SlideShare a Scribd company logo

Analysis of TLS in SMTP World

Download as PPTX, PDF
Binu Ramakrishnan
Binu Ramakrishnan

This talk presents a comprehensive analysis of TLS in the SMTP world. We scanned over 20 million unique email recipient domains and analyzed TLS (X.509) certificates to measure overall STARTTLS deployment quality. We discovered a wealth of information that was previously unknown. The analysis will provide a good baseline in terms of STARTTLS and TLS certificates used in SMTP. Scan tool: https://prbinu.github.io/tls-scan

1 of 33
Analysis of TLS in SMTP World Binu Ramakrishnan Yahoo M3AAWG 34th General Meeting | Dublin, June 2015
BIO M3AAWG 34th General Meeting | Dublin, June 2015  Product Security Engineer, Yahoo Mail – Focused on user data protection and application security  Experience in building Internet scale systems  github.com/prbinu  @securitysauce
Overview M3AAWG 34th General Meeting | Dublin, June 2015 1. Introduction STARTTLS 2. Methodology 3. Findings Certificates TLS Sessions 4. Conclusion 5. Q&A
Objective M3AAWG 34th General Meeting | Dublin, June 2015 • Why STARTTLS is important • Protect user privacy • In case of E2E encryption (GPG/S-MIME) STARTTLS protects meta data from eavesdropping • Understand current STARTTLS deployments with MTAs • Measure overall deployment quality • Present the findings
SMTP Refresher M3AAWG 34th General Meeting | Dublin, June 2015 Source:Wikipedia
Let’s STARTTLS M3AAWG 34th General Meeting | Dublin, June 2015 220 mta-x.mail.bf1.yahoo.com ESMTP ready EHLO mta-x.mail.bf1.yahoo.com 250-mta-x.mail.bf1.yahoo.com 250-PIPELINING 250-SIZE 41943040 250-8BITMIME 250 STARTTLS STARTTLS 220 Start TLS ...
STARTTLS Opportunistic Security M3AAWG 34th General Meeting | Dublin, June 2015 “Some protection most of the time*” • rfc7435 • img source http://bit.ly/1Tujhnc
TLS, PKI and X509 V3 Certificates M3AAWG 34th General Meeting | Dublin, June 2015 Trusted by Client RootCA Intermediate CA-1 Intermediate CA-2 Leaf Certificate-1 Leaf Certificate-2 Leaf Certificate-n
Methodology M3AAWG 34th General Meeting | Dublin, June 2015 • Input size: 20M unique domains • Resolved domain to MX using a fast DNS lookup program • Identify unique MX 6M domains • Scanned MXs to collect TLS data • Completed in 4 hours (28 threads) • Non-blocking event driven program written in C++ • Generated ~10GB of data • Analysis using std Unix text processing tools
M3AAWG 34th General Meeting | Dublin, June 2015
Findings M3AAWG 34th General Meeting | Dublin, June 2015 • Domain-MX-IP Distribution • Certificates • TLS Sessions
M3AAWG 34th General Meeting | Dublin, June 2015
M3AAWG 34th General Meeting | Dublin, June 2015
M3AAWG 34th General Meeting | Dublin, June 2015 80% of MXs we scanned support STARTTLS
Certificates M3AAWG 34th General Meeting | Dublin, June 2015
M3AAWG 34th General Meeting | Dublin, June 2015 Outliers • Half a dozen self- signed ECDSA keys • 512-bit RSA keys • 1024-bit DSA keys • 10240-bit RSA keys ` • Observed few CAs issuing 1024 bit RSA certs in last 2 years • Few are issued with validity period of 10 years Almost same distribution between unique MX and Certs
Signature Algorithm M3AAWG 34th General Meeting | Dublin, June 2015 We are mostly compliant  but … Long live MD2; but this may be not as bad as you think.
M3AAWG 34th General Meeting | Dublin, June 2015 Certificate Trust
M3AAWG 34th General Meeting | Dublin, June 2015
Certificate Expiry M3AAWG 34th General Meeting | Dublin, June 2015 Image source: https://www.flickr.com/photos/eatmorechips/4409100553 Significant number of expired certs is worrisome Some certs that are currently in use expired a decade ago. Is it important?
M3AAWG 34th General Meeting | Dublin, June 2015 • What about the CA bundles we trust? • Are we updating our CA bundle? • Apple, Microsoft, Mozilla and Fedora/RHEL root certificates Trusting the Trust Image source: https://www.flickr.com/photos/dobs/10726756606/
M3AAWG 34th General Meeting | Dublin, June 2015
Other Observations M3AAWG 34th General Meeting | Dublin, June 2015 • Few IPs returned more than 100 unique certs. • 9% of total unique certs comprises of X509 Version-1 (4% for unique MX domains); Few valid X509 V1 root CA certs • Domain MXs directly pointing to rfc1918 private address space • 10K MXs resolved directly to IP, not to a hostname • Valid certs - SAN with more than 200 domain names Image source:https://www.flickr.com/photos/dkshots/6880699090/
M3AAWG 34th General Meeting | Dublin, June 2015 Note: Subject Common Name is deprecated in favor of SAN. So it is important to validate server hostname against SAN Also found large number (676857) of certs with empty SAN field
M3AAWG 34th General Meeting | Dublin, June 2015
TLS Session/Ciphers M3AAWG 34th General Meeting | Dublin, June 2015
SSL Protocol Version Distribution M3AAWG 34th General Meeting | Dublin, June 2015 We also observed an SSLv2 endpoint
M3AAWG 34th General Meeting | Dublin, June 2015
Cipher Distribution M3AAWG 34th General Meeting | Dublin, June 2015 PFS 80%
Logjam M3AAWG 34th General Meeting | Dublin, June 2015 Weak DH 512 and 1024 bit temp key usage Image source: https://www.flickr.com/photos/foresthistory/3663198360/
M3AAWG 34th General Meeting | Dublin, June 2015 Compare with HTTPS The luxury that we don’t have! • CA-Browser (CAB) Forum • Strict certificate validation • Root certificate management & bundling • HTTPS establishes TLS session before making a HTTP request • HPKP, HSTS
Conclusion M3AAWG 34th General Meeting | Dublin, June 2015 • Positive Trends • Opportunistic encryption is proved to be effective against passive attacks. • Modern TLS protocols & ciphers - TLSv1.2 and PFS are widely in use • RSA public keys < 2048 bits still exists in large number, but the overall percentage is low – a positive trend when compared with previous years • Challenges • ~20% of MTAs are with no STARTTLS support • Concerns with the trusting/handling root CA bundles • Mitigating active attacks would be a challenge because of: • Large number of self-signed/expired certificates • Use of vulnerable ciphers & SSL versions • Backward interoperability with plain text SMTP option
Questions? M3AAWG 34th General Meeting | Dublin, June 2015 Thank you!

