best practices and applications of tls-ssl
DESCRIPTION
The most well-known example of the use of public key infrastructure has proven flexible enough to assist in authentication, encryption and data integrity in numerous applications throughout the enterprise.TRANSCRIPT
WH
ITE P
AP
ER
:B
ES
T PR
AC
TICES
AN
D
AP
PLIC
ATIO
NS
OF TLS
/SS
L
Best Practices and Applications of TLS/SSL
White Paper
The most well-known example of the use of public key infrastructure has proven flexible enough to assist in authentication, encryption and data integrity in numerous applications throughout the enterprise.
By Larry SeltzerSecurity Analyst and Writer
White Paper: Best Practices and Applications of TLS/SSL
2
Best Practices and Applications of TLS/SSLThe most well-known example of the use of public key infrastructure has proven flexible enough to assist in authentication, encryption and data integrity in numerous applications throughout the enterprise.
CONTENTS
Executive Summary 3
Introduction 3
What is TLS/SSL? 4
DigitalCertificates 4
AuthenticationandVerification 5
Key Security 5
Encryption 5
WhereTLSWorksIntheStack 6
TLS vs SSL 6
Networks Are Insecure By Default 7
Authentication 7
PrivacyandIntegrity 8
Solutions 8
Trusted Certificate Authorities 8
TrustedRoots 8
Self-SignedCertificates 9
AuthenticationDoesNotProveTrust 9
Extended Validation (EV) SSL 9
Not Just For Web Browsers 10
Client Security with TLS/SSL 10
Wireless 11
SSLVPN 11
Server-to-Server Security with TLS 12
Web and Intranet Servers 13
CommonTLSMistakes 13
Hosted Service Security with TLS 14
Certificate Expiration 15
Certificate Revocation 15
Self-Signed Certificates 16
Certificate Management 17
Conclusion 17
Additional Reading 17
White Paper: Best Practices and Applications of TLS/SSL
3
Executive Summary
TransportLayerSecurityorTLS,widelyknownalsoasSecureSocketsLayerorSSL,
isthemostpopularapplicationofpublickeycryptographyintheworld Itismost
famousforsecuringWebbrowsersessions,butithaswidespreadapplicationto
othertasks
TLS/SSLcanbeusedtoprovidestrongauthenticationofbothpartiesina
communicationsession,strongencryptionofdataintransitbetweenthem,and
verificationoftheintegrityofthatdataintransit
TLS/SSLcanbeusedtosecureabroadrangeofcriticalbusinessfunctions
suchasWebbrowsing,server-to-servercommunications,emailclient-to-server
communications,softwareupdating,databaseaccess,virtualprivatenetworking
andothers
However,whenusedimproperly,TLScangivetheillusionofsecuritywherethe
communicationshavebeencompromised Itisimportanttokeepcertificatesupto
dateandcheckrigorouslyforerrorconditions
Inmany,butnotallapplicationsofTLS,theintegrityoftheprocessisenhancedby
usingacertificateissuedbyanoutsidetrustedCertificateAuthority(CA)
ThispaperwillexplorehowTLSworks,bestpracticesforitsuse,andthevarious
applicationsinwhichitcansecurebusinesscomputing
Introduction
Asthescienceofbusinesscomputing,andofcomputingsecurityinparticular,
hasadvanced,thetrendhasbeentofindsecurityweaknesseseverywhere Where
complexityandfunctionalitygrow,sodotheopportunitiesforabuseofsystemsby
maliciousactors
Thesolutionstotheseproblemsarevariedandmustbeexploredindividually,but
onetechnologyshowsupoften:TLSorTransportLayerSecurity,oftenknownby
thenameofthepredecessortechnology,SSLorSecureSocketsLayer
TLSisbestknownasthetechnologywhichsecuresWebbrowsersessionsfor
bankingandothersensitivetasks,butitcanbeusedformuchmore Client-server
communicationwithavarietyofservertypes,inadditiontoWebservers,benefits
fromuseofTLS Server-to-servercommunicationsalsoneedtobesecuredand
canbethroughTLS Clientsupdatingapplicationsandothersoftwareontheir
PCsshouldonlydosothroughasecureconnection,whichiswhysuchupdate
applicationsusuallyuseTLSorSSL Thispaperwillexploretheseandother
applicationsofTLSthatcansecuretheenterpriseinthemyriadplacesinwhichit
canbeattacked
White Paper: Best Practices and Applications of TLS/SSL
4
TLSprovides3basicbenefits:
• Itprovidesauthenticationofthecommunicatingparties,eitherone-wayorin
bothdirections
• Itencryptsthecommunicationsession“onthewire”
• Itensurestheintegrityofthedatatransferred
ThispaperwillalsodiscusstrustedCAsandtheirroleinthepublickey
infrastructureorPKI ThoughtrustedCAsaren’talwaysnecessary,inmanycases
theyarebeneficialandsometimesnecessaryfortheprotectiontohaveanyeffect
What is TLS/SSL?
