100 encrypted web
play

100% Encrypted Web New Challenges for TLS Kirk Hall Dir Policy - PowerPoint PPT Presentation

May 07, 2023 •271 likes •857 views

#RSAC P D AC-W10 SESSION ID: SESSION ID: 100% Encrypted Web New Challenges for TLS Kirk Hall Dir Policy & Compliance, Certificate Services Entrust Datacard #RSAC We are moving toward a 100% encrypted web but can we get it right?

  1. #RSAC P D AC-W10 SESSION ID: SESSION ID: 100% Encrypted Web New Challenges for TLS Kirk Hall Dir Policy & Compliance, Certificate Services Entrust Datacard

  2. #RSAC We are moving toward a 100% encrypted web – but can we get it right? We must leverage certificate identity data for greater user security

  3. #RSAC We Will Discuss… Types of Server Certificates Past and Present Browser UI Security Indicators Positive Developments in Encryption Negative Developments in Encryption Using Identity in Certificates as a Proxy for User Safety How Do We Get to a Common Browser UI That Leverages Identity? Next Steps 3

  4. #RSAC Types of Server Certificates Digital Certificate Refresher

  5. #RSAC Types of Server Certificates Domain Validated (D (DV) – No identity information, just a confirmed domain 5

  6. #RSAC Types of Server Certificates Domain Validated (D (DV) Close Up: Sample Browser Treatment (Chrome): 6

  7. #RSAC Types of Server Certificates Org rganization Validated (O (OV) – Basic identity confirmation through simple vetting, confirmed customer contact using reliable third party data 7

  8. #RSAC Types of Server Certificates Org rganization Validated (O (OV) Close Up: Sample Browser Treatment (Chrome): 8

  9. #RSAC Types of Server Certificates Exte tended Vali lidation (E (EV) – Strong identity confirmation through extensive vetting using reliable third party data, and government registries 9

  10. #RSAC Types of Server Certificates Exte tended Vali lidation (E (EV) Close Up: Sample Browser Treatment (Internet Explorer): 10

  11. #RSAC Past and Present Browser UI Security Indicators

  12. #RSAC Past and Present Browser UI Security Indicators 1995 1995-2001: Organization Validation (OV) only; two UI security states 2001 2001-2007: Domain Validated (DV) added as alternative to OV; still only two security UI states – no differentiation between DV and OV 12

  13. #RSAC Past and Present Browser UI Security Indicators 2007 2007-Present: Extended Validation (EV) added as alternative to DV and OV Four security UI I sta tates, including “problem” state; still no differentiation between DV and OV 13

  14. #RSAC Positive Developments in Encryption

  15. #RSAC Positive Developments in Encryption Rapid move to to encryption – Web now over 50% encrypted Bro rowsers mandating encryption in in sta tages – otherwise receive negative browser UI – “https://” becoming the new normal Encrypted sites receive hig igher SEO ra rankings Automated certificate is issuance and in installation – Boulder, ACME, Certbot – make it easy for small users Fre ree DV certificate services – Let’s Encrypt and others – encourage websites to try it out The PCI I Security Sta tandards Council recommends the use of f OV/EV certs as part of the Best Practices for Safe E-Commerce Source: https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf 15

  16. #RSAC Positive Developments in Encryption Encryption is increasing rapidly – now over 50% 16

  17. #RSAC Positive Developments in Encryption But what good is encryption if you don’t know who you’re talking to…? 17

  18. #RSAC Negative Developments in Encryption

  19. #RSAC Negative Developments in Encryption Malw lware exploits are re moving to to encryption and are harder to block R IS ING U SE OF E NCRYPTION G IV IVES M ALWARE A P ER ERFECT P LACE TO TO H ID ISIN SE OF IDE “Nearly half lf of cyber-attacks this year have used malware hidden in encrypted traffic to evade detection. In an ironic twist, A10 Networks has announced the results of an international study *** revealing that the risk to financial services, healthcare and other industries stems from growing reliance on encryption technology. A growing number of organizations are turning to encryption to keep their network data safe. But SSL encryption not only hides data traffic from would-be hackers, but also from common security tools.” Source: http://www.infosecurity-magazine.com/news/rising-use-of-encryption-gives/ 19

  20. #RSAC Negative Developments in Encryption DV certificates are now the default choice for fraudsters – “look - alike” names, anonymity, free, the padlock, no UI warnings: 20

