universal ssl
play

Universal SSL Nick Sullivan @grittygrease Real Real World Crypto: - PowerPoint PPT Presentation

Nov 29, 2023 •249 likes •1.07k views

January 9th 2015 Universal SSL Nick Sullivan @grittygrease Real Real World Crypto: HTTPS 2 HTTPS Myths Only for banking Only for authentication Too hard 3 HTTPS is used for Visitor privacy Invasive

  1. January 9th 2015 Universal SSL Nick Sullivan @grittygrease

  2. Real Real World Crypto: HTTPS 2

  3. HTTPS Myths • Only for banking • Only for authentication • Too hard 3

  4. HTTPS is used for • Visitor privacy • Invasive intermediaries • SEO? 4

  5. First some good news… realworldcrypto.com does not have any TLS vulnerabilities 5

  6. The bad news 6

  7. Who else is not using HTTPS? 7

  8. And at the low end… • Personal sites • Small businesses • Shared hosting (Github pages, etc.) 8

  9. WHY U NO HTTPS? 9

  10. Reasons at high end • Sysadmin time/training • Business process and risk • Vendor cost (CDN, Hardware) • Third party liability • Mixed content warnings from ads 10

  11. Reasons at low end • Certi fi cates cost money • Hosting provider capabilities • Setting up HTTPS is complicated • Fixing vulnerabilities 11

  12. Goal Get more sites on HTTPS 12

  13. How? HTTPS as a service 13

  14. CloudFlare Reverse Proxy 14

  15. Potential issues • Certi fi cate Management • Scaling • Performance 15

  16. Problem Certi fi cate Management 16

  17. Solution Automated Certi fi cate Issuance 17

  18. How does a CA validate a site? • Domain validation (DV) • Organization validation (OV) • Extended validation (EV) 18

  19. How does a CA validate a site? • Domain validation (DV) • WHOIS email • DNS • HTTP 19

  20. Whois email $ whois realworldcrypto.com The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: realworldcrypto.com Registry Domain ID: 1839854081_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.register.com Registrar URL: http://www.register.com Updated Date: 2013-12-20T05:00:00Z Creation Date: 2013-12-20T16:52:54Z Registrar Registration Expiration Date: 2023-12-20T05:00:00Z Registrar: Register.com, LLC. Registrar IANA ID: 9 Admin Name: Dan Boneh … Admin Email: dabo@cs.stanford.edu 20

  21. DNS Validation • If you control DNS, you control the site • Add a TXT record to DNS with token from CA $ dig realworldcrypto.com TXT realworldcrypto.com. 14399 IN TXT "google-site- verification=8-V5SmsK-pBf9PLCE49ACqFCX4qymWylbNVFaIDbtXc" 21

  22. HTTP Validation • If you control page content, you control the site • Add a meta-tag to HTML <meta name=“validator” content=“...”> 22

  23. CloudFlare Edge DNS Proof Proof CloudFlare CA 23

  24. Proof CloudFlare Edge TXT? DNS TXT? Proof CSR Certi fi cate CloudFlare CA 24

  25. CloudFlare CDN CA Proof Proof CloudFlare 25

  26. Proof CloudFlare CDN CA HTTP GET CSR Certi fi cate CloudFlare 26

  27. Problem ✓ Certi fi cate Management 27

  28. Problem Scaling 28

  29. Customer Power Law High-end enterprises 1,000s Businesses with budgets 10,000s Cost sensitive sites 100,000s Free customers 1,000,000s All numbers approximate for illustration 29

  30. Assumptions • One IP address per site • Web server can handle around 10,000 certi fi cates • Service owns 10,000 IPv4 addresses 30

  31. High-end enterprises • 1,000 sites • 1,000 certi fi cates • Easy to handle 31

  32. Third party liability? • Keyless SSL • Keep private key on premises • Open signing oracle to proxy • Proxy splits handshake 32

  33. 33

  34. Keyless SSL Example handshake performance No proxy: 895ms Proxy with keyless: 346ms Proxy with key: 149ms 34

  35. Businesses with budgets • 10,000 sites • 10,000 certi fi cates • Near capacity for stock web server 35

  36. Cost sensitive sites • 100,000 sites • 100,000 certi fi cates • This begins to get tricky 36

  37. Subject Alternative Names • Associate values to a certi fi cate (DNS Name, IP) 37

  38. Solution to certi fi cate problem • Put multiple sites on same SAN • ~40 or so SANs before performance is a ff ected • Sites can’t spoof each other: managed key 38

