SlideShare une entreprise Scribd logo

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017

CASCouncil
CASCouncil

The web is moving towards a 100% Encrypted Web—but can we get it, right? Understanding the surge in use of https for malware and phishing, the renewed importance of revocation checking, the role of browser UI design in protecting users, the renewed importance of identity in TLS certificates, and the latest industry studies and initiatives for a safer Internet.

Technologie
1  sur  58
Télécharger pour lire hors ligne
SESSION ID:SESSION ID: #RSAC Kirk Hall 100% Encrypted Web New Challenges for TLS PDAC-W10 Dir Policy & Compliance, Certificate Services Entrust Datacard
#RSAC We are moving toward a 100% encrypted web – but can we get it right? We must leverage certificate identity data for greater user security
#RSAC We Will Discuss… 3 Types of Server Certificates Past and Present Browser UI Security Indicators Positive Developments in Encryption Negative Developments in Encryption Using Identity in Certificates as a Proxy for User Safety How Do We Get to a Common Browser UI That Leverages Identity? Next Steps
#RSAC Types of Server Certificates Digital Certificate Refresher
#RSAC Types of Server Certificates 5 Domain Validated (DV) – No identity information, just a confirmed domain
#RSAC Types of Server Certificates 6 Domain Validated (DV) Close Up: Sample Browser Treatment (Chrome):
#RSAC Types of Server Certificates 7 Organization Validated (OV) – Basic identity confirmation through simple vetting, confirmed customer contact using reliable third party data
#RSAC Types of Server Certificates 8 Organization Validated (OV) Close Up: Sample Browser Treatment (Chrome):
#RSAC Types of Server Certificates 9 Extended Validation (EV) – Strong identity confirmation through extensive vetting using reliable third party data, and government registries
#RSAC Types of Server Certificates 10 Extended Validation (EV) Close Up: Sample Browser Treatment (Internet Explorer):
#RSAC Past and Present Browser UI Security Indicators
#RSAC Past and Present Browser UI Security Indicators 12 1995-2001: Organization Validation (OV) only; two UI security states 2001-2007: Domain Validated (DV) added as alternative to OV; still only two security UI states – no differentiation between DV and OV
#RSAC Past and Present Browser UI Security Indicators 13 2007-Present: Extended Validation (EV) added as alternative to DV and OV Four security UI states, including “problem” state; still no differentiation between DV and OV
#RSAC Positive Developments in Encryption
#RSAC Positive Developments in Encryption 15 Rapid move to encryption – Web now over 50% encrypted Browsers mandating encryption in stages – otherwise receive negative browser UI – “https://” becoming the new normal Encrypted sites receive higher SEO rankings Automated certificate issuance and installation – Boulder, ACME, Certbot – make it easy for small users Free DV certificate services – Let’s Encrypt and others – encourage websites to try it out The PCI Security Standards Council recommends the use of OV/EV certs as part of the Best Practices for Safe E-Commerce Source: https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf
#RSAC Positive Developments in Encryption 16 Encryption is increasing rapidly – now over 50%
#RSAC Positive Developments in Encryption 17 But what good is encryption if you don’t know who you’re talking to…?
#RSAC Negative Developments in Encryption
#RSAC Negative Developments in Encryption 19 Malware exploits are moving to encryption and are harder to block RISING USE OF ENCRYPTION GIVES MALWARE A PERFECT PLACE TO HIDE “Nearly half of cyber-attacks this year have used malware hidden in encrypted traffic to evade detection. In an ironic twist, A10 Networks has announced the results of an international study *** revealing that the risk to financial services, healthcare and other industries stems from growing reliance on encryption technology. A growing number of organizations are turning to encryption to keep their network data safe. But SSL encryption not only hides data traffic from would-be hackers, but also from common security tools.” Source: http://www.infosecurity-magazine.com/news/rising-use-of-encryption-gives/
#RSAC Negative Developments in Encryption 20 DV certificates are now the default choice for fraudsters – “look-alike” names, anonymity, free, the padlock, no UI warnings:
#RSAC Negative Developments in Encryption 21 CERTIFICATE AUTHORITIES ISSUE SSL CERTIFICATES TO FRAUDSTERS “In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks. SSL certificates lend an additional air of authenticity to phishing sites, causing the victims' browsers to display a padlock icon to indicate a secure connection. Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com ***, ssl-paypai-inc.com ***, and paypwil.com***.” Source: http://news.netcraft.com/archives/2015/10/12/certificate-authorities-issue-hundreds-of-deceptive-ssl-certificates-to-fraudsters.html
#RSAC Negative Developments in Encryption 22 Many browsers no longer do effective revocation checking CONCLUDING DISCUSSION “Overall, our results show that, in today's Web's PKI, there is extensive inaction with respect to certificate revocation. While many certificates are revoked (over 8% of fresh certificates and almost 1% of alive certificates), many web browsers either fail to check certificate revocation information or soft-fail by accepting a certificate if revocation information is unavailable.” Source: https://web.stanford.edu/~aschulm/docs/imc15-revocation.pdf
#RSAC Negative Developments in Encryption 23 Some CAs no longer do certificate revocation for encrypted malware sites Let’s Encrypt believes that “CAs make poor content watchdogs,” and even though phishing and malware sites are bad “we’re not sure that certificate issuance (at least for Domain Validation) is the right level on which to be policing phishing and malware sites in 2015.” So Let’s Encrypt will not revoke for phishing or fraud. “Treating a DV certificate as a kind of ‘seal of approval’ for a site’s content is problematic for several reasons,” including that CAs are not well-positioned to operate anti-phishing and anti-malware operations and would do better to leave those actions to the browser website filters. Source: https://letsencrypt.org/2015/10/29/phishing-and-malware.html