  21. #RSAC Negative Developments in Encryption C ERTIF ICATE A UTHORITIES I SSUE SSL C ERTIFIC TO F RAUDSTERS IFIC ICATES TO “ In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks. SSL certificates lend an additional air of authenticity to phishing sites, causing the victims' browsers to display a padlock ic icon to indicate a secure connection. Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com ***, ssl ssl-paypai-inc.com ***, and paypwil il.com ***.” Source: http://news.netcraft.com/archives/2015/10/12/certificate-authorities-issue-hundreds-of-deceptive-ssl-certificates-to-fraudsters.html 21

  22. #RSAC Negative Developments in Encryption Many browsers no longer do effective revocation checking C ONCLUDIN ING D IS ISCUSSIO ION “ Overall, our results show that, in today's Web's PKI, there is extensive in inactio ion with respect to certificate revocation. While many certificates are revoked (over 8% of fresh certificates and almost 1% of alive certificates), many web browsers either fail to check certificate revocation information or soft-fail by accepting a certificate if revocation information is unavailable .” Source: https://web.stanford.edu/~aschulm/docs/imc15-revocation.pdf 22

  23. #RSAC Negative Developments in Encryption Some CAs no longer do certificate revocation for encrypted malware sites Let’s Encrypt believes that “CAs make poor content watchdogs,” and even though phishing and malware sites are bad “we’re not sure that certificate issuance (at least for Domain Validation) is the right level on which to be policing phishing and malware sites in 2015 .” So Let’s Encrypt will not revoke for phishing or fraud. “Treating a DV certificate as a kind of ‘seal of approval’ for a site’s content is problematic for several reasons,” including that CAs are not well-positioned to operate anti-phishing and anti-malware operations and would do better to leave those actions to the browser website filters. Source: https://letsencrypt.org/2015/10/29/phishing-and-malware.html 23

  24. #RSAC Negative Developments in Encryption Users assume all encrypted sites with padlocks are “safe” sites: “ The biggest problem with [the display of DV certificates in the browser UI] is that it democratizes access to https for any website. Yes, on the surface, this should in fact be a positive thing that we're celebrating. Unfortunately human nature comes into play here. When mos ost people le (non-geeks/non-IT IT) ) se see htt ttps, im immedia iate te an and unwaverin ing tr trust is is im implie ied. “ Even though [DV certificates are] merely providing encryption for your website, most people le vis isit itin ing it it will ill give ive it it th the sa same lev level of of tr trust as as websit ites wit ith th the "g "green bar ar" htt ttps (Extended Domain Validation), which includes the company name next to the padlock in the address bar .” Fraudsters also sprinkle static “padlocks” all over the page to fool users. Source: http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html 24

  25. #RSAC What About Browser Website Filters? Browser websit ite fi filt lters expand, but are not a co comple lete solu lutio ion fo for user safe fety – th thousands of f bad sit ites are not in incl cluded Micr icrosoft t Sm SmartScreen prob oblems: Only protects users in Windows Users can’t report phishing URLs – must visit bad site first to report, click on button SmartScreen filters can be bypassed by fraudster email / click-throughs to bad site Goo oogle Sa Safe Brow owsin ing: : Only works on Google search results / Google properties Privacy issues – cookies, retains browsing records on same device Relies on proprietary Google algorithms, not transparent to users Both SmartScreen and Safe Browsing must be turned on to work Reactive systems –back to the ‘ 90s Lik Like co cops so solv lvin ing a a cr crim ime afte fter it it hap appens – but t not ot pre reventin ing th the cr crim ime 25