Recommended

2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement
Shawn Wells
 
Hashgraph as Code
Hashgraph as CodeHashgraph as Code
Hashgraph as Code
Calvin Cheng
 
Csa summit 2017 - Plataforma de Seguridad para entornos Cloud
Csa summit 2017 - Plataforma de Seguridad para entornos CloudCsa summit 2017 - Plataforma de Seguridad para entornos Cloud
Csa summit 2017 - Plataforma de Seguridad para entornos Cloud
CSA Argentina
 
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppMRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
NGINX, Inc.
 
State of the Web
State of the WebState of the Web
State of the Web
CASCouncil
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
Deploy360 Programme (Internet Society)
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internet
Rony Melo
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
Deploy360 Programme (Internet Society)
 

Recommended

2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement
Shawn Wells
 
Hashgraph as Code
Hashgraph as CodeHashgraph as Code
Hashgraph as Code
Calvin Cheng
 
Csa summit 2017 - Plataforma de Seguridad para entornos Cloud
Csa summit 2017 - Plataforma de Seguridad para entornos CloudCsa summit 2017 - Plataforma de Seguridad para entornos Cloud
Csa summit 2017 - Plataforma de Seguridad para entornos Cloud
CSA Argentina
 
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppMRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
NGINX, Inc.
 
State of the Web
State of the WebState of the Web
State of the Web
CASCouncil
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
Deploy360 Programme (Internet Society)
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internet
Rony Melo
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
Deploy360 Programme (Internet Society)
 
Csa Summit 2017 - Un viaje seguro hacia la nube
Csa Summit 2017 - Un viaje seguro hacia la nubeCsa Summit 2017 - Un viaje seguro hacia la nube
Csa Summit 2017 - Un viaje seguro hacia la nube
CSA Argentina
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
NetworkCollaborators
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
Deploy360 Programme (Internet Society)
 
Software-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and RightSoftware-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and Right
SBWebinars
 
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
James Bromberger
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
MyNOG
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 
David Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & RansomwareDavid Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & Ransomware
CSNP
 
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE - ATT&CKcon
 
Solving CI Operational Challenges
Solving CI Operational ChallengesSolving CI Operational Challenges
Solving CI Operational Challenges
Nicolas Corrarello
 