#RSAC Negative Developments in Encryption 24 Users assume all encrypted sites with padlocks are “safe” sites: “The biggest problem with [the display of DV certificates in the browser UI] is that it democratizes access to https for any website. Yes, on the surface, this should in fact be a positive thing that we're celebrating. Unfortunately human nature comes into play here. When most people (non-geeks/non-IT) see https, immediate and unwavering trust is implied. “Even though [DV certificates are] merely providing encryption for your website, most people visiting it will give it the same level of trust as websites with the "green bar" https (Extended Domain Validation), which includes the company name next to the padlock in the address bar.” Fraudsters also sprinkle static “padlocks” all over the page to fool users. Source: http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html
#RSAC What About Browser Website Filters? 25 Browser website filters expand, but are not a complete solution for user safety – thousands of bad sites are not included Microsoft SmartScreen problems: Only protects users in Windows Users can’t report phishing URLs – must visit bad site first to report, click on button SmartScreen filters can be bypassed by fraudster email / click-throughs to bad site Google Safe Browsing: Only works on Google search results / Google properties Privacy issues – cookies, retains browsing records on same device Relies on proprietary Google algorithms, not transparent to users Both SmartScreen and Safe Browsing must be turned on to work Reactive systems –back to the ‘90s Like cops solving a crime after it happens – but not preventing the crime
#RSAC Many Bad Sites Missed by Browser Filters 26 [URLs modified for safety] Source: Comodo Valkyrie malware analysis system More phishing links: http://cdn.download.comodo.com/intelligence/ctrl-06-02-url.txt More malware file links: http://cdn.download.comodo.com/intelligence/ctrl-06-01-url.txt Thousands of Malware / Phishing sites not detected SmartScreen Safe Browsing usbbackup.com/cgi-biin/update.apple- id.com/4bebac1b93b057sjgurnm94a6b06c59b7/login.ph p 0760mly.com/js/wwwpaypalcom/IrelandPayPal/signing 38CountryIE/ieLogIn.html aggelopoulos.com/wp-content/uploads/2008/ 07/ www.paypal.com/beta.entab9387.net/wp- theme/image/img/DHL/tracking.php https://gallery.mailchimp.com/2724801a312bda1123d55 4199/files/Electronic_Shipping_Document.zip http://121.134.15.63/www.paypal.com/websc-login.php http://alfssp.net/www.confirm.paypal.com/websc- login.php http://aquaseryis.marag.pl/wp- includes/random_compat/apple.co.uk/ https://gallery.mailchimp.com/2724801a312bda1123d55 4199/files/Electronic_Shipping_Document.zip
#RSAC What more can be done? 27 So what more can we do to protect users in 100% encrypted environment…?
#RSAC Using Identity in Certificates as a Proxy for User Safety
#RSAC Confirming Identity – How It’s Done 29 Organization Vetting (OV) Find the customer in a reliable third party database, such as Dun & Bradstreet or Hoover’s Call the customer representative through a number found on the third party data source, confirm order is legitimate: +1-425-882-8080 for Microsoft Confirm domain ownership or control (using CA/Browser Forum Methods)
#RSAC Confirming Identity – How It’s Done 30 Extended Validation Vetting (EV) – All that and more: Confirm active status of corporation with government agency Check authority of customer rep with company HR Department Check against blacklists, prohibited lists, etc.
#RSAC What’s the Problem With Current Browser UIs? 31 No consistency among browser UIs as to four states: unencrypted, DV, OV, and EV Individual browsers frequently change their own UI, users can’t keep up Adding array of other warnings to UI (minor problems, major problems) that the average user doesn’t understand Most mobile devices don’t even show any symbol for encryption As a result, users are confused about how to read browser UIs TAKE A LOOK…
#RSAC What Does This Mean? Universal - “STOP!” 32
#RSAC What if “Stop” Signs Were Always Changing? 33 That’s what browser UI security indicators have done – user confusion!
#RSAC What Does Any of This Mean? What a Mess! 34 Source: Rethinking Connection Security Indicators, https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf
#RSAC More Examples of Confusing Browser UIs 35 Source: CA Security Council (CASC)
#RSAC Plus, What Do All These Warnings Mean? 36 Source: CA Security Council (CASC)
#RSAC Help Is On The Way! …Or is it? 37 June 2016 Google UI paper proposed standardizing around only three security states – but basically a binary, two-state “secure/not secure” UI. Plus, EV UI may be disappearing:
#RSAC Google Binary UI Proposal 38 Good: Bad: No more EV? DV, OV, EV all the same?
#RSAC Here’s What This Can Mean Phishing site: paypal.com.summary-spport.com Here’s how it looks as an http site today – just a gray circle-i: Soon, Chrome will treat http sites as “Not Secure”:
#RSAC Phishers will move to DV certs for “Secure” UI Phishing site: paypal.com.summary-spport.com gets anonymous, free DV cert: Chrome gives “Secure” https browser UI to phishing site:
#RSAC Is This the Future? If EV green bar display is lost in Chrome, and real and phishing PayPal Login pages look the same (“Secure”) – Can’t tell the difference!
#RSAC 2016 Study – https alone no longer effective for anti-phishing, EV indicators can be improved “In the past, HTTPS was viewed as a sign of website trustworthiness; getting a valid HTTPS certificate was too difficult for typical phishing websites. *** Subsequently, HTTPS has ceased to be a useful signal for identifying phishing websites because it is no longer unusual to find malicious websites that support HTTPS. *** “EV is an anti-phishing defense, although its use is limited by lack of support from popular websites and some major mobile browsers. All major desktop browsers display EV information, but some mobile browsers (including Chrome and Opera for Android) do not display EV information. Older literature suggests that EV indicators may need improvement. *** Improving EV indicators are out of scope for our current work.” Source: Rethinking Connection Security Indicators, https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf
#RSAC Chain of Logic 43 Browsers are pushing website owners to 100% encryption (good) Fraudsters are rushing to free DV certs to hide (bad) DV certs are free, allow anonymity, no identity, no recourse OV and EV certs include identity, allow recourse – almost no fraud or phishing has been recorded for OV, none for EV But, users can’t tell the difference between DV and OV certs – both receive the same UI in the browsers; EV may be downgraded to same level as DV and OV by Chrome in future release Conclusion: We are wasting valuable identity information already inside OV and EV certs – should use as a proxy for user safety
#RSAC Let’s Use the Data We Already Have There is so much identity data in certificates today – but most of it’s hidden Why aren’t we using identity data to block phishing and malware sites? Source: Frost and Sullivan 2016 Data Type Number (000s) Percent Combined DV 7,503 75% OV 2,353 24% 25% EV 243 1%
#RSAC How Do We Get to a Common Browser UI That Leverages Identity?
#RSAC Five Principles of TLS Certificate Identity 46 First, adopt the Five Principles of TLS Certificate Identity: 1. Identity in TLS server certs should be used by browsers as a proxy for greater user safety 2. CAs should vet their customers to the highest identity level possible 3. OV certs should receive their own browser UI different from DV certs to show user safety 4. EV certs should continue to receive a separate browser UI from OV and DV certs to show greater user safety 5. Browsers should agree on common UI security indicators, avoid changes to UI, and work with others to educate users about the meaning of the common UI security indicators for greater user safety.
#RSAC Here’s Who Has Endorsed the Five Principles 47 Current endorsers of the Five Principles of TLS Certificate Identity and adoption of a new “Universal” browser UI: More CA endorsers to come…
#RSAC Do website owners care about identity? You bet they do! (No one asked them before…) PUBLIC ENDORSEMENT OF WEBSITE IDENTITY PRINCIPLES We, the undersigned organizations, strongly support the display of website identity for user security, and we specifically endorse the following website identity principles: 1. Website identity is important for user security. 2. TLS certificate types that are used to secure websites – Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) certificates – should each receive a distinct, clearly-defined browser UI security indicator showing users when a website’s identity has been independently confirmed. 3. Browsers should adopt a common set of browser UI security indicators for each certificate type, and should educate users on what the differences are to promote user security. The following enterprises endorse these Website Identity Principles:
#RSAC Website owners who support Website Identity Principles Source: Comodo and Entrust Datacard Plus many more enterprise endorsers! Sign up to support the Website Identity Principles at CASC site: casecurity.org/identity
#RSAC Adopt a “Universal” UI for all Browsers 50 Here is a proposal that would work for desktop and mobile environments. This is just a starting point for discussion… Design by: Chris Bailey
#RSAC Obstacles and Responses to “Universal” UI 51 “Users don’t understand the difference among DV, OV, and EV” Response: That’s because browsers keep changing UIs, and there’s no user education = user confusion “OV vetting isn’t rigorous enough for its own UI” Response: CAs standardized OV vetting in 2012, and can strengthen further “We browsers will decide safety for our users – maybe just a binary UI” Google approach – but totally wastes available identity information in certs “It’s too hard to transition from current DV/OV single UI to new OV UI” Response: announce a year ahead – customers will migrate to OV to get the better UI
#RSAC User Education will be Based on Cert Guidelines 52 To help develop user education, start by defining when to use each type of certificate:
#RSAC How Do We Educate Users on the New UI? 53 Here’s the simple message for users: “Look for the warnings” and insist on encryption as a minimum requirement (i.e., follow the browser warnings to avoid http, broken https) “Look for the padlock in the address bar” (OV or EV) before providing any personal information (password, credit card number) to a website “Look for the green bar” (EV) for high security transactions, such as banking or health care matters We successfully trained users to look for a padlock ten years ago – we can train them again with new, common UI security indicators
#RSAC Next Steps
#RSAC Next Steps for User Security 55 Browsers should collaborate and adopt a common “Universal” UI Browsers should announce a transition date to new Universal UI Padlock will disappear for DV, which will become the new “normal” state OV certs will receive a new, distinct UI symbol EV certs will continue with an enhanced EV UI symbol Start an education program to prepare users, website owners CAs should work on strengthening OV vetting, improved common standards Collect and respond to data on the use of certs by fraudsters (DV, OV, EV) RESULT: a safer Internet for users within 1-2 years; fraud prevention
#RSAC Summary 56 Fraudsters are moving to DV certificates Fraudsters hate identity – they avoid OV and EV certificates Therefore, OV and EV certs (25% of sites) represent much safer sites for users – prevent crime On this basis, OV and EV certs deserve their own distinct browser UIs for user safety DON’T eliminate EV UI, DON’T create binary UI of “secure” vs. “not secure”- that hides identity Browsers should work together to create a common Universal UI All should work together to educate users on the new Universal UI
#RSAC Thank you! Questions? Download White Paper “Use of Identity in SSL-TLS Certs for User Safety” and sign petition at: casecurity.org/identity
#RSAC The First Draft of a “Universal” UI Design by: Chris Bailey