  26. #RSAC Many Bad Sites Missed by Browser Filters Thousands of Malware / Phishing sites not detected SmartScreen Safe Browsing usbbackup.com/cgi-biin/update.apple- http://121.134.15.63/www.paypal.com/websc-login.php id.com/4bebac1b93b057sjgurnm94a6b06c59b7/login.ph p http://alfssp.net/www.confirm.paypal.com/websc- login.php 0760mly.com/js/wwwpaypalcom/IrelandPayPal/signing 38CountryIE/ieLogIn.html http://aquaseryis.marag.pl/wp- includes/random_compat/apple.co.uk/ aggelopoulos.com/wp-content/uploads/2008/ 07/ www.paypal.com/beta.entab9387.net/wp- https://gallery.mailchimp.com/2724801a312bda1123d55 theme/image/img/DHL/tracking.php 4199/files/Electronic_Shipping_Document.zip https://gallery.mailchimp.com/2724801a312bda1123d55 4199/files/Electronic_Shipping_Document.zip [URLs modified for safety] Source : Comodo Valkyrie malware analysis system More phishing links: http://cdn.download.comodo.com/intelligence/ctrl-06-02-url.txt More malware file links: http://cdn.download.comodo.com/intelligence/ctrl-06-01-url.txt 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted Applications Learnings From Etesync Applications Learnings From Etesync stosb.com/talks Tom Hacohen tom@stosb.com FOSDEM 2019 @TomHacohen

361 views • 32 slides
Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov Claudio Orlandi Aarhus University RWC 2018 Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service

770 views • 47 slides
Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted]

Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted]

Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted] [encrypted] Who uses it? https://freedom.press/securedrop/directory Threat Model Assets Sources identity Confidentiality & integrity

782 views • 35 slides
Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019 Project Background Baffle Inc. https://baffle.io/

407 views • 23 slides
Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia Diaz, Narseo Vallina-Rodriguez, Carmela Troncoso NDSS, 25 February 2020 Encrypted DNS > Privacy? Can encrypting DNS protect users from tra ffi

533 views • 40 slides
Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1

Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1

Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging Hello Alice Bob Platform 2 Setting: End-to-end encrypted (E2EE) messaging Hello > 2

1.03k views • 73 slides
Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security

Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security

Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security (600/650.624) Introduction Searching usually done over plaintext But what if we could search encrypted data? Bloom Filters Efficient

459 views • 30 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
CRYPTDB:PROTECTING CONFIDENTIALITY WITH ENCRYPTED QUERY PROCESSING Why

CRYPTDB:PROTECTING CONFIDENTIALITY WITH ENCRYPTED QUERY PROCESSING Why

RALUCA ADA POPA, CATHERINE M. S. REDFIELD, NICKOLAI ZELDOVICH, AND HARI BALAKRISHNAN MIT CSAIL CRYPTDB:PROTECTING CONFIDENTIALITY WITH ENCRYPTED QUERY PROCESSING Why

1.45k views • 123 slides
Why Encrypt Data? We have already discussed authentication and access control as means to

Why Encrypt Data? We have already discussed authentication and access control as means to

Security in Outsourced Databases II Outsourced Databases II (Query Processing on Encrypted Data) Disks replaced Data worthless if encrypted Customer Credit for maintenance Card Number Laptops stolen Backups lost p 1 Why Encrypt Data?

759 views • 19 slides
Automated Key Management for End-To-End Encrypted Email Communication Intermediate talk for the

Automated Key Management for End-To-End Encrypted Email Communication Intermediate talk for the

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Automated Key Management for End-To-End Encrypted Email Communication Intermediate talk for the Guided Research by Thomas Maier advised by

463 views • 10 slides
Improving the Performance and Endurance of Encrypted Non-volatile Main Memory through

Improving the Performance and Endurance of Encrypted Non-volatile Main Memory through

Improving the Performance and Endurance of Encrypted Non-volatile Main Memory through Deduplicating Writes Pengfei Zuo, Yu Hua, Ming Zhao*, Wen Zhou, Yuncheng Guo Huazhong University of Science and Technology (HUST), China *Arizona State

702 views • 41 slides
DATA RECOVERY Reconstructed Values 400 ON ENCRYPTED DATABASES 350 WITH 300 k-NEAREST

DATA RECOVERY Reconstructed Values 400 ON ENCRYPTED DATABASES 350 WITH 300 k-NEAREST

DATA RECOVERY Reconstructed Values 400 ON ENCRYPTED DATABASES 350 WITH 300 k-NEAREST NEIGHBOR 250 QUERY LEAKAGE 200 EVGENIOS M. KORNAROPOULOS 150 CHARALAMPOS PAPAMANTHOU ROBERTO TAMASSIA 100 50 0 0 100 200 300 400 Full

777 views • 52 slides
Fast and Secure H T Y T O H Laptop Backups F G R E U D B I N with Encrypted

