ION Sri Lanka - TLS for Network Operators
Uploaded by: deploy360-programme-internet-society
Transcript of ION Sri Lanka - TLS for Network Operators
www.internetsociety.org
Lock It Up: TLS for Network Operators
Chris Grundemann, Director, Deployment & Operationalization, Internet Society
TLS vs SSL
Secure Sockets Layer (SSL) originally developed by Netscape in the mid-1990s
"Transport Layer Security (TLS)" evolved from SSL 3.0, although "SSL" remains the commonly used term
TLS version 1.3 in active development:
• https://tools.ietf.org/html/draft-ietf-tls-tls13
• https://github.com/tlswg/tls13-spec
1/18/2015
1996 SSL 3.0 RFC 6101
1999 TLS 1.0 RFC 2246
2006 TLS 1.1 RFC 4346
2008 TLS 1.2 RFC 5246
2014/15? TLS 1.3 draft-ietf-tls-tls13
TLS – Not Just For Web Sites
TLS / SSL originally developed for web sites
Now widely used for many other services, including:
• Instant messaging
• File transfer
• Virtual Private Networks (VPNs)
• Voice over IP (VoIP)
• Custom applications
Snowden Revelations
Revelations by Edward Snowden in 2013 revealed a massive amount of surveillance and monitoring.
Prompted global concerns about the security and privacy of our data and of our communication sessions over the Internet.
Increased desire to see TLS used more widely across all applications and services.
RFC 7258 – IETF/IAB Response
http://tools.ietf.org/html/rfc7258
"Pervasive Monitoring Is An Attack"
Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.
Has prompted a security/privacy review across all areas of IETF. Expect to see changes over time across all the protocols used for communication on the Internet.
IETF Activity - UTA
New Working Group: UTA – Using TLS in Applications
• http://tools.ietf.org/wg/uta/
• Goals
• Update the definitions for using TLS over a set of representative application protocols. This includes communication with proxies, between servers, and between peers, where appropriate, in addition to client/server communication.
• Specify a set of best practices for TLS clients and servers, including but not limited to recommended versions of TLS, using forward secrecy, and one or more ciphersuites and extensions that are mandatory to implement.
• Consider, and possibly define, a standard way for an application client and server to use unauthenticated encryption through TLS when server and/or client authentication cannot be achieved.
• Create a document that helps application protocol developers use TLS in future application definitions.
IETF – Increased Activity Across Groups
Two examples:
TLS Working Group now defining TLS 1.3 and exploring other ways to secure TLS
• http://tools.ietf.org/wg/tls/
HTTPBIS Working Group defining more secure HTTP 2.0
• http://tools.ietf.org/wg/httpbis/
• will only work with https URLs
Other Reasons Customers May Request TLS
Ability to use SPDY protocol (requires TLS)
• https://en.wikipedia.org/wiki/SPDY
Improved Google search result ranking
• Deploy360 post: http://wp.me/p4eijv-5eJ
Other Efforts
On Sept 29, 2014, CloudFlare announced they would be giving TLS certificates to all customers for free.
Calling it "Universal SSL", this made 2+ million web sites TLS-encrypted in one action.
Similar actions to make TLS more accessible are being taken by other groups and organizations
Heartbleed and Poodle
Recent attacks have increased desire to strengthen TLS security
Heartbleed (April 2014) vulnerability in OpenSSL highlighted need for security reviews of common libraries – and also need for diversity in library usage
• http://heartbleed.com/
Poodle (September 2014) demonstrated need to completely deprecate usage of SSL v3.0
• https://www.openssl.org/~bodo/ssl-poodle.pdf
Outcome Of Activity By IETF And Other Groups
You WILL see increased usage of TLS across all applications
Example – Encrypt The Web report from EFF
• https://www.eff.org/encrypt-the-web-report
How Do You Help Your Customers?
If your customers are using more TLS for their applications, either by their own choice or because the service they are using is now using TLS, how do you help them make their connections over the Internet more secure?
1. Use TLS for your own services and systems
2. Allow TLS-encrypted sessions to flow through your network (i.e. don't block them or try to force them to downgrade to unencrypted connections)
3. Educate your customers about how they can move their own servers and services to support TLS
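Step 1 and step 3 both end with a server that is supposed to be speaking TLS correctly, and the slides on Heartbleed and Poodle tell you what "correctly" means in 2015: no SSLv3, and a certificate the client actually validates. The following is an added example (not code from the ION Sri Lanka talk or from the Internet Society) written with Python's standard `ssl` module. `make_client_context` builds a client that refuses SSLv3, TLS 1.0 and TLS 1.1 and insists on a validated certificate chain and a matching hostname; `context_policy` turns that into plain values you can assert on in a deployment check; `probe_tls` connects to a host you name on the command line (it needs network access) and reports what the server actually negotiated against that policy.

```python
import socket
import ssl

# Added example, not from the ION Sri Lanka slides: a hardened TLS client
# policy and a probe that reports what a server negotiates under it.


def make_client_context() -> ssl.SSLContext:
    """Client policy: validated CA chain, hostname match, and no SSLv3/TLS 1.0/TLS 1.1."""
    ctx = ssl.create_default_context()            # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # closes the SSLv3 fallback that POODLE relied on
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the checks a context enforces as plain values (easy to assert in a deployment test)."""
    return {
        "min_version": ctx.minimum_version.name,                  # e.g. "TLSv1_2"
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),    # SSLv3 is also masked at option level
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,    # unvalidated chains abort the handshake
        "hostname_checked": ctx.check_hostname,                   # cert must match the name we asked for
    }


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened policy and report the negotiated parameters (requires network)."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname sends SNI and is the name the certificate is checked against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # already validated by the context; empty dict only if unverified
            return {
                "protocol": tls.version(),                                   # e.g. "TLSv1.2"
                "cipher": tls.cipher()[0],                                   # negotiated suite name
                "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),    # who signed the server cert
                "not_after": cert.get("notAfter"),                           # expiry, for renewal checks
            }


if __name__ == "__main__":
    import sys

    print(context_policy(make_client_context()))
    if len(sys.argv) > 1:  # e.g. python tls_probe.py www.internetsociety.org
        print(probe_tls(sys.argv[1]))
```

A server that still offers only SSLv3 or presents a certificate for the wrong name fails the handshake here with an `ssl.SSLError` or `ssl.CertificateError` rather than silently connecting, which is exactly the behaviour you want a customer's clients to have once their services move to TLS.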
But what about….?
"Wait! If application developers run everything over TLS, all we will see are TLS-encrypted streams. We won't be able to see into the traffic and manage our network appropriately."
"We can't use wireshark!"
Unfortunately, the same monitoring capability used by network operators was abused by intelligence agencies and other attackers.
Momentum now is to close all these holes.
Network management must now assume TLS will be there.
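Assuming TLS is there does not mean seeing nothing: the ClientHello that opens every session is sent in the clear and tells an operator which name the client wants (SNI), the highest version it offers and the cipher suites it will accept, which is enough for capacity planning and for spotting clients still stuck on SSLv3. The following is an added example, not code from the ION Sri Lanka talk or from any network-monitoring product: a small parser for that first record. `build_client_hello` constructs sample ClientHello bytes (not captured traffic) so the parser can be exercised offline; `parse_client_hello` walks the record and handshake headers, the cipher suite list and the extensions, and flags a client whose maximum offered version is SSLv3.

```python
# Added example, not part of the ION Sri Lanka slides: parse the unencrypted
# ClientHello to see what TLS still exposes to the network without decryption.

VERSION_NAMES = {
    b"\x03\x00": "SSLv3",
    b"\x03\x01": "TLS 1.0",
    b"\x03\x02": "TLS 1.1",
    b"\x03\x03": "TLS 1.2",
}


def build_client_hello(server_name, client_version=b"\x03\x03",
                       cipher_suites=(0xC02F, 0xC030, 0x002F)):
    """Construct a minimal ClientHello record (sample input for the parser, not real traffic)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name_type host_name(0)
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 = server_name
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    suites = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    body = (client_version
            + bytes(32)                                    # client random (all zeros here)
            + b"\x00"                                      # empty session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00"                                  # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake(22)


def parse_client_hello(record):
    """Extract record/client versions, SNI and cipher suites from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    client_version = body[pos:pos + 2]; pos += 2   # highest version the client offers (pre-1.3 semantics)
    pos += 32                                      # client random
    pos += 1 + body[pos]                           # session id (length-prefixed)
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods (length-prefixed)

    sni = None
    if pos + 2 <= len(body):                       # extensions block is optional
        ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5:     # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = int.from_bytes(edata[3:5], "big")
                sni = edata[5:5 + name_len].decode("ascii", errors="replace")

    return {
        "record_version": VERSION_NAMES.get(record[1:3], record[1:3].hex()),
        "client_version": VERSION_NAMES.get(client_version, client_version.hex()),
        "sni": sni,
        "cipher_suites": suites,
        "max_is_sslv3": client_version == b"\x03\x00",   # worth alerting on after POODLE
    }


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("www.internetsociety.org")))
    print(parse_client_hello(build_client_hello("legacy.example", client_version=b"\x03\x00")))
```

Everything the parser returns is visible to a passive tap with no keys at all, so per-destination counts, version mix and the `max_is_sslv3` flag are the kind of signal network management can keep relying on once the payload itself is opaque.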
Resources – Deploy360 Programme
http://www.internetsociety.org/deploy360/tls/
Providing:
• Resources to learn more about TLS
• Links to libraries and other tools
• Ongoing coverage on Deploy360 blog of TLS-related issues and news
Resources – BetterCrypto.org
https://bettercrypto.org/
"This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators."
"This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.)."
Resources – Mozilla Server Side TLS Doc
https://wiki.mozilla.org/Security/Server_Side_TLS
Great document – and not just for Mozilla
"The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below."
"The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools."
Resources - NIST SP800-52r1
http://dx.doi.org/10.6028/NIST.SP.800-52r1
"Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations"
Document from U.S. National Institute of Standards and Technology (NIST) revised in April 2014 (post-Snowden)
Aimed at US government agencies but provides a useful tutorial and set of guidelines for other organizations
One Challenge With TLS
How do you ensure that the TLS certificate the client is receiving is the correct TLS certificate that the server operator wants the client to receive?
This brings us back to our last talk here at ION Sri Lanka about DANE…
But Before That…
Questions?
How can we help you with deploying TLS within your network and with your customers?
What additional assistance do you need?
Thank you for helping make the Internet more secure!
www.isoc.org/do
Chris Grundemann
Director, Deployment & Operationalization, Internet Society
http://www.internetsociety.org/deploy360/
Thank You!