Recommandé

New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebCASCouncil
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
Server-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityServer-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityDavid Freeman
 
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and AbuseData Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and AbuseDavid Freeman
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core SecurityOWASP
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSDeploy360 Programme (Internet Society)
 

Recommandé

New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebCASCouncil
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
Server-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityServer-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityDavid Freeman
 
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and AbuseData Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and AbuseDavid Freeman
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core SecurityOWASP
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSDeploy360 Programme (Internet Society)
 
How does ssl work
How does ssl workHow does ssl work
How does ssl workDana Tierney
 
A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment Victor Oluwajuwon Badejo
 
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsWeak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsOilPriceInformationService
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101OWASP
 
Web security presentation
Web security presentationWeb security presentation
Web security presentationJohn Staveley
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersAndrey Apuhtin
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security RightPhilippe De Ryck
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoVictor Oluwajuwon Badejo
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSSOWASP
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachSarah R. Dowlath
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceSmart Coders
 
Recover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyRecover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyPriyanka Aash
 
Unified log-meetup-20160420
Unified log-meetup-20160420Unified log-meetup-20160420
Unified log-meetup-20160420Oli Deakin
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...Robert Parker
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
 
Kubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковKubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковAvitoTech
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Automation and ansible
Automation and ansibleAutomation and ansible
Automation and ansibleBoaventura Rodrigues Neto
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5Irsandi Hasan
 
Docker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanDocker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanjbminn
 
oyene safety cv
oyene safety cvoyene safety cv
oyene safety cvoyene zacharias abiranyah
 

Contenu connexe

Tendances

A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment Victor Oluwajuwon Badejo
 
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsWeak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsOilPriceInformationService
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101OWASP
 
Web security presentation
Web security presentationWeb security presentation
Web security presentationJohn Staveley
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersAndrey Apuhtin
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security RightPhilippe De Ryck
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSSOWASP
 

Tendances (9)

How does ssl work
How does ssl workHow does ssl work
How does ssl work
 
A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment
 
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsWeak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101
 
Web security presentation
Web security presentationWeb security presentation
Web security presentation
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggers
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security Right
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & Co
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
 

En vedette

Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachSarah R. Dowlath
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceSmart Coders
 
Recover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyRecover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyPriyanka Aash
 
Unified log-meetup-20160420
Unified log-meetup-20160420Unified log-meetup-20160420
Unified log-meetup-20160420Oli Deakin
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...Robert Parker
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
 
Kubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковKubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковAvitoTech
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5Irsandi Hasan
 
Docker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanDocker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanjbminn
 
Miten markkinoinnin automaation käyttöönotto aloitti tekijöitään suuremman mu...
Miten markkinoinnin automaation käyttöönotto aloitti tekijöitään suuremman mu...Miten markkinoinnin automaation käyttöönotto aloitti tekijöitään suuremman mu...
Miten markkinoinnin automaation käyttöönotto aloitti tekijöitään suuremman mu...Tarja Röytiö
 
1.1.7 Система огнестойких проходок Vulcan
1.1.7 Система огнестойких проходок Vulcan1.1.7 Система огнестойких проходок Vulcan
1.1.7 Система огнестойких проходок VulcanIgor Golovin
 
Betaleadership De Gestores de Recursos Humanos a Makers de Interacciones Humanas
Betaleadership De Gestores de Recursos Humanos a Makers de Interacciones HumanasBetaleadership De Gestores de Recursos Humanos a Makers de Interacciones Humanas
Betaleadership De Gestores de Recursos Humanos a Makers de Interacciones HumanasSylvain Loubradou
 
1.1.9 Система Angara и дренажные трубы
1.1.9 Система Angara и дренажные трубы 1.1.9 Система Angara и дренажные трубы
1.1.9 Система Angara и дренажные трубы Igor Golovin
 
Auto del Tribunal Supremo. Sala Cuarta.
Auto del Tribunal Supremo. Sala Cuarta.Auto del Tribunal Supremo. Sala Cuarta.
Auto del Tribunal Supremo. Sala Cuarta.Juan Segura Aguiló
 

En vedette (20)

Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approach
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a service
 
Recover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyRecover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecy
 
Unified log-meetup-20160420
Unified log-meetup-20160420Unified log-meetup-20160420
Unified log-meetup-20160420
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxying
 
Kubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковKubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений Ольков
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
Automation and ansible
Automation and ansibleAutomation and ansible
Automation and ansible
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5
 
Docker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanDocker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihan
 
oyene safety cv
oyene safety cvoyene safety cv
oyene safety cv
 
Miten markkinoinnin automaation käyttöönotto aloitti tekijöitään suuremman mu...
Miten markkinoinnin automaation käyttöönotto aloitti tekijöitään suuremman mu...Miten markkinoinnin automaation käyttöönotto aloitti tekijöitään suuremman mu...
Miten markkinoinnin automaation käyttöönotto aloitti tekijöitään suuremman mu...
 