Smart City Lab 2 - Connect and Chat with your Device
Smart City Lab 2 - Connect and Chat with your DeviceSmart City Lab 2 - Connect and Chat with your Device
Smart City Lab 2 - Connect and Chat with your Device
Peter Waher
 
Presented AITC Blockchain Framework @ NPC 17
Presented AITC Blockchain Framework @ NPC 17Presented AITC Blockchain Framework @ NPC 17
Presented AITC Blockchain Framework @ NPC 17
Rajesh Kumar
 
ROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationROTLD DNSSEC Implementation
ROTLD DNSSEC Implementation
Kevin Meynell
 
IETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterIETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work Better
Deploy360 Programme (Internet Society)
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with Panther
Panther Labs
 
Cisco Security Technical Alliances
Cisco Security Technical AlliancesCisco Security Technical Alliances
Cisco Security Technical Alliances
Cisco DevNet
 
MRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service CommunicationMRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service Communication
NGINX, Inc.
 
MRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternMRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker Pattern
NGINX, Inc.
 
2013-08-22 NSA System Security & Management
2013-08-22 NSA System Security & Management2013-08-22 NSA System Security & Management
2013-08-22 NSA System Security & Management
Shawn Wells
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
dianadvo
 
Securing application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environmentsSecuring application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environments
Binu Ramakrishnan
 
Smtp 102013
Smtp 102013Smtp 102013
Smtp 102013
RedChip Companies, Inc.
 

More Related Content

What's hot

Csa Summit 2017 - Un viaje seguro hacia la nube
Csa Summit 2017 - Un viaje seguro hacia la nubeCsa Summit 2017 - Un viaje seguro hacia la nube
Csa Summit 2017 - Un viaje seguro hacia la nube
CSA Argentina
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
NetworkCollaborators
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
Deploy360 Programme (Internet Society)
 
Software-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and RightSoftware-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and Right
SBWebinars
 
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
James Bromberger
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
MyNOG
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 
David Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & RansomwareDavid Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & Ransomware
CSNP
 
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE - ATT&CKcon
 
Solving CI Operational Challenges
Solving CI Operational ChallengesSolving CI Operational Challenges
Solving CI Operational Challenges
Nicolas Corrarello
 
Smart City Lab 2 - Connect and Chat with your Device
Smart City Lab 2 - Connect and Chat with your DeviceSmart City Lab 2 - Connect and Chat with your Device
Smart City Lab 2 - Connect and Chat with your Device
Peter Waher
 
Presented AITC Blockchain Framework @ NPC 17
Presented AITC Blockchain Framework @ NPC 17Presented AITC Blockchain Framework @ NPC 17
Presented AITC Blockchain Framework @ NPC 17
Rajesh Kumar
 
ROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationROTLD DNSSEC Implementation
ROTLD DNSSEC Implementation
Kevin Meynell
 
IETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterIETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work Better
Deploy360 Programme (Internet Society)
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with Panther
Panther Labs
 
Cisco Security Technical Alliances
Cisco Security Technical AlliancesCisco Security Technical Alliances
Cisco Security Technical Alliances
Cisco DevNet
 
MRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service CommunicationMRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service Communication
NGINX, Inc.
 
MRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternMRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker Pattern
NGINX, Inc.
 
2013-08-22 NSA System Security & Management
2013-08-22 NSA System Security & Management2013-08-22 NSA System Security & Management
2013-08-22 NSA System Security & Management
Shawn Wells
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
dianadvo
 

What's hot (20)

Csa Summit 2017 - Un viaje seguro hacia la nube
Csa Summit 2017 - Un viaje seguro hacia la nubeCsa Summit 2017 - Un viaje seguro hacia la nube
Csa Summit 2017 - Un viaje seguro hacia la nube
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
Software-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and RightSoftware-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and Right
 
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
 
David Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & RansomwareDavid Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & Ransomware
 
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
 
Solving CI Operational Challenges
Solving CI Operational ChallengesSolving CI Operational Challenges
Solving CI Operational Challenges
 
Smart City Lab 2 - Connect and Chat with your Device
Smart City Lab 2 - Connect and Chat with your DeviceSmart City Lab 2 - Connect and Chat with your Device
Smart City Lab 2 - Connect and Chat with your Device
 
Presented AITC Blockchain Framework @ NPC 17
Presented AITC Blockchain Framework @ NPC 17Presented AITC Blockchain Framework @ NPC 17
Presented AITC Blockchain Framework @ NPC 17
 
ROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationROTLD DNSSEC Implementation
ROTLD DNSSEC Implementation
 
IETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterIETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work Better
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with Panther
 
Cisco Security Technical Alliances
Cisco Security Technical AlliancesCisco Security Technical Alliances
Cisco Security Technical Alliances
 
MRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service CommunicationMRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service Communication
 
MRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternMRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker Pattern
 
2013-08-22 NSA System Security & Management
2013-08-22 NSA System Security & Management2013-08-22 NSA System Security & Management
2013-08-22 NSA System Security & Management
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
 

Viewers also liked

Securing application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environmentsSecuring application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environments
Binu Ramakrishnan
 
Smtp 102013
Smtp 102013Smtp 102013
Smtp 102013
RedChip Companies, Inc.
 
