QualysGuard InfoDay 2012 - SSL LABS
Transcript

  • 1. SSL LABS (Risk Analysis Consultants, www.rac.cz, V060420; RAC QualysGuard InfoDay 2012)
  • 2. Qualys & SSL
  • 3. SSL Labs
    SSL Labs: a non-commercial security research effort focused on SSL, TLS, and friends.
    Projects:
    - Assessment tool
    - SSL Rating Guide
    - Passive SSL client fingerprinting tool
    - SSL Threat Model
    - SSL Survey
  • 4. SSL Implementation Ecosystem
    The SSL ecosystem includes many players:
    - Basic cryptographic algorithms
    - SSL and TLS encryption protocols
    - IETF TLS Working Group
    - Public Key Infrastructure (PKI) standards
    - SSL library developers
    - SSL client vendors (esp. major browser vendors)
    - SSL server vendors
    - Certificate Authorities and their resellers
    - CA/Browser Forum
    - System administrators
    - Consumers
  • 5. Free SSL Labs Audit Service
    Audits the implementation of the SSL protocol on your web server. The audit covers:
    - Certificate validity and trust
    - SSL protocol version support
    - Encryption cipher strength
    - Encryption key exchange
    - Solution description
    - Risk of attack description
    Register here: http://www.ssllabs.com
  • 6. SSL Assessment Details
    Highlights:
    - Renegotiation vulnerability
    - Cipher suite preference
    - TLS version intolerance
    - Session resumption
    - Firefox 3.6 trust base
    Every assessment consists of about:
    - 2000 packets
    - 200 connections
    - 250 KB of data
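    The messages behind those checks, as an added example that is not SSL Labs code: an assessment tool (or the passive fingerprinting tool from slide 3) lives on ClientHello and ServerHello. The block below builds both messages from constructed values, parses them back to the version and cipher suites, detects whether the server applies its own cipher suite preference (it chose something other than the client's first-listed suite), and flags suites in the categories the later tables count as weak (export key exchange, NULL, single DES, RC2, 40/56-bit keys). The SUITES table is a hand-picked subset of IANA cipher suite codes, and the is_weak() classification is my own reading of the talk's categories, not an SSL Labs rule.

```python
"""Build and parse TLS ClientHello/ServerHello records and classify cipher suites.
Added example; all messages are constructed in-process, nothing is sent on the wire."""
import struct

# Subset of IANA cipher suite codes, as (key exchange, cipher, hash) in the talk's
# naming.  Assumption: only well-known codes are listed; unknown codes map to "?".
SUITES = {
    0x0000: ("NULL", "NULL", "NULL"),
    0x0001: ("RSA", "NULL", "MD5"),
    0x0002: ("RSA", "NULL", "SHA"),
    0x0003: ("RSA_EXPORT", "RC4_40", "MD5"),
    0x0004: ("RSA", "RC4_128", "MD5"),
    0x0005: ("RSA", "RC4_128", "SHA"),
    0x0006: ("RSA_EXPORT", "RC2_CBC_40", "MD5"),
    0x0008: ("RSA_EXPORT", "DES_CBC_40", "SHA"),
    0x0009: ("RSA", "DES_CBC", "SHA"),
    0x000A: ("RSA", "3DES_EDE_CBC", "SHA"),
    0x0014: ("DHE_RSA_EXPORT", "DES_CBC_40", "SHA"),
    0x0016: ("DHE_RSA", "3DES_EDE_CBC", "SHA"),
    0x002F: ("RSA", "AES_128_CBC", "SHA"),
    0x0033: ("DHE_RSA", "AES_128_CBC", "SHA"),
    0x0035: ("RSA", "AES_256_CBC", "SHA"),
    0x0039: ("DHE_RSA", "AES_256_CBC", "SHA"),
    0x009C: ("RSA", "AES_128_GCM", "SHA256"),
    0x009D: ("RSA", "AES_256_GCM", "SHA384"),
    0x009E: ("DHE_RSA", "AES_128_GCM", "SHA256"),
    0x009F: ("DHE_RSA", "AES_256_GCM", "SHA384"),
}
VERSIONS = {(3, 0): "SSL v3.0", (3, 1): "TLS v1.0", (3, 2): "TLS v1.1", (3, 3): "TLS v1.2"}


def is_weak(code):
    """Weak per the talk's categories: export kx, NULL, single DES, RC2, 40/56-bit."""
    kx, cipher, _ = SUITES.get(code, ("?", "?", "?"))
    return ("EXPORT" in kx or cipher == "NULL" or cipher.startswith(("DES_", "RC2_"))
            or cipher.endswith(("_40", "_56")))


def _hello_record(hs_type, version, body):
    """Wrap a Hello body in a Handshake header (type, 3-byte length) and a TLS record."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def build_client_hello(version, suites):
    """Constructed ClientHello: zeroed random, empty session id, null compression only."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"
    return _hello_record(1, version, body)


def build_server_hello(version, suite):
    """Constructed ServerHello carrying the single suite the server selected."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return _hello_record(2, version, body)


def parse_hello(record):
    """Return {'type', 'version', 'suites'} for a ClientHello or ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS Handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or len(hs) != rec_len:
        raise ValueError("truncated record")
    hs_type, body_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 35:
        raise ValueError("truncated handshake message")
    version = VERSIONS.get((body[0], body[1]), "unknown %d.%d" % (body[0], body[1]))
    pos = 35 + body[34]                      # skip version, random and session id
    if hs_type == 1:                         # ClientHello: offered suites, client order
        n = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
        return {"type": "ClientHello", "version": version, "suites": suites}
    if hs_type == 2:                         # ServerHello: the one suite chosen
        return {"type": "ServerHello", "version": version,
                "suites": [struct.unpack(">H", body[pos:pos + 2])[0]]}
    raise ValueError("handshake type %d is not a Hello" % hs_type)


def server_prefers_own_order(client_hello, server_hello):
    """True when the server did not simply take the client's first-listed suite."""
    offered = parse_hello(client_hello)["suites"]
    chosen = parse_hello(server_hello)["suites"][0]
    if chosen not in offered:
        raise ValueError("server chose a suite the client never offered")
    return offered[0] != chosen


if __name__ == "__main__":
    ch = build_client_hello((3, 1), [0x0004, 0x002F, 0x0039])   # RC4 first, DHE-AES last
    sh = build_server_hello((3, 1), 0x0039)
    print(parse_hello(ch), parse_hello(sh), server_prefers_own_order(ch, sh))
```

    A real assessment repeats this with many ClientHello variants (one suite at a time to enumerate support, descending versions to spot version intolerance, a reused session id to test resumption), which is where the roughly 200 connections per assessment on this slide come from.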
  • 7. SSL Assessment Details (image only)
  • 8. Countries Overview: countries with over 5,000 certificates (chart)
  • 9. How Many Certs Failed Validation and Why?
    32,642 (3.76%) have incomplete chains.
    Remember that the methodology excludes hostname mismatch problems.
    (Charts: trusted versus untrusted certificates; validation failures)
  • 10. Protocol Support
    Protocol   Servers supporting   Servers for which this is the best (highest) protocol
    SSL v2.0        625,484                  -
    SSL v3.0      1,156,033             13,471
    TLS v1.0      1,143,673          1,141,458
    TLS v1.1          2,191              2,007
    TLS v1.2            211                211
    - Half of all trusted servers support the insecure SSL v2 protocol. Modern browsers won't use it, but wide support for SSL v2 demonstrates how we neglect to give any attention to SSL configuration.
    - Virtually all servers support SSL v3 and TLS v1.0.
    - Virtually no support for TLS v1.1 (released in 2006) or TLS v1.2 (released in 2008).
    - At least 18,111 servers will accept SSL v2 but only deliver a user-friendly error message over HTTP.
  • 11. Ciphers, Key Exchange and Hash Functions
    - Triple DES and RC4 rule in the cipher space.
    - AES, DES and RC2 are also widely supported.

    Cipher              Servers     Percentage
    3DES_EDE_CBC      1,139,215      98.42%
    RC4_128           1,129,315      97.56%
    AES_128_CBC         713,188      61.61%
    AES_256_CBC         703,320      60.76%
    DES_CBC             666,185      57.55%
    RC4_40              624,294      53.93%
    RC2_CBC_40          600,048      51.84%
    RC2_128_CBC         518,803      44.82%
    RC4_56              414,396      35.80%
    DES_CBC_40          297,783      25.72%
    IDEA_CBC             80,405       6.94%
    RC2_CBC_56           73,491       6.34%
    CAMELLIA_256_CBC     33,287       2.87%
    CAMELLIA_128_CBC     33,287       2.87%
    SEED_CBC             13,406       1.15%
    NULL                  7,513       0.64%
    AES_256_GCM               3          -
    AES_128_GCM               1          -
    FORTEZZA_CBC              1          -

    Key exchange        Servers     Percentage
    RSA               1,157,434      99.99%
    RSA_EXPORT          623,914      53.90%
    DHE_RSA             478,694      41.35%
    RSA_EXPORT_1024     418,707      36.17%
    DHE_RSA_EXPORT      250,337      21.62%

    Hash                Servers     Percentage
    SHA               1,154,171      99.71%
    MD5               1,103,240      95.31%
    SHA256                   77          -
    SHA384                  423          -
  • 12. Cipher Strength
    - All servers support strong, and most support very strong, ciphers.
    - But there is also wide support for weak ciphers.
    (Charts: best cipher strength support; cipher strength support)
  • 13. SSL Labs Score Distribution
    - Most servers are not configured well.
    - Only 31.24% got an A; 68.76% got a B or worse.
    - Most probably just use the default settings of their web server.
    Grade thresholds (numeric score):
    A  >= 80
    B  >= 65
    C  >= 50
    D  >= 35
    E  >= 20
    F  <  20
    (Charts: score distribution; grade distribution)
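    What "default settings" meant for the servers in slides 10 and 11, as an added example that is not from the talk: an Apache httpd mod_ssl virtual host left in the permissive shape those tables reflect (every protocol and suite the OpenSSL build offers, including SSL v2, export, single DES, RC2 and NULL suites, with the client deciding the order), beside a configuration that removes them and makes the server enforce its own preference. SSLEngine, SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder are real mod_ssl directives; the permissive cipher string is an illustration of an old-style default, not a quotation of any particular httpd release, and -SSLv3 is included on the hardened side because SSL v3 is no longer considered safe, even though this 2012 talk only singles out SSL v2.

```apache
# --- Permissive (illustrative old default; assumed, not copied from a release) ---
<VirtualHost *:443>
    SSLEngine on
    # "all" includes SSLv2 and SSLv3 on builds that still ship them.
    SSLProtocol all
    # Accepts export, LOW (single DES, 40/56-bit), RC2, RC4 and NULL suites;
    # without SSLHonorCipherOrder the client's list order wins.
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
</VirtualHost>

# --- Hardened ---
<VirtualHost *:443>
    SSLEngine on
    # Drop SSLv2 (the talk's "insecure" protocol) and SSLv3; keep TLS 1.0+.
    SSLProtocol all -SSLv2 -SSLv3
    # Server picks from its own ordered list: DHE_RSA with AES first, then
    # RSA with AES, then 3DES as the last resort for old clients.  Everything
    # the survey counts as weak is excluded explicitly.
    SSLHonorCipherOrder on
    SSLCipherSuite DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!LOW:!DES:!RC2:!RC4:!MD5
</VirtualHost>
```

    After changing the configuration, rerun the assessment at http://www.ssllabs.com: the SSL v2 and export rows should disappear from the protocol and key exchange results, and the cipher suite preference check should report that the server enforces its own order.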