TLS/SSLisatunnelingprotocolthatworksatthetransportlayer Itprovides
encryption,authenticationandintegrityverificationofdata,anddoessobymeans
ofdigitalcertificates
Digital Certificates
Adigitalcertificateisanelectronicdocumentwhichconfirmstheidentityofan
entity–whichcouldbeauser,aserver,acompany,aprogramonaclient,just
aboutanything–andassociatesthatentitywithapublickey Thedigitalcertificate
istheentity’sidentificationtothepublickeyinfrastructure EachpartytoaTLS-
securedcommunicationcanevaluatethecontentsofthecertificate Themost
examinedfieldistheCommonName Eachthencomparesittowhattheyexpect
Itisalsowisetochecktheissuerofthecertificate Istheissueratrustedparty?For
moreontheseissuersseeTrustedCertificateAuthorities,page8
Userscangeneratetheirowndigitalcertificates,calledself-signedcertificates,
withfreetools1 Butsuchcertificatesareinherentlyuntrustworthyandthereal
valueofcertificatescomeswhentheyareissuedbyatrustedCA Userscancreate
andruntheirownCAontheirnetworkandsometimesthismakessense,butin
manycasesitisnecessarytouseanoutsidetrustedCAwhichoutsidepartiescan
alsotrust Symantec™isthelargestCA
1TheOpenSSLProject-http://openssl org/ Microsoft’scryptotools(http://msdn microsoft com/en-us/library/aa380259(VS 85) aspx)areincludedintheWindowsSDK(http://msdn microsoft com/en-us/windowsserver/bb980924 aspx)
White Paper: Best Practices and Applications of TLS/SSL
5
Authentication and Verification
Publickeycryptographyallowstwopartiestoauthenticateeachother Eachparty
hastwokeys,whicharelargenumericvalues Amessageexchangedbetweenthe
partiesisrunthroughahashingalgorithm Ahashfunctiontakesablockofdata
andcreatesavaluefromit,knownasahashordigest Makeevenasmallchange
inthedataandthehashchangessignificantly Atthesametimethereisnowayto
recreatethedatafromthehash
Thesendingpartytothecommunicationsusestheirprivatekeytoencryptthehash
value Thisencryptedvalueiscalledadigitalsignature Themessageandsignature
aresenttotherecipientparty Therecipientpartyusesthesender’spublickey
todecryptthesignature Theygenerateahashofthemessageusingthesame
algorithmasthesenderandcomparethevalues
Ifthevaluesarethesamethentwothingsarecertain:thedatahasnotbeen
tamperedwithandthesenderiswhotheypurporttobe Thisisbecausetheprivate
keycorrespondingtothepublickeyinthecertificatewasusedtosignthedata,and
theprivatekeyshouldonlybeaccessiblebythesendernamedinthecertificate
NeitherauthenticationnorintegrityverificationaremandatoryinTLS Youcanuse
itsimplysothatthebitsonthewireareencrypted Butauthenticationisacore
feature,importanttomostcustomers
Key Security
Therearesomeabsoluterulesthatneedtobefollowedinorderforthepublickey
infrastructuretoworkproperly
Private keys must be private:Thesignerofamessageneedstokeeptheir
privatekeyabsolutelyconfidential Anyonewhohasitcaneffectively
impersonatethesender
Public keys must be public:Well,notnecessarilypublic,buttheyhavetobe
accessibletoanyonewhomighthaveavalidreasontoreadthemessageorencrypt
amessagetotheentitynamedinthecertificate
Hash algorithms must not collide:Acollisioniswhenthehashalgorithm
generatesthesamedigestfromtwodifferentdatablocks Atsomepointthisis
inevitable,buttheabilitytogeneratecollisionsintentionallycompromisesall
functionsofpublickeycryptography Thisiswhynewandbetterhashalgorithms
havebeendevelopedovertimeandputintopublicuse
Encryption
Evenwhenauthenticationisnotused,TLScanuseencryptionkeysandacipher
algorithmtoencrypt/decryptdataforcommunication Thecipherisalsousedfor
encryptingthemessagedigest
White Paper: Best Practices and Applications of TLS/SSL
6
Therearemanydifferentcipheralgorithmsfordifferentcircumstances Seethe
TLSvs SSLsectionbelowformoreonciphers
Where TLS Works In the Stack
TLS/SSLsitsbetweentheapplicationandtransportlayers Inthecontext
oftheInternetandmostlocalnetworking,thismeansitsitsaboveTCPor
TransmissionControlProtocol,theprotocolwhichprovidesreliable,ordered data
communicationsforapplications Applicationsthatwouldnormallyworkwith
TCPconnectionsinsteadworkwithTLSconnectionsforthepurposeof
establishingconnections
Application TLSHandshake
TLSRecord
TCP(reliabletransport)
IP
NetworkInterface
Wires(infrastructure)
TLSrequiresareliabletransport,whichmeansTCP ThismeansthatUDP-only
applicationslikeDNS,SNMP,andVOIP,presentaproblem SeeSSLVPNsformore