Continuous Delivery in the AWS Cloud
Continuous Delivery in the AWS CloudContinuous Delivery in the AWS Cloud
Continuous Delivery in the AWS Cloud
Nigel Fernandes
 
Scaling Up Continuous Deployment
Scaling Up Continuous DeploymentScaling Up Continuous Deployment
Scaling Up Continuous Deployment
Timothy Fitz
 
The Hard Problems of Continuous Deployment
The Hard Problems of Continuous DeploymentThe Hard Problems of Continuous Deployment
The Hard Problems of Continuous DeploymentTimothy Fitz
 
Infrastructure Continuous Delivery using CloudFormation
Infrastructure Continuous Delivery using CloudFormationInfrastructure Continuous Delivery using CloudFormation
Infrastructure Continuous Delivery using CloudFormation
joehack3r
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
Deep Dive: Infrastructure as Code
Deep Dive: Infrastructure as CodeDeep Dive: Infrastructure as Code
Deep Dive: Infrastructure as Code
Amazon Web Services
 
Continuous Deployment: Beyond Continuous Delivery
Continuous Deployment: Beyond Continuous DeliveryContinuous Deployment: Beyond Continuous Delivery
Continuous Deployment: Beyond Continuous Delivery
Timothy Fitz
 
Infrastructure as Code with AWS CloudFormation
Infrastructure as Code with AWS CloudFormationInfrastructure as Code with AWS CloudFormation
Infrastructure as Code with AWS CloudFormation
Justyna Janczyszyn
 
IBM Innovate - Adoption of Continuous Delivery at Scale at a large telco v0 3
IBM Innovate - Adoption of Continuous Delivery at Scale at a large telco v0 3IBM Innovate - Adoption of Continuous Delivery at Scale at a large telco v0 3
IBM Innovate - Adoption of Continuous Delivery at Scale at a large telco v0 3
Mirco Hering
 
Dod is not done
Dod is not doneDod is not done
Dod is not done
Kris Buytaert
 
Jenkins CI + XebiaLabs for Release Orchestration: A Recipe for Continuous Del...
Jenkins CI + XebiaLabs for Release Orchestration: A Recipe for Continuous Del...Jenkins CI + XebiaLabs for Release Orchestration: A Recipe for Continuous Del...
Jenkins CI + XebiaLabs for Release Orchestration: A Recipe for Continuous Del...
XebiaLabs
 
CI&CD on AWS - Meetup Roma Oct 2016
CI&CD on AWS - Meetup Roma Oct 2016CI&CD on AWS - Meetup Roma Oct 2016
CI&CD on AWS - Meetup Roma Oct 2016
Paolo latella
 
Continuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsContinuous Deployment: The Dirty Details
Continuous Deployment: The Dirty Details
Mike Brittain
 
The Journey of devops and continuous delivery in a Large Financial Institution
The Journey of devops and continuous delivery in a Large Financial InstitutionThe Journey of devops and continuous delivery in a Large Financial Institution
The Journey of devops and continuous delivery in a Large Financial Institution
Kris Buytaert
 
Continuous Integration, Build Pipelines and Continuous Deployment
Continuous Integration, Build Pipelines and Continuous DeploymentContinuous Integration, Build Pipelines and Continuous Deployment
Continuous Integration, Build Pipelines and Continuous Deployment
Christopher Read
 
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
Daniel Bryant
 
AWS May Webinar Series - Deep Dive: Infrastructure as Code
AWS May Webinar Series - Deep Dive: Infrastructure as CodeAWS May Webinar Series - Deep Dive: Infrastructure as Code
AWS May Webinar Series - Deep Dive: Infrastructure as Code
Amazon Web Services
 

Viewers also liked (20)

Securing application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environmentsSecuring application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environments
 
Smtp 102013
Smtp 102013Smtp 102013
Smtp 102013
 
Continuous Delivery in the AWS Cloud
Continuous Delivery in the AWS CloudContinuous Delivery in the AWS Cloud
Continuous Delivery in the AWS Cloud
 
Scaling Up Continuous Deployment
Scaling Up Continuous DeploymentScaling Up Continuous Deployment
Scaling Up Continuous Deployment
 
