Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

TLS Certificates on the Web – The Good, The Bad and The Ugly


Published on

At RSA 2016, CASC member Rick Andrews talked about TLS certificates on the web: the good, the bad and the ugly.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

TLS Certificates on the Web – The Good, The Bad and The Ugly

  1. 1. SESSION ID: #RSAC Rick Andrews TLS Cer1ficates on the Web – The Good, The Bad and The Ugly PDAC-R04 Senior Technical Director Symantec Trust Services
  2. 2. #RSAC TLS Cer1ficates 2   TLS Ecosystem is almost 20 years old   Recently endured three cer>ficate-based migra>ons:   Away from MD2 and MD5 to SHA-1   Away from small RSA keys to 2048-bit keys or larger   Away from SHA-1 to SHA-256
  3. 3. #RSAC What’s Driving These Migra1ons? 3   Relentless march of aNacks (only gePng beNer)   CA/Browser Forum   Baseline Requirements   EV Guidelines   Cer>fica>on Authori>es   Browser vendors
  4. 4. #RSAC What’s Slowing These Migra1ons? 4   Use of TLS in non-browser applica>ons   Mail, XMPP and other non-web servers   POS and other devices   Lack of auto-update capabili>es   Ins>tu>onal iner>a   Companies wait years to perform a server refresh
  5. 5. #RSAC TLS Cer1ficates – the Good
  6. 6. #RSAC Deployment of SHA-2 Certificates TLS Cer1ficates – the Good Trajectory of SHA-2 deployment is encouraging (Netcra_) 6
  7. 7. #RSAC TLS Cer1ficates – the Good 7   99.98% of cer>ficates contain RSA 2048-bit, ECC 224-bit or larger keys (Netcra_)   200K certs with keys >= RSA 4096 bits (Netcra_)   BR Compliance   Responsible for standardizing cer>ficate profiles   10.7% of sites use EV (TIM)
  8. 8. #RSAC TLS Cer1ficates – the Bad
  9. 9. #RSAC TLS Cer1ficates – the Bad 9   Remaining SHA-1 certs will not work in browsers a_er 2016:   13.3% (Netcra_)   11.6% (TIM)   US DOD s>ll issuing SHA-1 cer>ficates   hNp://>ll- shackled-to-outdated-dod-pki-infrastructure.html   More than 1,000 with < RSA 2048-bit or ECC 224-bit (Netcra_)   Browsers con>nue to add compliance checks
  10. 10. #RSAC TLS Cer1ficates – the Bad 10   EV viola>ons   ~6% of all EV cer>ficates (Netcra_)   Most don’t have a valid Subject Business Category (unlikely to cause usability problems)   Thousands don’t provide EV treatment in Chrome (customer doesn’t benefit from the extra cost of EV)   BR viola>ons   ~3% of all cer>ficates found (Netcra_)   Most are policy viola>ons (CN must appear in SAN, invalid Subject State or Country, etc.) unlikely to cause usability problems
  11. 11. #RSAC TLS Cer1ficates – the Bad 11   Strong keys signed by weaker keys (a dozen or so) don’t provide the cryptographic protec>on expected by the cer>ficate owner:   ECC P-384 signed by ECC P-256   ECC P-384 signed by RSA 2048   RSA 4096 and 8192 signed by RSA 2048   Cer>ficate expira>on is embarrassing   hNp:// renew-its-ssl-cer>ficate.html   Almost 4% of sites serve an incomplete cer>ficate chain (TIM)   Most browsers don’t try to fetch missing subordinate CA
  12. 12. #RSAC TLS Cer1ficates – the Ugly
  13. 13. #RSAC TLS Cer1ficates – the Ugly 13   Invalid Cer>ficates abound   In Netcra_’s survey, approximately two thirds of all TLS cer>ficates seen are valid, issued by a trusted CA. The remaining one-third are either self-signed, expired, signed by an unknown issuer or contain mismatched names.   One MD5, 3-year cert issued in 2013 by a public CA (RSA 1024-bit key) it’s got 6 other BR viola>ons   One 512-bit RSA key used by Government of Korea (South), although it’s signed using SHA-2 it’s got 4 other BR viola>ons   Browsers block access to such sites
  14. 14. #RSAC TLS Cer1ficates – the Ugly 14   Invalid Public Key Exponent: one cer>ficate with an RSA exponent of 1   TLS data is sent in cleartext   Mul>ple CNs are prohibited, but Netcra_ found cer>ficates with up to 24 CNs   2009 study demonstrated aNacks on certs with mul>ple CNs   EV certs with fewer than the correct number of SCTs   Customer doesn’t benefit from the extra cost of EV in Chrome
  15. 15. #RSAC TLS Cer1ficates – the Ugly, con1nued 15   One cert with RSA 15,424-bit key! (includes 72 SAN values!) It’s an Apache server, but not a web site   No harm to the Web   Ten-year end-en>ty cer>ficates, issued a_er the BRs became effec>ve   Most browsers block public TLS certs with excessive dates   Cer>ficates with more than 50 SANs (Netcra_)   Nothing illegal, but might cause performance problems
  16. 16. #RSAC Applying What We’ve Learned
  17. 17. #RSAC Apply 17   2048-bit RSA with SHA-256 is adequate for now   Keep SANs to a minimum (20 or fewer), and only one CN   Replace all weak, invalid, revoked or soon-to-expire cer>ficates   Generate a new key pair every >me you replace a cer>ficate   Make sure your EV cer>ficates have the correct number of SCTs   Test your cer>ficate with all major browsers (don’t forget mobile)   Confirm that your CA has correctly issued the cer>ficate
  18. 18. #RSAC Check Your Work 18   Check TLS cer>ficates and configura>on on all servers, not just web servers   hNps://   hNps://   Consider a discovery tool like Cer>ficate Intelligence Center   hNps://>ficates/cer>ficate-intelligence- center/   Certlint from Amazon (open source)   hNps://
  19. 19. #RSAC Data Sets 19   Netcra_   hNp://   ICSI   hNps://   Trustworthy Internet Movement (TIM) SSL Pulse   hNps://   Comodo’s cer>ficate search tool   hNps://
  20. 20. #RSAC Thank you!