ION Santiago: Lock It Up: TLS for Network Operators
Presentation given by Chris Grundemann at ION Santiago in Chile on 28 October 2014.

Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), can be used in many applications other than Web browsers. In order to make the Internet more secure, TLS needs to be widely deployed by all kinds of applications across the Internet. In this session, we will help network operators understand how best to support the use of TLS-encrypted applications across their networks and address how operators can best support their networks and users once everything is encrypted.
Lock It Up: TLS for Network Operators
Chris Grundemann
Director, Deployment & Operationalization
Internet Society
www.internetsociety.org

TLS vs SSL
Secure Sockets Layer (SSL) originally developed by Netscape in the mid-1990s
"Transport Layer Security (TLS)" evolved from SSL 3.0, although "SSL" remains a commonly used term
TLS version 1.3 in active development:
• https://tools.ietf.org/html/draft-ietf-tls-tls13
• https://github.com/tlswg/tls13-spec
Timeline:
• 1996: SSL 3.0 (recorded later as historical RFC 6101)
• 1999: TLS 1.0, RFC 2246
• 2006: TLS 1.1, RFC 4346
• 2008: TLS 1.2, RFC 5246
• 2014/15?: TLS 1.3, draft-ietf-tls-tls13
10/28/14

TLS – Not Just For Web Sites
TLS / SSL originally developed for web sites
Now widely used for many other services, including:
• Email
• Instant messaging
• File transfer
• Virtual Private Networks (VPNs)
• Voice over IP (VoIP)
• Custom applications

Snowden Revelations
Revelations by Edward Snowden in 2013 revealed a massive amount of surveillance and monitoring.
Prompted global concerns about the security and privacy of our data and of our communication sessions over the Internet.
Increased desire to see TLS used more widely across all applications and services.

Response by larger Internet community

RFC 7258 – IETF/IAB Response
http://tools.ietf.org/html/rfc7258
"Pervasive Monitoring Is An Attack"
Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.
Has prompted a security/privacy review across all areas of the IETF.
Expect to see changes over time across all the protocols used for communication on the Internet.

IETF Activity - UTA
New Working Group: UTA – Using TLS in Applications
• http://tools.ietf.org/wg/uta/
• Goals
  • Update the definitions for using TLS over a set of representative application protocols. This includes communication with proxies, between servers, and between peers, where appropriate, in addition to client/server communication.
  • Specify a set of best practices for TLS clients and servers, including but not limited to recommended versions of TLS, using forward secrecy, and one or more ciphersuites and extensions that are mandatory to implement.
  • Consider, and possibly define, a standard way for an application client and server to use unauthenticated encryption through TLS when server and/or client authentication cannot be achieved.
  • Create a document that helps application protocol developers use TLS in future application definitions.
IETF – Increased Activity Across Groups
Two examples:
TLS Working Group now defining TLS 1.3 and exploring other ways to secure TLS
• http://tools.ietf.org/wg/tls/
HTTPBIS Working Group defining a more secure HTTP 2.0
• http://tools.ietf.org/wg/httpbis/
• as implemented by the major browsers, will only work with https URLs

Other Reasons Customers May Request TLS
Ability to use the SPDY protocol (requires TLS)
• https://en.wikipedia.org/wiki/SPDY
Improved Google search result ranking
• Deploy360 post: http://wp.me/p4eijv-5eJ

Other Efforts
On Sept 29, 2014, CloudFlare announced they would be giving TLS certificates to all customers for free.
Calling it "Universal SSL", this made 2+ million web sites TLS-encrypted in one action.
Similar actions to make TLS more accessible are being seen from other groups and organizations.

Heartbleed and Poodle
Recent attacks have increased the desire to strengthen TLS security
Heartbleed (April 2014) vulnerability in OpenSSL highlighted the need for security reviews of common libraries – and also the need for diversity in library usage
• http://heartbleed.com/
POODLE (October 2014) demonstrated the need to completely deprecate usage of SSL 3.0: the protocol's CBC padding cannot be fixed, so servers should refuse it and clients should stop falling back to it
• https://www.openssl.org/~bodo/ssl-poodle.pdf

Outcome Of Activity By IETF And Other Groups
You WILL see increased usage of TLS across all applications
Example – Encrypt The Web report from EFF
• https://www.eff.org/encrypt-the-web-report

How Do You Help Your Customers?
If your customers are using more TLS for their applications, either by their own choice or because the service they are using is now using TLS, how do you help them make their connections over the Internet more secure?
1. Use TLS for your own services and systems
2. Allow TLS-encrypted sessions to flow through your network (i.e. don't block them or try to force them to downgrade to unencrypted connections)
3. Educate your customers about how they can move their own servers and services to support TLS
But what about….?
"Wait! If application developers run everything over TLS, all we will see are TLS-encrypted streams. We won't be able to see into the traffic and manage our network appropriately."
"We can't use wireshark!"
Unfortunately, the same monitoring capability used by network operators was abused by intelligence agencies and other attackers.
Momentum now is to close all these holes.
Network management must now assume TLS will be there.
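The objection on this slide is partly answerable without breaking encryption: the ClientHello that opens every SSL 3.0 / TLS handshake is sent in the clear, so an operator can still read the offered protocol version, the SNI host name and the cipher suites from a capture, and can spot the SSL 3.0 offers and TLS_FALLBACK_SCSV downgrade signals that matter for POODLE (see the Heartbleed and Poodle slide). The parser below is an example added for this page; it is not code from the original presentation or from the Internet Society. The three ClientHello records it inspects are constructed inline for the example rather than real captures, the cipher-suite name table is deliberately partial, and TLS_FALLBACK_SCSV (0x5600) is the RFC 7507 signalling suite, which the slides themselves do not mention.

```python
"""Passive ClientHello inspection: what an operator still sees once everything is TLS.

Example added for this page (not from the original slides). The ClientHello is the
unencrypted first message of every SSL 3.0 / TLS handshake, so the offered version,
SNI host name and cipher suites are visible on the wire without any decryption.
The sample records are constructed by build_client_hello(); they are not captures.
"""
import struct

SSL3 = 0x0300
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 downgrade-protection signalling suite
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_NAMES = {                    # partial table: only what the samples use
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x5600: "TLS_FALLBACK_SCSV",
}


def build_client_hello(version, suites, sni=None):
    """Construct a minimal ClientHello record (sample input for this example)."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                          # one compression method: null
    if sni is not None:                                           # SSL 3.0 hellos carry no extensions
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name(0)
        ext_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello(1)
    record_version = SSL3 if version == SSL3 else 0x0301          # record layer usually says 3.1
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a handshake record carrying a ClientHello; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    body = record[5:5 + record_len]
    if len(body) != record_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                                  # skip the 32-byte client random
    pos += 1 + hello[pos]                                         # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                                         # skip compression methods
    sni = None
    if pos + 2 <= len(hello):                                     # extensions are optional (absent in SSL 3.0)
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_data_len]
            pos += 4 + ext_data_len
            if ext_type == 0x0000 and len(data) >= 2:             # server_name extension
                list_end = 2 + struct.unpack("!H", data[:2])[0]
                q = 2
                while q + 3 <= list_end:
                    name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0 and sni is None:
                        sni = data[q:q + name_len].decode("ascii", "replace")
                    q += name_len
    return {
        "record_version": VERSION_NAMES.get(record_version, hex(record_version)),
        "client_version": client_version,
        "version": VERSION_NAMES.get(client_version, hex(client_version)),
        "sni": sni,
        "cipher_suites": [CIPHER_NAMES.get(s, "0x%04X" % s) for s in suites],
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }


def assess(info):
    """Operator-facing findings derived only from cleartext handshake fields."""
    findings = []
    if info["client_version"] <= SSL3:
        findings.append("offers at most SSL 3.0: servers should refuse it (POODLE)")
    if info["fallback_scsv"]:
        findings.append("TLS_FALLBACK_SCSV present: downgraded retry; a server that "
                        "supports a higher version must abort (RFC 7507)")
    if info["sni"] is None:
        findings.append("no SNI: destination identifiable only by IP address")
    return findings


# Constructed samples: a modern browser-style hello, an SSL 3.0-only client, and the
# downgraded SSL 3.0 retry that a fallback-aware client would mark with the SCSV.
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0xC013, 0x002F], sni="www.example.com")
SSL3_HELLO = build_client_hello(SSL3, [0x000A, 0x002F])
FALLBACK_HELLO = build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])

if __name__ == "__main__":
    for label, rec in [("modern", MODERN_HELLO), ("ssl3", SSL3_HELLO), ("fallback", FALLBACK_HELLO)]:
        info = parse_client_hello(rec)
        print(label, info["version"], info["sni"], info["cipher_suites"], assess(info))
```

The point of the exercise is that version, SNI and cipher-suite visibility survive universal TLS, so per-destination accounting and "who is still offering SSL 3.0 on my network" questions can be answered from the handshake alone; what is gone is the payload, and management tooling has to be built on that assumption.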
Resources – Deploy360 Programme
http://www.internetsociety.org/deploy360/tls/
Providing:
• Resources to learn more about TLS
• Links to libraries and other tools
• Ongoing coverage on the Deploy360 blog of TLS-related issues and news

Resources – BetterCrypto.org
https://bettercrypto.org/
"This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators."
"This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.)."

Resources – Mozilla Server Side TLS Doc
https://wiki.mozilla.org/Security/Server_Side_TLS
Great document – and not just for Mozilla
"The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below."
"The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools."

Resources - NIST SP800-52r1
http://dx.doi.org/10.6028/NIST.SP.800-52r1
"Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations"
Document from the U.S. National Institute of Standards and Technology (NIST), revised in April 2014 (post-Snowden)
Aimed at US government agencies but provides a useful tutorial and set of guidelines for other organizations

One Challenge With TLS
How do you ensure that the TLS certificate the client is receiving is the correct TLS certificate that the server operator wants the client to receive?
This brings us to our next talk here at ION Santiago about DANE…

But Before That…
Questions?
How can we help you with deploying TLS within your network and with your customers?
What additional assistance do you need?
Thank you for helping make the Internet more secure!

Chris Grundemann
Director, Deployment & Operationalization
Internet Society
grundemann@isoc.org
http://www.internetsociety.org/deploy360/
Thank You!
www.isoc.org/do