onthisproblem
TLS vs SSL
TLSisthesuccessortechnologytoSSL,whichwasdevelopedbyNetscapein1994 2
ThefirstpublicreleasewasSSLversion2,andwasquicklyfollowedbyversion
3 TheTLSspecificationwasreleasedin1999inRFC22463,andisonlyaminor
modificationofSSL3
2Mozilla orgSSL0 2PROTOCOLSPECIFICATION-http://www mozilla org/projects/security/pki/nss/ssl/draft02 html Thisversionwaswidelyknownas“version2 ”3RFC2246-TheTLSProtocolVersion1 0-http://tools ietf org/html/rfc2246
White Paper: Best Practices and Applications of TLS/SSL
7
Changeshavecomeatamuchslowerpacesincethen,withTLS1 14and1 25
largelyconcernedwithsecurityimprovements TLSisstillwidelycalledSSL,
especiallyinproductnames,evenifthetermisstrictlyinaccurate Don’tbe
surprisedtoseethetermsusedinterchangeably TLSversionsaredesignedto
interactwithandrollbacktoearlierprotocolssuchasSSL3 Infact,intheprotocol
handshake,TLS1 0,1 1and1 2usetheversionnumbers3 1,3 2and3 3
Oneofthemaindifferencesyou’llseebetweenSSLandTLSversionsarethe
cryptographicfeatures,includingtheciphers,hashalgorithmsandkeyexchange
mechanismstheysupport Astimeandversionsadvance,supportforweaker
featuresisdroppedfromtheprotocolandstrongeronesadded Administratorson
eitherendofthecommunicationcansetpoliciesrequiringorprohibitingparticular
protocols It’sreasonabletoclaimthattheflexibilityofTLSwithrespecttonew
developmentsinciphersandothercryptographicfeaturesisoneofthemain
reasonsforitssuccess
Networks Are Insecure By Default
Allofourimportantnetworkingprotocolsweredesignedbeforesecurityissues
wereproperlyappreciated Agreatdealofresearchhasgoneintomaking
communicationssecure,butinmostcasesithastobeaddedon Bydefault,our
networksareinsecure
HTTP,SMTPandFTPwerealldesignedtocommunicateincleartext Allofthem
canbeenhancedtosupportencryptionandoftenthesolutionusesTLS Onlywith
HTTPS,however,whichisHTTPoverTLS/SSL,issuchsecurityubiquitous
Authentication
Authenticationinmostnetworksisweak,usuallyrelyingonpasswordscontrolled
byruleswhichdon’tfollowbestpractices It’snosurprisethatthingsarethisway;
followingbestpracticesforpasswordsisdifficultandunpleasant:youhaveto
usepasswordsthatarelonganddifficulttorememberandyouneedtochange
themfrequently
Evenserver-to-serverconnectionsareoftenauthenticatedwithpasswords,which
arehard-codedintoprogramsorconfigurationfiles
4RFC4346-TheTransportLayerSecurity(TLS)ProtocolVersion1 1-http://tools ietf org/html/rfc43465RFC5246-TheTransportLayerSecurity(TLS)ProtocolVersion1 2-http://tools ietf org/html/rfc5246
White Paper: Best Practices and Applications of TLS/SSL
8
Privacy and Integrity
Whencommunicationsarenotsecuredproperlyyoucan’tbecertainthatthedata
hasnotbeenmonitoredortamperedwithin-transit Attacksknownas“manin
themiddle”(MITM)attacks,wheretheattackersitsonthenetworkmonitoring
communicationsbetweenonepartyandanother,arenotuncommon Suchattacks
can,forexample,stealusernamesandotherunsecureddataontheconnection
Whencombinedwithspoofingtechniques,theMITMmayevenmodifythedata,
suchaschangedestinationURLssothatyouclickonalink,whichdirectsyoutoan
attackserver
Solutions
Manyproductsarenowdesignedbetterthantheywereinthepasttoprovide
secureconfigurationoutofthebox Microsoftinparticularhasmadesignificant
progressinthisregardinrecentyears Butatthelevelofnetworkcommunications
andauthentication,securityisstilltheresponsibilityofthenetworkadministrator
InmanyofthesecasesTLScanhelp Itcanprovideauthenticationwherenone
existsbydefault TLScanprovidestrongencryptionwheredatawouldnormally
flowincleartext Anditcanensurethatdatawasnotmodifiedin-transit
Trusted Certificate Authorities
IfyouareusingTLSpurelyforcommunicationoveryourownnetworks,itmay
beadequatetouseaninternalCAandsetyoursystemstotrustit However,
thehassleandcostofsettingupaninternalCAoftendrivesbusinessestodo
otherwise Also,ifdataissentovertheInternet,whereyoudon’tcontrolallpoints
oftransit,theonlywayallpartiescantrustthecertificateisifitwasissuedbya
trustedthird-partyCA
Trusted Roots
Becauseit’sunwisetorelycompletelyonInternetcommunicationstoprovethe
issuerofacertificate,manysoftwareproductscomewithalistof“trustedroot
certificates ”Thesecertificatesareinherentlytrustedandothercertificatessigned
bythosetrustedrootsarealsotrusted
