Amazon CloudFront Seminar: Accelerated TLS/SSL Adoption
Hayato Kiriyama, Security Solutions Architect, Amazon Web Services Japan K.K.
2016.8.4

Session Agenda
Past: History and Transition of TLS/SSL
Present: Recent Trends in Web Traffic Encryption
Future: The Future of Web Services

Part 1, Past: History and Transition of TLS/SSL

History of TLS/SSL: Evolution of Web Encryption Technologies
1995: SSL 2.0
1996: SSL 3.0
1999: TLS 1.0
2006: TLS 1.1
2008: TLS 1.2
2013: planning of TLS 1.3 starts

Evolution of TLS/SSL: resistance to attack vectors and supported algorithms, by protocol version

| | SSL 2.0 | SSL 3.0 | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|---|---|
| Downgrade attacks (forced downgrade of encryption strength) | Weak | Secure | Secure | Secure | Secure |
| Version rollback attacks (forced revert to SSL 2.0) | Weak | Secure | Secure | Secure | Secure |
| CBC mode vulnerability attacks (BEAST/POODLE) | Weak | Weak | Patch required | Secure | Secure |
| 128-bit block ciphers (AES, Camellia) | No | No | Yes | Yes | Yes |
| Authenticated encryption (GCM, CCM) | No | No | No | No | Yes |
| Elliptic curve cryptography (ECC) | No | No | Yes | Yes | Yes |
| SHA-2 hash algorithms (SHA-256, SHA-384) | No | No | No | No | Yes |

"Patch required" for TLS 1.0 refers to the client-side 1/n-1 record-splitting workaround for BEAST; the protocol itself was not changed, and the explicit per-record IV that closes the gap arrived only with TLS 1.1. Authenticated encryption and SHA-2 suites exist only from TLS 1.2, which is why that is the column a deployment should be able to reach.

Source: SSL/TLS Encryption Guidelines v1.1, IPA
http://www.ipa.go.jp/files/000045645.pdf
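The table is easiest to apply when you can read what a client actually offers. The following is an added example, not code from the seminar or from AWS: it parses a TLS record carrying a ClientHello (the RFC 5246 layout, plus the RFC 8446 supported_versions extension) and grades the result against the table's columns, naming the highest version offered, whether any AEAD suite is on the list, and which legacy suites (RC4, 3DES, export grade) are still present. Cipher suite identifiers are taken from the IANA registry; the two sample hellos are constructed in the block itself, not captured traffic, and the `acceptable` verdict is this example's own rule (TLS 1.2 reachable and no listed weak suite), not a claim from the slide.

```python
"""Inspect a TLS ClientHello against the version/algorithm table above."""
import struct

# Wire-format version numbers and the names used in the table.
VERSION_NAMES = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
TLS12 = 0x0303
EXT_SUPPORTED_VERSIONS = 0x002B

# Cipher suite identifiers (IANA registry). AEAD suites exist only from TLS 1.2 on.
AEAD_SUITES = {0x009C, 0x009D, 0xC02B, 0xC02C, 0xC02F, 0xC030, 0xCCA8, 0xCCA9,
               0x1301, 0x1302, 0x1303}
WEAK_SUITES = {0x0000: "TLS_NULL_WITH_NULL_NULL",
               0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",      # export grade (FREAK)
               0x0004: "TLS_RSA_WITH_RC4_128_MD5",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",  # export grade (FREAK)
               0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",   # export grade (FREAK)
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (RFC 5246 section 7.4.1.2).

    Returns client_version, the offered cipher suites and, when present, the
    supported_versions extension list (RFC 8446). Raises ValueError on malformed input.
    """
    def take(buf, pos, n):                            # bounds-checked slice helper
        if pos + n > len(buf):
            raise ValueError("truncated ClientHello")
        return buf[pos:pos + n], pos + n

    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body, _ = take(record, 5, struct.unpack("!H", record[3:5])[0])
    if len(body) < 4 or body[0] != 0x01:              # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs, _ = take(body, 4, int.from_bytes(body[1:4], "big"))

    raw, pos = take(hs, 0, 2)
    client_version = struct.unpack("!H", raw)[0]
    _, pos = take(hs, pos, 32)                        # random
    raw, pos = take(hs, pos, 1)
    _, pos = take(hs, pos, raw[0])                    # session_id
    raw, pos = take(hs, pos, 2)
    raw, pos = take(hs, pos, struct.unpack("!H", raw)[0])
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, len(raw) - 1, 2)]
    raw, pos = take(hs, pos, 1)
    _, pos = take(hs, pos, raw[0])                    # compression_methods

    supported_versions = []
    if pos < len(hs):                                 # extensions block is optional
        raw, pos = take(hs, pos, 2)
        exts, pos = take(hs, pos, struct.unpack("!H", raw)[0])
        epos = 0
        while epos < len(exts):
            hdr, epos = take(exts, epos, 4)
            etype, elen = struct.unpack("!HH", hdr)
            data, epos = take(exts, epos, elen)
            if etype == EXT_SUPPORTED_VERSIONS and data and len(data) >= 1 + data[0]:
                supported_versions = [struct.unpack("!H", data[i:i + 2])[0]
                                      for i in range(1, 1 + data[0], 2)]
    return {"client_version": client_version, "cipher_suites": suites,
            "supported_versions": supported_versions}


def grade_client_hello(record: bytes) -> dict:
    """Grade a ClientHello against the table: highest version, AEAD availability, weak suites.

    'acceptable' (this example's rule) means TLS 1.2 is reachable, so AEAD and SHA-2
    suites can be negotiated, and none of the weak suites listed above is offered.
    """
    info = parse_client_hello(record)
    # Pre-1.3 clients advertise only their highest version; 1.3 clients list all of them.
    offered = info["supported_versions"] or [info["client_version"]]
    best = max(offered)
    findings = []
    if best <= 0x0300:
        findings.append("SSL 3.0 or older: CBC padding oracle (POODLE); disable the version")
    elif best == 0x0301:
        findings.append("TLS 1.0: BEAST needs the client-side 1/n-1 record-splitting workaround")
    if best < TLS12:
        findings.append("below TLS 1.2: AEAD (GCM/CCM) and SHA-2 suites cannot be negotiated")
    weak = [WEAK_SUITES[s] for s in info["cipher_suites"] if s in WEAK_SUITES]
    aead = any(s in AEAD_SUITES for s in info["cipher_suites"])
    return {"highest_version": VERSION_NAMES.get(best, hex(best)), "aead_offered": aead,
            "weak_suites": weak, "findings": findings,
            "acceptable": best >= TLS12 and not weak}


def build_client_hello(version: int, suites: list, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello (test input built here, not a capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # zero random, no session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    exts = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs   # record version as most clients send it


# Constructed samples: a legacy TLS 1.0 client (RC4/3DES/CBC) and a modern 1.2/1.3 client.
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x000A, 0x002F, 0x0035])
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0xC02B, 0xC02F, 0x00FF],
                                  supported_versions=[0x0304, TLS12])

if __name__ == "__main__":
    for label, hello in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(label, grade_client_hello(hello))
```

Feed it the first handshake record from a capture (for example the payload `tshark` or `tcpdump -X` shows for the client's first packet on port 443) and the findings line up directly with the rows of the table: a hello whose highest version is TLS 1.0 can never land in the AEAD or SHA-2 columns no matter what the server is configured to prefer.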

History of TLS/SSL: Battle Against Vulnerabilities
1995: SSL 2.0
1996: SSL 3.0
1999: TLS 1.0
2006: TLS 1.1
2008: TLS 1.2
2011: BEAST
2013: planning of TLS 1.3 starts
2014/04: Heartbleed
2014/09: POODLE
2015: FREAK
2016/03: DROWN

Part 2, Present: Recent Trends in Web Traffic Encryption

Indexing of HTTPS Pages by Default
Google Webmaster Central Blog (Dec. 17, 2015)
https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html

PCI DSS v3.2 Requirements
By June 30, 2016: all service providers must provide a secure service offering.
By June 30, 2018: all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol.
Source: PCI DSS Requirements and Security Assessment Procedures Version 3.2 (April 2016)
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf

App Transport Security (ATS) required by the end of 2016
Apple will require HTTPS connections for iOS apps by the end of 2016 (TechCrunch, June 14, 2016)
https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/324759/

HTTP Strict Transport Security (HSTS) enforces HTTPS on google.com
Google's HSTS rollout: Forced HTTPS for google.com aims to help block attacks (ZDNet, August 1, 2016)
http://www.zdnet.com/article/googles-hsts-rollout-forced-https-for-google-com-aims-to-help-block-attacks/
* Gmail, Inbox, Google Play, Hangouts, Docs
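What "enforces HTTPS" means mechanically is that the browser remembers the Strict-Transport-Security policy and rewrites later http:// requests itself, before anything reaches the network. The following is an added example, not code from the seminar, from AWS or from Google: it parses the header as RFC 6797 section 6.1 requires, keeps a small "known HSTS hosts" cache with the ignore-over-plain-HTTP and max-age=0 rules, applies the subdomain matching used by the upgrade decision, and checks the three header conditions the hstspreload.org submission form enforces. The header value is constructed here to match what the rollout implies; it is not a captured response from google.com.

```python
"""HSTS as a browser applies it: parse the header, remember the policy, upgrade URLs."""
import time
from typing import Callable, Optional

PRELOAD_MIN_MAX_AGE = 31536000   # one year: the hstspreload.org minimum for the preload list


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool}, or None
    when the header is invalid and must be ignored (missing max-age, repeated directive).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()                 # directive names are case-insensitive
        value = value.strip().strip('"')
        if name in seen:
            return None                             # a directive MUST NOT appear twice
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        return None                                 # max-age is mandatory
    return policy


def preload_eligible(header: str) -> bool:
    """Check the three header conditions the hstspreload.org submission form enforces."""
    p = parse_hsts(header)
    return bool(p and p["max_age"] >= PRELOAD_MIN_MAX_AGE
                and p["include_subdomains"] and p["preload"])


class HstsStore:
    """Minimal 'known HSTS hosts' cache with the RFC 6797 upgrade decision."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._hosts = {}          # host -> (expiry timestamp, include_subdomains)

    def observe(self, host: str, header: str, over_https: bool) -> None:
        """Record the header from a response. Headers seen over plain HTTP are ignored
        (section 8.1), which is why HSTS cannot protect the very first visit without preload."""
        if not over_https:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        host = host.lower().rstrip(".")
        if policy["max_age"] == 0:                  # max-age=0 tells the UA to forget the host
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (self._now() + policy["max_age"], policy["include_subdomains"])

    def should_upgrade(self, host: str) -> bool:
        """True if http:// requests to host must be rewritten to https:// (section 8.3)."""
        labels = host.lower().rstrip(".").split(".")
        now = self._now()
        for i in range(len(labels)):
            # i == 0 is the exact host; longer suffixes only match with includeSubDomains
            expiry, include_sub = self._hosts.get(".".join(labels[i:]), (0.0, False))
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Apply the upgrade to a URL, as the browser does before the request leaves."""
        if url.startswith("http://"):
            host = url[7:].split("/", 1)[0].split(":", 1)[0]
            if self.should_upgrade(host):
                return "https://" + url[7:]
        return url


# Constructed example header (not a captured google.com response).
GOOGLE_STYLE_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    store = HstsStore()
    store.observe("google.com", GOOGLE_STYLE_HEADER, over_https=True)
    print(store.rewrite("http://mail.google.com/"), preload_eligible(GOOGLE_STYLE_HEADER))
```

Two details matter when you roll this out on your own site: the policy is only learned over a clean HTTPS response, so a user's first visit is unprotected unless the domain is on the browsers' preload list, and includeSubDomains commits every subdomain, including internal ones that still answer on port 80, to HTTPS for the full max-age.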

Upgrade to TLS 1.2 and HTTP/1.1 (PayPal)

Source: TLS 1.2 and HTTP/1.1 Upgrade Microsite, PayPal

https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1914

Greater Enforcement by Industry/Vendors
Battle against vulnerabilities: 2011 BEAST; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN
Industry enforcement: 2015/12 indexing of HTTPS pages by default (Google); 2016/04 PCI DSS v3.2; 2016/07 mandatory ATS (Apple); 2016/08 HTTP Strict Transport Security (HSTS) on google.com; 2017/06/30 mandatory TLS 1.2 (PayPal)

Part 3, Future: The Future of Web Services

Survey of Most Popular Websites
SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites
https://www.trustworthyinternet.org/ssl-pulse/
HTTP Archive Trends
http://httparchive.org/trends.php#perHttps
HTTPS adoption rate: percentage of requests to the Alexa top 1,000,000 URLs

Web Sites with Always On SSL
Diagram: the same site (Top Page, Service Introduction, Case Studies, Seminar Registration) under Partial SSL, where only some pages are served over HTTPS, versus Always On SSL, where every page is served over HTTPS.

Benefits of Always On SSL

| Item | Effects | Business Benefits |
|---|---|---|
| Search engine optimization | Higher rankings in Google search results | Increase in marketing presence |
| Obtain referrer data | Access analytics of web sites | Analyze user behavior |
| Web site development and operation | Protect and maintain contents, URLs, and configuration files | Lower development and operational costs |
| Eavesdropping on vulnerable access points | Prevent man-in-the-middle and spoofing attacks | Protect users from damages |
| Use of HTTP/2 | Faster web pages | Better user experience |

The referrer row rests on browser behaviour: with the default referrer policy, a browser omits the Referer header when navigating from an HTTPS page to an HTTP page, so a site that stays on HTTP loses the referrer of every visitor arriving from an HTTPS site, while an HTTPS site keeps it.

HTTPS for Maximizing Business Value
Industry enforcement: 2015/12 indexing of HTTPS pages by default; 2016/04 PCI DSS v3.2; 2016/07 mandatory ATS; 2016/08 HTTP Strict Transport Security (HSTS); 2017/06/30 mandatory TLS 1.2
Business benefits: increase in marketing benefits; lower costs; increase in user benefits

Shifting to the Era of Complete HTTPS
The evolution of web encryption, the battle against vulnerabilities, and industry enforcement, together with the business benefits, are driving the shift to complete HTTPS.

Conclusion: Behind Accelerated TLS/SSL Adoption
Past: Battle Against Vulnerabilities (Security)
Present: Industry Enforcement (Trust and Reliability)
Future: Business Benefits (Greater Business Value)