Масштабируя TLS / Артём Гавриченков (Qrator Labs)

Масштабируя TLS
Артём Гавриченков <ximaera@qrator.net>

Краткая история нового времени
• 2010: SPDY w/de-facto mandatory* SSL/TLS
• 2014: “HTTPS as a ranking signal” at Google
• 2015: HTTP/2 w/de-facto mandatory* TLS
• 2016: Let’s Encrypt
* – https://forum.nginx.org/read.php?21,236132,236184
*– https://daniel.haxx.se/blog/2015/03/06/tls-in-http2/

• 2013: NSA story
• 2014:
• 2015:
• 2016:

• 2013: NSA story
• 2014: Heartbleed, POODLE
• 2015: RFC 7457

• 2013: NSA story
• 2014: Heartbleed, POODLE
• 2015: RFC 7457, FREAK, Logjam
• 2016: DROWN

SSL/TLS PKI
• Root certificate authorities, trust chain

SSL/TLS PKI
• 92 CAs in Firefox

SSL/TLS PKI
• Trusted, because they make it for living
• Independent from large corporations, government, etc.

SSL/TLS PKI
Except, some of them ARE government

SSL/TLS PKI
And some of them are large corporations
Except, some of them ARE government

SSL/TLS PKI
• Pursuing their interests as trusted third parties

SSL/TLS PKI
• Pursuing their interests as trusted third parties
• Corporations and government always tend to elevate their own interests

The story of WoSign
• Trusted since 2009
• Aggressive marketing and free certificates
• Passed audit by Ernst&Young

The story of WoSign
https://wiki.mozilla.org/CA:WoSign_Issues
• Issued certificates not requested by domain owner

The story of WoSign
• Allowed using non-privileged ports (>50,000) to verify domain control

The story of WoSign
• Allowed using subdomains to verify 2nd level domain

The story of WoSign
• Allowed using arbitrary files to verify ownership

The story of WoSign
• Allowed to issue certificates for arbitrary domains without verification

The story of WoSign
• Issued backdated SHA-1 certificates

The story of WoSign
• Used unpatched software (such as dig) on the validation server

The story of WoSign
• Used unpatched software (such as dig) on the validation server
• Purchased other CA (StartCom) and attempted to suppress
information about the ownership transfer

The story of WoSign
The aftermath?

The story of WoSign
The aftermath?
• Banned by Google in Chrome
• Banned by Mozilla for a year

The story of WoSign
The aftermath?
• Banned by Google in Chrome
• Banned by Mozilla for a year
• Still trusted by Microsoft
and lots of unpatched equipment

Aftermath
• Go and choose the cheapest CA available
• Bonus points if it provides some kind of API

Aftermath
• Pick multiple CAs

Aftermath
• “Extended validity” certificates?

Aftermath
• “Extended validity” certificates are a security theater
(don’t bother if you are not a bank and auditor doesn’t force you to)

Aftermath
• “Extended validity” certificates are a security theater
(don’t bother if you are not a bank and auditor doesn’t force you to)
• Prefer short-lived certificates

Long-living certificates?
Pros:
• Discount
• Less pain in the #^$ updating all the certs

Pros:
• Discount
• Less pain in the #^$ updating all the certs
Cons:
• Soft-fail CRL and OCSP are not reliable
• Hard-fail CRL and OCSP are never used
(you may do it in your app though)
• Certificate deployment and management must be automated anyway

• CRL and OCSP are not reliable
• Certificate deployment and management must be automated
Long-lived cert is a technical debt. It wouldn’t punish you immediately.
It will hurt you eventually.

Automated certificate management
• Add, remove, change and revoke your certificates real quick
• Manage certificates properly: short lifetime, multiple keys
• Set up a clientside TLS auth

• Add, remove, change and revoke your certificates real quick
• Manage certificates properly: short lifetime, multiple keys
• Set up a clientside TLS auth
• Quickly work around obscure issues like “Intermediate CA was
revoked”

The story of GlobalSign
• During a planned maintenance, accidentally revoked its own certificate
• Used CDN (Cloudflare) for CRL and OCSP
• Undid revocation, but it’s got cached on CDN