  39. Cost sensitive sites • 100,000 sites • 10,000 multi-SAN certi fi cates • Acceptable web server 39

  40. Free customers • 1,000,000 sites • 100,000 multi-SAN certi fi cates? • Even with SANs, this doesn’t scale 40

  41. Lazy Loading • Load certi fi cates into memory when needed • No need to reload web server • 100,000 certi fi cates are possible 41

  42. How many IP addresses? • Let’s assume one IP per server per site 42

  43. CloudFlare’s Global Network 43

  44. IP addresses needed • 1 certi fi cate per IP per PoP • 100,000 certi fi cates • ~3 million IPs for 30 pops • CloudFlare only has ~1 million IP addresses • Only ~16 million in a Class A network 44

  45. Unicast vs. Anycast Networks • Unicast: each machine gets its own IP • Anycast: each machine gets the same IP • Network handles routing via BGP 45

  46. Source addresses for one IP 46

  47. As seen from Singapore 47

  48. As seen from Santiago 48

  49. Using Anycast • 1 certi fi cate per IP, no matter how many servers • 100,000 certi fi cates • 100,000 IPs • Still not ideal 49

  50. Solution Server Name Indication (SNI) 50

  51. What is it? • TLS extension that adds the hostname to ClientHello • Allows “virtual hosting” • Multiple certi fi cates behind one IP 51

  52. Downside • Not universally supported 52

  53. SNI Support Windows XP Android iOS/MacOS iOS 4+ X OS Browser 3.0+ MacOS 10.5+ ✓ ✓ Chrome 3.0+ ✓ ✓ Firefox 2.0+ 53

  54. But… 54

  55. Meanwhile… • Windows XP end of life • Microsoft and Google dropping support for SHA-1 • POODLE exploit causes SSL v3.0 to be dropped 55

  56. SHA-256 Support Windows XP Android iOS/MacOS iOS 3+ OS Browser SP3 2.3+ MacOS 10.5+ ✓ ✓ Chrome 26.0+ SP3 ✓ ✓ Firefox 1.5+ 56

  57. no SNI support, yes SHA-256 Windows XP Android iOS/MacOS OS Browser XP SP3 2.3 only iOS 3 only 3.0+ SP2 Chrome N/A N/A 3 – 25 SP3 Firefox N/A N/A N/A 57

  58. Use SNI • 1,000,000 sites • 100,000 multi-SAN certi fi cates • 10 certi fi cates per IP • 10,000 IPs • Works on modern browsers 58

  59. Problem ✓ Scaling 59

  60. Problem Performance 60

  61. Potential performance issues • Server CPU usage • Handshake latency • Is the site slower with HTTPS? 61

  62. CPU utilization - bulk crypt • Modern Intel CPUs have instructions for AES • Advanced Encryption Standard Instruction Set (AES-NI) • Carry-less Multiplication (CLMUL) • ChaCha20/Poly1305 for mobile — soon • Encrypt and decrypt at line rate 62

  63. CPU utilization - handshake • Elliptic curve certi fi cates • Assembly implementation of P256 in OpenSSL • 10x less computation than RSA on server side 63

  64. Latency - handshake • Session resumption • Session tickets, globally resumable • Session IDs, resumable within a PoP 64

  65. 65

  66. 66

  67. 67

  68. Latency - HTTP • Use SPDY 68

  69. 69

  70. 70

  71. Problem ✓ Performance 71

  72. Problems ✓ • Certi fi cate Management ✓ • Scaling ✓ • Performance 72

  73. All this results in • Free HTTPS 73

  74. Universal SSL • No-hassle HTTPS • ECDSA certi fi cates • SNI only • Free and automatic • Over a million new sites with HTTPS! 74

  75. Universal SSL • Modern browsers only 75

  76. Some issues left to solve • Back-end encryption • Ad networks and mixed content warnings 76

  77. 77

  78. Automatic Back-end Encryption • Automatic issuance of certi fi cates for origin • CloudFlare Origin CA • Let’s Encrypt ??? 78

  79. 79

  80. Mixed content warnings • Invite me back next year when we’ve fi xed it 80

  81. January 9th 2015 Universal SSL Nick Sullivan @grittygrease

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Universal Credit Universal Credit Universal Credit is for working-age people aged over 18 and

Universal Credit Universal Credit Universal Credit is for working-age people aged over 18 and

Universal Credit Universal Credit Universal Credit is for working-age people aged over 18 and under State Pension age. Universal Credit will replace a number of current benefits: income-based Jobseekers Allowance (JSA);

332 views • 14 slides
Universal Acceptance Quick Guide What Does Universal Acceptance Mean? ACCEPT Universal

