The Snowden revelations - Lessons and Recommendations

  1. The Snowden revelations: Lessons and Recommendations. Achieving compliant security. Paul van Brouwershaven, Business Development Director. © GMO GlobalSign Group. All Rights Reserved. www.globalsign.com
  2. Business Development Director
     • Business Development Director for GlobalSign
     • Previously CTO of a European hosting company
     • Over 10 years of experience in the hosting industry
     • Expert in digital certificate solutions
     • Dedicated to increasing awareness of the requirements for online security
     • Thinking out of the box, detecting problems and providing solutions
  3. International footprint: customers spanning all industries
  4. Identity verification
  5. Digital certificates in practice: SSL encryption and identity assurance; secure email; Adobe PDF and Microsoft Office document security; code signing
  6. SSL
     • A communication protocol that can use several cipher suites to protect the confidentiality and integrity of data in transit between sender and receiver.
     • Carries a certificate, a record of identity validated by a third party (the certificate authority), so that the receiver can verify the authenticity of the data and of the party it is talking to.
  7. “The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet.” “They're doing it primarily by cheating, not by mathematics.” (Bruce Schneier)
  8. Is SSL broken?
     • SSL is 20 years old and has several known security issues
     • TLS is used instead of SSL in the majority of cases
  9. But we keep the door open
     • Servers often ship with a weak configuration by default
     • There is no clear view of client compatibility, especially for mobile and embedded devices
  10. TLS support by major browsers
  11. Cipher security: known feasible attacks
  12. “The math is good, but math has no agency. Code has agency, and the code has been subverted.” (Bruce Schneier)
  13. Potential backdoors?
     • Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG)
     • Documents "appear to confirm" that the backdoor was real and had been deliberately inserted by the National Security Agency (New York Times)
     • If a TLS implementation takes its random values and keys from Dual_EC_DRBG, whoever knows the secret relation between the generator's two curve points can recover its internal state from a short run of its output, and with it the session keys; that would allow the NSA to decrypt SSL/TLS traffic from such implementations
  14. Alexa top 1M has 68 776 sites in Germany
     • domain.com or subdomain(s): with SSL certificate 27%, no SSL certificate 73%
     • domain.com / www.domain.com: with SSL certificate 19%, no SSL certificate 81%
  15. Requirement for mass SSL deployment
     • By 2020, 50,000,000,000 'Things' will be connected to the Internet
     • Requires a huge number of IP addresses, since without Server Name Indication each SSL certificate needs its own IP address
  16. Slow IPv6 adoption (chart of per-country adoption percentages, all below 10%)
  17. Host multiple SSL certificates on a single IP address (TLS Server Name Indication, SNI). More on this topic? Visit the GlobalSign stand A07
  18. From the 36 992 sites tested in Germany, supported SSL/TLS versions:
     SSL 2.0   7 945 sites
     SSL 3.0   35 943 sites
     TLS 1.0   36 663 sites
     TLS 1.1   10 446 sites
     TLS 1.2   12 037 sites
  19. Improving server security
     • Enable support for TLS 1.0, 1.1 and 1.2, remove SSL
     Apache: SSLProtocol All -SSLv2 -SSLv3
     Nginx:  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  20. From the 36 992 sites tested in Germany: supported cipher suites (bar chart; the cipher-suite labels did not survive extraction)
  21. From the 17 311 sites tested in Germany
     • Support TLS forward secrecy: yes 84%, no 16%
     • Prefer TLS forward secrecy: yes 67%, no 33%
  22. Improving server security
     • Provide strong cipher suite preferences
     Apache: SSLHonorCipherOrder On
             SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:...........
     Nginx:  ssl_prefer_server_ciphers on;
             ssl_ciphers EDH+CAMELLIA:...........;
  23. Improving server security • Check your cipher suite preferences regularly!
  24. From 12 822 SSL sites ((www.)domain.com): OCSP stapling enabled: yes 5%, no 95%
  25. Improving server security
     • Enable OCSP stapling
     Apache: SSLUseStapling on
             SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
     Nginx:  ssl_stapling on;
             resolver 192.0.2.1;
  26. From 12 822 SSL sites ((www.)domain.com): HTTP Strict-Transport-Security enabled: yes 1%, no 99%
  27. Improving server security
     • Enable HTTP Strict-Transport-Security
     Apache: Header add Strict-Transport-Security "max-age=15768000"
     Nginx:  add_header Strict-Transport-Security max-age=15768000;
  28. Check your configuration regularly: sslcheck.globalsign.com
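Slides 19 to 27 give the four hardening steps (TLS-only protocols, server-side cipher order, OCSP stapling, HSTS) as Apache and nginx directives, and slide 28 asks for regular checks. As an added example, not taken from the slides or from GlobalSign, the Python script below applies those same checks offline to configuration snippets: it expands an Apache `SSLProtocol` list such as `All -SSLv2 -SSLv3` into the set of versions left enabled, reads the nginx `ssl_protocols` list directly, and then reports which of the four steps a snippet is missing. The directive names are the real Apache and nginx ones used on the slides; the snippets inside the script, and the "weak" configurations in particular, are constructed for the example, and `192.0.2.1` is the documentation-range placeholder the slide uses.

```python
import re

# Versions the SSLProtocol / ssl_protocols directives on the slides can toggle.
ALL_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
WEAK_VERSIONS = {"SSLv2", "SSLv3"}   # the slides say: keep TLS, remove SSL
MIN_HSTS_AGE = 15768000              # six months, the max-age used on the slides
# Matches the Apache 'Header add ...' and nginx 'add_header ...' HSTS lines.
HSTS_RE = re.compile(r"Strict-Transport-Security.*?max-age=(\d+)", re.IGNORECASE)

def directives(text):
    """Yield (name, args, line) per directive; drops '#' comments and nginx ';'."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:], line

def apache_protocols(args):
    """Expand an SSLProtocol list such as 'All -SSLv2 -SSLv3' into the enabled set."""
    enabled = set()
    for tok in args:
        if tok.lower() == "all":
            enabled.update(ALL_VERSIONS)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def is_on(args):
    return bool(args) and args[0].lower() == "on"

def audit(text, flavor):
    """Return the findings for an 'apache' or 'nginx' snippet; [] means all checks passed."""
    assert flavor in ("apache", "nginx"), flavor
    protocols, server_order, stapling, hsts_age = None, False, False, None
    for name, args, line in directives(text):
        if flavor == "apache":
            if name == "sslprotocol":
                protocols = apache_protocols(args)
            elif name == "sslhonorcipherorder":
                server_order = is_on(args)
            elif name == "sslusestapling":
                stapling = is_on(args)
            elif name == "header" and (m := HSTS_RE.search(line)):
                hsts_age = int(m.group(1))
        else:
            if name == "ssl_protocols":
                protocols = set(args)
            elif name == "ssl_prefer_server_ciphers":
                server_order = is_on(args)
            elif name == "ssl_stapling":
                stapling = is_on(args)
            elif name == "add_header" and (m := HSTS_RE.search(line)):
                hsts_age = int(m.group(1))
    findings = []
    if protocols is None:
        findings.append("no protocol directive: the server default applies")
    else:
        weak = sorted(protocols & WEAK_VERSIONS)
        if weak:
            findings.append("weak protocols enabled: " + ", ".join(weak))
        if "TLSv1.2" not in protocols:
            findings.append("TLSv1.2 not enabled")
    if not server_order:
        findings.append("server cipher-suite order not enforced")
    if not stapling:
        findings.append("OCSP stapling off")
    if hsts_age is None:
        findings.append("no Strict-Transport-Security header")
    elif hsts_age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {hsts_age} is below {MIN_HSTS_AGE}")
    return findings

# Constructed snippets for this example: the weak ones stand in for an untouched
# install, the hardened ones use the directives shown on slides 19 to 27.
WEAK_APACHE = "SSLProtocol All -SSLv2\nSSLCipherSuite HIGH:!aNULL:!MD5\n"
HARDENED_APACHE = """
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
Header add Strict-Transport-Security "max-age=15768000"
"""
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1;\nssl_ciphers HIGH:!aNULL:!MD5;\n"
HARDENED_NGINX = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_stapling on;
resolver 192.0.2.1;   # nginx needs a resolver to look up the OCSP responder
add_header Strict-Transport-Security max-age=15768000;
"""
SAMPLES = {"weak apache": (WEAK_APACHE, "apache"), "hardened apache": (HARDENED_APACHE, "apache"),
           "weak nginx": (WEAK_NGINX, "nginx"), "hardened nginx": (HARDENED_NGINX, "nginx")}

if __name__ == "__main__":
    for label, (text, flavor) in SAMPLES.items():
        print(f"{label}: {audit(text, flavor) or ['all checks pass']}")
```

Two caveats the directives on the slides do not show: Apache's `Header add` appends the header even when one is already present and, without `always`, is not applied to error responses, so `Header always set Strict-Transport-Security "max-age=15768000"` is the more robust form; in nginx, `add_header` lines inside a `location` block replace the ones inherited from the `server` block, so the HSTS header has to be repeated in every location that sets its own headers. The `All` expansion follows Apache's semantics of enabling every version the build supports; on a build without SSLv2 the `-SSLv2` token simply has nothing to remove.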
  29. Questions?