DANE: The Future of Transport Layer Security (TLS)
ION Sri Lanka
January 18, 2015
Dan York
Senior Content Strategist
Internet Society
york@isoc.org
TLS vs SSL
Secure Sockets Layer (SSL) was originally developed by Netscape in the mid-1990s.
"Transport Layer Security (TLS)" evolved from SSL 3.0, although "SSL" remains the commonly used term.
TLS version 1.3 in active development:
• https://tools.ietf.org/html/draft-ietf-tls-tls13
• https://github.com/tlswg/tls13-spec
1/18/2015
Timeline:
• 1996: SSL 3.0 (RFC 6101)
• 1999: TLS 1.0 (RFC 2246)
• 2006: TLS 1.1 (RFC 4346)
• 2008: TLS 1.2 (RFC 5246)
• 2014/15?: TLS 1.3 (draft-ietf-tls-tls13)
TLS – Not Just For Web Sites
TLS / SSL originally developed for web sites
Now widely used for many other services, including:
• Email
• Instant messaging
• File transfer
• Virtual Private Networks (VPNs)
• Voice over IP (VoIP)
• Custom applications
What Does TLS Do?
• Creates an encrypted tunnel between two applications
• Protects from eavesdropping
• Can be used in client/server or peer-to-peer
• Uses TCP (DTLS uses UDP)
[Diagram: App 1 and App 2 communicating with TLS (through an encrypted tunnel) and without TLS (in the clear).]
TLS and Certificates
• How do you obtain the encryption keys?
• Typically uses PKIX / X.509 certificate
• Certificate signed by a Certificate Authority (CA)
• The client application initiating the connection checks the certificate:
• Does the certificate match the site/service being visited?
• Does the app trust the CA who signed the cert?
The Problem With Certificate Authorities
• There are too many of them!
• Apps like web browsers may "trust" 1,300 CAs
• Any CA can issue a certificate for any domain
• Attackers can trick a CA into issuing a certificate
• "Middleboxes" can issue certificates to intercept traffic
• Ex. Gogo inflight WiFi service
• Several different solutions are being explored
A Quick Overview of DANE
The Typical TLS (SSL) Web Interaction
[Diagram: (1) the web browser asks its DNS resolver "example.com?"; (2) to (4) the resolver queries the root, .com and example.com DNS servers; (5) the resolver returns 10.1.1.123; (6) the browser connects to https://example.com/ and receives a TLS-encrypted web page from the web server.]
The Typical TLS (SSL) Web Interaction
[Same diagram, now asking: when the browser receives the TLS-encrypted web page, is it encrypted with the CORRECT certificate?]
Problems?
[Diagram: (1) the web browser asks the DNS server "www.example.com?" and gets 1.2.3.4; (2) it requests https://www.example.com/. The web server returns a TLS-encrypted web page with the CORRECT certificate, but a firewall in the path passes the browser a TLS-encrypted web page with a NEW certificate (re-signed by the firewall).]
DANE
[Diagram: (1) the web browser with DANE support asks the DNS server "example.com?" and receives 10.1.1.123 together with the TLSA record, DNSKEY and RRSIGs; (2) it requests https://example.com/. The web server returns a TLS-encrypted web page with the CORRECT certificate, but a firewall (or attacker) in the path re-signs it, passes on a page with a NEW certificate, and can log the traffic or divert it to other servers. The DANE-equipped browser compares the TLS certificate with what DNS / DNSSEC says it should be and detects the substitution.]
DNS-Based Authentication of Named Entities
(DANE)
• Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
• A: Store the certificate (or its fingerprint) in DNS (in the new TLSA record) and sign it with DNSSEC.
An application that understands DNSSEC and DANE will then know when the required certificate is NOT being used.
The certificate stored in DNS is controlled by the domain name holder. It can be a certificate signed by a CA – or a self-signed certificate.
DANE – Different operation modes ("certificate usage" field)
• 0 – CA specification: the TLSA record specifies the Certificate Authority (CA) that will provide TLS certificates for the domain. Must be a valid CA included in the browser/app.
• 1 – Specific TLS certificate: the TLSA record specifies the exact TLS certificate that should be used for the domain. Note that this TLS certificate must be one issued by a valid CA.
• 2 – Trust anchor assertion: the TLSA record specifies the "trust anchor" to be used for validating the TLS certificates for the domain. Allows the use of a CA not included in the application.
• 3 – Domain-issued certificate ("End-Entity Certificate"): the TLSA record specifies the exact TLS certificate that should be used for the domain, BUT, in contrast to usage #1, the TLS certificate does not need to be signed by a valid CA. This allows the use of self-signed certificates.
DANE – Not Just For The Web
• DANE defines protocol for storing TLS certificates in DNS
• Securing Web transactions is an obvious use case
• Other uses also possible:
• Email
• VoIP
• Jabber/XMPP
• PGP
• ?
DANE Success Stories
SMTP
• 360+ SMTP servers with TLSA records
• http://www.tlsa.info/ - testing service
XMPP (Jabber)
• 255 servers
• client-to-server & server-to-server
• https://xmpp.net/reports.php#dnssecdane
Advertisements!
3 Steps To Use DANE On Your Server / Service
1. Use TLS on your application/service!
2. Generate and publish a TLSA record in DNS
• Separate TLSA record for each specific service. For example:
– _25._tcp.example.com.
– _443._tcp.example.com.
• Tools available (ex. hashslinger) to help generate records
3. Sign your domain with DNSSEC
2 Steps To Use DANE In Your Client Application
1. Have access to a DNSSEC-validating DNS resolver
• The security of DANE relies on DNSSEC validation
• DNSSEC validation can be easily enabled on BIND, Unbound or Windows Server
• Some developers have performed validation within the application itself
2. Use a DNS application library that supports DNSSEC
• GetDNS API – http://getdnsapi.net/ - C, python, node.js and java
• http://www.internetsociety.org/deploy360/resources/dnssec-developer-libraries/
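The server-side TLSA generation from the "3 Steps" slide, the client-side comparison from the DANE and "certificate usage" slides, and the DNSSEC-validation dependency from the "2 Steps" slide, as one added Python example that is not part of the original deck. The certificate bytes, the `Certificate` class, the `dnssec_status` strings and all function names are assumptions of this example; in a real client the DER comes from `ssl.getpeercert(binary_form=True)` and the SubjectPublicKeyInfo from an X.509 parser. Only the end-entity usages (1 and 3) are checked; usages 0 and 2 need the server's certificate chain, which this example does not model.

```python
import hashlib
from dataclasses import dataclass

# TLSA field values from RFC 6698, matching the "certificate usage" slide above.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # the "certificate association data" field

    def presentation(self, owner: str) -> str:
        """Zone-file form of the record, e.g. '_443._tcp.example.com. IN TLSA 3 1 1 <hex>'."""
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in (assumption of this example): a real client takes `der` from
    ssl.getpeercert(binary_form=True) and extracts the SubjectPublicKeyInfo with an X.509 parser."""
    der: bytes
    spki: bytes


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name convention from the deck: one record per service, e.g. _25._tcp.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert: Certificate, selector: int, matching_type: int) -> bytes:
    """Apply the selector (full cert or SPKI) and matching type (raw, SHA-256, SHA-512)."""
    selected = cert.der if selector == SELECTOR_FULL_CERT else cert.spki
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def generate_tlsa(cert: Certificate, usage: int, selector: int, matching_type: int) -> TLSARecord:
    """Server side (step 2 of the "3 Steps" slide): the record to publish in the DNSSEC-signed zone."""
    return TLSARecord(usage, selector, matching_type, association_data(cert, selector, matching_type))


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation-format rdata such as '3 1 1 <hex>' as returned by a resolver."""
    usage, selector, matching_type, hexdata = rdata.split(maxsplit=3)
    return TLSARecord(int(usage), int(selector), int(matching_type), bytes.fromhex(hexdata.replace(" ", "")))


def dane_check(records, dnssec_status: str, presented: Certificate, pkix_valid: bool) -> str:
    """Client side: is the presented end-entity certificate the one DNS says the site wants used?

    dnssec_status is what a validating resolver reports for the TLSA answer: 'secure', 'insecure'
    or 'bogus' (names assumed here). Only usages 1 and 3 (end-entity pinning) are handled; usages
    0 and 2 need the server's chain, which this example does not model.
    Returns 'bogus-dns', 'no-dane', 'dane-matched' or 'dane-mismatch' (the last also covers a
    usage-1 record whose CA validation failed).
    """
    if dnssec_status == "bogus":
        return "bogus-dns"      # DNSSEC validation failed: the TLSA answer cannot be trusted
    if dnssec_status != "secure" or not records:
        return "no-dane"        # unsigned zone or no TLSA record: fall back to ordinary PKIX checks
    for rec in records:
        if rec.usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
            continue
        if rec.usage == USAGE_PKIX_EE and not pkix_valid:
            continue            # usage 1 also requires a chain to a CA the application trusts
        if association_data(presented, rec.selector, rec.matching_type) == rec.data:
            return "dane-matched"
    return "dane-mismatch"      # e.g. the firewall-resigned certificate from the "Problems?" slide


# Constructed sample data (not real certificates): the site's own cert and a re-signed one.
GOOD_CERT = Certificate(der=b"constructed-der-example.com", spki=b"constructed-spki-example.com")
RESIGNED_CERT = Certificate(der=b"constructed-der-resigned", spki=b"constructed-spki-resigned")


def demo() -> dict:
    """Publish a usage-3 record for GOOD_CERT, then run the client check in four situations."""
    owner = tlsa_owner_name("example.com", 443)
    published = generate_tlsa(GOOD_CERT, USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256).presentation(owner)
    records = [parse_tlsa(published.split(" IN TLSA ", 1)[1])]   # what the client sees after lookup
    return {
        "owner": owner,
        "zone_line": published,
        "correct": dane_check(records, "secure", GOOD_CERT, pkix_valid=True),
        "resigned": dane_check(records, "secure", RESIGNED_CERT, pkix_valid=True),
        "unsigned_zone": dane_check(records, "insecure", RESIGNED_CERT, pkix_valid=True),
        "bogus": dane_check(records, "bogus", GOOD_CERT, pkix_valid=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `unsigned_zone` case is the point of step 1 on the client side: without a `secure` validation result the TLSA record carries no guarantee, so the client must not treat it as authoritative, and a `bogus` result must not silently degrade to the no-DANE path either.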
DANE Resources
DANE Overview and Resources:
• http://www.internetsociety.org/deploy360/resources/dane/
IETF Journal article explaining DANE:
• http://bit.ly/dane-dnssec
RFC 6394 - DANE Use Cases:
• http://tools.ietf.org/html/rfc6394
RFC 6698 – DANE Protocol:
• http://tools.ietf.org/html/rfc6698
DANE Resources
DANE and email:
• https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane
• http://tools.ietf.org/html/draft-ietf-dane-smime
DANE Operational Guidance:
• https://tools.ietf.org/html/draft-ietf-dane-ops
DANE and SIP (VoIP):
• http://tools.ietf.org/html/draft-johansson-dispatch-dane-sip
• https://tools.ietf.org/html/draft-ietf-dane-srv
Other uses:
• https://tools.ietf.org/html/draft-ietf-dane-openpgpkey
• https://tools.ietf.org/html/draft-ietf-dane-rawkeys
Why Deploy DNSSEC and DANE?
Reasons For Deploying DNSSEC/DANE
• TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers.
• SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking.
• INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates.
• CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet.
Email Hijacking – A Current Threat
• CERT-CC researchers have identified that someone is hijacking email by using DNS cache poisoning of MX records
• Could be prevented by DNSSEC deployment
• CERT-CC (Sept 10, 2014):
– https://www.cert.org/blogs/certcc/post.cfm?EntryID=206
• Deploy360 blog post (Sept 12, 2014):
– http://wp.me/p4eijv-5jI
Resources
Start Here Page
http://www.internetsociety.org/deploy360/start/
Easy method of finding resources for specific audiences, including:
• Network operators
• Content providers (ex. web site owners)
• Developers
• Governments
• Consumer electronics vendors
• Enterprises and campus networks
• Registrars
• Internet exchange points (IXPs)
The Two Parts of DNSSEC
[Diagram: two columns.]
Signing: Registries, Registrars, DNS Hosting
Validating: ISPs, Enterprises, Applications
DNSSEC Signing - The Individual Steps
Registry:
• Signs TLD
• Accepts DS records
• Publishes/signs records
Registrar:
• Accepts DS records
• Sends DS to registry
• Provides UI for mgmt
DNS Hosting Provider:
• Signs zones
• Publishes all records
• Provides UI for mgmt
Domain Name Registrant:
• Enables DNSSEC (unless automatic)
DNSSEC Deployment Maps
• DNSSEC deployment maps:
• http://www.internetsociety.org/deploy360/dnssec/maps/
• Mailing list to receive weekly maps:
• https://elists.isoc.org/mailman/listinfo/dnssec-maps
DNSSEC Deployment Maps – Asia Pacific
Social Media Channels
• https://twitter.com/deploy360
• https://www.facebook.com/Deploy360
• http://gplus.to/deploy360
• http://www.youtube.com/user/Deploy360
• http://www.internetsociety.org/deploy360/feed/
• http://soundcloud.com/deploy360/
Thank You!
Dan York
Senior Content Strategist
york@isoc.org

 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

ION Sri Lanka - DANE: The Future of TLS

  • 1. DANE: The Future of Transport Layer Security (TLS)
    ION Sri Lanka, January 18, 2015
    Dan York, Senior Content Strategist, Internet Society, york@isoc.org
  • 2. TLS vs SSL
    Secure Sockets Layer (SSL) was originally developed by Netscape in the mid-1990s. "Transport Layer Security (TLS)" evolved from SSL 3.0, although "SSL" remains the commonly used term.
    TLS version 1.3 is in active development:
    – https://tools.ietf.org/html/draft-ietf-tls-tls13
    – https://github.com/tlswg/tls13-spec
    Version history:
    – 1996: SSL 3.0 (RFC 6101)
    – 1999: TLS 1.0 (RFC 2246)
    – 2006: TLS 1.1 (RFC 4346)
    – 2008: TLS 1.2 (RFC 5246)
    – 2014/15?: TLS 1.3 (draft-ietf-tls-tls13)
  • 3. TLS – Not Just For Web Sites
    TLS / SSL was originally developed for web sites. It is now widely used for many other services, including:
    – Email
    – Instant messaging
    – File transfer
    – Virtual Private Networks (VPNs)
    – Voice over IP (VoIP)
    – Custom applications
  • 4. What Does TLS Do?
    – Creates an encrypted tunnel between two applications
    – Protects from eavesdropping
    – Can be used in client/server or peer-to-peer
    – Uses TCP (DTLS uses UDP)
    (diagram: App 1 and App 2 communicating without TLS, and the same pair communicating with TLS)
  • 5. TLS and Certificates
    – How do you obtain the encryption keys?
    – Typically uses a PKIX / X.509 certificate
    – Certificate signed by a Certificate Authority (CA)
    – The client application initiating the connection checks the certificate:
      – Does the certificate match the site/service being visited?
      – Does the app trust the CA who signed the cert?
  • 6. The Problem With Certificate Authorities
    – There are too many of them!
    – Apps like web browsers may "trust" 1,300 CAs
    – Any CA can issue a certificate for any domain
    – Attackers can trick a CA into issuing a certificate
    – "Middleboxes" can issue certificates to intercept traffic
      – Ex. Gogo inflight WiFi service
    – Several different solutions are being explored
  • 7. A Quick Overview of DANE
  • 8. The Typical TLS (SSL) Web Interaction
    (diagram, steps 1–6: the web browser asks its DNS resolver "example.com?"; the resolver queries the root, .com and example.com DNS servers; the answer 10.1.1.123 is returned to the browser; the browser requests https://example.com/ from the web server and receives a TLS-encrypted web page)
  • 9. The Typical TLS (SSL) Web Interaction
    (same diagram as slide 8, with the question at the final step: "Is this encrypted with the CORRECT certificate?")
  • 10. Problems?
    (diagram: the web browser asks the DNS server "www.example.com?" and receives 1.2.3.4; it requests https://www.example.com/; the web server returns a TLS-encrypted web page with the CORRECT certificate, but a firewall in the path re-signs it and delivers a TLS-encrypted web page with a NEW certificate (re-signed by firewall))
  • 11. DANE
    (diagram: a web browser with DANE asks the DNS server "example.com?" and receives 10.1.1.123 together with DNSKEY, RRSIGs and a TLSA record; the web server returns a TLS-encrypted web page with the CORRECT certificate; a firewall (or attacker) in the path returns a TLS-encrypted web page with a NEW certificate (re-signed by firewall) and may divert traffic to log files or other servers)
    A DANE-equipped browser compares the TLS certificate with what DNS / DNSSEC says it should be.
  • 12. DNS-Based Authentication of Named Entities (DANE)
    – Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
    – A: Store the certificate (or its fingerprint) in DNS (in the new TLSA record) and sign it with DNSSEC. An application that understands DNSSEC and DANE will then know when the required certificate is NOT being used.
    The certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate.
  • 13. DANE – Different operation modes ("certificate usage" field)
    – 0 – CA specification: the TLSA record specifies the Certificate Authority (CA) who will provide TLS certificates for the domain. Must be a valid CA included in the browser/app.
    – 1 – Specific TLS certificate: the TLSA record specifies the exact TLS certificate that should be used for the domain. Note that this TLS certificate must be one that is issued by a valid CA.
    – 2 – Trust anchor assertion: the TLSA record specifies the "trust anchor" to be used for validating the TLS certificates for the domain. Allows for the use of a CA not included in the application.
    – 3 – Domain-issued certificate ("End-Entity Certificate"): the TLSA record specifies the exact TLS certificate that should be used for the domain, BUT, in contrast to usage #1, the TLS certificate does not need to be signed by a valid CA. This allows for the use of self-signed certificates.
  • 14. DANE – Not Just For The Web
    – DANE defines a protocol for storing TLS certificates in DNS
    – Securing Web transactions is an obvious use case
    – Other uses are also possible:
      – Email
      – VoIP
      – Jabber/XMPP
      – PGP
      – ?
  • 15. DANE Success Stories
    SMTP
    – 360+ SMTP servers with TLSA records
    – http://www.tlsa.info/ – testing service
    XMPP (Jabber)
    – 255 servers
    – client-to-server & server-to-server
    – https://xmpp.net/reports.php#dnssecdane
    Advertisements!
  • 16. 3 Steps To Use DANE On Your Server / Service
    1. Use TLS on your application/service!
    2. Generate and publish a TLSA record in DNS
       – A separate TLSA record for each specific service. For example:
         – _25._tcp.example.com.
         – _443._tcp.example.com.
       – Tools are available (ex. hashslinger) to help generate records
    3. Sign your domain with DNSSEC
  • 17. 2 Steps To Use DANE In Your Client Application
    1. Have access to a DNSSEC-validating DNS resolver
       – The security of DANE relies on DNSSEC validation
       – DNSSEC validation can be easily enabled on BIND, Unbound or Windows Server
       – Some developers have performed validation within the actual application
    2. Use a DNS application library that supports DNSSEC
       – GetDNS API – http://getdnsapi.net/ – C, python, node.js and java
       – http://www.internetsociety.org/deploy360/resources/dnssec-developer-libraries/
  • 18. DANE Resources
    DANE Overview and Resources:
    – http://www.internetsociety.org/deploy360/resources/dane/
    IETF Journal article explaining DANE:
    – http://bit.ly/dane-dnssec
    RFC 6394 – DANE Use Cases:
    – http://tools.ietf.org/html/rfc6394
    RFC 6698 – DANE Protocol:
    – http://tools.ietf.org/html/rfc6698
  • 19. DANE Resources
    DANE and email:
    – https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane
    – http://tools.ietf.org/html/draft-ietf-dane-smime
    DANE Operational Guidance:
    – https://tools.ietf.org/html/draft-ietf-dane-ops
    DANE and SIP (VoIP):
    – http://tools.ietf.org/html/draft-johansson-dispatch-dane-sip
    – https://tools.ietf.org/html/draft-ietf-dane-srv
    Other uses:
    – https://tools.ietf.org/html/draft-ietf-dane-openpgpkey
    – https://tools.ietf.org/html/draft-ietf-dane-rawkeys
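As an added illustration of slides 13, 16 and 17 (this is example code written for this page, not the slides' or any project's code), the block below generates the TLSA RDATA a server operator would publish at a name such as _443._tcp.example.com and performs the end-entity check a DANE-aware client makes for certificate usages 1 and 3, as laid out in RFC 6698. It assumes a DNSSEC-validated TLSA answer is already in hand; the certificate it works on is a constructed X.509-shaped DER blob built inline, not a real certificate, and the selector/matching-type values follow the RFC 6698 registry.

```python
import hashlib

def der(tag, value):
    """Encode one DER TLV with a minimal short- or long-form length."""
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def der_tlv(buf, off=0):
    """Decode one DER TLV at off; return (tag, value, end_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def spki_from_cert(cert_der):
    """Return the DER subjectPublicKeyInfo (TLSA selector 1) of a certificate."""
    _, tbs, _ = der_tlv(der_tlv(cert_der)[1])        # Certificate > tbsCertificate
    fields, off = [], 0
    while off < len(tbs):                            # collect top-level TLVs of tbs
        tag, _, end = der_tlv(tbs, off)
        fields.append((tag, tbs[off:end]))
        off = end
    if fields[0][0] == 0xA0:                         # skip optional [0] version
        fields.pop(0)
    return fields[5][1]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_association(cert_der, selector, matching):
    """Selector 0 = full cert, 1 = SPKI; matching 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return data if matching == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).digest()

def tlsa_record_for(cert_der, usage=3, selector=1, matching=1):
    """Presentation-format RDATA to publish, e.g. at _443._tcp.example.com."""
    return f"{usage} {selector} {matching} {tlsa_association(cert_der, selector, matching).hex()}"

def dane_check(tlsa_rdata, cert_der, pkix_valid):
    """End-entity check: usage 1 (PKIX-EE) also needs CA validation to pass; usage 3
    (DANE-EE) trusts the DNSSEC-signed association alone. Usages 0/2 constrain a CA cert."""
    usage, selector, matching, hexdata = tlsa_rdata.split(maxsplit=3)
    if int(usage) not in (1, 3):
        raise ValueError("only end-entity usages 1 and 3 are handled in this example")
    if tlsa_association(cert_der, int(selector), int(matching)) != bytes.fromhex(hexdata):
        return False                                 # e.g. cert re-signed by a middlebox
    return pkix_valid if int(usage) == 1 else True

def sample_cert():
    """Constructed X.509-shaped DER (added example, not a real certificate): v3, EC SPKI."""
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A8648CE3D0201"))) + der(0x03, b"\x00\x04" + b"\x11" * 64))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")                      # version, serial
              + der(0x30, der(0x06, bytes.fromhex("2A8648CE3D040302"))) + der(0x30, b"")    # sigAlg, issuer
              + der(0x30, der(0x17, b"150118000000Z") * 2) + der(0x30, b"") + spki)        # validity, subject, SPKI
    return der(0x30, tbs + der(0x30, der(0x06, bytes.fromhex("2A8648CE3D040302"))) + der(0x03, b"\x00" + b"\x22" * 70)), spki
```

With selector 1 the record survives re-issuing the certificate for the same key, which is why DANE-EE with SPKI hashing ("3 1 1") is the usual operational choice.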
  • 20. Why Deploy DNSSEC and DANE?
  • 21. Reasons For Deploying DNSSEC/DANE
    – TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers.
    – SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking.
    – INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates.
    – CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet.
  • 22. Email Hijacking – A Current Threat
    – CERT-CC researchers have identified that someone is hijacking email by using DNS cache poisoning of MX records
    – Could be prevented by DNSSEC deployment
    – CERT-CC (Sept 10, 2014): https://www.cert.org/blogs/certcc/post.cfm?EntryID=206
    – Deploy360 blog post (Sept 12, 2014): http://wp.me/p4eijv-5jI
  • 24. Start Here Page
    http://www.internetsociety.org/deploy360/start/
    An easy method of finding resources for specific audiences, including:
    – Network operators
    – Content providers (ex. web site owners)
    – Developers
    – Governments
    – Consumer electronics vendors
    – Enterprises and campus networks
    – Registrars
    – Internet exchange points (IXPs)
  • 25. The Two Parts of DNSSEC
    – Signing: DNS hosting, registrars, registries
    – Validating: ISPs, enterprises, applications
  • 26. DNSSEC Signing – The Individual Steps
    – Registry: signs the TLD; accepts DS records; publishes/signs records
    – Registrar: accepts DS records; sends DS to the registry; provides UI for management
    – DNS Hosting Provider: signs zones; publishes all records; provides UI for management
    – Domain Name Registrant: enables DNSSEC (unless automatic)
  • 27. DNSSEC Deployment Maps
    – DNSSEC deployment maps: http://www.internetsociety.org/deploy360/dnssec/maps/
    – Mailing list to receive weekly maps: https://elists.isoc.org/mailman/listinfo/dnssec-maps
  • 28. DNSSEC Deployment Maps – Asia Pacific
  • 30. Thank You!
    Dan York, Senior Content Strategist, york@isoc.org