The Hard Problems of Continuous Deployment
The Hard Problems of Continuous DeploymentThe Hard Problems of Continuous Deployment
The Hard Problems of Continuous Deployment
 
Infrastructure Continuous Delivery using CloudFormation
Infrastructure Continuous Delivery using CloudFormationInfrastructure Continuous Delivery using CloudFormation
Infrastructure Continuous Delivery using CloudFormation
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
 
Smtp server q&a webinar
Smtp server q&a webinarSmtp server q&a webinar
Smtp server q&a webinar
 
Deep Dive: Infrastructure as Code
Deep Dive: Infrastructure as CodeDeep Dive: Infrastructure as Code
Deep Dive: Infrastructure as Code
 
Continuous Deployment: Beyond Continuous Delivery
Continuous Deployment: Beyond Continuous DeliveryContinuous Deployment: Beyond Continuous Delivery
Continuous Deployment: Beyond Continuous Delivery
 
Infrastructure as Code with AWS CloudFormation
Infrastructure as Code with AWS CloudFormationInfrastructure as Code with AWS CloudFormation
Infrastructure as Code with AWS CloudFormation
 
IBM Innovate - Adoption of Continuous Delivery at Scale at a large telco v0 3
IBM Innovate - Adoption of Continuous Delivery at Scale at a large telco v0 3IBM Innovate - Adoption of Continuous Delivery at Scale at a large telco v0 3
IBM Innovate - Adoption of Continuous Delivery at Scale at a large telco v0 3
 
Dod is not done
Dod is not doneDod is not done
Dod is not done
 
Jenkins CI + XebiaLabs for Release Orchestration: A Recipe for Continuous Del...
Jenkins CI + XebiaLabs for Release Orchestration: A Recipe for Continuous Del...Jenkins CI + XebiaLabs for Release Orchestration: A Recipe for Continuous Del...
Jenkins CI + XebiaLabs for Release Orchestration: A Recipe for Continuous Del...
 
CI&CD on AWS - Meetup Roma Oct 2016
CI&CD on AWS - Meetup Roma Oct 2016CI&CD on AWS - Meetup Roma Oct 2016
CI&CD on AWS - Meetup Roma Oct 2016
 
Continuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsContinuous Deployment: The Dirty Details
Continuous Deployment: The Dirty Details
 
The Journey of devops and continuous delivery in a Large Financial Institution
The Journey of devops and continuous delivery in a Large Financial InstitutionThe Journey of devops and continuous delivery in a Large Financial Institution
The Journey of devops and continuous delivery in a Large Financial Institution
 
Continuous Integration, Build Pipelines and Continuous Deployment
Continuous Integration, Build Pipelines and Continuous DeploymentContinuous Integration, Build Pipelines and Continuous Deployment
Continuous Integration, Build Pipelines and Continuous Deployment
 
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
 
AWS May Webinar Series - Deep Dive: Infrastructure as Code
AWS May Webinar Series - Deep Dive: Infrastructure as CodeAWS May Webinar Series - Deep Dive: Infrastructure as Code
AWS May Webinar Series - Deep Dive: Infrastructure as Code
 

Similar to Analysis of TLS in SMTP World

RecordPoint Records365 vNext Launch
RecordPoint Records365 vNext LaunchRecordPoint Records365 vNext Launch
RecordPoint Records365 vNext Launch
RecordPoint
 
Scot-Cloud 2015
Scot-Cloud 2015Scot-Cloud 2015
Scot-Cloud 2015
Ray Bugg
 
Global Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key VaultGlobal Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key Vault
Alberto Diaz Martin
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
CASCouncil
 
SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...
SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...
SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...
SBA Research
 
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Cloud Security Alliance Lviv Chapter
 
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGCPKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGCNizar Ben Neji
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023
Shane Coughlan
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
Shain Singh
 
Big Data Expo 2015 - Anchormen Distributed video analysis
Big Data Expo 2015 - Anchormen Distributed video analysisBig Data Expo 2015 - Anchormen Distributed video analysis
Big Data Expo 2015 - Anchormen Distributed video analysis
BigDataExpo
 
Implementing Microsoft Teams Lifecycle Governance to Stop Team Sprawl M365C...
Implementing Microsoft Teams Lifecycle Governance to Stop Team Sprawl M365C... Implementing Microsoft Teams Lifecycle Governance to Stop Team Sprawl M365C...
Implementing Microsoft Teams Lifecycle Governance to Stop Team Sprawl M365C...
Nikki Chapple
 
Unicon July 2015 IAM Briefing
Unicon July 2015 IAM BriefingUnicon July 2015 IAM Briefing
Unicon July 2015 IAM Briefing
John Gasper
 
TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices
TLS 1.3: Expert Advice to Modernize Your Security and Decryption PracticesTLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices
TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices
Enterprise Management Associates
 
RPKI Tutorial and Hands-On
RPKI Tutorial and Hands-OnRPKI Tutorial and Hands-On
RPKI Tutorial and Hands-On
APNIC
 
Microsoft Azure News - 2018 March
Microsoft Azure News - 2018 MarchMicrosoft Azure News - 2018 March
Microsoft Azure News - 2018 March
Daniel Toomey
 
Azure licensing (not) so easy - Laurynas Dovydaitis
Azure licensing (not) so easy - Laurynas DovydaitisAzure licensing (not) so easy - Laurynas Dovydaitis
Azure licensing (not) so easy - Laurynas Dovydaitis
ITCamp
 
Campaign for clear licensing itam review microsoft event ny oct 2015
Campaign for clear licensing itam review microsoft event ny oct 2015Campaign for clear licensing itam review microsoft event ny oct 2015
Campaign for clear licensing itam review microsoft event ny oct 2015
Martin Thompson
 
Online Meetup #3 - Solo.io, Tidepool, Weaveworks, Buoyant
Online Meetup #3 - Solo.io, Tidepool, Weaveworks, BuoyantOnline Meetup #3 - Solo.io, Tidepool, Weaveworks, Buoyant
Online Meetup #3 - Solo.io, Tidepool, Weaveworks, Buoyant
Solo.io
 
Writing RPG Applications Using Cryptographic Services APIs
Writing RPG Applications Using Cryptographic Services APIsWriting RPG Applications Using Cryptographic Services APIs
Writing RPG Applications Using Cryptographic Services APIs
Carsten Flensburg
 
Getting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK CertificationGetting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK Certification
ITpreneurs
 

Similar to Analysis of TLS in SMTP World (20)

RecordPoint Records365 vNext Launch
RecordPoint Records365 vNext LaunchRecordPoint Records365 vNext Launch
RecordPoint Records365 vNext Launch
 
Scot-Cloud 2015
Scot-Cloud 2015Scot-Cloud 2015
Scot-Cloud 2015
 
Global Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key VaultGlobal Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key Vault
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...
SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...
SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...
 
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
 
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGCPKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
 
Big Data Expo 2015 - Anchormen Distributed video analysis
Big Data Expo 2015 - Anchormen Distributed video analysisBig Data Expo 2015 - Anchormen Distributed video analysis
Big Data Expo 2015 - Anchormen Distributed video analysis
 
Implementing Microsoft Teams Lifecycle Governance to Stop Team Sprawl M365C...
Implementing Microsoft Teams Lifecycle Governance to Stop Team Sprawl M365C... Implementing Microsoft Teams Lifecycle Governance to Stop Team Sprawl M365C...
Implementing Microsoft Teams Lifecycle Governance to Stop Team Sprawl M365C...
 
Unicon July 2015 IAM Briefing
Unicon July 2015 IAM BriefingUnicon July 2015 IAM Briefing
Unicon July 2015 IAM Briefing
 
TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices
TLS 1.3: Expert Advice to Modernize Your Security and Decryption PracticesTLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices
TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices
 
RPKI Tutorial and Hands-On
RPKI Tutorial and Hands-OnRPKI Tutorial and Hands-On
RPKI Tutorial and Hands-On
 
Microsoft Azure News - 2018 March
Microsoft Azure News - 2018 MarchMicrosoft Azure News - 2018 March
Microsoft Azure News - 2018 March
 
Azure licensing (not) so easy - Laurynas Dovydaitis
Azure licensing (not) so easy - Laurynas DovydaitisAzure licensing (not) so easy - Laurynas Dovydaitis
Azure licensing (not) so easy - Laurynas Dovydaitis
 
Campaign for clear licensing itam review microsoft event ny oct 2015
Campaign for clear licensing itam review microsoft event ny oct 2015Campaign for clear licensing itam review microsoft event ny oct 2015
Campaign for clear licensing itam review microsoft event ny oct 2015
 
Online Meetup #3 - Solo.io, Tidepool, Weaveworks, Buoyant
Online Meetup #3 - Solo.io, Tidepool, Weaveworks, BuoyantOnline Meetup #3 - Solo.io, Tidepool, Weaveworks, Buoyant
Online Meetup #3 - Solo.io, Tidepool, Weaveworks, Buoyant
 
Writing RPG Applications Using Cryptographic Services APIs
Writing RPG Applications Using Cryptographic Services APIsWriting RPG Applications Using Cryptographic Services APIs
Writing RPG Applications Using Cryptographic Services APIs
 
