the snowden revelations - lessons and recommendations
TRANSCRIPT
![Page 1: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/1.jpg)
© GMO GlobalSign Group. All Rights Reserved. www.globalsign.com
Achieving compliant security:
Paul van Brouwershaven – Business Development Director
The Snowden revelations: Lessons and Recommendations
![Page 2: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/2.jpg)
Business Development Director
• Business Development Director for GlobalSign
• Previously CTO of a European hosting company
• Over 10 years of experience in the hosting industry
• Expert in digital certificate solutions
• Dedicated to increasing awareness of the requirements for online security
• Thinking out of the box, detecting problems and providing solutions
![Page 3: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/3.jpg)
INTERNATIONAL FOOTPRINT Customers spanning all industries
![Page 4: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/4.jpg)
Identity verification
![Page 5: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/5.jpg)
Digital Certificates in practice
SSL Encryption &
Identity Assurance
Secure Email
Adobe PDF & Microsoft Office
document security
Code Signing
![Page 6: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/6.jpg)
SSL
• A communication protocol that can use several encryption methods to secure the integrity of data between sender and receiver.
• Used to provide a record of identity that is validated by a third party to secure the authenticity of the data.
![Page 7: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/7.jpg)
“The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet.”
“They're doing it primarily by cheating, not by mathematics”
Bruce Schneier
![Page 8: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/8.jpg)
Is SSL broken?
• SSL is 20 years old and has several known security issues
• TLS is used instead of SSL in the majority of cases
![Page 9: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/9.jpg)
But we keep the door open
• Servers are often configured with a weak configuration by default
• No clear view on compatibility, especially for mobile and embedded devices
![Page 10: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/10.jpg)
TLS support by major browsers
![Page 11: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/11.jpg)
Cipher security – known feasible attacks
![Page 12: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/12.jpg)
“The math is good, but math has no agency. Code has agency, and the code has been subverted.”
Bruce Schneier
![Page 13: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/13.jpg)
Potential backdoors?
• Dual Elliptic Curve Deterministic Random Bit Generator
• Documents "appear to confirm" that the backdoor was real, and had been deliberately inserted by the National Security Agency (New York Times)
• Would allow NSA to decrypt SSL/TLS encryption
![Page 14: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/14.jpg)
Alexa top 1M has 68 776 sites in Germany
domain.com or subdomain(s): No SSL certificate 73%, with SSL certificate 27%
domain.com / www.domain.com: No SSL certificate 81%, with SSL certificate 19%
![Page 15: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/15.jpg)
Requirement for mass SSL deployment
• By 2020, 50,000,000,000 ‘Things’ will be connected to the Internet
• Requires a huge number of IP addresses
![Page 16: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/16.jpg)
Slow IPv6 adoption
(Map of IPv6 adoption by country; the per-country percentages on the slide range from 0.08% to 9.83%, but the country labels are not recoverable from the transcript.)
![Page 17: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/17.jpg)
Host multiple SSL certs on a single IP
Visit the GlobalSign stand A07
![Page 18: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/18.jpg)
From the 36992 sites tested in Germany: supported SSL/TLS versions (number of sites)
SSL2: 7945
SSL3: 35943
TLS1: 36663
TLS1.1: 10446
TLS1.2: 12037
![Page 19: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/19.jpg)
Improving Server Security
• Enable support for TLS 1.0, 1.1 & 1.2, remove SSL
Apache:   SSLProtocol All -SSLv2 -SSLv3
Nginx:    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
![Page 20: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/20.jpg)
From the 36992 sites tested in Germany: supported ciphers
(Bar chart of the number of sites supporting each cipher, from 1 to 35312 sites; the cipher labels are not recoverable from the transcript.)
![Page 21: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/21.jpg)
From the 17 311 sites tested in Germany
Support TLS forward secrecy: Yes 84%, No 16%
Prefer TLS forward secrecy: Yes 67%, No 33%
![Page 22: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/22.jpg)
Improving Server Security
• Provide strong Cipher Suites preferences
Apache:   SSLHonorCipherOrder On
          SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:...........
Nginx:    ssl_prefer_server_ciphers on;
          ssl_ciphers EDH+CAMELLIA:...........;
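The statistics on the forward secrecy slide and the cipher-order settings above are two sides of the same question: which key exchange a server offers, and which one it picks first. The following Python is an added example, not code from the slides or from GlobalSign. It classifies OpenSSL-style suite names by key exchange (ECDHE-/DHE-/EDH- prefixes give forward secrecy; a bare cipher name means RSA key transport), flags suites with known feasible attacks, and builds a preference order. The suite names and the server's order are constructed sample data, and the classification rules simplify OpenSSL's naming scheme; the resulting order only matters when the server honours its own order, which is what SSLHonorCipherOrder and ssl_prefer_server_ciphers switch on.

```python
"""Classify OpenSSL-style TLS cipher suite names and build a preference order.

Added example (not from the slides). The rules below simplify OpenSSL's
naming scheme: a key-exchange prefix (ECDHE-, DHE-/EDH-, or none for RSA key
transport), then the bulk cipher, then the MAC/PRF hash.
"""

# Key exchanges that give forward secrecy: the session key comes from an
# ephemeral Diffie-Hellman exchange, so a later compromise of the server's
# long-term private key does not reveal the keys of recorded sessions.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Substrings marking a suite with a known feasible attack or no security:
# RC4, 3DES and single DES, NULL and export ciphers, MD5 MACs and anonymous
# (unauthenticated) key exchange.
WEAK_MARKERS = ("RC4", "DES-CBC3", "DES-CBC-", "NULL", "EXP-", "-MD5", "ADH-", "AECDH-")


def has_forward_secrecy(suite: str) -> bool:
    """True when the suite's key exchange is ephemeral (EC)DH."""
    return suite.startswith(FORWARD_SECRET_PREFIXES)


def is_weak(suite: str) -> bool:
    """True when the suite uses a cipher, MAC or key exchange that should not be offered."""
    return any(marker in suite for marker in WEAK_MARKERS)


def audit_preference(server_order):
    """Mirror the two statistics on the forward-secrecy slide for one server's
    ordered suite list: does it support any forward-secret suite, and is one
    its first choice?"""
    return {
        "supports_fs": any(has_forward_secrecy(s) for s in server_order),
        "prefers_fs": bool(server_order) and has_forward_secrecy(server_order[0]),
        "weak_suites": [s for s in server_order if is_weak(s)],
    }


def hardened_order(server_order):
    """Build a server preference list: forward-secret suites first, then the
    remaining strong suites, with weak suites removed. sorted() is stable, so
    the original relative order is kept within each group."""
    strong = [s for s in server_order if not is_weak(s)]
    return sorted(strong, key=lambda s: 0 if has_forward_secrecy(s) else 1)


# Constructed sample: a server whose first choice is RSA key transport and
# which still offers RC4 and 3DES.
SAMPLE_SERVER_ORDER = [
    "AES128-SHA",                   # RSA key transport: no forward secrecy
    "ECDHE-RSA-AES128-GCM-SHA256",  # ephemeral ECDH, AEAD cipher
    "DHE-RSA-AES256-SHA",           # ephemeral DH
    "RC4-SHA",                      # RC4: known feasible attacks
    "DES-CBC3-SHA",                 # 3DES
]

if __name__ == "__main__":
    print(audit_preference(SAMPLE_SERVER_ORDER))
    print(hardened_order(SAMPLE_SERVER_ORDER))
```

For the constructed sample the server "supports" but does not "prefer" forward secrecy, exactly the gap between the 84% and 67% on the slide; the hardened order moves the two ephemeral suites to the front and drops RC4 and 3DES.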
![Page 23: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/23.jpg)
Improving Server Security
• Check your Cipher Suites preferences regularly!
![Page 24: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/24.jpg)
From 12 822 SSL sites (www.)domain.com
OCSP Stapling: Yes 5%, No 95%
![Page 25: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/25.jpg)
Improving Server Security
• Enable OCSP Stapling
Apache:   SSLUseStapling on
          SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
Nginx:    ssl_stapling on;
          resolver 192.0.2.1;
![Page 26: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/26.jpg)
From 12 822 SSL sites (www.)domain.com
HTTP Strict-Transport-Security: Yes 1%, No 99%
![Page 27: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/27.jpg)
Improving Server Security
• Enable HTTP Strict-Transport-Security
Apache:   Header add Strict-Transport-Security "max-age=15768000"
Nginx:    add_header Strict-Transport-Security max-age=15768000;
![Page 28: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/28.jpg)
Check your configuration regularly
sslcheck.globalsign.com
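The four "Improving Server Security" slides (protocol versions, server-side cipher order, OCSP stapling, HSTS) can be checked before deployment by reading the configuration itself. The Python below is an added example, not code from the slides and not what sslcheck.globalsign.com does (that service probes a live server; this reads config text only and makes no network connection). It parses nginx or Apache directives with shell-style quoting, evaluates Apache's `All -SSLv2 -SSLv3` syntax, and reports which of the four recommendations a fragment fails. The configuration fragments are constructed samples, and the HSTS threshold is the max-age value the slides use.

```python
"""Static audit of an nginx or Apache TLS configuration fragment against the
four recommendations on the slides: no SSLv2/SSLv3, server-side cipher
order, OCSP stapling and an HSTS header. Added example; it reads config
text only and never connects to a server. The fragments below are
constructed samples.
"""
import re
import shlex

INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}
# Conservative reading of Apache's "All" shortcut (older releases include SSLv2).
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# The max-age used on the slides (about six months) is the minimum accepted here.
MIN_HSTS_MAX_AGE = 15768000


def parse_directives(text, nginx):
    """Return (name, args) pairs. nginx directives end with ';', Apache ones
    are one per line; '#' comments are dropped, quoting follows shell rules."""
    directives = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if nginx:
            line = line.rstrip(";")
        tokens = shlex.split(line)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def apache_protocols(args):
    """Evaluate an SSLProtocol argument list such as ['All', '-SSLv2', '-SSLv3']."""
    enabled = set()
    for token in args:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = APACHE_ALL if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def hsts_max_age(directives):
    """max-age of the first Strict-Transport-Security header (add_header in
    nginx, Header in Apache); 0 if it has no max-age, None if absent."""
    for name, args in directives:
        lowered = [a.lower() for a in args]
        if name.lower() in ("add_header", "header") and "strict-transport-security" in lowered:
            value = " ".join(args[lowered.index("strict-transport-security") + 1:])
            match = re.search(r"max-age=(\d+)", value)
            return int(match.group(1)) if match else 0
    return None


def audit(text, nginx):
    """Map each check name to True (passed) or False for one config fragment."""
    directives = parse_directives(text, nginx)

    def last(name):  # the last occurrence of a directive wins
        hits = [args for n, args in directives if n.lower() == name.lower()]
        return hits[-1] if hits else None

    protocols = last("ssl_protocols" if nginx else "SSLProtocol")
    if protocols is None:
        enabled = None  # not set explicitly: fail rather than guess a default
    else:
        enabled = set(protocols) if nginx else apache_protocols(protocols)
    order = last("ssl_prefer_server_ciphers" if nginx else "SSLHonorCipherOrder")
    stapling = last("ssl_stapling" if nginx else "SSLUseStapling")
    max_age = hsts_max_age(directives)
    return {
        "no_legacy_ssl": enabled is not None and not (enabled & INSECURE_PROTOCOLS),
        "server_cipher_order": bool(order) and order[0].lower() == "on",
        "ocsp_stapling": bool(stapling) and stapling[0].lower() == "on",
        "hsts": max_age is not None and max_age >= MIN_HSTS_MAX_AGE,
    }


def failed_checks(text, nginx):
    """Names of the checks a fragment fails, in check order."""
    return [name for name, ok in audit(text, nginx).items() if not ok]


# Constructed sample: a server left close to defaults, SSLv3 still enabled.
SAMPLE_NGINX_DEFAULT = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
# Constructed samples applying the slides' settings.
SAMPLE_NGINX_HARDENED = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    resolver 192.0.2.1;
    add_header Strict-Transport-Security max-age=15768000;
}
"""
SAMPLE_APACHE_HARDENED = """
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
Header add Strict-Transport-Security "max-age=15768000"
"""

if __name__ == "__main__":
    print("nginx default:", failed_checks(SAMPLE_NGINX_DEFAULT, nginx=True))
    print("nginx hardened:", failed_checks(SAMPLE_NGINX_HARDENED, nginx=True))
    print("apache hardened:", failed_checks(SAMPLE_APACHE_HARDENED, nginx=False))
```

A static check like this catches a setting that was never applied; it cannot see what the running server actually negotiates (a stale OCSP response, a cipher string that resolves to fewer suites than intended), which is why the slides still recommend probing the live host regularly.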
![Page 29: The Snowden revelations - Lessons and Recommendations](https://reader034.vdocuments.net/reader034/viewer/2022052413/55ceee70bb61ebee7f8b46ab/html5/thumbnails/29.jpg)
Questions?