MicrosoftWindowsincludesalistoftrustedrootcertificateswhichtheyupdate
periodicallythroughWindowsUpdateandtheirotherupdatingmechanisms
ManyotheroperatingsystemshavesimilarlistsApplicationsoftwaremayusethe
operatingsystemtrustedrootlistorincludetheirown SomeWebbrowserson
WindowsusetheWindowslist,butFirefoxusesitsownlist
OnemorecharacteristicofcertificatetrustisthatrootCAoftenhaveaffiliate
programs Thisallowsothercompaniestosellcertificatesonbehalfofthetrusted
rootCAs Infacttheaffiliatescanhavetheirownaffiliates The“parent”CAsigns
theaffiliateCA’scertificatesosoftwarecanprovethattheyareavalidaffiliate
TheTLSclientsoftware“walks”upthishierarchyofCAs,checkingthevalidity
ofthesignaturesateachstep,untiltheyreachonewhichisatrustedroot This
establishesthetrustofthewholehierarchy
White Paper: Best Practices and Applications of TLS/SSL
9
Self-Signed Certificates
DigitalcertificatesneednotbesignedbyatrustedCA Suchcertificates,when
generatedbytoolsseparately,arecalledself-signedcertificates Suchcertificates
canbeusedtoprovideencryptionofdata,butnoauthentication Seethesection
onself-signedcertificatesformoreonthissubject
Authentication Does Not Prove Trust
Therearemanyunfortunatecasesofusersandorganizationsbeingattacked
successfullyfortrustingacommunicationsimplybecauseitwassigned Buta
signature,evenoneissuedbyaCA,isnotproofthatthepartyistrustworthy
Authenticationgivesyoudefinitiveinformationastotheidentityoftheother
party,whichyoucanusetomakeaninformedtrustdecision Youcanlookatthe
identifyingfieldsinthecertificate,suchastheCommonName,toseeifitmatches
theentityyouexpected YoucanalsolookattheIssuerfield,whichidentifies
thecertificateauthoritythatissuedthecertificate,andmakedecisionsastoits
trustworthiness Aswewillseebelow,differentcertificateshavedifferentamounts
ofinformationonthemabouttheidentifiedentityandabouttheissuer
Extended Validation (EV) SSL
Theworkingsofdigitalcertificatesthemselveshavebeenwell-establishedformany
years,buttherulesfortheirissuancebytrustedCAshasnot Thestandardsof
manyCAsforissuingcertificatesreachedsuchapointseveralyearsagothatmany
CAsandvendorsofTLSsoftwareformedtheCA/Browser Forumm(www cabforum
org)toestablishstandards TheresultingstandardisEVSSL,whereEVstandsfor
ExtendedValidation
UsersgenerallyknowEVSSLasthethingthatturnstheirWebbrowserbargreen
MorefundamentallyitisanewclassofTLScertificateissuedwhentheapplicant
meetscertainstrictstandardsforprovingitsidentityestablishedbytheCA/
BrowserForum Therearealsodifferencesinthewaybrowsersbehavewhen
interactingwithEVSSLcertificates,particularlythegreenbrowserbarindicator
andacleardisplayoftheorganizationname
Therulesfortheentitiesareratherstrict:theymustbealegally-recognizedentity,
eitherincorporatedoragovernmentalbodyorsomeregisterednon-profit You
cannotgetapersonalEVSSLcertificate TheCAhastoverifythelegalexistence
aswellasthephysicalexistenceandoperationalexistenceoftheapplyingentity
TheCAmustconfirmthattheentityhastherighttousethedomainandthatthe
personapplyingisauthorizedtodoso 6
Theendresultofthesestandardsisthatitwouldbeextremelydifficult,and
likelyexpensive,toobtainafalseEVSSLcertificate Asaresultofallthework
neededtomeetthestandards,EVSSLcertificatesaremuchmoreexpensivethan
conventionalTLScertificates
6CA/BrowserForumEVSSLCertificateGuidelines-http://www cabforum org/documents html
White Paper: Best Practices and Applications of TLS/SSL
10
Not Just for Web Browsers
TLSandSSLarebestknownforsecuringWebbrowsercommunications,butthey
arebynomeanslimitedtoHTTP ManyotherapplicationsandprotocolsuseTLS
forsecurity,generallyasanoption Someexamplesfollow:
• FTPS–Asecureversionoftheubiquitousfiletransferprotocolsecuredwith
TLS ConventionalFTPtransmissionsareincleartext FTPShasbeenanofficial
RFCsince20057andanunofficialonefor10yearsbeforethat Ithaswidespread
supportinFTPsoftware (NottobeconfusedwithSFTP,whichisFTPthroughan
SSHsession,ormanyotherless-standardizedapproaches )
• Outlook to Exchange–OutlooktoExchangeoverRPCoverTLSisbecoming
popularasasecureexternalaccessmethod,buttherearereasonstouseit
internallyaswell Inthiscaseyoureplacethedefaultself-signedcertificate
intheExchangeserverwitharealTLScertificatefromatrustedCA Thisis
standardoperatingprocedurenowwithExchangehostingservices
• Windows Update –BeforeWindowsVista,WindowsUpdatewassimplya