Getting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK CertificationGetting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK Certification
 

Recently uploaded

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 

Analysis of TLS in SMTP World

  • 1. Analysis of TLS in SMTP World Binu Ramakrishnan Yahoo M3AAWG 34th General Meeting | Dublin, June 2015
  • 2. BIO M3AAWG 34th General Meeting | Dublin, June 2015  Product Security Engineer, Yahoo Mail – Focused on user data protection and application security  Experience in building Internet scale systems  github.com/prbinu  @securitysauce
  • 3. Overview M3AAWG 34th General Meeting | Dublin, June 2015 1. Introduction STARTTLS 2. Methodology 3. Findings Certificates TLS Sessions 4. Conclusion 5. Q&A
  • 4. Objective M3AAWG 34th General Meeting | Dublin, June 2015 • Why STARTTLS is important • Protect user privacy • In case of E2E encryption (GPG/S-MIME) STARTTLS protects meta data from eavesdropping • Understand current STARTTLS deployments with MTAs • Measure overall deployment quality • Present the findings
  • 5. SMTP Refresher M3AAWG 34th General Meeting | Dublin, June 2015 Source:Wikipedia
  • 6. Let’s STARTTLS M3AAWG 34th General Meeting | Dublin, June 2015 220 mta-x.mail.bf1.yahoo.com ESMTP ready EHLO mta-x.mail.bf1.yahoo.com 250-mta-x.mail.bf1.yahoo.com 250-PIPELINING 250-SIZE 41943040 250-8BITMIME 250 STARTTLS STARTTLS 220 Start TLS ...
  • 7. STARTTLS Opportunistic Security M3AAWG 34th General Meeting | Dublin, June 2015 “Some protection most of the time*” • rfc7435 • img source http://bit.ly/1Tujhnc
  • 8. TLS, PKI and X509 V3 Certificates M3AAWG 34th General Meeting | Dublin, June 2015 Trusted by Client RootCA Intermediate CA-1 Intermediate CA-2 Leaf Certificate-1 Leaf Certificate-2 Leaf Certificate-n
  • 9. Methodology M3AAWG 34th General Meeting | Dublin, June 2015 • Input size: 20M unique domains • Resolved domain to MX using a fast DNS lookup program • Identify unique MX 6M domains • Scanned MXs to collect TLS data • Completed in 4 hours (28 threads) • Non-blocking event driven program written in C++ • Generated ~10GB of data • Analysis using std Unix text processing tools
  • 10. M3AAWG 34th General Meeting | Dublin, June 2015
  • 11. Findings M3AAWG 34th General Meeting | Dublin, June 2015 • Domain-MX-IP Distribution • Certificates • TLS Sessions
  • 12. M3AAWG 34th General Meeting | Dublin, June 2015
  • 13. M3AAWG 34th General Meeting | Dublin, June 2015
  • 14. M3AAWG 34th General Meeting | Dublin, June 2015 80% of MXs we scanned support STARTTLS
  • 15. Certificates M3AAWG 34th General Meeting | Dublin, June 2015
  • 16. M3AAWG 34th General Meeting | Dublin, June 2015 Outliers • Half a dozen self- signed ECDSA keys • 512-bit RSA keys • 1024-bit DSA keys • 10240-bit RSA keys ` • Observed few CAs issuing 1024 bit RSA certs in last 2 years • Few are issued with validity period of 10 years Almost same distribution between unique MX and Certs
  • 17. Signature Algorithm M3AAWG 34th General Meeting | Dublin, June 2015 We are mostly compliant  but … Long live MD2; but this may be not as bad as you think.
  • 18. M3AAWG 34th General Meeting | Dublin, June 2015 Certificate Trust
  • 19. M3AAWG 34th General Meeting | Dublin, June 2015
  • 20. Certificate Expiry M3AAWG 34th General Meeting | Dublin, June 2015 Image source: https://www.flickr.com/photos/eatmorechips/4409100553 Significant number of expired certs is worrisome Some certs that are currently in use expired a decade ago. Is it important?
  • 21. M3AAWG 34th General Meeting | Dublin, June 2015 • What about the CA bundles we trust? • Are we updating our CA bundle? • Apple, Microsoft, Mozilla and Fedora/RHEL root certificates Trusting the Trust Image source: https://www.flickr.com/photos/dobs/10726756606/
  • 22. M3AAWG 34th General Meeting | Dublin, June 2015
  • 23. Other Observations M3AAWG 34th General Meeting | Dublin, June 2015 • Few IPs returned more than 100 unique certs. • 9% of total unique certs comprises of X509 Version-1 (4% for unique MX domains); Few valid X509 V1 root CA certs • Domain MXs directly pointing to rfc1918 private address space • 10K MXs resolved directly to IP, not to a hostname • Valid certs - SAN with more than 200 domain names Image source:https://www.flickr.com/photos/dkshots/6880699090/
  • 24. M3AAWG 34th General Meeting | Dublin, June 2015 Note: Subject Common Name is deprecated in favor of SAN. So it is important to validate server hostname against SAN Also found large number (676857) of certs with empty SAN field
  • 25. M3AAWG 34th General Meeting | Dublin, June 2015
  • 26. TLS Session/Ciphers M3AAWG 34th General Meeting | Dublin, June 2015
  • 27. SSL Protocol Version Distribution M3AAWG 34th General Meeting | Dublin, June 2015 We also observed an SSLv2 endpoint
  • 28. M3AAWG 34th General Meeting | Dublin, June 2015
  • 29. Cipher Distribution M3AAWG 34th General Meeting | Dublin, June 2015 PFS 80%
  • 30. Logjam M3AAWG 34th General Meeting | Dublin, June 2015 Weak DH 512 and 1024 bit temp key usage Image source: https://www.flickr.com/photos/foresthistory/3663198360/
  • 31. M3AAWG 34th General Meeting | Dublin, June 2015 Compare with HTTPS The luxury that we don’t have! • CA-Browser (CAB) Forum • Strict certificate validation • Root certificate management & bundling • HTTPS establishes TLS session before making a HTTP request • HPKP, HSTS
  • 32. Conclusion M3AAWG 34th General Meeting | Dublin, June 2015 • Positive Trends • Opportunistic encryption is proved to be effective against passive attacks. • Modern TLS protocols & ciphers - TLSv1.2 and PFS are widely in use • RSA public keys < 2048 bits still exists in large number, but the overall percentage is low – a positive trend when compared with previous years • Challenges • ~20% of MTAs are with no STARTTLS support • Concerns with the trusting/handling root CA bundles • Mitigating active attacks would be a challenge because of: • Large number of self-signed/expired certificates • Use of vulnerable ciphers & SSL versions • Backward interoperability with plain text SMTP option
  • 33. Questions? M3AAWG 34th General Meeting | Dublin, June 2015 Thank you!