Fast and Secure H T Y T O H Laptop Backups F G R E U D B I N with Encrypted

I V N E U R S E I Fast and Secure H T Y T O H Laptop Backups F G R E U D B I N with Encrypted De-duplication Le Zhang <zhang.le@ed.ac.uk> Paul Anderson <dcspaul@ed.ac.uk> LISA 2010 Laptop Backup Options

390 views • 18 slides
Inference A)acks on Property- Preserving Encrypted Databases Charles

Inference A)acks on Property- Preserving Encrypted Databases Charles

Inference A)acks on Property- Preserving Encrypted Databases Charles V. Wright Portland State University @hackermath Joint work with Muhammad Naveed

1.24k views • 47 slides
PKI Development in Thailand Chaichana Mitrpant Electronic Transactions Development Agency

PKI Development in Thailand Chaichana Mitrpant Electronic Transactions Development Agency

PKI Development in Thailand Chaichana Mitrpant Electronic Transactions Development Agency (Public Organization), Thailand 1 e-Transactions Development model Economy Quality of Life Application e-Trade Government Online e-Commerce Others

465 views • 42 slides
Certificates, Revocation and the new gTLD's Oh My! Dan Timpson sales@digicert.com

Certificates, Revocation and the new gTLD's Oh My! Dan Timpson sales@digicert.com

Certificates, Revocation and the new gTLD's Oh My! Dan Timpson sales@digicert.com www.digicert.com +1 (801) 877-2100 Focus What is a Certificate Authority? Current situation with gTLD's and internal names

246 views • 13 slides
PKI and Certificate Security Introduction Nils Gruschka University Kiel (Diploma in

PKI and Certificate Security Introduction Nils Gruschka University Kiel (Diploma in

COINS Winter School 2018, Finse Nils Gruschka, UiO PKI and Certificate Security Introduction Nils Gruschka University Kiel (Diploma in Computer Science) T-Systems, Hamburg University Kiel (PhD in Computer Science) NEC

1.12k views • 108 slides
COMMISSION ON COMMUNITY INVESTMENT AND INFRASTRUCTURE GOLDEN STATE WARRIORS EVENT CENTER AND

COMMISSION ON COMMUNITY INVESTMENT AND INFRASTRUCTURE GOLDEN STATE WARRIORS EVENT CENTER AND

COMMISSION ON COMMUNITY INVESTMENT AND INFRASTRUCTURE GOLDEN STATE WARRIORS EVENT CENTER AND MIXED USE DEVELOPMENT AT BLOCKS 29-32, MISSION BAY SOUTH TUESDAY, NOVEMBER 3, 2015 AGENDA 1. OCII Commission Actions 2. Project Site &

623 views • 29 slides
A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure

A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure

A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage

248 views • 23 slides
Cothority 1 Introduction Collective Certificate Management (CCM) SUMMARY Cross Platform Mobile

Cothority 1 Introduction Collective Certificate Management (CCM) SUMMARY Cross Platform Mobile

INTEGRATE COLLECTIVE CERTIFICATE MANAGEMENT ON SKIPCHAINS AND ON CROSS PLATFORM MOBILE APPLICATION CLAUDIO LOUREIRO RESPONSIBLE SUPERVISOR PROF. BRYAN FORD MASTER SEMESTER PROJECT LINUS GASSER DEDIS/EPFL DECENTRALIZED AND DISTRIBUTED

541 views • 20 slides
CASS New Members Academy Presentation Teacher and Leadership Excellence Sector September 25,

CASS New Members Academy Presentation Teacher and Leadership Excellence Sector September 25,

CASS New Members Academy Presentation Teacher and Leadership Excellence Sector September 25, 2018 Presentation Focus Teacher Certification Role of a System Leader in Teacher Certification Reporting Teacher Discipline Matters Verifying

476 views • 22 slides
OVERVIEW OF CPARS ACQUISITION HOUR WEBINAR February 21, 2018 1 WEBINAR ETIQUETTE Please

OVERVIEW OF CPARS ACQUISITION HOUR WEBINAR February 21, 2018 1 WEBINAR ETIQUETTE Please

A Procurement Technical Assistance Center (PTAC) OVERVIEW OF CPARS ACQUISITION HOUR WEBINAR February 21, 2018 1 WEBINAR ETIQUETTE Please When logging into go-to-meeting, enter the name that you have registered with Put your phone

900 views • 74 slides

More recommend