websiteinInternetExplorerwhichusedHTTPS Inmorerecentversionsof
Windows,itisacustomappsecuredbyTLS Manyotheronlinesoftwareupdate
programs,suchasthegetPlusprogramusedbyAdobe,useTLSconnections
forsecurity
Client Security with TLS/SSL
ClientsidecertificatescanbeusedwithTLStoprovetheidentityoftheclientto
theserver,andvice-versa Thisiscalled“two-wayTLS”andrequirestheclientand
serverbothprovidecertificatestoeachother
Therearestandards-basedsystemsforadministeringTLSinthisrole Active
DirectoryinWindowsmanagesthem8andusescertificatesstoredeitherinthe
clientorusingsmartcardsorotherstrongauthenticationdevices 9OpenLDAPisan
opensourcedirectoryservicethataccomplishesmuchthesame 10
Inspiteofthegreatlyimprovedsecurityfromusingstrongauthentication
mechanismslikeTLScertificates,ithasnotbeenatypicalconfiguration In
exchangeforthesecurity,yougetafairamountofcomplexityandadministrative
work,plusclientscanonlyloginwhentheyhavetheirclientcertificate Butrecent
versionsofWindowsServerhavemadeitmucheasiertohavecertificateand
othercredentialdataindependentoftheuserprofile,allowinguserstomoveto
differentcomputersandstillauthenticate Still,thisisahigher-costsetupthanthe
useofpasswordsandmostorganizationswouldconsideritonlyforhigh-valueor
vulnerableconnections
ThedefaultfortheLDAPprotocolitselfisunencryptedbydefault UnderLDAP
version2itwascommontouseanon-standardsetupcalled“LDAPS”which
tunneledLDAPthroughaTLStunnelonport636 11LDAPversion3addeda
standardextensionforTLS 12
7RFC4217-http://tools ietf org/html/rfc42178ActiveDirectoryCertificateServices-http://technet microsoft com/en-us/windowsserver/dd448615 aspx9Smartcardandothercertificateauthentication-http://technet microsoft com/en-us/library/cc758410(WS 10) aspx10OpenLDAP,UsingTLS-http://www openldap org/doc/admin24/tls html11MicrosoftKnowledgeBase,HowtoenableLDAPoverSSLwithathird-partycertificationauthority-http://support microsoft com/kb/32105112RFC2830,LightweightDirectoryAccessProtocol(v3):ExtensionforTransportLayerSecurity-http://tools ietf org/html/rfc2830
White Paper: Best Practices and Applications of TLS/SSL
11
Wireless
Asecurewirelessnetworkrequiresstrongerauthenticationthantheshared
secretpasswordusedonyourhomerouter ThroughtheWPAandWPA2security
standards,allwirelessnetworkssupportExtensibleAuthenticationProtocol(EAP),
aframeworkforauthenticationmethodsforaccesstothenetwork Dozensofsuch
methodshavebeenimplemented 13
ThemainpointofEAPinawirelessaccesspointorrouteristoallowittohookinto
anenterpriseauthenticationsystemsuchasyourLANorWAN Inthisscenario,you
shoulddemandthehighestlevelofauthenticationontheaccesspointitselfand
veryhighlevelsfromclientsconnectingtoit TLSisagoodchoice
EAP-TLS14isoneofthemethodswidely,ifnotuniversally,supportedinthewireless
industryandoneofthestrongest,ifcarefullyimplemented ItusesnormalPKI
methodstosecureconnectionstoaRADIUSserver EAP-TLSissupportedoutof
theboxinallmajoroperatingsystems,includingtheopensourceones
ThemaindifficultywithEAP-TLSisthatclientsneedtohaveindividualcertificates,
andtheyneedcarefulmanagement Inthissenseitisthesameasclient
certificatesontheLAN:astraighttrade-offofsecurityforeaseofadministration
SeveralotherEAPmethodsuseTLSindifferentways,generallyinorderto
avoidtheneedforclient-sidecertificatesandtheadministrativeburden They
necessarilytradeoffsecurityforthiseaseofadministration,ascredentialscanbe
lostrelativelyeasilyandtheirlossmaybedifficulttodetect
SSL VPN
VirtualprivatenetworkingisamustforsecurecommunicationsovertheInternet
Therearetwopopularmethods:IPSecandSSLVPN
IPSec15isanend-to-endprotocolforauthenticatingeachpacketinaTCP/IP
network ItoperatesattheInternetlayerofthenetwork,i e belowthetransport
layer Thisissignificantforitsapplication
SSLVPNscreateatunnelabovethetransportlayer Allapplicationnetwork
communicationsgoesthroughthetunnel IPSecisawidely-implementedand
deployedInternetstandard SSLVPNisnotastandardassuch,butwidely
implementedanddeployed
BecauseIPSecoperatesatoneofthelowerlevelsoftheInternetprotocolstack,
itcantransportalmostanythingyouneedandwithminimaloverhead SSLVPNs
operateabovethetransportlayerandrequireareliabletransport;thismeans
applicationsthatuseUDPfortransportcannotbesupportedinastraightforward