Universal Acceptance Quick Guide What Does Universal Acceptance Mean? ACCEPT Universal

Universal Acceptance Quick Guide What Does Universal Acceptance Mean? ACCEPT Universal Acceptance (UA) is the state where all valid domain names and email addresses are accepted, validated, stored, processed and displayed correctly and

122 views • 8 slides
Tech Day: Universal Acceptance Mark van rek Universal Acceptance Todays Objectives

Tech Day: Universal Acceptance Mark van rek Universal Acceptance Todays Objectives

Tech Day: Universal Acceptance Mark van rek Universal Acceptance Todays Objectives Definition of Universal Acceptance Universal Acceptance Steering Group Challenges BiDi Stuff Conclusion 2 Definition of Universal

665 views • 27 slides
A Universal Language A Universal Language Scheme. It contains terms and rules describing

A Universal Language A Universal Language Scheme. It contains terms and rules describing

One-Slide Summary The lambda calculus is a universal, fundamental model of computation. You can view it as the essence of A Universal Language A Universal Language Scheme. It contains terms and rules describing variables, function

82 views • 7 slides
A Universal Language A Universal Language Scheme. It contains terms and rules describing

A Universal Language A Universal Language Scheme. It contains terms and rules describing

One-Slide Summary The lambda calculus is a universal, fundamental model of computation. You can view it as the essence of A Universal Language A Universal Language Scheme. It contains terms and rules describing variables, function

497 views • 10 slides
Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and

Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and

Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and software ethics Visually impaired Deaf and hard of hearing Dexterity and mobility impairments Section 508 the law Universal

593 views • 33 slides
Accessibility and Universal Design Webinar May 31, 2017 11:00am Accessibility &amp; Universal

Accessibility and Universal Design Webinar May 31, 2017 11:00am Accessibility &amp; Universal

Accessibility and Universal Design Webinar May 31, 2017 11:00am Accessibility &amp; Universal Design Universal design principles for online learning environments are based on the idea that a broad range of human ability exists, and this is

467 views • 14 slides
Universal Service, Mobile Broadband and Reverse Auctions (or, Universal Service in a 5G world)

Universal Service, Mobile Broadband and Reverse Auctions (or, Universal Service in a 5G world)

Universal Service, Mobile Broadband and Reverse Auctions (or, Universal Service in a 5G world) (or, or, what can we learn from MF-II challenge process) Agenda: Universal Service: What Needs to be Measured William Lehr Steve Bauer MIT MIT 9th

224 views • 7 slides
UNIVERSAL DESIGN FOR LEARNING (UDL) UNIVERSAL DESIGN FOR LEARNING (UDL) First defined by the

UNIVERSAL DESIGN FOR LEARNING (UDL) UNIVERSAL DESIGN FOR LEARNING (UDL) First defined by the

UNIVERSAL DESIGN FOR LEARNING (UDL) UNIVERSAL DESIGN FOR LEARNING (UDL) First defined by the Center for Applied Special Technology (CAST), UDL is a framework which promotes flexible instructional environments in order to accommodate a wide

609 views • 23 slides
UNIVERSAL ROBOTS RUC 2018 Universal Robots - Evolving the future UNIVERSAL ROBOTS SET THE

UNIVERSAL ROBOTS RUC 2018 Universal Robots - Evolving the future UNIVERSAL ROBOTS SET THE

UNIVERSAL ROBOTS RUC 2018 Universal Robots - Evolving the future UNIVERSAL ROBOTS SET THE STANDARD Fast Set-up Flexible Deployment Easy Programming Safe UNIVERSAL ROBOTS SET THE STANDARD Fast setup Fast Set-up Flexible

585 views • 24 slides
Universal Serial Bus (USB) USB ACRONYMS USB Universal

Universal Serial Bus (USB) USB ACRONYMS USB Universal

Universal Serial Bus (USB) USB ACRONYMS USB Universal Serial Bus OTG On The Go similar concept to Plug and Play

410 views • 36 slides
Lesson 11 Universal Types 2/28 Chapter 23 Universal Types and System F Varieties of

Lesson 11 Universal Types 2/28 Chapter 23 Universal Types and System F Varieties of

Lesson 11: Universal Types Lesson 11 Universal Types 2/28 Chapter 23 Universal Types and System F Varieties of polymorphism System F Examples Basic properties Erasure Evaluation issues Parametricity

551 views • 8 slides
Type theory and Universal Grammar Erkki Luuk CIFMA 2019 Universal Grammar Introduction The