1.1.7 Система огнестойких проходок Vulcan
1.1.7 Система огнестойких проходок Vulcan1.1.7 Система огнестойких проходок Vulcan
1.1.7 Система огнестойких проходок Vulcan
 
Betaleadership De Gestores de Recursos Humanos a Makers de Interacciones Humanas
Betaleadership De Gestores de Recursos Humanos a Makers de Interacciones HumanasBetaleadership De Gestores de Recursos Humanos a Makers de Interacciones Humanas
Betaleadership De Gestores de Recursos Humanos a Makers de Interacciones Humanas
 
Brochure eventos Spiwak
Brochure eventos SpiwakBrochure eventos Spiwak
Brochure eventos Spiwak
 
1.1.9 Система Angara и дренажные трубы
1.1.9 Система Angara и дренажные трубы 1.1.9 Система Angara и дренажные трубы
1.1.9 Система Angara и дренажные трубы
 
Auto del Tribunal Supremo. Sala Cuarta.
Auto del Tribunal Supremo. Sala Cuarta.Auto del Tribunal Supremo. Sala Cuarta.
Auto del Tribunal Supremo. Sala Cuarta.
 
Active Procrastination
Active ProcrastinationActive Procrastination
Active Procrastination
 

Similaire à 100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017

DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!Priyanka Aash
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!Mike Schwartz
 
Cheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials funCheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials funSSIMeetup
 
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Siena Perry
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL CertificateA Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL CertificateRapidSSLOnline.com
 
Thawte EV SSL: A New Revolution for Trust
Thawte EV SSL: A New Revolution for TrustThawte EV SSL: A New Revolution for Trust
Thawte EV SSL: A New Revolution for TrustRapidSSLOnline.com
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Website Security Certification The Key to Keeping Your Website Safe
Website Security Certification The Key to Keeping Your Website SafeWebsite Security Certification The Key to Keeping Your Website Safe
Website Security Certification The Key to Keeping Your Website SafePixlogix Infotech
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 
Reducing Fraud with the Right SSL Certificate in E-Commerce
Reducing Fraud with the Right SSL Certificate in E-CommerceReducing Fraud with the Right SSL Certificate in E-Commerce
Reducing Fraud with the Right SSL Certificate in E-CommerceRapidSSLOnline.com
 
Hack miami emiliocasbas
Hack miami emiliocasbasHack miami emiliocasbas
Hack miami emiliocasbasEmilio Casbas
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Adwebtech ssl presentation_beyond_https
Adwebtech ssl presentation_beyond_httpsAdwebtech ssl presentation_beyond_https
Adwebtech ssl presentation_beyond_httpsAnju Gigoo
 
Symantec-CWS_Brochure
Symantec-CWS_BrochureSymantec-CWS_Brochure
Symantec-CWS_BrochureJustyna Majek
 
Hidden Dangers Lurking in E-Commerce and Reducing Fraud with the Right SSL Ce...
Hidden Dangers Lurking in E-Commerce and Reducing Fraud with the Right SSL Ce...Hidden Dangers Lurking in E-Commerce and Reducing Fraud with the Right SSL Ce...
Hidden Dangers Lurking in E-Commerce and Reducing Fraud with the Right SSL Ce...CheapSSLsecurity
 

Similaire à 100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017 (20)

DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
 
Cheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials funCheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials fun
 
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL CertificateA Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate
 
Thawte EV SSL: A New Revolution for Trust
Thawte EV SSL: A New Revolution for TrustThawte EV SSL: A New Revolution for Trust
Thawte EV SSL: A New Revolution for Trust
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Website Security Certification The Key to Keeping Your Website Safe
Website Security Certification The Key to Keeping Your Website SafeWebsite Security Certification The Key to Keeping Your Website Safe
Website Security Certification The Key to Keeping Your Website Safe
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Reducing Fraud with the Right SSL Certificate in E-Commerce
Reducing Fraud with the Right SSL Certificate in E-CommerceReducing Fraud with the Right SSL Certificate in E-Commerce
Reducing Fraud with the Right SSL Certificate in E-Commerce
 
Hack miami emiliocasbas
Hack miami emiliocasbasHack miami emiliocasbas
Hack miami emiliocasbas
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Adwebtech ssl presentation_beyond_https
Adwebtech ssl presentation_beyond_httpsAdwebtech ssl presentation_beyond_https
Adwebtech ssl presentation_beyond_https
 
Symantec-CWS_Brochure
Symantec-CWS_BrochureSymantec-CWS_Brochure
Symantec-CWS_Brochure
 
Hidden Dangers Lurking in E-Commerce and Reducing Fraud with the Right SSL Ce...
Hidden Dangers Lurking in E-Commerce and Reducing Fraud with the Right SSL Ce...Hidden Dangers Lurking in E-Commerce and Reducing Fraud with the Right SSL Ce...
Hidden Dangers Lurking in E-Commerce and Reducing Fraud with the Right SSL Ce...
 
Tech t18
Tech t18Tech t18
Tech t18
 

Plus de CASCouncil

Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?CASCouncil
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowCASCouncil
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor RollCASCouncil
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebCASCouncil
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CASCouncil
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumCASCouncil
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds TrustCASCouncil
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebCASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements CASCouncil
 
State of the Web
State of the WebState of the Web
State of the WebCASCouncil
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesCASCouncil
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!CASCouncil
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCASCouncil
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self RegulationCASCouncil
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of OpportunityCASCouncil
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI CASCouncil
 

Plus de CASCouncil (20)

Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to know
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
 
State of the Web
State of the WebState of the Web
State of the Web
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory Processes
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm Shift
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI
 

