepublickeyinfrastructure,onewhichcan’t

betakentooseriously

ForanumberofreasonsaCAmayrevokethecertificateofacustomer Itcouldbe

forviolatingthetermsofservice,forinstancebyservingmalwarefromthesite,or

itcouldbebecausethecustomerinformedtheCAthattheprivatekeyhadbeen

compromised

Whenacertificateisrevoked,youhavetoassumethattheholderisnot

trustworthy It’salotworsethanasitenothavingacertificateatall

Howdoyoucheck?Youdon’tusuallycheckityourself YourTLSsoftware(usually

abrowser)doesitbyoneoftwomethods:CRL,whichstandsforcertificate

revocationlists,istheoldmethod Thecertificateitselfmaycontaintheaddress

ofarevocationlistfortheCA,andthislistisbasicallyalistofcertificateserial

numbers Ifthecertificateyouarecheckingisinthelistthenit’srevoked Don’t

trustit Usersbrowsingthesite(inInternetExplorer)willseeamessagelikethis:


16

CRLsaresimple,butthere’saproblemwiththem:overtimetheycangetbig,

especiallyforalargeCA Theycanbecached,butthentheCRLcheckmaybeoutof

date SoaprotocolnamedOCSP(onlinecertificatestatusprotocol)wasdeveloped

toletprogramscheckcertificatesoneatatime OCSPisthepreferredmethodnow

NotallCAssupportOCSP AswithCRL,thecertificatewillcontainafieldwiththe

addressoftheOCSPserveriftheCAsupportsOCSP

Self-Signed Certificates

It’snotuncommontofindself-signedcertificatesbothontheInternetand

internallyincorporations Thesearecertificateswhichhavenotbeenissuedby

aCA,eitherinternalorexternal,butgeneratedstaticallybyanyofanumberof

availablefreetools

Anyonecanmakethemandtheirexpirationdatemaybesetdecadesinthefuture,

sotheymayseemlikeagooddeal But,aswithmostthings,yougetwhatyoupay

forwithdigitalcertificates Self-signedcertificatesdon’tprovealotaboutthesite

they’reprotecting

Aself-signedcertificatewillallowsoftwaretoencryptdataandensureitsintegrity

intransit,butitprovidesnoauthentication Youcan’tmakeanyassumptionsabout

theotherparty

Notethatself-signedcertificatesarenotthesameascreatinganinternalCA A

companycancreatetheirownCA,putthename/addressofthatCAinthebrowser

orsystem’slistoftrustedrootCAsandthenitbecomesastrustedasanyfroma

realCAcompany Self-signedcertificatesarenotvouchedforbyanyone

ThevendorsofallthemajorWebbrowsersknowthatself-signedcertificatesare

troubleandtheyissuedire-lookingwarningswhenoneisencountered


17

Certificate Management

Managinglargenumbersofcertificatesindifferentrolescanbeadifficulttask,and

ifit’snotdoneinanorganizedfashionit’saninvitationtotrouble

Withoutasystemforcertificatemanagementyouarelikelytofindindividuals

trackingcertificatesontheirownusingaspread-sheetortextfile Thisishow

companiesgetsurprisedbyexpiringcertificates,andiftheemployeemanagingthe

certificatesleaves,therecordscouldenduplost

GoodCAshaveonlinemanagementtoolsfortheircertificates,suchasSymantec

ManagedPKIforSSL Therearealsothirdpartymanagementpackageswhichtrack

bothexternally-grantedcertificatesandthosefrominternalCAs

Conclusions

TLS,widelyknownasSSL,isthestandardforsecureapplicationnetwork

communicationsbothwithintheenterpriseandacrosstheInternet TLScan

helpsecureyourapplicationsbystrengtheningauthentication,encryptingdata

communications,andensuringintegrityofdataintransit

TLSisaflexibletechnologythatadaptswelltonumeroussituationsfromWeb

serveraccesstoserver-servercommunicationstovirtualprivatenetworking

Industryhaspickeduponthisandimplementeditwidely It’snotalwaysplugand

play,butit’subiquitousenoughthatexpertiseisfairlycommon

Finally,inmanycasesthecapabilitiesofTLSareenhancedbycertificatesfroma

trustedCAandinsome,atrustedCAisnecessaryforTLS/SSLtomakesense

Additional Reading

Oppliger, Rolf. SSL and TLS:TheoryandPractice(InformationSecurityandPrivacy

(2009) ArtechHousePublishers,ISBN1596934476

Rescorla, Eric SSL and TLS:DesigningandBuildingSecureSystems(2000)

Addison-WesleyProfessional ISBN0201615983

Symantec SSL Resources:go symantec com/ssl-certificates

Mozilla Developer Center: Introduction to Public-Key Cryptography:https://

developer mozilla org/en/Introduc-tion_to_Public-Key_Cryptography

The IETF TLS Working Group:http://datatracker ietf org/wg/tls/charter/

Microsoft – How to Set Up SSL on IIS7:http://learn iis net/page aspx/144/how-to-

set-up-ssl-on-iis-7/

Microsoft – SSL Capacity Planning:http://technet micro-soft com/en-us/library/

cc302551 aspx

TLS and SSL – What’s the Difference?: http://luxsci com/blog/ssl-versus-tls-whats-

the-difference html


More Information

Visitourwebsite

http://go symantec com/ssl-certificates

TospeakwithaProductSpecialistintheU S

Call1(866)893-6565or1(650)426-5112

TospeakwithaProductSpecialistoutsidetheU S

Forspecificcountryofficesandcontactnumbers,pleasevisitourwebsite

AboutSymantec

Symantecisagloballeaderinprovidingsecurity,storage,andsystems

managementsolutionstohelpconsumersandorganizationssecureandmanage

theirinformation-drivenworld Oursoftwareandservicesprotectagainstmore

risksatmorepoints,morecompletelyandefficiently,enablingconfidence

whereverinformationisusedorstored

SymantecCorporationWorldHeadquarters

350EllisStreet

MountainView,CA94043USA

1(866)8936565

www symantec com

Copyright©2012SymantecCorporation Allrightsreserved Symantec,theSymantecLogo,andtheCheckmarkLogoaretrademarksorregisteredtrademarksofSymantecCorporationoritsaffiliatesintheU S andothercountries VeriSignandotherrelatedmarksarethetrademarksorregisteredtrademarksofVeriSign,Inc oritsaffiliatesorsubsidiariesintheU S andothercountriesandlicensedtoSymantecCorporation Othernamesmaybetrademarksoftheirrespectiveowners

http://go.symantec.com/ssl-certificates

best practices and applications of tls-ssl

Technology