18. KeyExchange
RSA: fast, but no forward secrecy.
DHE: forward secrecy, but not fast enough.
ECDHE: fast and forward secrecy.
19. Let's see them in action
https://www.ssllabs.com/ssltest
24. Few takeaways: Keys
● 1024 bits is asking for trouble
● 2048 bits minimum viable
● 4096 good standard
● Switch to ECDSA in future!
25. Few takeaways: Keys
Generating ECDSA keys:
256-bit key:
openssl ecparam -name prime256v1 -genkey -out my.key
521-bit key:
openssl ecparam -name secp521r1 -genkey -out my.key
26. Few takeaways: Choosing a CA
● At least supports Certificate Revocation Lists (CRL)
● Supports Online Certificate Status Protocol (OCSP)
● Consider the trustworthiness of your country's or corporate CA
34. STARTTLS ≠ TLS
Plaintext protocols, viz. IMAP, POP and SMTP, needed support for encrypted connections.
35. STARTTLS ≠ TLS
Simple solution: use a different port.
IMAP uses port 143, SSL/TLS port 993.
POP uses port 110, SSL/TLS port 995.
SMTP uses port 25, SSL/TLS port 465.
and LDAP, XMPP, etc.
36. STARTTLS ≠ TLS
But having two ports is just a waste of resources...
37. STARTTLS ≠ TLS
STARTTLS can simply be called to upgrade a plaintext connection to TLS.
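The upgrade step described above, as an added example that is not part of the deck: a minimal Python SMTP client that parses the EHLO reply, refuses to continue in plaintext if STARTTLS is not advertised or is rejected, and only then wraps the socket in TLS. The hostname and the EHLO replies are constructed for illustration.

```python
"""Minimal SMTP STARTTLS upgrade (illustrative example, not the deck's code).

A STARTTLS session begins in plaintext on port 25/587 and is only upgraded
to TLS after the client asks for it, unlike port 465 where TLS is implicit.
"""
import socket
import ssl


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply into {KEYWORD: parameter-string}.

    Lines look like '250-STARTTLS' (more follow) or '250 SIZE 10240000' (last).
    The first 250 line carries the server's name, not a capability.
    """
    caps = {}
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    for body in (ln[4:].strip() for ln in lines[1:]):  # drop '250-' / '250 '
        if body:
            keyword, _, params = body.partition(" ")
            caps[keyword.upper()] = params
    return caps


def starttls_offered(reply: str) -> bool:
    """True only if the server explicitly advertised STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)


def upgrade_to_tls(sock: socket.socket, hostname: str) -> ssl.SSLSocket:
    """Upgrade an open plaintext SMTP socket (greeting already read) to TLS.

    Fails closed: never continues in plaintext when STARTTLS is missing or
    refused, since silently carrying on is exactly the downgrade to avoid.
    Assumes the whole EHLO reply arrives in one recv() for brevity.
    """
    sock.sendall(b"EHLO client.example\r\n")
    reply = sock.recv(4096).decode("ascii", "replace")
    if not starttls_offered(reply):
        raise RuntimeError("server did not offer STARTTLS; refusing plaintext")
    sock.sendall(b"STARTTLS\r\n")
    if not sock.recv(4096).startswith(b"220"):
        raise RuntimeError("server refused STARTTLS; refusing plaintext")
    ctx = ssl.create_default_context()  # verifies chain and hostname
    return ctx.wrap_socket(sock, server_hostname=hostname)  # re-EHLO after this


# Constructed EHLO replies (not captured from a real server).
EHLO_WITH_STARTTLS = "250-mail.example\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_WITHOUT_STARTTLS = "250-mail.example\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"
```

After a successful upgrade the client must send EHLO again, because capabilities advertised before the TLS handshake are not trustworthy.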