Editor's Notes

  1. The focus of this talk is MTA-MX communication.
  2. Our analysis of STARTTLS is to find out how vulnerable out opportunistic encryption is. Active attack: An attacker who sits between the communication channel and attempt to modify data. Eg: MITM – The attacker pretends to be the trusted user or a server – exploit authentication flaws in the system Session replays etc What is the level of security STARTTLS provides? Provide protection against passive attacks. Active attacks: Downgrade to plaintext communication Modify DNS records and route traffic
  3. PKI – overall structure , trusted anchors – root CAs Chain of trust – from root CA to server certificate.
  4. Non-temporal analysis on the scanning results from a representative scan done in May 3rd week.
  5. We scanned 20M unique domains and found 6M MXs and 1M IPs. The stats are based on unique MX domains and unique certificates.
  6. Around 33% of the domains are hosted around 10 MX/mail providers. This is significant.
  7. STARTTLS is supported on majority of 8M domains we scanned.
  8. 1. Expiry allow us to incrementally upgrade and improve secuirty. For example migrating from 512 – 1024 -2048 bit RSA keys or the use of MD5 -> SHA1 -> SHA2 keys 2. It also helps us to make sure no one can use a compromised key (unknown to you) for ever.
  9. https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3621 http://www.entrust.com/root-certificates-1024-bit-rsa-keys-removed/ https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/ Mozilla Root CA: https://docs.google.com/spreadsheets/d/1fgCRd7Xrx1Fwg9a-l8XreloC_iWdigrDOOp4Igv_UFs/edit#gid=1293109028 Apple Root Cas: https://support.apple.com/en-us/HT204132 Symantec Cas: http://www.symantec.com/page.jsp?id=roots Fedora root CAs: https://fedoraproject.org/wiki/CA-Certificates
  10. https://bugzilla.mozilla.org/show_bug.cgi?id=552346 http://tools.ietf.org/html/rfc2818#section-3.1
  11. The above stats is for unique certs. For MX domains, PFS support is 88%. The above classification is based on Mozilla’s cipher classification, where the green is modern, yellow is for intermediate and red is obsolete/unsafe vulnerable ciphers
  12. https://weakdh.org/ https://weakdh.org/sysadmin.html https://freakattack.com/ The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers.
  13. http://www.certificate-transparency.org/known-logs