Local and dedicated SSL/TLS Services - Wesentra 3 … · Local and dedicated SSL/TLS Services...


Transcript of Local and dedicated SSL/TLS Services - Wesentra 3 … · Local and dedicated SSL/TLS Services...


Page 4:

OV and EV SSL Certificates Market Shares in Finland

Growth in number of certificates 2016 - 2019:

• DigiCert (incl. Symantec/Thawte/GeoTrust): + 3% (5754 → 5922)

• Entrust: + 122% (1095 → 2428)

Page 5:

The leading provider of trusted identity and security solutions

The largest distributor of Entrust Datacard SSL certificates in Europe

Page 6:

Wesentra – Entrust Datacard SSL Partner of the Year EMEA 2018

Page 7:

SSL/TLS Certificates: What lies ahead?

Chris Bailey

February 2019

Page 8:

Copyright Entrust Datacard 8

Chris Bailey’s Background

• Industry veteran since 1998

• Co-creator of DV and EV certificate types

• Co-creator of the first PDF signing certificate

• Co-founder and CTO, GeoTrust (purchased by VeriSign, now DigiCert)

• Co-founder and CEO, AffirmTrust (purchased by Trend Micro)

• Founding member of CA/Browser Forum

• Founding member of CA Security Council (CASC)

• Founding member of the London Protocol

Page 9:

CA Agility is increasingly important

Looking Back

Year / Events

2011
• Comodo & DigiNotar are hacked
• DigiNotar distrusted by browsers

2012
• CA/B Forum Baseline Requirements (BRs) established
• MITM certificates prohibited (Mozilla)

2014
• Minimum key size requirements (RSA-2048)
• Heartbleed, POODLE and Shellshock – massive revocation and issuance

2015
• CNNIC distrusted by browsers for issuing MITM certs
• 1 yr limit for SHA-1 certificates
• Limit DV/OV validity to 3 years – some CAs issued up to 10 years

2016
• SHA-1 certificate issuance banned
• WoSign distrusted for issuing new SHA-1 certificates

2017
• Google / Mozilla announce plan to distrust Symantec
• CAA checking now required by all CAs

2018
• Google and Mozilla distrusted Symantec in two phases ending in October 2018
• Limit validity period for all certs to 825 days (2 years)
• Method 1 – domain validation was removed
• Method 5 – domain validation was removed
• Method 9 – domain validation found to be insecure
• Method 10 – domain validation found to be insecure
• Certificate Transparency required for SSL in Chrome as of May 1, 2018
• Chrome 68 / July 2018 – “Not Secure” for HTTP
• GDPR compliance had a major impact on domain verification – Whois email records
• Underscore “_” eliminated from SANs in SSL / TLS certificates
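Several of the rules in the timeline above (the RSA-2048 minimum from 2014, the SHA-1 issuance ban from 2016, the 825-day validity cap and the removal of underscores from SANs in 2018) are mechanical enough that a defender can check an inventory of certificates against them automatically. The Go program below is an added example written for this page, not code from the slides, Entrust Datacard or Wesentra: it lints a parsed certificate against those four rules using only the standard library, and exercises the linter on constructed self-signed certificates (the hostnames, key sizes and validity periods are made up for the demonstration; the SHA-1 case is a hand-filled struct because the test only needs the parsed SignatureAlgorithm field).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// maxValidity is the 825-day cap listed in the 2018 row of the timeline.
const maxValidity = 825 * 24 * time.Hour

// lintCert checks one parsed certificate against four rules from the timeline:
// RSA keys of at least 2048 bits (2014), no SHA-1 signatures (2016), validity of
// at most 825 days (2018) and no underscore in SAN dNSNames (2018). It returns one
// finding per violated rule, in that order; a compliant certificate yields nil.
func lintCert(c *x509.Certificate) []string {
	var findings []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits; minimum is 2048", pub.N.BitLen()))
	}
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "certificate is signed with SHA-1")
	}
	if v := c.NotAfter.Sub(c.NotBefore); v > maxValidity {
		findings = append(findings, fmt.Sprintf("validity is %d days; maximum is 825", int(v.Hours()/24)))
	}
	for _, name := range c.DNSNames {
		if strings.Contains(name, "_") {
			findings = append(findings, "SAN contains underscore: "+name)
		}
	}
	return findings
}

// selfSigned builds a constructed, self-signed RSA certificate (SHA-256 signature)
// with the given key size, validity in days and SAN list, and returns it parsed,
// so the linter runs over real DER rather than a hand-filled struct.
func selfSigned(bits, days int, sans []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sampleSHA1Cert returns a constructed, unsigned certificate struct whose header
// fields mimic a legacy SHA-1 certificate; ParseCertificate on a real one would
// yield the same SignatureAlgorithm value, so the SHA-1 rule is exercised without signing.
func sampleSHA1Cert() *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SignatureAlgorithm: x509.SHA1WithRSA,
		NotBefore:          now,
		NotAfter:           now.Add(365 * 24 * time.Hour),
		DNSNames:           []string{"legacy.example.com"},
	}
}

func main() {
	// Constructed inputs: one compliant cert, one breaking three rules, one legacy SHA-1 header.
	good, err := selfSigned(2048, 730, []string{"www.example.com", "example.com"})
	if err != nil {
		panic(err)
	}
	bad, err := selfSigned(1024, 1095, []string{"bad_host.example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("good:", lintCert(good))
	fmt.Println("bad: ", lintCert(bad))
	fmt.Println("sha1:", lintCert(sampleSHA1Cert()))
}
```

Run it with `go run`; to scan a real inventory, pass each certificate's DER bytes through `x509.ParseCertificate` and feed the result to `lintCert`. The checks are deliberately header-only (key size, signature algorithm, validity window, SAN names), which is exactly the information a browser has at hand when it decides to reject a certificate under the rules above.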

Page 10:

Google’s Push for Encryption Everywhere

• Encryption Everywhere is overriding all other concerns

• It should be called: Encryption is Everything!

• Why?

• For the Greater Good? – NSA / Snowden (Privacy)

• Follow the Money – $$$ (Ad Revenue)

• Anything that hurts Google’s revenue will likely not be supported by Google

Page 11:

SSL / TLS Certificates Are Increasing Rapidly

- 77.7% of Global Page Loads are Encrypted


Page 13:

In 2016, DV certificates made up 73.4% of the market and EV made up 3.4%

Market Share by Certificate Type, 2016

DV      73.4%
OV      23.2%
EV       3.4%
Total  100.0%

Page 14:

Today, DV certificates make up 89.1% of the market

Market Share by Certificate Type

Type     2016     2017     2018     2019
DV      73.4%    90.9%    94.5%    89.1%
OV      23.2%     7.9%     4.8%    10.5%*
EV       3.4%     1.2%     0.7%     0.4%
Total  100.0%   100.0%   100.0%   100.0%

* Large growth with Cloudflare

Page 15:

Certificate Types by the Numbers

TLS Units by Certificate Type

Type        2016         2017         2018         2019
DV     3,162,704   12,186,721   25,834,784   44,107,946
OV       999,252    1,055,290    1,322,177    5,191,142*
EV       144,737      165,089      193,855      214,964
Total  4,306,693   13,407,100   27,350,816   49,514,052

* 1.3M without Cloudflare

Page 16:

DV is growing at a decreasing rate.

Market Share by Certificate Type – year-over-year growth in units

Type    2017    2018    2019
DV      285%    112%     71%
OV        6%     25%    293%*
EV       14%     17%     11%
Total   211%    104%     81%

* 9% without Cloudflare

Page 17:

Incidence of encrypted phishing by cert type

• This table shows the breakdown of encrypted phishing sites by certificate type for the month of September 2018

Certificate Type | London Protocol Dataset: Phishing Sites in Sample (1) | Percent of Total Phishing Sites in Our Sample | The Internet: Total Internet Certificate Population (2) | Percent of Total Cert Population

EV    |     0 |   0.0% |    214,964 |   0.4%
OV    |    61 |   1.6% |  5,191,142 |  10.5%
DV    | 3,716 |  98.4% | 44,107,946 |  89.1%
Total | 3,777 | 100.0% | 49,514,052 | 100.0%

(1) Based on 30 days of phishing sites in September 2018 with SSL / TLS – Source: Phishbank

(2) Based on Netcraft certificate population as of December 2018. https://www.netcraft.com/ssl-survey/

Page 18:

The UI is rapidly changing, so it is hard to know what any of it means

Source: CA Security Council (CASC) https://casecurity.org/browser-ui-security-indicators/

Page 19:

Frequent Browser UI Changes

• Google removed “Secure” from the OV/DV UI with Chrome 69 in Sept. 2018, and the green lock symbol turned to a gray lock symbol. Google plans to deprecate the URLs.

• In September, Apple removed the organization name field from the EV UI in OSX Mojave (Mac) and iOS 12 (mobile) due to the “Stripe” name clash issue, and will only show the URL in EV green – good news, still a distinctive EV UI. Safari Mobile still shows the org name. Will Apple change back if the “Stripe” issue is solved?

• Mozilla moved from “no definite plans to remove” the EV UI last December to concern about potential harm from the EV UI – Stripe issue, disambiguation

[Figures: Apple EV UI iOS 11; Apple EV UI iOS 12: entrustdatacard.com; Google Chrome 69 UI]

Page 20:

What if “Stop” signs were always changing?

Page 21:

It’s time to standardize the security UI across applications

• 1915: There were 2.4 Million cars registered in the US

• 1915 was also the same year the first stop sign originated in Michigan

• Black lettering on a white background – measured 60 by 60 cm (24 x 24 inches)

• 1922: A committee supported by the American Association of State Highway Officials (AASHO) met to standardize stop sign format – octagonal

• 1968: International standard via Vienna Convention on Road Signs and Signals – current octagonal red around the world

• We take it for granted that we all know what this means, but it had to start somewhere

Page 22:

A growing movement that recognizes this problem

• Enterprise Customers

• Certain Browsers

• EU / ENISA

• CAs

Page 23:

Forrester Survey of Enterprises

• Demographics

  • Vertical – 50% Financial / 50% Retail

  • Titles

    • 64% CIO/Office of the CIO/CTO

    • 19% Line of business mgmt.

    • 17% Security

Page 24:

Forrester Survey of Enterprises

Hint: “Ultrabank” is spelled wrong in first example – it’s missing the letter “l”

URLs alone are not enough for user security – even Google agrees

Page 25:

Forrester Survey of Enterprises

Page 26:

Forrester Survey of Enterprises

Page 27:

Current Microsoft Edge UI

Page 28:

HIGH

Should I trust this site?

Site is operated by: JPMorgan Chase and Co., New York, New York, US

A private corporation registered in Delaware, US

Identity of this site was confirmed by Symantec Corporation

Certificate Validity: From July 25, 2017 To August 18, 2018

View Certificate

What if this side panel had rich EV data?

• Single click pulls up the sidebar with user focused information

• Still can pull technical information

• Only confirmed data is in bold

Page 29:

Proprietary and Confidential / Copyright Entrust Datacard 29

Qualified Web Authentication Certificates (QWACs)

• What: Qualified Web Authentication Certificates (QWACs) – EV certs with an EU authorization special identifier (VAT or PSD number) issued by a Qualified Trust Service Provider (QTSP). **More identity for users**

• Why: Required by eIDAS (electronic IDentification, Authentication and trust Services Directive – 2014) and PSD2 (Payment Services Directive 2 – 2015) – deadline Sept. 2019

• Goals: (1) eIDAS – to facilitate secure and seamless electronic transactions within the European Union; (2) PSD2 – to increase pan-European competition and participation in the payments industry and create a level playing field for payment providers and users

• How: CAs (“TSPs”) must become a Qualified Trust Service Provider (“QTSP”) under ETSI EN 309 411-2 and then be added to an EU Member Trust List to issue QWACs

Page 30:

EU Push for a Standard

• “Towards Global Acceptance of eIDAS Audits” – ENISA, December 2018

• “It appears that some browsers will change their UI and not indicate the use of EV certificates anymore.”

• “What we have now: No industry consensus on standards for UI security indicators.”

• “The TSP (Trusted Service Providers) community and representatives from other leading browsers have been public and vocal against this latest measure …. to simplify the UI in such a way that they claim undermines long-vetted and practiced public understanding of web security features like the padlock and green URL bar.”

Source: https://www.enisa.europa.eu/news/enisa-news/acceptance-of-eidas-audits-global-or-local

Page 31:

“London Protocol” – What’s the objective?

OV and EV sites are already more secure for users than DV sites.

Objective of the London Protocol: To improve identity assurance and minimize the possibility of phishing activity on websites encrypted by OV (organization validated) and EV (extended validation) certificates (together referred to as “Identity Websites”).

Reinforces the distinction between Identity Websites (OV and EV) by making them even more secure for users than websites encrypted by DV (domain validated) certificates.

That extra security feature can then be utilized by others for their own security purposes, including:

• Informing users as to the type of website they are visiting, and

• Use by antiphishing engines and browser filters in their security algorithms (otherwise, they just have DV certs – no identity data to follow).

Page 32:

“London Protocol” – What will CAs do?

The London Protocol will be implemented through voluntary action by public Certification Authorities (CAs) working jointly to take the following steps:

1. Actively monitor phishing reports for websites encrypted by the CA’s own OV and EV certificates.

2. Notify the affected website owner that phishing content was found and provide remediation instructions as well as prevention methods.

3. Each CA will contribute to a common database (flag list) to help reduce future phishing content. This data will be available to other participating CAs so that each CA can conduct additional due diligence before issuing new OV or EV certificates to the website.

Page 33:

“London Protocol”

Voluntary Protocol open to all CAs who want to make OV and EV websites that are secured by their certificates as free from phishing as possible.

Founding Participants in the London Protocols:

Page 34:

Questions?

Page 35:

Thank You
