ION Sri Lanka - TLS for Network Operators


Transcript of ION Sri Lanka - TLS for Network Operators

www.internetsociety.org

Lock It Up: TLS for Network Operators

Chris Grundemann, Director, Deployment & Operationalization, Internet Society


TLS vs SSL

Secure Sockets Layer (SSL) originally developed by Netscape in the mid-1990s

"Transport Layer Security (TLS)" evolved from SSL 3.0, although "SSL" remains a commonly used term

TLS version 1.3 in active development:

• https://tools.ietf.org/html/draft-ietf-tls-tls13

• https://github.com/tlswg/tls13-spec

1/18/2015

1996 SSL 3.0 RFC 6101

1999 TLS 1.0 RFC 2246

2006 TLS 1.1 RFC 4346

2008 TLS 1.2 RFC 5246

2014/15? TLS 1.3 draft-ietf-tls-tls13


TLS – Not Just For Web Sites

TLS / SSL originally developed for web sites

Now widely used for many other services, including:

• Email

• Instant messaging

• File transfer

• Virtual Private Networks (VPNs)

• Voice over IP (VoIP)

• Custom applications


Snowden Revelations

Revelations by Edward Snowden in 2013 revealed a massive amount of surveillance and monitoring.

Prompted global concerns about the security and privacy of our data and of our communication sessions over the Internet.

Increased desire to see TLS used more widely across all applications and services.


Response by larger Internet community


RFC 7258 – IETF/IAB Response

http://tools.ietf.org/html/rfc7258

"Pervasive Monitoring Is An Attack"

Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.

Has prompted a security/privacy review across all areas of IETF. Expect to see changes over time across all the protocols used for communication on the Internet.


IETF Activity - UTA

New Working Group: UTA – Using TLS in Applications

• http://tools.ietf.org/wg/uta/

• Goals

• Update the definitions for using TLS over a set of representative application protocols. This includes communication with proxies, between servers, and between peers, where appropriate, in addition to client/server communication.

• Specify a set of best practices for TLS clients and servers, including but not limited to recommended versions of TLS, using forward secrecy, and one or more ciphersuites and extensions that are mandatory to implement.

• Consider, and possibly define, a standard way for an application client and server to use unauthenticated encryption through TLS when server and/or client authentication cannot be achieved.

• Create a document that helps application protocol developers use TLS in future application definitions.


IETF – Increased Activity Across Groups

Two examples:

TLS Working Group now defining TLS 1.3 and exploring other ways to secure TLS

• http://tools.ietf.org/wg/tls/

HTTPBIS Working Group defining more secure HTTP 2.0

• http://tools.ietf.org/wg/httpbis/

• will only work with https URLs


Other Reasons Customers May Request TLS

Ability to use SPDY protocol (requires TLS)

• https://en.wikipedia.org/wiki/SPDY

Improved Google search result ranking

• Deploy360 post: http://wp.me/p4eijv-5eJ


Other Efforts

On Sept 29, 2014, CloudFlare announced they would be giving TLS certificates to all customers for free.

Calling it "Universal SSL", this made 2+ million web sites TLS-encrypted in one action.

Similar actions to make TLS more accessible are being seen from other groups and organizations.


Heartbleed and Poodle

Recent attacks have increased the desire to strengthen TLS security

Heartbleed (April 2014) vulnerability in OpenSSL highlighted the need for security reviews of common libraries – and also the need for diversity in library usage

• http://heartbleed.com/

Poodle (September 2014) demonstrated need to completely deprecate usage of SSL v3.0

• https://www.openssl.org/~bodo/ssl-poodle.pdf
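As an added illustration (not from the slides or the Internet Society), the following Python builds a server-side TLS context that reflects the points above and the UTA goals: SSLv3 refused, a version floor, and only forward-secret ciphersuites offered, plus an audit function that reports those properties for any context. The cipher string and the TLS 1.2 floor are assumptions of this example; the "legacy" context is a constructed contrast case.

```python
import ssl

# Ciphersuite string chosen for this example (an assumption, not from the
# slides): ephemeral ECDHE key exchange only, AEAD ciphers, nothing anonymous.
FORWARD_SECRET_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext: SSLv3 refused (POODLE), nothing below TLS 1.2
    (a floor assumed by this example), forward-secret ciphersuites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Python's default context already sets OP_NO_SSLv2/OP_NO_SSLv3 and
    # OP_NO_COMPRESSION; minimum_version is the modern way to pin the floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FORWARD_SECRET_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context():
    """Constructed contrast case: also offers RSA key exchange
    (AES256-GCM-SHA384), which provides no forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES256-GCM-SHA384:ECDHE+AESGCM")
    return ctx


def _forward_secret(cipher):
    # TLS 1.3 suites (TLS_*) always use an ephemeral exchange; for TLS 1.2
    # suites the name carries the key exchange (ECDHE-/DHE-).
    return cipher["name"].startswith(("TLS_", "ECDHE", "DHE"))


def audit_context(ctx):
    """Report how a context measures up against the points on the slides:
    SSLv3 off, an explicit minimum version, forward secrecy throughout."""
    ciphers = ctx.get_ciphers()
    return {
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "minimum_version": ctx.minimum_version.name,
        "forward_secrecy_only": all(_forward_secret(c) for c in ciphers),
        "non_fs_suites": [c["name"] for c in ciphers if not _forward_secret(c)],
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        print(label, audit_context(ctx))
```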


Outcome Of Activity By IETF And Other Groups

You WILL see increased usage of TLS across all applications

Example – Encrypt The Web report from EFF

• https://www.eff.org/encrypt-the-web-report


How Do You Help Your Customers?

If your customers are using more TLS for their applications, either by their own choice or because the service they are using is now using TLS, how do you help them make their connections over the Internet more secure?

1. Use TLS for your own services and systems

2. Allow TLS-encrypted sessions to flow through your network (i.e. don't block them or try to force them to downgrade to unencrypted connections)

3. Educate your customers about how they can move their own servers and services to support TLS


But what about….?

"Wait! If application developers run everything over TLS, all we will see are TLS-encrypted streams. We won't be able to see into the traffic and manage our network appropriately."

"We can't use wireshark!"

Unfortunately, the same monitoring capability used by network operators was abused by intelligence agencies and other attackers.

Momentum now is to close all these holes.

Network management must now assume TLS will be there.


Resources – Deploy360 Programme

http://www.internetsociety.org/deploy360/tls/

Providing:

• Resources to learn more about TLS

• Links to libraries and other tools

• Ongoing coverage on the Deploy360 blog of TLS-related issues and news


Resources – BetterCrypto.org

https://bettercrypto.org/

"This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators."

"This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.)."


Resources – Mozilla Server Side TLS Doc

https://wiki.mozilla.org/Security/Server_Side_TLS

Great document – and not just for Mozilla

"The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below."

"The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools."


Resources - NIST SP800-52r1

http://dx.doi.org/10.6028/NIST.SP.800-52r1

"Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations"

Document from the U.S. National Institute of Standards and Technology (NIST), revised in April 2014 (post-Snowden)

Aimed at US government agencies but provides a useful tutorial and set of guidelines for other organizations


One Challenge With TLS

How do you ensure that the TLS certificate the client is receiving is the correct TLS certificate that the server operator wants the client to receive?

This brings us back to our last talk here at ION Sri Lanka about DANE…


But Before That…

Questions?

How can we help you with deploying TLS within your network and with your customers?

What additional assistance do you need?

Thank you for helping make the Internet more secure!


www.isoc.org/do

[email protected]

Chris Grundemann

Director, Deployment & Operationalization, Internet Society

http://www.internetsociety.org/deploy360/

Thank You!