waythroughanSSLVPN EithertheyhavetorunoutsidethetunnelortheUDP
packetshavetobere-encapsulatedinTCPbeforetransport
13Wikipedia,ExtensibleApplicationProtocol-http://en wikipedia org/wiki/Extensible_Authentication_Protocol14TheEAP-TLSAuthenticationProtocol-http://tools ietf org/html/rfc521615AnIllustratedGuidetoIPsec-http://www unixwiz net/techtips/iguide-ipsec html
White Paper: Best Practices and Applications of TLS/SSL
12
WhetherencapsulationofUDPisaproblemfortheapplicationdependson
anumberoffactors:ThequalityoftheSSLimplementation,thespeedofthe
connectionand–perhapsmostimportantly–thetoleranceoftheapplicationfor
“lossy”transport
ApplicationswhichuseUDPdosoforperformancereasons,butneedtoexpect
somelevelofpacketloss,ifonlybecauseUDPdoesn’tguaranteedelivery Themost
importantUDPapplicationisprobablyVOIP,andsomeimplementationstolerate
encapsulationfairlywell Otherreal-timeUDPapplications,suchasstreaming
videoandsomemulti-playergamesdon’tfareaswell SomeVPN/firewallproducts
supportbothTLSandIPSecforuserswhoneedboth 16
SowhynotjustuseIPSecforallVPNs?Becausetheyarecomparativelydifficult
toadministeranduse Whenyou’resettingupindividualusersorsmallgroups
remotely,anSSLVPNwillbemucheasiertosupport,especiallyiftheapplication
needsaresimple Site-to-siteVPNs,wherewholenetworksareconnectedoverthe
Internet,needthepowerandflexibilityofIPSec
Manyapplication-focusedremoteaccessmethodsareTLS-based,andsomeare
SSLVPNsrepackagedasremoteaccessfortheproduct
Server-to-Server Security with TLS
Manyserver-to-serverconnectionsofferTLSasanoptionandit’sanexcellentone,
especiallywhentheconnectionisrunoverthepublicInternet AfullVPNinsuch
casesisinadvisable,astheapplicationneedsarenarrowandcertificatescanbe
usedtoprovidestrongauthenticationoftheserverstoeachother
16ThankstoGaryTomlinsonandJohnGmuenderofSonicwall(www sonicwall com)fortheirhelpinunderstandingtheproblemofUDPonSSLVPNs
White Paper: Best Practices and Applications of TLS/SSL
13
Connectionssuchasthesearealmostalwayshigh-value ConsiderWebservers
talkingtodatabaseserversormailserverssynchronizingwitheachother Thedata
intheconnectionisatreasuretroveforanattacker ProductssuchasMicrosoft’s
ExchangeServerandOracleApplicationServersupportTLSwithcertificatesoutof
thebox
WheninteractingacrosstheInternet,certificatesfromatrustedCAarehighly
recommended Eachpartyshouldmakeasfewassumptionsaboutthesecurityof
theotheraspossible
Beyondthat,therearegoodreasonsinsuchcasesforusingEVSSLcertificates
ResearchhasshownthatweaknessesintheCAvalidationproceduresformany
conventionalSSLcertificatesleavethemvulnerabletoman-in-the-middle
attacks 18
Briefly,theproblemcomeswiththeveryinexpensivedomain-validatedcertificates
Thesecertificatesvalidateadomainname,notanorganization,andthedomain
nameistheonlyidentifyingdatainthecertificate
Partofthereasontheyaresoinexpensiveisthattheapplicationandvalidation
proceduresarecompletelyautomatedinmanycases Aconfirmationrequestis
sentine-mailtotheadministrativecontactforthedomain Whoevercontrolsthat
emailaccountcanauthorizethecertificate Combinedwithsoftwarevulnerabilities
insomeTLSsoftware,thisprocesscanbeabusedtoallowspoofingofadomain
certificateandperhapsaman-in-the-middleattack
TheadvantageofEVSSL,inthiscase,isthattheEVSSLspecificationguarantees
thatanorganizationnameandotherdatawillbeinthecertificateandwillbe
verifiedbytheCA Forahigh-valueconnectionit’sworthhavingthisassurance EV
SSLsupportinsuchcasesmayrequirecustomprogramming
Web and Intranet Servers
Perhapsit’stooobvioustopointout,butTLScanbeusedtosecureabrowser-Web
serverconnection ItisworththinkingabouttheextentofyourTLSusageforboth
internalandexternalsites
HTTPisaprofoundlyinsecureprotocolwithoutTLS Itisplain-text,easilysniffable,
andeasilymanipulated EvenonaninternalnetworkyoushoulduseTLS/HTTPSfor
allsufficientlyvaluablebusinessconnections
Common TLS Mistakes
Don’tmakethemistakeofassumingthataTLSimplementationsecuresyour
websiteandthat’sit Therearemanycommonsitedesignmistakeswhichdefeat
thesecurityofTLS
18SpoofingServer-ServerCommunication:HowYouCanPreventIt-go symantec com/ssl-certificates*Configurationandalertoptionsvary,dependingonthemanagementconsoleyouuse
White Paper: Best Practices and Applications of TLS/SSL
14
Keep sensitive data out of URLs –WhenyouuseHTTPGETmethodswith
