SSL/TLS Trends, Practices, and Futures
Brian A. McHenry, Security Solutions Architect
bam@f5.com @bamchenry


© F5 Networks, Inc.

Agenda

1. Global SSL Encryption Trends and Drivers
2. A Few “Best” Practices
3. Solutions
4. What’s Next?


Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014

• Worldwide spending on information security will reach $71.1 billion in 2014
• Data loss prevention segment recording the fastest growth at 18.9 percent
• By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud
• Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014


Trajectory and Growth of Encryption

SSL growing ~30% annually. Entering the fifth wave of transition (IoE).

MARKET AMPLIFIERS

Customer Trends:
• PFS/ECC Demanded
• SSL Labs Application Scoring

Emerging Standards:
• TLS 1.3, HTTP 2.0/SPDY
• RSA -> ECC

Thought Leaders and Influence:
• Google: SHA2, SPDY, Search Ranking by Encryption
• Microsoft: PFS Mandated

[Chart: millions of certificates (CA) by year, 1998 to 2014, y-axis 0.0 to 3.5; labels: IoE, E-Commerce, Privacy, Mobility, Snowden. Source: Netcraft]


Timeline of SSL Vulnerabilities & Attacks

• August 2009: Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack
• February 2010: RFC 5746. TLS extension for secure renegotiation quickly mainstreamed
• September 2011: BEAST & CRIME. Client-side or MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws
• February 2013: Lucky 13. Another timing attack.
• March 2013: RC4 Attacks. Weakness in CBC cipher making plaintext guessing possible
• March 2013…: TIME. A refinement and variation of CRIME
• April 2014: Heartbleed. The end of the Internet as we know it!


The Three Pillars of Effective SSL/TLS Encryption

SSL Intelligence and Visibility (Full Proxy)
Flexible & Scalable Encryption:
• Optimized SSL in Hardware and Software
• Cipher Diversity (RSA, ECC, DSA)
• SSL Visibility: Proxy SSL & Forward Proxy
• SSL Traffic Intelligence:
  • HSTS, HTTP 2.0/SPDY, OCSP Stapling, TLS Server Session Ticket

Enterprise Key & Certificate Management
Fully Automated Key and Certificate Management:
• For all BIG-IP platforms
• For all vendor platforms
• 3rd Party Integration for best-in-class key encryption: Venafi, Symantec/VeriSign
• PKI Supported Environments

Hardware Security Modules
Advanced HSM Support:
• High Performing HSM options
• Virtualized low-bandwidth options
• Market Leading HSM Vendor Support


Data Protection: Microsoft and Google Expand Encryption


If You Thought Encryption Was Confusing… ECC, PFS and Curves

Not all curves are considered equal

Different Authorities:
• US NIST (US National Institute of Standards) with 186-2 (recently superseded in 2009 by the new 186-3)
• US ANSI (American National Standard Institute) with X9.62
• US NSA (National Security Agency) Suite-B Cryptography for TOP SECRET information exchange
• International SECG (Standards for Efficient Cryptography Group) with Recommended Elliptic Curve Domain Parameters
• German ECC Brainpool with their Strict Security Requirements
• ECC Interoperability Forum composed by Certicom, Microsoft, Redhat, Sun, NSA


If You Thought Encryption Was Confusing… ECC, PFS and Curves

Not all curves are considered equal

Different Names:
• secp256r1, prime256v1, NIST P-256

Different Kinds of Curves:
• ECC over Prime Field (Elliptic Curve)
• ECC over Binary Field (Koblitz Curve)

Other Curves:
• Curve25519 (Google)
• Mumford (Microsoft)
• Brainpool


Some SSL Best Practices


SSL: Not Just for Security

• Google has begun adjusting page rank based on SSL implementations
• F5 customers have third-party/B2B requirements for strong encryption
• SSL Labs’ Pulse tool has made testing easy
• Users and businesses are choosing services based on Pulse grades


Achieving A+ Grades on SSLLabs.com

• Require Secure Renegotiation
• Disable SSLv2 and SSLv3
• Use an explicit, strong cipher string, such as:
  • !SSLv3:!TLSv1:!EXPORT:!DH:!MD5:!RC4:RSA+AES:RSA+3DES:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:@STRENGTH
• Prefer Perfect Forward Secrecy (PFS)
  • Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above
• Enable HTTP Strict Transport Security (HSTS)
  • RFC 6797


More detail: HTTP Strict Transport Security

AVAILABLE IN 12.0

HSTS is enabled by the “Strict-Transport-Security” HTTP header, e.g.:
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

• When received, browsers will:
  • Automatically convert HTTP references to HTTPS references
  • Disallow certificate exemptions (self-signed, etc.)
  • Cache HSTS information and reuse stored values for new sessions
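The header handling described on this slide, as an added example (not from the original slides and not F5 code): a Python parser for the Strict-Transport-Security header following the RFC 6797 grammar, plus a minimal model of the browser-side HSTS cache. The function names and the store layout are assumptions made for illustration.

```python
import re

# RFC 6797 section 6.1: directives are ';'-separated, names are
# case-insensitive, each may appear only once, and max-age is required.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_hsts(value):
    """Return the parsed policy, or None if a browser would ignore the header."""
    seen = {}
    for part in value.split(";"):
        name, sep, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name and not sep:
            continue                      # empty directive, e.g. trailing ';'
        if not _TOKEN.match(name) or name in seen:
            return None                   # bad name or duplicate directive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]               # value may be a quoted-string
        seen[name] = arg if sep else None
    age = seen.get("max-age")
    if age is None or not (age.isascii() and age.isdigit()):
        return None                       # max-age missing or not a number
    if seen.get("includesubdomains") is not None:
        return None                       # includeSubDomains takes no value
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}  # not in RFC 6797; parsed as a flag


def apply_hsts(store, host, header, secure_transport, now):
    """Update a browser-like store: host -> (expiry, include_subdomains)."""
    policy = parse_hsts(header) if secure_transport else None
    if policy is None:
        return False                      # plain-HTTP or malformed: ignored
    if policy["max_age"] == 0:
        store.pop(host.lower(), None)     # max-age=0 removes the cached policy
    else:
        store[host.lower()] = (now + policy["max_age"],
                               policy["include_subdomains"])
    return True


def must_upgrade(store, host, now):
    """True if http://host must be rewritten to https:// before sending."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        # Exact match always applies; a parent applies only with includeSubDomains.
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False
```

A header delivered over plain HTTP never populates the cache, so the first visit to a host that is not preloaded is still unprotected.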


What’s Next?


TLS 1.3 and HTTP/2 Update

HTTP/2 ratified this month.
• RFC due soon
• ALPN integrates application protocol negotiation into the TLS handshake
• TLS encrypted by default

TLS 1.3 RFC expected in April 2016
• Remove renegotiation
• AEAD ciphers only


New Feature: OCSP Stapling

A Quick Primer on Certificate Revocation
• If an SSL certificate is stolen or compromised, sites need a way to revoke the certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP.
• CRL: Certificate Revocation List
  • The browser retrieves the list of all revoked certificates from the CA.
  • The browser then parses the whole list looking for the certificate in question.
• OCSP: Online Certificate Status Protocol
  • The browser sends the certificate to the CA for validation.
  • The CA responds that the certificate is good, revoked, or unknown.
• OCSP is more efficient than CRL, but there’s room for improvement!


OCSP & CRL Checks Hurt Performance

• OCSP and CRL checks add significant overhead:
  • DNS (1334ms)
  • TCP handshake (240ms)
  • SSL handshake (376ms)
  • Follow certificate chain (1011ms)
  • DNS to CA (300ms)
  • TCP to CA (407ms)
  • OCSP to CA #1 (598ms)
  • TCP to CA #2 (317ms)
  • OCSP to CA #2 (444ms)
  • Finish SSL handshake (1270ms)
  TOTAL: 6.3 seconds
• Add up the time for each step and you'll see that over 30% of the SSL overhead comes from checking whether the certificate has been revoked.
• These checks are serial and block downloads.

This portion is revocation check overhead.


OCSP Stapling to the Rescue

• OCSP Stapling allows the server to attach CA-signed information regarding the certificate's validity.
• Processing with OCSP enabled:
  • DNS (1334ms)
  • TCP handshake (240ms)
  • SSL handshake (376ms)
  • Follow certificate chain (1011ms)
  • Process OCSP Data (10ms)
  • Finish SSL handshake (1270ms)
  TOTAL: 4.2 seconds

OCSP Stapling also eliminates communication with a third party during certificate validation. This may be considered better security since it prevents information leakage.
