Amazon CloudFront Seminar: Accelerated TLS/SSL Adoption
Hayato Kiriyama, Security Solutions Architect, Amazon Web Services Japan K.K.
2016.8.4
Session Agenda
Past: History and Transition of TLS/SSL
Present: Recent Trends in Web Traffic Encryption
Future: The Future of Web Services
Session Agenda (section divider): Past (History and Transition of TLS/SSL), Present (Recent Trends in Web Traffic Encryption), Future (The Future of Web Services)
History of TLS/SSL: Evolution of Web Encryption Technologies
1995 SSL2.0 | 1996 SSL3.0 | 1999 TLS1.0 | 2006 TLS1.1 | 2008 TLS1.2 | 2013 Planning of TLS1.3 starts
Evolution of TLS/SSL

Resistance to attack vectors                                | SSL2.0 | SSL3.0 | TLS1.0         | TLS1.1 | TLS1.2
Downgrade attacks (forced downgrade of encryption strength) | Weak   | Secure | Secure         | Secure | Secure
Version rollback attacks (forced revert to SSL2.0)          | Weak   | Secure | Secure         | Secure | Secure
CBC mode vulnerability attacks (BEAST/POODLE)               | Weak   | Weak   | Patch required | Secure | Secure

Supported encryption algorithms                             | SSL2.0     | SSL3.0     | TLS1.0     | TLS1.1     | TLS1.2
128-bit block cipher (AES, Camellia)                        | No support | No support | Supported  | Supported  | Supported
Authenticated encryption (GCM, CCM)                         | No support | No support | No support | No support | Supported
Elliptic curve cryptography (ECC)                           | No support | No support | Supported  | Supported  | Supported
SHA-2 hash algorithms (SHA-256, SHA-384)                    | No support | No support | No support | No support | Supported

Source: SSL/TLS Encryption Guidelines v1.1, IPA
http://www.ipa.go.jp/files/000045645.pdf
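The table above lists the protocol and cipher properties that separate the legacy versions from TLS1.2. The script below is an added example, not code from the deck or from the IPA guidelines: it builds a client ssl.SSLContext matching the TLS1.2 column (TLS 1.2 as the floor, AEAD bulk ciphers, ECDHE key exchange) beside a deliberately permissive one, and audits either context for the weaknesses the table names. It assumes Python's standard ssl module on a current OpenSSL; the cipher strings and the finding labels ("not-aead", "no-forward-secrecy") are the example's own.

```python
"""Audit a Python ssl.SSLContext against the properties in the TLS/SSL table:
TLS 1.2 as the minimum protocol, AEAD suites (GCM/CCM/ChaCha20-Poly1305) and
ephemeral (ECDHE/DHE) key exchange. Added example, not from the original deck."""
import ssl


def legacy_context() -> ssl.SSLContext:
    """A deliberately permissive client context (constructed for illustration):
    no explicit protocol floor, and a CBC suite with RSA key exchange enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # AES128-SHA is TLS_RSA_WITH_AES_128_CBC_SHA: CBC mode (the BEAST/POODLE
    # class of construction) and no forward secrecy. The ECDHE-GCM suite is
    # kept alongside it so the cipher string is accepted by OpenSSL.
    ctx.set_ciphers("AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context matching the TLS1.2 column of the table."""
    ctx = ssl.create_default_context()  # certificate verification + CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ECDHE key exchange with AEAD bulk ciphers only.
    # TLS 1.3 suites are AEAD-only and are configured separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Return {"protocol": [issues], "ciphers": {cipher_name: [issues]}}."""
    protocol_issues = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED and TLSv1/TLSv1_1 sort below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        protocol_issues.append("minimum_version below TLS 1.2 (SSL/early TLS still negotiable)")

    cipher_issues = {}
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 suite is AEAD with ephemeral key exchange
        issues = []
        if not cipher["aead"]:
            issues.append("not-aead")  # MAC-then-encrypt CBC or stream construction
        # OpenSSL reports the key-exchange method as kx-rsa, kx-dhe, kx-ecdhe, ...
        if "dhe" not in cipher["kea"]:
            issues.append("no-forward-secrecy")
        if issues:
            cipher_issues[cipher["name"]] = issues
    return {"protocol": protocol_issues, "ciphers": cipher_issues}


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx))
```

The audit inspects configuration only, so it runs offline; pointing the same checks at a context produced by an application's own TLS setup code is a cheap way to catch a regression back to SSL/early TLS before it reaches a PCI DSS assessment.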
History of TLS/SSL: Evolution of Web Encryption Technologies and the Battle Against Vulnerabilities
Protocol versions: 1995 SSL2.0 | 1996 SSL3.0 | 1999 TLS1.0 | 2006 TLS1.1 | 2008 TLS1.2 | 2013 Planning of TLS1.3 starts
Vulnerabilities: 2011 BEAST | 2014/04 Heartbleed | 2014/09 POODLE | 2015 FREAK | 2016/03 DROWN
Session Agenda (section divider): Past (History and Transition of TLS/SSL), Present (Recent Trends in Web Traffic Encryption), Future (The Future of Web Services)
Indexing of HTTPS Pages by Default
Source: Google Webmaster Central Blog (Dec. 17, 2015)
https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html
PCI DSS v3.2 Requirements
Source: PCI DSS Requirements and Security Assessment Procedures Version 3.2 (April 2016)
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
By June 30, 2016: "All service providers must provide a secure service offering"
By June 30, 2018: "After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol"
App Transport Security (ATS) Required by End of 2016
Source: Apple will require HTTPS connections for iOS apps by the end of 2016 (June 14, 2016)
https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/324759/
HTTP Strict Transport Security (HSTS): Enforces HTTPS on google.com*
Source: Google's HSTS rollout: Forced HTTPS for google.com aims to help block attacks (August 1, 2016)
http://www.zdnet.com/article/googles-hsts-rollout-forced-https-for-google-com-aims-to-help-block-attacks/
* Gmail, Inbox, Google Play, Hangouts, Docs
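HSTS only enforces HTTPS when the browser receives a well-formed Strict-Transport-Security header over an HTTPS response, so a deployment is worth checking header by header. The following Python script is an added example, not code from the deck or from Google: it parses the header per RFC 6797 (max-age required, each directive at most once, unknown directives ignored), evaluates a response for the conditions under which browsers ignore the policy, and runs over a handful of constructed sample responses. The one-year floor on max-age is an assumption of the example, not a figure from the deck.

```python
"""Parse and evaluate Strict-Transport-Security (HSTS) headers, RFC 6797.
Added example, not from the original deck; sample responses are constructed."""
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # assumption: common floor for a production (and preload) policy


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value. Raises ValueError in the cases where a browser
    would ignore the header: missing or non-numeric max-age, or a directive
    given more than once (RFC 6797 section 6.1)."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age value may be a quoted-string
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"bad max-age value: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as RFC 6797 section 6.1 requires
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def is_valid_hsts(value: str) -> bool:
    try:
        parse_hsts(value)
        return True
    except ValueError:
        return False


def evaluate_hsts(scheme: str, headers: dict) -> list:
    """Return findings for one response. Browsers ignore HSTS received over
    plain HTTP (RFC 6797 section 7.2), so the scheme is part of the check."""
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    if scheme != "https":
        findings.append("HSTS sent over plain HTTP: browsers ignore it")
    try:
        policy = parse_hsts(value)
    except ValueError as err:
        findings.append(f"malformed HSTS header ({err}): browsers ignore it")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 removes the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains still reachable over HTTP")
    return findings


# Constructed sample responses (scheme, headers); not captured from any real site.
SAMPLES = {
    "good":   ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "short":  ("https", {"strict-transport-security": "max-age=86400"}),
    "http":   ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
    "broken": ("https", {"Strict-Transport-Security": "includeSubDomains"}),
    "none":   ("https", {"Content-Type": "text/html"}),
}


def audit_samples() -> dict:
    return {name: evaluate_hsts(scheme, hdrs) for name, (scheme, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'ok'}")
```

The "http" sample is the case operators most often miss: the header is syntactically perfect but, because it arrived over HTTP, the browser never records the policy, so the HTTP-to-HTTPS redirect must come first and the header must be set on the HTTPS response.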
Upgrade to TLS 1.2 and HTTP/1.1 (PayPal)
Source: TLS 1.2 and HTTP/1.1 Upgrade Microsite, PayPal
https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1914
Greater Enforcement by Industry/Vendors
Battle against vulnerabilities: 2011 BEAST | 2014/04 Heartbleed | 2014/09 POODLE | 2015 FREAK | 2016/03 DROWN
Industry enforcement: 2015/12 Indexing HTTPS pages by default | 2016/04 PCI DSS v3.2 | 2016/07 Mandatory ATS | 2016/08 HTTP Strict Transport Security (HSTS) | 2017/06/30 Mandatory TLS1.2
Session Agenda (section divider): Past (History and Transition of TLS/SSL), Present (Recent Trends in Web Traffic Encryption), Future (The Future of Web Services)
Survey of Most Popular Websites
Source: Survey of the SSL Implementation of the Most Popular Web Sites, SSL Pulse
https://www.trustworthyinternet.org/ssl-pulse/

HTTPS Adoption Rate: Percentage of Requests to Top 1,000,000 URLs in Alexa
Source: HTTP Archive Trends
http://httparchive.org/trends.php#perHttps
Web Sites with Always On SSL
[Figure: two site maps with the pages Top Page, Service Introduction, Case Studies and Seminar Registration, contrasting Partial SSL (HTTPS on only some pages) with Always On SSL (HTTPS on every page)]
Benefits of Always On SSL

Item                                      | Effects                                                      | Business Benefits
Search engine optimization                | Higher rankings in Google search results                     | Increase in marketing presence
Obtain referrer data                      | Access analytics of web sites                                | Analyze user behavior
Web site development and operation        | Protect and maintain contents, URLs, and configuration files | Lower development and operational costs
Eavesdropping on vulnerable access points | Prevent man-in-the-middle and spoofing attacks               | Protect users from damages
Use of HTTP/2                             | Faster web pages                                             | Better user experience
HTTPS for Maximizing Business Value
Industry enforcement: 2015/12 Indexing HTTPS pages by default | 2016/04 PCI DSS v3.2 | 2016/07 Mandatory ATS | 2016/08 HTTP Strict Transport Security (HSTS) | 2017/06/30 Mandatory TLS1.2
Business benefits: Increase in marketing benefits | Lower costs | Increase in user benefits

Shifting to the Era of Complete HTTPS
Evolution of web encryption + Battle against vulnerabilities + Industry enforcement + Business benefits -> Complete HTTPS
Conclusion: Behind Accelerated TLS/SSL Adoption
Past (Battle Against Vulnerabilities): Security
Present (Industry Enforcement): Trust and Reliability
Future (Business Benefits): Greater Business Value