Type theory and Universal Grammar Erkki Luuk CIFMA 2019 Universal Grammar Introduction The

Type theory and Universal Grammar Erkki Luuk CIFMA 2019 Universal Grammar Introduction The idea of Universal Grammar (UG) as the hypothetical linguistic structure shared by all human languages harkens back at least to Roger Bacon in the

298 views • 27 slides
Universal Credit Partner Presentation Progress so far 26 Universal Credit Service Centres

Universal Credit Partner Presentation Progress so far 26 Universal Credit Service Centres

Universal Credit Partner Presentation Progress so far 26 Universal Credit Service Centres 235 Jobcentres operate the Universal Credit full service (as at 24 th January 2018) 700,000 on caseload as at 14 th December 2017 300,000

552 views • 15 slides
1 The case for Universal Design 2 The case for Universal Design It all begins and ends in our

1 The case for Universal Design 2 The case for Universal Design It all begins and ends in our

1 The case for Universal Design 2 The case for Universal Design It all begins and ends in our mind since the majority of our target market is the family group. We wanted to be the preferred resort for families from all walk of life. We

306 views • 6 slides
universal design universal design principles - NCSW equitable use flexibility in use

universal design universal design principles - NCSW equitable use flexibility in use

chapter 10 universal design universal design principles - NCSW equitable use flexibility in use simple and intuitive to use perceptible information tolerance for error low physical effort size and space for

631 views • 9 slides
Independent Sets in Free Groups and Fields Rev. Charles McCoy &amp; Russell Miller Univ. of

Independent Sets in Free Groups and Fields Rev. Charles McCoy &amp; Russell Miller Univ. of

Independent Sets in Free Groups and Fields Rev. Charles McCoy &amp; Russell Miller Univ. of Portland Queens College / CUNY Graduate Center Rutgers Logic Seminar 18 February 2013 McCoy &amp; Miller (UP &amp; CUNY) Free Groups and Fields

530 views • 25 slides
CS6220: DATA MINING TECHNIQUES Mining Sequential and Time Series Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Sequential and Time Series Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Sequential and Time Series Data Instructor: Yizhou Sun yzsun@ccs.neu.edu March 30, 2016 Announcement About course project You can gain bonus points Call for code contribution Sign-up one or

795 views • 68 slides
Getting Started James Lamb Instructor DataCamp Time Series with data.table in R Getting data

Getting Started James Lamb Instructor DataCamp Time Series with data.table in R Getting data

DataCamp Time Series with data.table in R TIME SERIES WITH DATA . TABLE IN R Getting Started James Lamb Instructor DataCamp Time Series with data.table in R Getting data from Quandl Quandl provides an R package for pulling data aluminumDF

662 views • 30 slides
Course Objectives Database Construction Design Construction and Usage SQL DDL and DML

Course Objectives Database Construction Design Construction and Usage SQL DDL and DML

Course Objectives Database Construction Design Construction and Usage SQL DDL and DML Relational Algebra Interfacing Usage Course Objectives Construction When the course is through, you should Given a database schema with related

462 views • 13 slides
Computational Social Choice: Autumn 2012 Ulle Endriss Institute for Logic, Language and

Computational Social Choice: Autumn 2012 Ulle Endriss Institute for Logic, Language and

Judgement Aggregation COMSOC 2012 Computational Social Choice: Autumn 2012 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Judgement Aggregation COMSOC 2012 Plan for Today Preferences are

463 views • 21 slides
Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang July 8, 2019 | Dallas, TX Large-scale volumetric DDoS attacks are common (distributed denial of

569 views • 29 slides
Improved Detection of LSB Steganography in Grayscale Images Andrew Ker adk@comlab.ox.ac.uk

Improved Detection of LSB Steganography in Grayscale Images Andrew Ker adk@comlab.ox.ac.uk

Improved Detection of LSB Steganography in Grayscale Images Andrew Ker adk@comlab.ox.ac.uk Royal Society University Research Fellow at Oxford University Computing Laboratory Information Hiding Workshop 2004 Summary This presentation will

560 views • 32 slides
Playing with AD Domains (not the Windows Way) - SambaXP 2017 Denis Cardon, Vincent Cardon

Playing with AD Domains (not the Windows Way) - SambaXP 2017 Denis Cardon, Vincent Cardon

Tranquil IT Systems Playing with AD Domains (not the Windows Way) - SambaXP 2017 Denis Cardon, Vincent Cardon Tranquil IT Systems Tranquil IT Systems IT support company since 2002, in Nantes, FRANCE 15 employees both small (outsourcing)

804 views • 25 slides

More recommend