• During a planned maintenance, accidentally revoked its own certificate
• Used CDN (Cloudflare) for CRL and OCSP
• Undid revocation, but it’s got cached on CDN
• Four days before cached response will expire in a browser
• Wikipedia, Dropbox, Spotify, Financial Times affected
• Large sites affected more because CRL got cached everywhere
immediately

immediately
• “All is good and yet traffic dropped by 30%”
• Really hard to troubleshoot
• The issue is of distributed nature
• You depend on a vendor

immediately
• “All is good and yet traffic dropped by 30%”
• Multiple different certs from different vendors helped to track down
• tcpdump also of a great help: sessions got stuck at TLS Server Hello

• Multiple different certs from different vendors will help to track down
• tcpdump also of a great help: sessions got stuck at TLS Server Hello
TLS is still bleeding edge of technology.
Unsufficient tools, unsufficient knowledge.

• So, hours wasted before the root cause is found
• The fix must be immediate => cert management automation!

• CA with API

• CA with API
• Let’s Encrypt?

• CA with API
Very good if you don’t need wildcard certificates.

• CA with API
Very good if you don’t need wildcard certificates.
• Tools like SSLMate
• In-house plugins for ansible etc.

What to set up during the deployment?

• Strict Transport Security
• “Opportunistic encryption” simply doesn’t work
• Most users won’t notice if HTTPS is absent
• HTTPS only makes sense if it’s enforced

• Strict Transport Security
• “Opportunistic encryption” simply doesn’t work
• Most users won’t notice if HTTPS is absent
• HTTPS only makes sense if it’s enforced
• Public Key Pinning
• Pin all end-entity public keys
• Create a backup
• Include future leafs
• Rotate often => use automated tools to generate the header

• Ciphers
• https://wiki.mozilla.org/Security/TLS_Configurations

• Ciphers
• https://wiki.mozilla.org/Security/TLS_Configurations outdated
• https://mozilla.github.io/server-side-tls/ssl-config-generator/
• Update frequently (automation?)

The story of Rijndael
(finally it sounds almost like Tolkien)

The story of Rijndael/AES
• Ordered by U.S. federal government
• Approved by NSA, 1998-2001
• Adopted by U.S. DoD and Army

• Military required three distinct security levels,
with less sensitive data to be encrypted using the most weak method
and vice versa

and vice versa
• Crypto designers implemented three key sizes (128, 192, 256),
with the most weak still unbreakable in foreseeable future
(except quantum computers)

and vice versa
• Crypto designers implemented three key sizes (128, 192, 256),
with the most weak still unbreakable in foreseeable future
(except quantum computers)
• So, AES-128 is still good enough
• Not that it matters much with modern AES-NI

The story of Perfect Forward Secrecy
• Present in ephemeral Diffie-Hellman ciphers

• Makes out-of-path analysis impossible
• Makes historic data analysis impossible

• Good catch for an out-of-path DPI and/or WAF
70% HTTPS requests come and go without analysis

• Good catch for an out-of-path DPI and/or WAF
70% HTTP requests go without analysis
60% legitimate
90% malicious

Protocols
• SSLv2 is dead
• SSLv3 is dead*
• TLSv1.0 is dead
* – if you don’t have to serve content to IE6 or a TV set

Protocols
• SSLv2 is dead
• SSLv3 is dead*
• TLSv1.0 is dead
• TLS is alive and growing

Protocols
• SSLv2 is dead
• SSLv3 is dead*
• TLSv1.0 is dead
• TLS is alive and growing
• Maybe too fast: TLSv1.2 allowed DDoSCoin

Misc
• OCSP stapling
• Persistent connections (TLS handshake is expensive)
• Fight unencrypted content!

Sound Bytes
• Use short-lived certificates!
• Automate!
• Trust Mozilla! :-)

Q&A
mailto: ximaera@qrator.net

Bonus track
• Client certificates

Bonus track
• May be combined with 2FA

Bonus track
• May be combined with 2FA
• May be integrated into certain applications as well
• Unsupported by some mobile browsers OOTB :-(

Масштабируя TLS / Артём Гавриченков (Qrator Labs)

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Масштабируя TLS / Артём Гавриченков (Qrator Labs) (20)

More from Ontico (20)

Recently uploaded (20)

Масштабируя TLS / Артём Гавриченков (Qrator Labs)

Editor's Notes