Dernier

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017

  • 1. SESSION ID:SESSION ID: #RSAC Kirk Hall 100% Encrypted Web New Challenges for TLS PDAC-W10 Dir Policy & Compliance, Certificate Services Entrust Datacard
  • 2. #RSAC We are moving toward a 100% encrypted web – but can we get it right? We must leverage certificate identity data for greater user security
  • 3. #RSAC We Will Discuss… 3 Types of Server Certificates Past and Present Browser UI Security Indicators Positive Developments in Encryption Negative Developments in Encryption Using Identity in Certificates as a Proxy for User Safety How Do We Get to a Common Browser UI That Leverages Identity? Next Steps
  • 4. #RSAC Types of Server Certificates Digital Certificate Refresher
  • 5. #RSAC Types of Server Certificates 5 Domain Validated (DV) – No identity information, just a confirmed domain
  • 6. #RSAC Types of Server Certificates 6 Domain Validated (DV) Close Up: Sample Browser Treatment (Chrome):
  • 7. #RSAC Types of Server Certificates 7 Organization Validated (OV) – Basic identity confirmation through simple vetting, confirmed customer contact using reliable third party data
  • 8. #RSAC Types of Server Certificates 8 Organization Validated (OV) Close Up: Sample Browser Treatment (Chrome):
  • 9. #RSAC Types of Server Certificates 9 Extended Validation (EV) – Strong identity confirmation through extensive vetting using reliable third party data, and government registries
  • 10. #RSAC Types of Server Certificates 10 Extended Validation (EV) Close Up: Sample Browser Treatment (Internet Explorer):
  • 11. #RSAC Past and Present Browser UI Security Indicators
  • 12. #RSAC Past and Present Browser UI Security Indicators 12 1995-2001: Organization Validation (OV) only; two UI security states 2001-2007: Domain Validated (DV) added as alternative to OV; still only two security UI states – no differentiation between DV and OV
  • 13. #RSAC Past and Present Browser UI Security Indicators 13 2007-Present: Extended Validation (EV) added as alternative to DV and OV Four security UI states, including “problem” state; still no differentiation between DV and OV
  • 15. #RSAC Positive Developments in Encryption 15 Rapid move to encryption – Web now over 50% encrypted Browsers mandating encryption in stages – otherwise receive negative browser UI – “https://” becoming the new normal Encrypted sites receive higher SEO rankings Automated certificate issuance and installation – Boulder, ACME, Certbot – make it easy for small users Free DV certificate services – Let’s Encrypt and others – encourage websites to try it out The PCI Security Standards Council recommends the use of OV/EV certs as part of the Best Practices for Safe E-Commerce Source: https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf
  • 16. #RSAC Positive Developments in Encryption 16 Encryption is increasing rapidly – now over 50%
  • 17. #RSAC Positive Developments in Encryption 17 But what good is encryption if you don’t know who you’re talking to…?
  • 19. #RSAC Negative Developments in Encryption 19 Malware exploits are moving to encryption and are harder to block RISING USE OF ENCRYPTION GIVES MALWARE A PERFECT PLACE TO HIDE “Nearly half of cyber-attacks this year have used malware hidden in encrypted traffic to evade detection. In an ironic twist, A10 Networks has announced the results of an international study *** revealing that the risk to financial services, healthcare and other industries stems from growing reliance on encryption technology. A growing number of organizations are turning to encryption to keep their network data safe. But SSL encryption not only hides data traffic from would-be hackers, but also from common security tools.” Source: http://www.infosecurity-magazine.com/news/rising-use-of-encryption-gives/
  • 20. #RSAC Negative Developments in Encryption 20 DV certificates are now the default choice for fraudsters – “look-alike” names, anonymity, free, the padlock, no UI warnings:
  • 21. #RSAC Negative Developments in Encryption 21 CERTIFICATE AUTHORITIES ISSUE SSL CERTIFICATES TO FRAUDSTERS “In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks. SSL certificates lend an additional air of authenticity to phishing sites, causing the victims' browsers to display a padlock icon to indicate a secure connection. Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com ***, ssl-paypai-inc.com ***, and paypwil.com***.” Source: http://news.netcraft.com/archives/2015/10/12/certificate-authorities-issue-hundreds-of-deceptive-ssl-certificates-to-fraudsters.html
  • 22. #RSAC Negative Developments in Encryption 22 Many browsers no longer do effective revocation checking CONCLUDING DISCUSSION “Overall, our results show that, in today's Web's PKI, there is extensive inaction with respect to certificate revocation. While many certificates are revoked (over 8% of fresh certificates and almost 1% of alive certificates), many web browsers either fail to check certificate revocation information or soft-fail by accepting a certificate if revocation information is unavailable.” Source: https://web.stanford.edu/~aschulm/docs/imc15-revocation.pdf
  • 23. #RSAC Negative Developments in Encryption 23 Some CAs no longer do certificate revocation for encrypted malware sites Let’s Encrypt believes that “CAs make poor content watchdogs,” and even though phishing and malware sites are bad “we’re not sure that certificate issuance (at least for Domain Validation) is the right level on which to be policing phishing and malware sites in 2015.” So Let’s Encrypt will not revoke for phishing or fraud. “Treating a DV certificate as a kind of ‘seal of approval’ for a site’s content is problematic for several reasons,” including that CAs are not well-positioned to operate anti-phishing and anti-malware operations and would do better to leave those actions to the browser website filters. Source: https://letsencrypt.org/2015/10/29/phishing-and-malware.html
