TLS Certificates on the Web – The Good, The Bad and The Ugly
•
0 gefällt mir•747 views
At RSA 2016, CASC member Rick Andrews talked about TLS certificates on the web: the good, the bad and the ugly.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie TLS Certificates on the Web – The Good, The Bad and The Ugly
Ähnlich wie TLS Certificates on the Web – The Good, The Bad and The Ugly (20)
Mehr von CASCouncil
Mehr von CASCouncil (19)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
TLS Certificates on the Web – The Good, The Bad and The Ugly
- 2. #RSAC TLS Cer1ficates 2 TLS Ecosystem is almost 20 years old Recently endured three cer>ficate-based migra>ons: Away from MD2 and MD5 to SHA-1 Away from small RSA keys to 2048-bit keys or larger Away from SHA-1 to SHA-256
- 3. #RSAC What’s Driving These Migra1ons? 3 Relentless march of aNacks (only gePng beNer) CA/Browser Forum Baseline Requirements EV Guidelines Cer>fica>on Authori>es Browser vendors
- 4. #RSAC What’s Slowing These Migra1ons? 4 Use of TLS in non-browser applica>ons Mail, XMPP and other non-web servers POS and other devices Lack of auto-update capabili>es Ins>tu>onal iner>a Companies wait years to perform a server refresh
- 6. #RSAC Deployment of SHA-2 Certificates TLS Cer1ficates – the Good Trajectory of SHA-2 deployment is encouraging (Netcra_) 6
- 7. #RSAC TLS Cer1ficates – the Good 7 99.98% of cer>ficates contain RSA 2048-bit, ECC 224-bit or larger keys (Netcra_) 200K certs with keys >= RSA 4096 bits (Netcra_) BR Compliance Responsible for standardizing cer>ficate profiles 10.7% of sites use EV (TIM)
- 9. #RSAC TLS Cer1ficates – the Bad 9 Remaining SHA-1 certs will not work in browsers a_er 2016: 13.3% (Netcra_) 11.6% (TIM) US DOD s>ll issuing SHA-1 cer>ficates hNp://news.netcra_.com/archives/2016/01/08/us-military-s>ll- shackled-to-outdated-dod-pki-infrastructure.html More than 1,000 with < RSA 2048-bit or ECC 224-bit (Netcra_) Browsers con>nue to add compliance checks
- 10. #RSAC TLS Cer1ficates – the Bad 10 EV viola>ons ~6% of all EV cer>ficates (Netcra_) Most don’t have a valid Subject Business Category (unlikely to cause usability problems) Thousands don’t provide EV treatment in Chrome (customer doesn’t benefit from the extra cost of EV) BR viola>ons ~3% of all cer>ficates found (Netcra_) Most are policy viola>ons (CN must appear in SAN, invalid Subject State or Country, etc.) unlikely to cause usability problems
- 11. #RSAC TLS Cer1ficates – the Bad 11 Strong keys signed by weaker keys (a dozen or so) don’t provide the cryptographic protec>on expected by the cer>ficate owner: ECC P-384 signed by ECC P-256 ECC P-384 signed by RSA 2048 RSA 4096 and 8192 signed by RSA 2048 Cer>ficate expira>on is embarrassing hNp://news.netcra_.com/archives/2015/04/30/instagram-forgets-to- renew-its-ssl-cer>ficate.html Almost 4% of sites serve an incomplete cer>ficate chain (TIM) Most browsers don’t try to fetch missing subordinate CA
- 13. #RSAC TLS Cer1ficates – the Ugly 13 Invalid Cer>ficates abound In Netcra_’s survey, approximately two thirds of all TLS cer>ficates seen are valid, issued by a trusted CA. The remaining one-third are either self-signed, expired, signed by an unknown issuer or contain mismatched names. One MD5, 3-year cert issued in 2013 by a public CA (RSA 1024-bit key) it’s got 6 other BR viola>ons One 512-bit RSA key used by Government of Korea (South), although it’s signed using SHA-2 it’s got 4 other BR viola>ons Browsers block access to such sites
- 14. #RSAC TLS Cer1ficates – the Ugly 14 Invalid Public Key Exponent: one cer>ficate with an RSA exponent of 1 TLS data is sent in cleartext Mul>ple CNs are prohibited, but Netcra_ found cer>ficates with up to 24 CNs 2009 study demonstrated aNacks on certs with mul>ple CNs EV certs with fewer than the correct number of SCTs Customer doesn’t benefit from the extra cost of EV in Chrome
- 15. #RSAC TLS Cer1ficates – the Ugly, con1nued 15 One cert with RSA 15,424-bit key! (includes 72 SAN values!) It’s an Apache server, but not a web site No harm to the Web Ten-year end-en>ty cer>ficates, issued a_er the BRs became effec>ve Most browsers block public TLS certs with excessive dates Cer>ficates with more than 50 SANs (Netcra_) Nothing illegal, but might cause performance problems
- 17. #RSAC Apply 17 2048-bit RSA with SHA-256 is adequate for now Keep SANs to a minimum (20 or fewer), and only one CN Replace all weak, invalid, revoked or soon-to-expire cer>ficates Generate a new key pair every >me you replace a cer>ficate Make sure your EV cer>ficates have the correct number of SCTs Test your cer>ficate with all major browsers (don’t forget mobile) Confirm that your CA has correctly issued the cer>ficate
- 18. #RSAC Check Your Work 18 Check TLS cer>ficates and configura>on on all servers, not just web servers hNps://cryptoreport.websecurity.symantec.com/checker/ hNps://www.ssllabs.com/ssltest/ Consider a discovery tool like Cer>ficate Intelligence Center hNps://www.symantec.com/ssl-cer>ficates/cer>ficate-intelligence- center/ Certlint from Amazon (open source) hNps://github.com/awslabs/certlint
- 19. #RSAC Data Sets 19 Netcra_ hNp://www.netcra_.com ICSI hNps://notary.icsi.berkeley.edu/ Trustworthy Internet Movement (TIM) SSL Pulse hNps://www.trustworthyinternet.org/ssl-pulse/ Comodo’s cer>ficate search tool hNps://crt.sh
- 20. #RSAC Thank you!