Local and dedicated SSL/TLS Services
Slide diagram (Wesentra service model): Customers – Service – Verification Support – Entrust Datacard – Wesentra
OV and EV SSL Certificates Market Shares in Finland
Growth in number of certificates 2016 - 2019:
• DigiCert (incl. Symantec/Thawte/GeoTrust): +3% (5,754 → 5,922)
• Entrust: +122% (1,095 → 2,428)
The leading provider of trusted identity and security solutions
The largest distributor of Entrust Datacard SSL certificates in Europe
Wesentra – Entrust Datacard SSL Partner of the Year EMEA 2018
SSL/TLS Certificates: What lies ahead?
Chris Bailey, February 2019
Copyright Entrust Datacard
Chris Bailey’s Background
• Industry veteran since 1998
• Co-creator of the DV and EV certificate types
• Co-creator of the first PDF signing certificate
• Co-founder and CTO, GeoTrust (acquired by VeriSign, now DigiCert)
• Co-founder and CEO, AffirmTrust (acquired by Trend Micro)
• Founding member of the CA/Browser Forum
• Founding member of the CA Security Council (CASC)
• Founding member of the London Protocol
CA Agility is increasingly important – Looking Back

Year  Events
2011  • Comodo and DigiNotar are hacked
      • DigiNotar distrusted by browsers
2012  • CA/B Forum Baseline Requirements (BRs) established
      • MITM certificates prohibited (Mozilla)
2014  • Minimum key size requirement (RSA-2048)
      • Heartbleed, POODLE and Shellshock – massive revocation and re-issuance
2015  • CNNIC distrusted by browsers for issuing MITM certs
      • 1-year limit for SHA-1 certificates
      • DV/OV validity limited to 3 years – some CAs had issued certificates valid for up to 10 years
2016  • SHA-1 certificate issuance banned
      • WoSign distrusted for issuing new SHA-1 certificates
2017  • Google / Mozilla announce plan to distrust Symantec
      • CAA checking now required of all CAs
2018  • Google and Mozilla distrusted Symantec in two phases ending in October 2018
      • Validity period for all certs limited to 825 days (just over 2 years)
      • Domain validation Method 1 (validating the applicant as a domain contact) removed
      • Domain validation Method 5 (domain authorization document) removed
      • Domain validation Method 9 (test certificate) found to be insecure
      • Domain validation Method 10 (TLS using a random number) found to be insecure
      • Certificate Transparency required for SSL in Chrome as of May 1, 2018
      • Chrome 68 / July 2018 – “Not Secure” shown for HTTP
      • GDPR compliance had a major impact on domain verification – WHOIS email records
      • Underscore “_” eliminated from SANs in SSL / TLS certificates
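The 2017 row says CAA checking became mandatory for every CA, but the deck does not show what that check actually does. The following is an added example, not code from the presentation or from Entrust: an RFC 8659 CAA decision (plus the RFC 8657 accounturi parameter) run over a constructed in-memory zone so it needs no network. The zone contents, the names ZONE, relevant_rrset, parse_issue_value and caa_permits are my own; real CAs resolve the records over DNS with DNSSEC validation.

```python
"""CAA issuance check per RFC 8659 (with the RFC 8657 accounturi parameter),
run over a constructed in-memory zone so it works offline."""
from typing import Dict, List, Optional, Tuple

# A CAA RR as (flags, tag, value); flag bit 0x80 is "issuer critical".
CaaRR = Tuple[int, str, str]

# Constructed sample zone (not real DNS data). A name missing from the dict
# does not exist; a name mapped to [] exists but has no CAA RRset.
ZONE: Dict[str, List[CaaRR]] = {
    "example.com.": [
        (0, "issue", "entrust.net"),
        (0, "issuewild", "digicert.com"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "www.example.com.": [],
    "api.example.com.": [(0, "issue", ";")],   # empty issuer name: nobody may issue
    "shop.example.com.": [
        (0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"),
    ],
    "legacy.example.com.": [(0x80, "futuretag", "whatever")],  # unknown critical tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower() + "."


def relevant_rrset(name: str, zone: Dict[str, List[CaaRR]]) -> Tuple[Optional[str], List[CaaRR]]:
    """RFC 8659 section 3: try the name, then each parent in turn, stopping at
    the first name that has a non-empty CAA RRset. The root is not consulted."""
    labels = _normalize(name).rstrip(".").split(".")
    while labels:
        fqdn = ".".join(labels) + "."
        rrs = zone.get(fqdn, [])
        if rrs:
            return fqdn, rrs
        labels.pop(0)
    return None, []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """'issuer-domain-name; k1=v1; k2=v2' -> (lowercased domain, params).
    A value of ';' or '' yields an empty domain, which authorizes no CA."""
    head, _, rest = value.partition(";")
    params: Dict[str, str] = {}
    for part in rest.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            params[k.strip().lower()] = v.strip()
    return head.strip().lower(), params


def caa_permits(name: str, issuer_domain: str, zone: Dict[str, List[CaaRR]],
                wildcard: bool = False, account_uri: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether the CA identified by issuer_domain may issue for `name`
    (or for `*.name` when wildcard=True). Returns (permitted, reason)."""
    where, rrs = relevant_rrset(name, zone)
    if not rrs:
        return True, f"no CAA RRset found climbing from {name}; issuance unrestricted"

    # RFC 8659 section 4.1: an unrecognised tag with the critical flag set
    # means the CA MUST NOT issue, whatever else the RRset says.
    for flags, tag, _ in rrs:
        if tag.lower() not in KNOWN_TAGS and flags & 0x80:
            return False, f"unknown critical property {tag!r} at {where}"

    issue = [v for _, t, v in rrs if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrs if t.lower() == "issuewild"]

    # Section 4.3: for a wildcard request, issuewild (if present) overrides
    # issue; for a non-wildcard request, issuewild is ignored entirely.
    if wildcard and issuewild:
        applicable, which = issuewild, "issuewild"
    else:
        applicable, which = issue, "issue"

    if not applicable:
        return True, f"no {which} property at {where}; issuance unrestricted"

    for value in applicable:
        domain, params = parse_issue_value(value)
        if domain != issuer_domain.lower():
            continue
        # RFC 8657: if the record names an account, only that account qualifies.
        want = params.get("accounturi")
        if want is not None and want != account_uri:
            continue
        return True, f"{which} {value!r} at {where} authorizes {issuer_domain}"
    return False, f"{issuer_domain} is not authorized by the {which} properties at {where}"


if __name__ == "__main__":
    checks = [
        ("www.example.com", "entrust.net", False, None),
        ("www.example.com", "digicert.com", False, None),
        ("www.example.com", "digicert.com", True, None),
        ("www.example.com", "entrust.net", True, None),
        ("api.example.com", "entrust.net", False, None),
        ("shop.example.com", "letsencrypt.org", False, None),
        ("shop.example.com", "letsencrypt.org", False, "https://acme-v02.api.letsencrypt.org/acme/acct/12345"),
        ("legacy.example.com", "entrust.net", False, None),
        ("host.example.net", "entrust.net", False, None),
    ]
    for host, ca, wild, acct in checks:
        ok, why = caa_permits(host, ca, ZONE, wildcard=wild, account_uri=acct)
        print(f"{'*.' if wild else ''}{host:22} {ca:16} {'PERMIT' if ok else 'DENY  '} {why}")
```

Two of the cases are the ones that trip up home-grown implementations: a wildcard request for `*.www.example.com` is governed by the issuewild record at example.com and the issue record is ignored, while a non-wildcard request ignores issuewild entirely; and an issue record with an empty issuer name (";") forbids everyone rather than being treated as "no restriction".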
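The 2014 to 2018 rows above amount to a checklist that anyone auditing a certificate inventory can apply mechanically: validity no longer than 825 days, RSA keys of at least 2048 bits, no SHA-1 signatures, no underscores in dNSName SANs, and evidence of Certificate Transparency. The following is an added example, not code from the presentation or from Entrust. It assumes the `cryptography` package is installed; the two test certificates are generated in-code and self-signed, so the run is offline. The names lint_certificate and make_test_cert are my own.

```python
"""Lint a certificate against the policy thresholds in the timeline above.
Requires the `cryptography` package (pip install cryptography)."""
from datetime import datetime, timedelta, timezone
from typing import List

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

MAX_VALIDITY_DAYS = 825      # BR limit for certificates issued from March 2018
MIN_RSA_BITS = 2048          # BR minimum since 2014
WEAK_SIG_HASHES = {"md5", "sha1"}


def _utc(cert: x509.Certificate, attr: str) -> datetime:
    # cryptography >= 42 exposes aware *_utc properties; older versions only the naive ones.
    aware = getattr(cert, attr + "_utc", None)
    return aware if aware is not None else getattr(cert, attr).replace(tzinfo=timezone.utc)


def lint_certificate(cert: x509.Certificate) -> List[str]:
    """Return a list of policy findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    days = (_utc(cert, "not_valid_after") - _utc(cert, "not_valid_before")).days
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity period {days} days exceeds {MAX_VALIDITY_DAYS}")

    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        findings.append(f"RSA key size {pub.key_size} below {MIN_RSA_BITS}")

    sig = cert.signature_hash_algorithm
    if sig is not None and sig.name in WEAK_SIG_HASHES:
        findings.append(f"signature uses {sig.name}")

    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        for dns in san.get_values_for_type(x509.DNSName):
            if "_" in dns:
                findings.append(f"underscore in dNSName SAN {dns!r}")
    except x509.ExtensionNotFound:
        findings.append("no subjectAltName extension")

    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS)
    except x509.ExtensionNotFound:
        # Not conclusive on its own: SCTs may also arrive via the TLS extension or stapled OCSP.
        findings.append("no embedded SCTs (CT compliance must be shown another way)")

    return findings


def make_test_cert(key_bits: int, days: int, sans: List[str]) -> x509.Certificate:
    """Constructed, self-signed test certificate for exercising the linter."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, sans[0])])
    now = datetime.now(timezone.utc).replace(microsecond=0)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
        .sign(key, hashes.SHA256())
    )


if __name__ == "__main__":
    good = make_test_cert(2048, 398, ["www.example.com", "example.com"])
    bad = make_test_cert(1024, 1095, ["_acme-challenge.example.com", "www.example.com"])
    for label, cert in (("compliant", good), ("legacy", bad)):
        print(label, lint_certificate(cert) or ["no findings"])
```

To run this over a real inventory, replace make_test_cert with `x509.load_pem_x509_certificate(open(path, "rb").read())` for each file. The SCT finding is deliberately worded as a caveat: a leaf certificate with no embedded SCT list can still satisfy Chrome's CT policy if the server delivers SCTs in the TLS handshake or in a stapled OCSP response, so that check needs a live connection to be conclusive.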
Google’s Push for Encryption Everywhere
• Encryption Everywhere is overriding all other concerns
• It should be called “Encryption is Everything!”
• Why?
  • For the greater good? NSA / Snowden (privacy)
  • Follow the money – $$$ (ad revenue)
• Anything that hurts Google’s revenue will likely not be supported by Google
SSL / TLS Certificates Are Increasing Rapidly
- 77.7% of Global Page Loads are Encrypted
Market Share by Certificate Type, 2016
In 2016, DV certificates made up 73.4% of the market and EV made up 3.4%:
  DV      73.4%
  OV      23.2%
  EV       3.4%
  Total  100.0%
Market Share by Certificate Type
Today, DV certificates make up 89.1% of the market.
          2016     2017     2018     2019
  DV     73.4%    90.9%    94.5%    89.1%
  OV     23.2%     7.9%     4.8%    10.5% *
  EV      3.4%     1.2%     0.7%     0.4%
  Total 100.0%   100.0%   100.0%   100.0%
* Large growth with Cloudflare
Certificate Types by the Numbers
TLS Units by Certificate Type
              2016        2017        2018        2019
  DV     3,162,704  12,186,721  25,834,784  44,107,946
  OV       999,252   1,055,290   1,322,177   5,191,142 *
  EV       144,737     165,089     193,855     214,964
  Total  4,306,693  13,407,100  27,350,816  49,514,052
* 1.3M without Cloudflare
DV is growing at a decreasing rate.
Year-over-year growth in TLS units by certificate type (computed from the unit counts above)
           2017    2018    2019
  DV       285%    112%     71%
  OV         6%     25%    293% *
  EV        14%     17%     11%
  Total    211%    104%     81%
* 9% without Cloudflare
Incidence of encrypted phishing by cert type
• This table shows the breakdown of encrypted phishing sites by certificate type for the month of September 2018

  Certificate   London Protocol dataset                       The Internet
  Type          Phishing sites    Percent of total           Total Internet cert   Percent of total
                in sample (1)     phishing sites in sample   population (2)        cert population
  EV                    0              0.0%                         214,964             0.4%
  OV                   61              1.6%                       5,191,142            10.5%
  DV                3,716             98.4%                      44,107,946            89.1%
  Total             3,777            100.0%                      49,514,052           100.0%

(1) Based on 30 days of phishing sites in September 2018 with SSL / TLS – Source: Phishbank
(2) Based on the Netcraft certificate population as of December 2018 (the same figures as the “2019” column in the unit table above). https://www.netcraft.com/ssl-survey/
The UI is rapidly changing, so it is hard to know what any of it means
Source: CA Security Council (CASC) https://casecurity.org/browser-ui-security-indicators/
Frequent Browser UI Changes
• Google removed “Secure” from the OV/DV UI with Chrome 69 in Sept. 2018, and the green lock symbol turned into a gray lock symbol. Google plans to deprecate the URLs.
• In September, Apple removed the organization name field from the EV UI in macOS Mojave (Mac) and iOS 12 (mobile) due to the “Stripe” name clash issue (an EV certificate legitimately issued to an unrelated company also incorporated as “Stripe, Inc.”), and will only show the URL in EV green – good news, still a distinctive EV UI. Safari Mobile still shows the org name. Will Apple change back if the “Stripe” issue is solved?
• Mozilla moved from “no definite plans to remove” the EV UI last December to concern about potential harm from the EV UI – Stripe issue, disambiguation
Slide images: Apple EV UI, iOS 11; Apple EV UI, iOS 12 (entrustdatacard.com); Google Chrome 69 UI
What if “Stop” signs were always changing?
It’s time to standardize the security UI across applications
• 1915: There were 2.4 million cars registered in the US
• 1915 was also the year the first stop sign originated in Michigan
• Black lettering on a white background – measured 60 by 60 cm (24 x 24 inches)
• 1922: A committee supported by the American Association of State Highway Officials (AASHO) met to standardize the stop sign format – octagonal
• 1968: International standard via the Vienna Convention on Road Signs and Signals – the current red octagon around the world
• We take it for granted that we all know what this means, but it had to start somewhere
A growing movement that recognizes this problem
• Enterprise customers
• Certain browsers
• EU / ENISA
• CAs
Forrester Survey of Enterprises
• Demographics
  • Vertical – 50% financial / 50% retail
  • Titles
    • 64% CIO / Office of the CIO / CTO
    • 19% Line-of-business management
    • 17% Security
Forrester Survey of Enterprises
Hint: “Ultrabank” is spelled wrong in the first example – it’s missing the letter “l”
URLs alone are not enough for user security – even Google agrees
Current Microsoft Edge UI
Slide screenshot (Edge site-information panel):
  HIGH – Should I trust this site?
  Site is operated by: JPMorgan Chase and Co., New York, New York, US
  A private corporation registered in Delaware, US
  Identity of this site was confirmed by Symantec Corporation
  Certificate Validity: From July 25, 2017 To August 18, 2018
  View Certificate
What if this side panel had rich EV data?
• A single click pulls up the sidebar with user-focused information
• Technical information can still be pulled up
• Only confirmed data is in bold
Qualified Web Authentication Certificates (QWACs)
• What: Qualified Web Authentication Certificates (QWACs) – EV certs carrying an EU authorization identifier (VAT or PSD number), issued by a Qualified Trust Service Provider (QTSP). More identity for users.
• Why: Required by eIDAS (Regulation (EU) No 910/2014 on electronic identification and trust services) and PSD2 (Payment Services Directive 2, 2015) – deadline Sept. 2019
• Goals: (1) eIDAS – to facilitate secure and seamless electronic transactions within the European Union; (2) PSD2 – to increase pan-European competition and participation in the payments industry and create a level playing field for payment providers and users
• How: CAs (“TSPs”) must become a Qualified Trust Service Provider (“QTSP”) under ETSI EN 319 411-2 and then be added to an EU Member State trusted list in order to issue QWACs
EU Push for a Standard
• “Towards Global Acceptance of eIDAS Audits” – ENISA, December 2018
• “It appears that some browsers will change their UI and not indicate the use of EV certificates anymore.”
• “What we have now: No industry consensus on standards for UI security indicators.”
• “The TSP (Trusted Service Providers) community and representatives from other leading browsers have been public and vocal against this latest measure …. to simplify the UI in such a way that they claim undermines long-vetted and practiced public understanding of web security features like the padlock and green URL bar.”
Source: https://www.enisa.europa.eu/news/enisa-news/acceptance-of-eidas-audits-global-or-local
“London Protocol” – What’s the objective?
OV and EV sites are already more secure for users than DV sites.
Objective of the London Protocol: to improve identity assurance and minimize the possibility of phishing activity on websites encrypted by OV (organization validated) and EV (extended validation) certificates (together referred to as “Identity Websites”).
It reinforces the distinction of Identity Websites (OV and EV) by making them even more secure for users than websites encrypted by DV (domain validated) certificates.
That extra security feature can then be utilized by others for their own security purposes, including:
• Informing users as to the type of website they are visiting, and
• Use by anti-phishing engines and browser filters in their security algorithms (otherwise they just see DV certs – no identity data to follow).
“London Protocol” – What will CAs do?
The London Protocol will be implemented through voluntary action by public Certification Authorities (CAs) working jointly to take the following steps:
1. Actively monitor phishing reports for websites encrypted by the CA’s own OV and EV certificates.
2. Notify the affected website owner that phishing content was found and provide remediation instructions as well as prevention methods.
3. Each CA will contribute to a common database (flag list) to help reduce future phishing content. This data will be available to other participating CAs so that each CA can conduct additional due diligence before issuing new OV or EV certificates to the website.
“London Protocol”
A voluntary protocol open to all CAs who want to make the OV and EV websites secured by their certificates as free from phishing as possible.
Founding participants in the London Protocol:
Questions?
Thank You