  • 24. #RSAC Negative Developments in Encryption 24 Users assume all encrypted sites with padlocks are “safe” sites: “The biggest problem with [the display of DV certificates in the browser UI] is that it democratizes access to https for any website. Yes, on the surface, this should in fact be a positive thing that we're celebrating. Unfortunately human nature comes into play here. When most people (non-geeks/non-IT) see https, immediate and unwavering trust is implied. “Even though [DV certificates are] merely providing encryption for your website, most people visiting it will give it the same level of trust as websites with the "green bar" https (Extended Domain Validation), which includes the company name next to the padlock in the address bar.” Fraudsters also sprinkle static “padlocks” all over the page to fool users. Source: http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html
  • 25. #RSAC What About Browser Website Filters? 25 Browser website filters expand, but are not a complete solution for user safety – thousands of bad sites are not included Microsoft SmartScreen problems: Only protects users in Windows Users can’t report phishing URLs – must visit bad site first to report, click on button SmartScreen filters can be bypassed by fraudster email / click-throughs to bad site Google Safe Browsing: Only works on Google search results / Google properties Privacy issues – cookies, retains browsing records on same device Relies on proprietary Google algorithms, not transparent to users Both SmartScreen and Safe Browsing must be turned on to work Reactive systems –back to the ‘90s Like cops solving a crime after it happens – but not preventing the crime
  • 26. #RSAC Many Bad Sites Missed by Browser Filters 26 [URLs modified for safety] Source: Comodo Valkyrie malware analysis system More phishing links: http://cdn.download.comodo.com/intelligence/ctrl-06-02-url.txt More malware file links: http://cdn.download.comodo.com/intelligence/ctrl-06-01-url.txt Thousands of Malware / Phishing sites not detected SmartScreen Safe Browsing usbbackup.com/cgi-biin/update.apple- id.com/4bebac1b93b057sjgurnm94a6b06c59b7/login.ph p 0760mly.com/js/wwwpaypalcom/IrelandPayPal/signing 38CountryIE/ieLogIn.html aggelopoulos.com/wp-content/uploads/2008/ 07/ www.paypal.com/beta.entab9387.net/wp- theme/image/img/DHL/tracking.php https://gallery.mailchimp.com/2724801a312bda1123d55 4199/files/Electronic_Shipping_Document.zip http://121.134.15.63/www.paypal.com/websc-login.php http://alfssp.net/www.confirm.paypal.com/websc- login.php http://aquaseryis.marag.pl/wp- includes/random_compat/apple.co.uk/ https://gallery.mailchimp.com/2724801a312bda1123d55 4199/files/Electronic_Shipping_Document.zip
  • 27. #RSAC What more can be done? 27 So what more can we do to protect users in 100% encrypted environment…?
  • 28. #RSAC Using Identity in Certificates as a Proxy for User Safety
  • 29. #RSAC Confirming Identity – How It’s Done 29 Organization Vetting (OV) Find the customer in a reliable third party database, such as Dun & Bradstreet or Hoover’s Call the customer representative through a number found on the third party data source, confirm order is legitimate: +1-425-882-8080 for Microsoft Confirm domain ownership or control (using CA/Browser Forum Methods)
  • 30. #RSAC Confirming Identity – How It’s Done 30 Extended Validation Vetting (EV) – All that and more: Confirm active status of corporation with government agency Check authority of customer rep with company HR Department Check against blacklists, prohibited lists, etc.
  • 31. #RSAC What’s the Problem With Current Browser UIs? 31 No consistency among browser UIs as to four states: unencrypted, DV, OV, and EV Individual browsers frequently change their own UI, users can’t keep up Adding array of other warnings to UI (minor problems, major problems) that the average user doesn’t understand Most mobile devices don’t even show any symbol for encryption As a result, users are confused about how to read browser UIs TAKE A LOOK…
  • 32. #RSAC What Does This Mean? Universal - “STOP!” 32
  • 33. #RSAC What if “Stop” Signs Were Always Changing? 33 That’s what browser UI security indicators have done – user confusion!
  • 34. #RSAC What Does Any of This Mean? What a Mess! 34 Source: Rethinking Connection Security Indicators, https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf
  • 35. #RSAC More Examples of Confusing Browser UIs 35 Source: CA Security Council (CASC)
  • 36. #RSAC Plus, What Do All These Warnings Mean? 36 Source: CA Security Council (CASC)
  • 37. #RSAC Help Is On The Way! …Or is it? 37 June 2016 Google UI paper proposed standardizing around only three security states – but basically a binary, two-state “secure/not secure” UI. Plus, EV UI may be disappearing:
  • 38. #RSAC Google Binary UI Proposal 38 Good: Bad: No more EV? DV, OV, EV all the same?
  • 39. #RSAC Here’s What This Can Mean Phishing site: paypal.com.summary-spport.com Here’s how it looks as an http site today – just a gray circle-i: Soon, Chrome will treat http sites as “Not Secure”:
  • 40. #RSAC Phishers will move to DV certs for “Secure” UI Phishing site: paypal.com.summary-spport.com gets anonymous, free DV cert: Chrome gives “Secure” https browser UI to phishing site:
  • 41. #RSAC Is This the Future? If EV green bar display is lost in Chrome, and real and phishing PayPal Login pages look the same (“Secure”) – Can’t tell the difference!
  • 42. #RSAC 2016 Study – https alone no longer effective for anti-phishing, EV indicators can be improved “In the past, HTTPS was viewed as a sign of website trustworthiness; getting a valid HTTPS certificate was too difficult for typical phishing websites. *** Subsequently, HTTPS has ceased to be a useful signal for identifying phishing websites because it is no longer unusual to find malicious websites that support HTTPS. *** “EV is an anti-phishing defense, although its use is limited by lack of support from popular websites and some major mobile browsers. All major desktop browsers display EV information, but some mobile browsers (including Chrome and Opera for Android) do not display EV information. Older literature suggests that EV indicators may need improvement. *** Improving EV indicators are out of scope for our current work.” Source: Rethinking Connection Security Indicators, https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf
  • 43. #RSAC Chain of Logic 43 Browsers are pushing website owners to 100% encryption (good) Fraudsters are rushing to free DV certs to hide (bad) DV certs are free, allow anonymity, no identity, no recourse OV and EV certs include identity, allow recourse – almost no fraud or phishing has been recorded for OV, none for EV But, users can’t tell the difference between DV and OV certs – both receive the same UI in the browsers; EV may be downgraded to same level as DV and OV by Chrome in future release Conclusion: We are wasting valuable identity information already inside OV and EV certs – should use as a proxy for user safety
  • 44. #RSAC Let’s Use the Data We Already Have There is so much identity data in certificates today – but most of it’s hidden Why aren’t we using identity data to block phishing and malware sites? Source: Frost and Sullivan 2016 Data Type Number (000s) Percent Combined DV 7,503 75% OV 2,353 24% 25% EV 243 1%
  • 45. #RSAC How Do We Get to a Common Browser UI That Leverages Identity?
  • 46. #RSAC Five Principles of TLS Certificate Identity 46 First, adopt the Five Principles of TLS Certificate Identity: 1. Identity in TLS server certs should be used by browsers as a proxy for greater user safety 2. CAs should vet their customers to the highest identity level possible 3. OV certs should receive their own browser UI different from DV certs to show user safety 4. EV certs should continue to receive a separate browser UI from OV and DV certs to show greater user safety 5. Browsers should agree on common UI security indicators, avoid changes to UI, and work with others to educate users about the meaning of the common UI security indicators for greater user safety.
  • 47. #RSAC Here’s Who Has Endorsed the Five Principles 47 Current endorsers of the Five Principles of TLS Certificate Identity and adoption of a new “Universal” browser UI: More CA endorsers to come…
  • 48. #RSAC Do website owners care about identity? You bet they do! (No one asked them before…) PUBLIC ENDORSEMENT OF WEBSITE IDENTITY PRINCIPLES We, the undersigned organizations, strongly support the display of website identity for user security, and we specifically endorse the following website identity principles: 1. Website identity is important for user security. 2. TLS certificate types that are used to secure websites – Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) certificates – should each receive a distinct, clearly-defined browser UI security indicator showing users when a website’s identity has been independently confirmed. 3. Browsers should adopt a common set of browser UI security indicators for each certificate type, and should educate users on what the differences are to promote user security. The following enterprises endorse these Website Identity Principles:
  • 49. #RSAC Website owners who support Website Identity Principles Source: Comodo and Entrust Datacard Plus many more enterprise endorsers! Sign up to support the Website Identity Principles at CASC site: casecurity.org/identity
  • 50. #RSAC Adopt a “Universal” UI for all Browsers 50 Here is a proposal that would work for desktop and mobile environments. This is just a starting point for discussion… Design by: Chris Bailey
  • 51. #RSAC Obstacles and Responses to “Universal” UI 51 “Users don’t understand the difference among DV, OV, and EV” Response: That’s because browsers keep changing UIs, and there’s no user education = user confusion “OV vetting isn’t rigorous enough for its own UI” Response: CAs standardized OV vetting in 2012, and can strengthen further “We browsers will decide safety for our users – maybe just a binary UI” Google approach – but totally wastes available identity information in certs “It’s too hard to transition from current DV/OV single UI to new OV UI” Response: announce a year ahead – customers will migrate to OV to get the better UI
  • 52. #RSAC User Education will be Based on Cert Guidelines 52 To help develop user education, start by defining when to use each type of certificate:
  • 53. #RSAC How Do We Educate Users on the New UI? 53 Here’s the simple message for users: “Look for the warnings” and insist on encryption as a minimum requirement (i.e., follow the browser warnings to avoid http, broken https) “Look for the padlock in the address bar” (OV or EV) before providing any personal information (password, credit card number) to a website “Look for the green bar” (EV) for high security transactions, such as banking or health care matters We successfully trained users to look for a padlock ten years ago – we can train them again with new, common UI security indicators
  • 55. #RSAC Next Steps for User Security 55 Browsers should collaborate and adopt a common “Universal” UI Browsers should announce a transition date to new Universal UI Padlock will disappear for DV, which will become the new “normal” state OV certs will receive a new, distinct UI symbol EV certs will continue with an enhanced EV UI symbol Start an education program to prepare users, website owners CAs should work on strengthening OV vetting, improved common standards Collect and respond to data on the use of certs by fraudsters (DV, OV, EV) RESULT: a safer Internet for users within 1-2 years; fraud prevention
  • 56. #RSAC Summary 56 Fraudsters are moving to DV certificates Fraudsters hate identity – they avoid OV and EV certificates Therefore, OV and EV certs (25% of sites) represent much safer sites for users – prevent crime On this basis, OV and EV certs deserve their own distinct browser UIs for user safety DON’T eliminate EV UI, DON’T create binary UI of “secure” vs. “not secure”- that hides identity Browsers should work together to create a common Universal UI All should work together to educate users on the new Universal UI
  • 57. #RSAC Thank you! Questions? Download White Paper “Use of Identity in SSL-TLS Certs for User Safety” and sign petition at: casecurity.org/identity
  • 58. #RSAC The First Draft of a “Universal” UI Design by: Chris Bailey