parametersthathavecriticaldatainthem,youexposethatdatatothewhole
world EnvisionaURLlikethisone:
Therearemanyreasonswhythisisabadidea Butfirst,theTLSconnectionwill
encrypttheURL,soatleastuserssniffingthenetworkwon’tseetheURLandthe
parameters Ontheotherhand,theURLwillbestoredintheWebserverlog,inthe
clientbrowserhistory,andinreferrerheaders Thislastpointmeansthatifthereis
alink,particularlyanon-TLSlink,outofthepagelinkedtojustabove,thefullURL
willbeincludedintheheaderssenttothatserver
Use “Secure” Cookie Flag –The“secure”flagwilltelltheservertosendcookies
onlyoveraTLSconnection Therearenumerousattackstohijackcookies,and
cookiesoftencontainthemostsensitiveofdata Cookiescanbestolenthrough
simplepacketsniffing,sessionhijacking,cross-sitescripting,orcross-siterequest
forgery It’sstillnotuncommontofindsignificantwebsitesthatuseinsecure
cookiesinHTTPSsessions
Do Not Mix TLS/SSL and Non-TLS/SSL Content–Justbecauseyourpagehasan
HTTPSlinkdoesn’tmeanallthecontentwill Ifthere’saframeoranimageorsome
otherelementthatiscalledwithanHTTPlink,itwillnotbeTLS-protected Most
browserswon’twarnusersabouttheinconsistency
Do Not Perform Redirects from Non-TLS/SSL Page to TLS/ SSL Login Page–
Eventodaytherearemajorbankswhichusehttpontheirloginpagesandredirect
tohttpsfromthere Thisisaninvitationforphishingpagesandothersortsof
abuse Unfortunately,usersusuallygettohttpspagesfromhttppages,butthe
betterwaywouldbefromabrowserbookmarkknowntobesecureortoenterthe
URLmanually
Hosted Service Security with TLS
OutsourcedservicesthroughtheWebareincreasinglypopularforgoodreason
Web-basedservicescanworkatleastaswellandsaveonstaff,infrastructure
andcapitalcosts Anyrespectableserviceofferedinthiswaywilluseaprotected
connection,probablyTLS
Acommonreasonwhycompaniesmovetooutsourcedservers,mostlyMicrosoft
Exchange,istogeteasiersupportformobiledeviceslikeBlackberries It’s
important,ifthisisoneofyourneeds,tobuyTLScertificatesthatarenatively
supportedbyActiveSyncorwhateverserviceyouwillbeusingforyourdevices
HostingservicesreportthatgettingTLSconnectionsworkingproperlyistypically
thebiggestramp-upproblemtheyhave
White Paper: Best Practices and Applications of TLS/SSL
15
Certificate Expiration
DigitalCertificatescomewithanexpirationdate,andforgoodreason Byissuing
acertificate,theCAisvouchingfortheapplicant,andit’spossibleforsuch
informationtoget“stale” Evenwithinternalcertificatesthere’sreasontohave
andcheckexpirationdates Infactit’smorereasonableforinternalcertificatesto
haveshortexpirationdates,sinceit’seasiertodistributethem,andtheissuing
authorityinITisprobablythesamegroupwhoadministerthecertificatesinthe
userdirectory
Somearguethatexpiredcertificatesarejustastrustworthy,oralmostas
trustworthy,asa“live”one Butanexpiredcertificateis,attheveryleast,asignof
administratorswhodon’tpaycloseattentiontotheirservers
Certificate Revocation
Revocationisanessentialfeatureofthepublickeyinfrastructure,onewhichcan’t
betakentooseriously
ForanumberofreasonsaCAmayrevokethecertificateofacustomer Itcouldbe
forviolatingthetermsofservice,forinstancebyservingmalwarefromthesite,or
itcouldbebecausethecustomerinformedtheCAthattheprivatekeyhadbeen
compromised
Whenacertificateisrevoked,youhavetoassumethattheholderisnot
trustworthy It’salotworsethanasitenothavingacertificateatall
Howdoyoucheck?Youdon’tusuallycheckityourself YourTLSsoftware(usually
abrowser)doesitbyoneoftwomethods:CRL,whichstandsforcertificate
revocationlists,istheoldmethod Thecertificateitselfmaycontaintheaddress
ofarevocationlistfortheCA,andthislistisbasicallyalistofcertificateserial
numbers Ifthecertificateyouarecheckingisinthelistthenit’srevoked Don’t
trustit Usersbrowsingthesite(inInternetExplorer)willseeamessagelikethis:
White Paper: Best Practices and Applications of TLS/SSL
16
CRLsaresimple,butthere’saproblemwiththem:overtimetheycangetbig,
especiallyforalargeCA Theycanbecached,butthentheCRLcheckmaybeoutof
date SoaprotocolnamedOCSP(onlinecertificatestatusprotocol)wasdeveloped
toletprogramscheckcertificatesoneatatime OCSPisthepreferredmethodnow
NotallCAssupportOCSP AswithCRL,thecertificatewillcontainafieldwiththe
addressoftheOCSPserveriftheCAsupportsOCSP
Self-Signed Certificates
It’snotuncommontofindself-signedcertificatesbothontheInternetand
