The Snowden revelations - Lessons and Recommendations

Page 1: The Snowden revelations - Lessons and Recommendations

© GMO GlobalSign Group. All Rights Reserved. www.globalsign.com

Achieving compliant security:

Paul van Brouwershaven – Business Development Director

The Snowden revelations: Lessons and Recommendations

Page 2: The Snowden revelations - Lessons and Recommendations

Business Development Director

• Business Development Director for GlobalSign

• Previously CTO of a European hosting company

• Over 10 years of experience in the hosting industry

• Expert in digital certificate solutions

• Dedicated to increasing awareness of the requirements for online security

• Thinking out of the box, detecting problems and providing solutions

Page 4: The Snowden revelations - Lessons and Recommendations

Identity verification

Page 5: The Snowden revelations - Lessons and Recommendations

Digital Certificates in practice

SSL Encryption & Identity Assurance

Secure Email

Adobe PDF & Microsoft Office document security

Code Signing

Page 6: The Snowden revelations - Lessons and Recommendations

SSL

• A communication protocol that negotiates one of several encryption methods between sender and receiver to protect the confidentiality and integrity of data in transit.

• Uses a digital certificate, validated by a trusted third party (a certificate authority), to prove the identity of the server so that the client knows who it is talking to and that the data is authentic.

Page 7: The Snowden revelations - Lessons and Recommendations

“The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet.”

“They're doing it primarily by cheating, not by mathematics”

Bruce Schneier

Page 8: The Snowden revelations - Lessons and Recommendations

Is SSL broken?

• SSL is 20 years old and its versions (SSL 2.0 and SSL 3.0) have several known security issues

• TLS, the successor protocol, is used instead of SSL in the majority of cases

Page 9: The Snowden revelations - Lessons and Recommendations

But we keep the door open

• Servers are often deployed with a weak default configuration (old protocol versions and weak cipher suites left enabled)

• Administrators have no clear view of client compatibility, especially for mobile and embedded devices, so legacy options stay switched on "just in case"

Page 10: The Snowden revelations - Lessons and Recommendations

TLS support by major browsers

Page 11: The Snowden revelations - Lessons and Recommendations

Cipher security – known feasible attacks

Page 12: The Snowden revelations - Lessons and Recommendations

“The math is good, but math has no agency. Code has agency, and the code has been subverted.”

Bruce Schneier

Page 13: The Snowden revelations - Lessons and Recommendations

Potential backdoors?

• Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), one of the random number generators standardised in NIST SP 800-90A

• Documents "appear to confirm" that the backdoor was real, and had been deliberately inserted by the National Security Agency (New York Times)

• Whoever knows the secret relationship between the generator's two curve points can predict its output from a small sample; an SSL/TLS implementation that draws its keys and nonces from Dual_EC_DRBG can then have its sessions decrypted by that party

Page 14: The Snowden revelations - Lessons and Recommendations

Alexa top 1M has 68 776 sites in Germany

domain.com or subdomain(s): with SSL certificate 27%, no SSL certificate 73%

domain.com / www.domain.com: with SSL certificate 19%, no SSL certificate 81%

Page 15: The Snowden revelations - Lessons and Recommendations

Requirement for mass SSL deployment

• By 2020 50,000,000,000 ‘Things’ will be connected to the Internet

• Requires a huge number of IP addresses

Page 16: The Snowden revelations - Lessons and Recommendations

Slow IPv6 adoption

[Map: IPv6 adoption percentage per country; the values shown range from 0.08% to 9.83%]

Page 17: The Snowden revelations - Lessons and Recommendations

Host multiple SSL certs on a single IP (Server Name Indication, SNI)

More on this topic?

Visit the GlobalSign stand A07

Page 18: The Snowden revelations - Lessons and Recommendations

From the 36992 sites tested in Germany, supported SSL/TLS versions (number of sites):

SSL2: 7945

SSL3: 35943

TLS1: 36663

TLS1.1: 10446

TLS1.2: 12037

Page 19: The Snowden revelations - Lessons and Recommendations

Improving Server Security

• Enable support for TLS 1.0, 1.1 & 1.2, remove SSL (both SSLv2 and SSLv3)

Apache

SSLProtocol All -SSLv2 -SSLv3

Nginx

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Keeping TLS 1.0 and 1.1 reflects client compatibility at the time of this presentation; both have since been deprecated (RFC 8996) and should only remain enabled where legacy clients demand it.

Page 20: The Snowden revelations - Lessons and Recommendations

From the 36992 sites tested in Germany

[Bar chart: number of sites supporting each cipher suite, out of 36992]

Page 21: The Snowden revelations - Lessons and Recommendations

From the 17 311 sites tested in Germany

Support TLS forward secrecy: Yes 84%, No 16%

Prefer TLS forward secrecy (ephemeral suites ordered first): Yes 67%, No 33%

Page 22: The Snowden revelations - Lessons and Recommendations

Improving Server Security

• Configure a strong cipher suite preference and have the server, not the client, pick the suite (leading with EDH/EECDH suites gives forward secrecy)

Apache

SSLHonorCipherOrder On

SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:...........

Nginx

ssl_prefer_server_ciphers on;

ssl_ciphers EDH+CAMELLIA:...........;

Page 23: The Snowden revelations - Lessons and Recommendations

Improving Server Security

• Re-check your cipher suite preferences regularly: what counts as strong changes as new attacks are published!

Page 24: The Snowden revelations - Lessons and Recommendations

From 12 822 SSL sites ((www.)domain.com)

OCSP Stapling: Yes 5%, No 95%

Page 25: The Snowden revelations - Lessons and Recommendations

Improving Server Security

• Enable OCSP Stapling, so the server delivers the revocation status with the handshake instead of every client contacting the CA

Apache

SSLUseStapling on

SSLStaplingCache "shmcb:logs/stapling_cache(128000)"

Nginx

ssl_stapling on;

resolver 192.0.2.1;

In Apache the SSLStaplingCache directive belongs in the server context, outside any VirtualHost; in Nginx the resolver is needed because the server itself must fetch the OCSP response from the CA.

Page 26: The Snowden revelations - Lessons and Recommendations

From 12 822 SSL sites ((www.)domain.com)

HTTP Strict-Transport-Security: Yes 1%, No 99%

Page 27: The Snowden revelations - Lessons and Recommendations

Improving Server Security

• Enable HTTP Strict-Transport-Security, so browsers that have seen the site once refuse to talk to it over plain HTTP for max-age seconds (here six months)

Apache

Header add Strict-Transport-Security "max-age=15768000"

Nginx

add_header Strict-Transport-Security max-age=15768000;

Send the header only on HTTPS responses (browsers ignore it over HTTP), and in Apache prefer Header always set so it is also sent on error responses.

Page 28: The Snowden revelations - Lessons and Recommendations

Check your configuration regularly

sslcheck.globalsign.com
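The hardening steps on the preceding slides (remove SSLv2/SSLv3, enforce a server-side cipher order with forward-secret suites first, enable OCSP stapling, send HSTS with a long max-age) can be checked statically before a deployment ever reaches an online scanner. The audit below is an added example, not GlobalSign's checker or any tool shown on the slides; it parses Apache and Nginx directives by name, expands Apache's All/+X/-X protocol syntax, and treats an OpenSSL cipher string as forward-secret-first when its first positive token selects ephemeral key exchange. The sample configurations are constructed for illustration, the Apache "All" expansion is assumed to cover the five versions on the slides, and the defaults used when a directive is missing are assumptions.

```python
"""Static audit of an Apache or Nginx TLS configuration against the points on
the preceding slides: SSLv2/SSLv3 disabled, server-enforced cipher order with
forward-secret suites first, OCSP stapling on, and HSTS with a long max-age.
Added example; not GlobalSign's checker. Sample configs are constructed."""
import re

KNOWN_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # versions on the slides
WEAK_VERSIONS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-string tokens that select ephemeral (EC)DH key exchange.
FS_PREFIXES = ("ECDHE", "EECDH", "EDH", "DHE")
HSTS_MIN_AGE = 15768000  # six months, the value the slides use


def _directive(text, name):
    """Arguments of the first `name` directive (case-insensitive), unquoted."""
    m = re.search(r"^\s*%s\s+([^\n;]+)" % re.escape(name), text, re.M | re.I)
    return m.group(1).strip().strip("\"'") if m else None


def enabled_protocols(spec, apache):
    """Expand a protocol directive into the set of enabled versions.
    Apache uses All, +X and -X tokens (All is assumed to mean every version in
    KNOWN_VERSIONS); Nginx simply lists the versions it enables."""
    enabled = set()
    for tok in spec.split():
        if apache and tok.lower() == "all":
            enabled |= set(KNOWN_VERSIONS)
        elif apache and tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def forward_secrecy_first(cipher_string):
    """True when the first positive token of an OpenSSL cipher string selects
    ephemeral key exchange, so a server honouring its own order prefers
    forward secrecy (a heuristic on the string syntax, not a full expansion)."""
    tokens = [t for t in cipher_string.split(":") if t and t[0] not in "!-"]
    return bool(tokens) and tokens[0].upper().startswith(FS_PREFIXES)


def audit(text, server):
    """Return findings for `server` in {"apache", "nginx"}; `issues` is empty
    when the configuration meets every point on the slides."""
    apache = server == "apache"
    if apache:
        spec = _directive(text, "SSLProtocol") or "All"  # assumed default
        order = (_directive(text, "SSLHonorCipherOrder") or "off").lower() == "on"
        ciphers = _directive(text, "SSLCipherSuite") or ""
        stapling = (_directive(text, "SSLUseStapling") or "off").lower() == "on"
    else:
        spec = _directive(text, "ssl_protocols") or "TLSv1 TLSv1.1 TLSv1.2"  # assumed default
        order = (_directive(text, "ssl_prefer_server_ciphers") or "off").lower() == "on"
        ciphers = _directive(text, "ssl_ciphers") or ""
        stapling = (_directive(text, "ssl_stapling") or "off").lower() == "on"
    hsts = re.search(r"Strict-Transport-Security\b.*?max-age=(\d+)", text, re.I)
    max_age = int(hsts.group(1)) if hsts else None

    protocols = enabled_protocols(spec, apache)
    issues = []
    weak = sorted(protocols & WEAK_VERSIONS)
    if weak:
        issues.append("legacy protocols enabled: " + ", ".join(weak))
    if not order:
        issues.append("client, not server, chooses the cipher suite")
    if not forward_secrecy_first(ciphers):
        issues.append("cipher preference does not put forward-secret suites first")
    if not stapling:
        issues.append("OCSP stapling disabled")
    if max_age is None:
        issues.append("no Strict-Transport-Security header")
    elif max_age < HSTS_MIN_AGE:
        issues.append("HSTS max-age below %d seconds" % HSTS_MIN_AGE)
    return {"protocols": protocols, "server_cipher_order": order,
            "forward_secrecy_first": forward_secrecy_first(ciphers),
            "ocsp_stapling": stapling, "hsts_max_age": max_age, "issues": issues}


# Constructed sample configurations: one weak default-style Nginx config and
# the hardened Nginx/Apache settings from the slides, completed with a full
# (assumed) cipher string in place of the slides' elided "...".
WEAK_NGINX = """
ssl_protocols SSLv3 TLSv1;
ssl_ciphers AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256;
"""

HARDENED_NGINX = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA:!aNULL:!eNULL:!MD5;
ssl_stapling on;
resolver 192.0.2.1;
add_header Strict-Transport-Security max-age=15768000;
"""

HARDENED_APACHE = """
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA:!aNULL:!eNULL:!MD5'
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
Header add Strict-Transport-Security "max-age=15768000"
"""

if __name__ == "__main__":
    for label, cfg, srv in [("weak nginx", WEAK_NGINX, "nginx"),
                            ("hardened nginx", HARDENED_NGINX, "nginx"),
                            ("hardened apache", HARDENED_APACHE, "apache")]:
        print(label, "->", audit(cfg, srv)["issues"] or ["ok"])
```

Run it against a real configuration by reading the file into `text` and calling `audit(text, "apache")` or `audit(text, "nginx")`; an empty `issues` list means every point on the slides is covered, but it says nothing about the certificate chain or the cipher suites the linked OpenSSL actually offers, so a live check such as sslcheck.globalsign.com is still needed.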

Page 29: The Snowden revelations - Lessons and Recommendations

Questions?