internallyincorporations Thesearecertificateswhichhavenotbeenissuedby
aCA,eitherinternalorexternal,butgeneratedstaticallybyanyofanumberof
availablefreetools
Anyonecanmakethemandtheirexpirationdatemaybesetdecadesinthefuture,
sotheymayseemlikeagooddeal But,aswithmostthings,yougetwhatyoupay
forwithdigitalcertificates Self-signedcertificatesdon’tprovealotaboutthesite
they’reprotecting
Aself-signedcertificatewillallowsoftwaretoencryptdataandensureitsintegrity
intransit,butitprovidesnoauthentication Youcan’tmakeanyassumptionsabout
theotherparty
Notethatself-signedcertificatesarenotthesameascreatinganinternalCA A
companycancreatetheirownCA,putthename/addressofthatCAinthebrowser
orsystem’slistoftrustedrootCAsandthenitbecomesastrustedasanyfroma
realCAcompany Self-signedcertificatesarenotvouchedforbyanyone
ThevendorsofallthemajorWebbrowsersknowthatself-signedcertificatesare
troubleandtheyissuedire-lookingwarningswhenoneisencountered
White Paper: Best Practices and Applications of TLS/SSL
17
Certificate Management
Managinglargenumbersofcertificatesindifferentrolescanbeadifficulttask,and
ifit’snotdoneinanorganizedfashionit’saninvitationtotrouble
Withoutasystemforcertificatemanagementyouarelikelytofindindividuals
trackingcertificatesontheirownusingaspread-sheetortextfile Thisishow
companiesgetsurprisedbyexpiringcertificates,andiftheemployeemanagingthe
certificatesleaves,therecordscouldenduplost
GoodCAshaveonlinemanagementtoolsfortheircertificates,suchasSymantec
ManagedPKIforSSL Therearealsothirdpartymanagementpackageswhichtrack
bothexternally-grantedcertificatesandthosefrominternalCAs
Conclusions
TLS,widelyknownasSSL,isthestandardforsecureapplicationnetwork
communicationsbothwithintheenterpriseandacrosstheInternet TLScan
helpsecureyourapplicationsbystrengtheningauthentication,encryptingdata
communications,andensuringintegrityofdataintransit
TLSisaflexibletechnologythatadaptswelltonumeroussituationsfromWeb
serveraccesstoserver-servercommunicationstovirtualprivatenetworking
Industryhaspickeduponthisandimplementeditwidely It’snotalwaysplugand
play,butit’subiquitousenoughthatexpertiseisfairlycommon
Finally,inmanycasesthecapabilitiesofTLSareenhancedbycertificatesfroma
trustedCAandinsome,atrustedCAisnecessaryforTLS/SSLtomakesense
Additional Reading
Oppliger, Rolf. SSL and TLS:TheoryandPractice(InformationSecurityandPrivacy
(2009) ArtechHousePublishers,ISBN1596934476
Rescorla, Eric SSL and TLS:DesigningandBuildingSecureSystems(2000)
Addison-WesleyProfessional ISBN0201615983
Symantec SSL Resources:go symantec com/ssl-certificates
Mozilla Developer Center: Introduction to Public-Key Cryptography:https://
developer mozilla org/en/Introduc-tion_to_Public-Key_Cryptography
The IETF TLS Working Group:http://datatracker ietf org/wg/tls/charter/
Microsoft – How to Set Up SSL on IIS7:http://learn iis net/page aspx/144/how-to-
set-up-ssl-on-iis-7/
Microsoft – SSL Capacity Planning:http://technet micro-soft com/en-us/library/
cc302551 aspx
TLS and SSL – What’s the Difference?: http://luxsci com/blog/ssl-versus-tls-whats-
the-difference html
White Paper: Best Practices and Applications of TLS/SSL
More Information
Visitourwebsite
http://go symantec com/ssl-certificates
TospeakwithaProductSpecialistintheU S
Call1(866)893-6565or1(650)426-5112
TospeakwithaProductSpecialistoutsidetheU S
Forspecificcountryofficesandcontactnumbers,pleasevisitourwebsite
AboutSymantec
Symantecisagloballeaderinprovidingsecurity,storage,andsystems
managementsolutionstohelpconsumersandorganizationssecureandmanage
theirinformation-drivenworld Oursoftwareandservicesprotectagainstmore
risksatmorepoints,morecompletelyandefficiently,enablingconfidence
whereverinformationisusedorstored
SymantecCorporationWorldHeadquarters
350EllisStreet
MountainView,CA94043USA
1(866)8936565
www symantec com
Copyright©2012SymantecCorporation Allrightsreserved Symantec,theSymantecLogo,andtheCheckmarkLogoaretrademarksorregisteredtrademarksofSymantecCorporationoritsaffiliatesintheU S andothercountries VeriSignandotherrelatedmarksarethetrademarksorregisteredtrademarksofVeriSign,Inc oritsaffiliatesorsubsidiariesintheU S andothercountriesandlicensedtoSymantecCorporation Othernamesmaybetrademarksoftheirrespectiveowners