Find out more about Symantec SSL and the subjects of encryption and authentication.
SSL Explained
Andrew Horbury
Senior Product Marketing Manager
Symantec Website Security Solutions
SSL Explained 1
Agenda
• What does SSL do?
• Why do we need SSL?
• How do we use SSL today?
• How does SSL Encryption work?
• How does Authentication work?
• Different types of SSL Certificates
• Valid certificates and
• Website Security Solutions – Moving beyond SSL
• Resources and more information
What does SSL do?
• Authentication and Verification – The SSL certificate contains information about the authenticity of the business or individual, which the browser displays when the padlock or the certificate is clicked on.
• Data Encryption – SSL enables encryption, which means that sensitive information exchanged via a website cannot be intercepted and read by anyone other than the intended recipient.
First of all…
Let's take a look at how people's purchasing patterns have changed, with many of us preferring to buy online rather than visiting shops:
• GBP91 billion spent online in 2013 in the UK (6% growth from 2012)*
• 2013, the 'year of the mobile': twice as much was spent via mobile devices in December 2013 as in December 2012
Yet in 2012 one percent of all online revenues globally was lost to fraud; this equates to GBP2.17BN**
* IMRG.org
** Cyber Source Corp
Why do we need SSL?
• Everyone expects web sites to be safe from prying eyes
• We need to clearly demonstrate online security
• PCI compliance demands the encryption of credit card details
• There is a data protection obligation to protect personal data
• SSL plays a huge part in the worlds of ecommerce, finance, government, manufacturing and much, much more…
How do we use SSL?
• To secure online transactions (ecommerce, bill payments etc.)
• To secure various online systems (logins, extranets, intranets etc.)
• To secure the connection between Outlook (mail client) and MS Exchange (mail server)
• To secure webmail and applications such as Outlook Web Access
• To secure cloud-based applications
• To secure FTP and file transfer services
• To secure internal and external data transfers (SharePoint, database connections, HR apps, payroll etc.)
• To secure remote logins such as SSL VPN
• To secure information sent and received by mobile phones, tablets etc.
What do all these applications have in common?
• The data needs confidentiality – the user wants to keep credit card details, passwords and other personal data from prying eyes
• The data needs to retain integrity – meaning it cannot be intercepted and changed in transit
• You need to demonstrate clearly that you are who you say you are, and not someone else pretending to be you
• Compliance – meeting national, local and international regulations
Would you send a postcard to someone through the post with your bank details written on the other side…?
Would you send a postcard to someone through the post with your bank details written on the other side…? NO
How does SSL Encryption work?
• In the same way you use a key to unlock the door of your car, SSL uses keys to lock and unlock your information.
• Unless you have the right key, you will not be able to unlock the information (or the car).
• Each SSL session involves two keys:
– The public key is used to encrypt
– The private key is used to decrypt
• Once the server and browser have completed the SSL handshake, the traffic is encrypted with a shared symmetric session key, which is far cheaper to use than the public/private key pair.
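The pattern on this slide, a public key that only the matching private key can reverse and a symmetric key that then carries the traffic, shown as an added Go example that is not part of the original presentation. The browser side wraps a freshly generated AES-256 session key with the server's RSA public key; only the holder of the private key can unwrap it and read what the session key encrypts, and a tampered ciphertext is rejected by AES-GCM's integrity check. Real TLS derives the session key through the handshake rather than sending it in an envelope; the Envelope type, the Seal and Open functions and the message text are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the browser side sends: the session key wrapped with the
// server's public key, plus the application data sealed under that session key.
type Envelope struct {
	WrappedKey []byte // session key encrypted with the server's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM ciphertext followed by its authentication tag
}

// Seal plays the browser's part: generate a random 256-bit session key, wrap it
// with the server's public key, then encrypt the message with the session key.
func Seal(serverPub *rsa.PublicKey, message []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, message, nil)}, nil
}

// Open plays the server's part: unwrap the session key with the private key and
// decrypt the message. The wrong private key, or any change to the ciphertext,
// produces an error instead of plaintext.
func Open(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt message: %w", err)
	}
	return plaintext, nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample message standing in for form data sent over HTTPS.
	env, _ := Seal(&serverKey.PublicKey, []byte("account=12345678&amount=10.00"))
	got, err := Open(serverKey, env)
	fmt.Printf("server reads: %q (err=%v)\n", got, err)

	// A different private key cannot unwrap the session key.
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(otherKey, env)
	fmt.Println("wrong private key:", err)
}
```

Only the public key ever leaves the server, so anyone intercepting the envelope has nothing that can unwrap the session key; that is the whole reason the private key must never be copied off the server.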
Moving on to Identity – How Authentication Works…
• Making sure that you are talking to the person or computer that you can trust.
• Who to trust:
– Company asks a CA (e.g. Symantec) for a certificate
– CA creates a certificate and signs it
– Certificate installed on a server
– Browser issued with root certificates
– Browser trusts correctly signed certificates
Different types of SSL Certificates
The use of SSL has changed. Some companies use it for authentication, to demonstrate trust, whilst others need only encryption.
The industry has reacted and formulated three types of SSL certificate:
• Domain Validated (DV)
• Organisation Validated (OV) – domain and organisation validated
• Extended Validation (EV) – as OV, but additionally:
– Verifies the legal, physical and operational status of the company
– Verifies that the identity of the entity matches official centrally held documents
– Verifies that the entity has the exclusive right to use the domain specified in the EV certificate
• All certificates issued by Symantec are fully validated at Org level
Website warnings for self-signed certificates
(Screenshots of the browser warning pages shown by Chrome, IE8 and Firefox 10.)
Different Certificate Technologies
• Individual certificates – Standard use for an SSL certificate. Used to secure data between website and webserver (can be used for multiple servers).
• Wildcard SSL certificates – A wildcard certificate uses one certificate to secure multiple subdomains under one domain.
• Multiple domain certificates – Subject Alternative Names. Similar to a wildcard certificate but more versatile, the SAN (Subject Alternative Name) SSL certificate allows more than one domain to be added to a single SSL certificate. These are particularly useful for Unified Communications, for use with Microsoft Exchange/Office Service.
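An added Go example, not from the presentation, that ties three of the slides together: the "Who to trust" list on the authentication slide (a root CA signs a server certificate, and a browser trusts what a root it already holds has signed), the self-signed warning slide (the same check with no trusted root installed), and the wildcard and SAN rules on this slide. It builds a root CA and a server certificate with two Subject Alternative Names, then verifies that certificate the way a browser does, for several host names and with and without the root. Every name (Example Root CA, *.example.com, mail.example.net) and the helpers newCert, BuildPKI and Check are constructed for illustration; only Go's standard x509 library is used and nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for template, signed by parent's key. With a nil
// parent the certificate signs itself, which is how both a root CA and a
// self-signed server certificate come into existence.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = template
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// baseTemplate fills in the fields every certificate needs (constructed values).
func baseTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// BuildPKI creates a root CA and a server certificate signed by it. The server
// certificate carries two Subject Alternative Names, a wildcard and an
// unrelated second domain, as a SAN certificate would.
func BuildPKI() (root, server *x509.Certificate, err error) {
	rootTmpl := baseTemplate("Example Root CA", 1)
	rootTmpl.IsCA = true
	rootTmpl.BasicConstraintsValid = true
	rootTmpl.KeyUsage = x509.KeyUsageCertSign
	root, rootKey, err := newCert(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := baseTemplate("shop.example.com", 2)
	srvTmpl.DNSNames = []string{"*.example.com", "mail.example.net"}
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	server, _, err = newCert(srvTmpl, root, rootKey)
	return root, server, err
}

// Check does what the browser does behind the padlock: build a chain from the
// server certificate to a root it trusts, then confirm the certificate is valid
// for the host name the user typed. A nil root means "no trusted root installed",
// the situation that produces the self-signed / unknown-issuer warning page.
func Check(server, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if root != nil {
		pool.AddCert(root)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	root, server, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"shop.example.com", "mail.example.net", "example.com", "a.b.example.com"} {
		fmt.Printf("trusted root, host %-17s -> %v\n", host, Check(server, root, host))
	}
	fmt.Printf("no trusted root, host shop.example.com -> %v\n", Check(server, nil, "shop.example.com"))
}
```

Two details worth noticing in the output: a wildcard covers exactly one label, so *.example.com is good for shop.example.com but not for example.com itself or for a.b.example.com, and the same perfectly well-formed certificate is rejected outright when the verifier holds no root that signed it, which is precisely why a self-signed certificate triggers the warnings on the previous slide.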
The value of Symantec Website Security Solutions
• SGC Premium SSL
• Extended Validation
• Seal In Search / Norton Secured Seal
• Daily Malware Scanning (all certs)
• Weekly Vulnerability Assessment (Pro and EV)
• SANs (all certs bar Wildcard) – e.g. Domain1.com, Domain2.com, Domain3.com
• Algorithm Agility: RSA/ECC/DSA (ECC available for Pro and Pro EV)
Our Websites are Being Used Against Us
• 61% of web sites serving malware are legitimate sites
• 25% have critical vulnerabilities unpatched
• 53% of legitimate websites have unpatched vulnerabilities
Symantec SSL Algorithm Agility
• Elliptic Curve Cryptography (ECC) algorithm
• 12 times faster than RSA – a 256-bit ECC key provides the same level of security as a 3,072-bit RSA key
• 7-10% faster using less CPU power – Directorz Co. Ltd: 46 percent lower CPU burden and a 7 percent reduction in response time, enabling more total simultaneous connections to a single site.
• Available with:
– Symantec Secure Site Pro
– Symantec Secure Site Pro with EV
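An added Go example, not from the presentation, that makes the ECC-versus-RSA comparison on this slide concrete: it generates a 256-bit P-256 key and a 3,072-bit RSA key, signs the same constructed digest with each (signing is the server's per-handshake cost), and reports the DER-encoded public-key size, the signature size and the time one signing operation took. The Result type and the SignWithRSA / SignWithECDSA names are illustrative; the timings are a single sample on whatever machine runs it, not a benchmark, while the sizes are fixed by the algorithms.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"time"
)

// Result records, for one algorithm, the size of its DER-encoded public key
// (what travels inside the certificate), the size of one signature (what
// travels in every handshake), how long signing took, and whether it verified.
type Result struct {
	Algorithm    string
	PublicKeyLen int
	SignatureLen int
	SignTime     time.Duration
	Verified     bool
}

// digest stands in for the handshake transcript hash a server signs
// (constructed sample input).
var digest = sha256.Sum256([]byte("constructed handshake transcript"))

// SignWithRSA generates an RSA key of the given size and signs the digest;
// 3072 bits is the RSA size the slide pairs with a 256-bit ECC key.
func SignWithRSA(bits int) (Result, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return Result{}, err
	}
	start := time.Now()
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	elapsed := time.Since(start)
	if err != nil {
		return Result{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return Result{}, err
	}
	ok := rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig) == nil
	return Result{fmt.Sprintf("RSA-%d", bits), len(pub), len(sig), elapsed, ok}, nil
}

// SignWithECDSA generates a P-256 key (a "256-bit ECC key") and signs the digest.
func SignWithECDSA() (Result, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	start := time.Now()
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	elapsed := time.Since(start)
	if err != nil {
		return Result{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return Result{}, err
	}
	ok := ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig)
	return Result{"ECDSA-P256", len(pub), len(sig), elapsed, ok}, nil
}

func main() {
	rsaRes, err := SignWithRSA(3072)
	if err != nil {
		panic(err)
	}
	eccRes, err := SignWithECDSA()
	if err != nil {
		panic(err)
	}
	for _, r := range []Result{rsaRes, eccRes} {
		fmt.Printf("%-11s public key %4d bytes, signature %4d bytes, sign took %v, verified=%v\n",
			r.Algorithm, r.PublicKeyLen, r.SignatureLen, r.SignTime, r.Verified)
	}
}
```

The RSA-3072 signature is 384 bytes and its encoded public key 422 bytes; the P-256 signature is at most 72 bytes and its encoded public key 91 bytes, so the smaller key on the slide also means less data in every certificate and handshake, on top of the faster signing you will see in the printed timings.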
SSL and Trust
• Certificate authorities such as Symantec undergo extremely rigorous audits in order to be recognised as trusted issuers of digital certificates.
• All certificates that Symantec issues are vetted prior to issuing. We do not let partners or third parties do this verification on our behalf.
• Certificate authorities need to ensure that their certificates have root ubiquity. The Symantec certificate root is recognised in most browsers and devices.
• Choosing a CA is key – you need to know that its root is trusted in browsers and that it has a reputation that will enhance your trust in the wider world. If the root is not included in IE6 (10% of the market), what do you do?
SSL Explained
• UK English – http://bit.ly/LAbN4R
• German – http://bit.ly/1aHoNw1
• France – http://bit.ly/1e9DEjq
• Italy – http://bit.ly/1dLTB4r
• Spain – http://bit.ly/KxsIFd
• PCI Security Standards Council's ecommerce – http://bit.ly/1einKWU
More information
• Monthly Website Security Threat Update – https://www.brighttalk.com/channel/6331
– 13 Feb 2014, 9.30 GMT/10.30 CET
• Follow us – @nortonsecured
– https://www.facebook.com/SymantecWebsiteSecuritySolutions
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Andrew Horbury
[email protected]
@andyhorbury
www.symantec.co.uk/ssl
Appendix
Key Data at a Glance
Ecommerce Turnover and Growth in EMEA in 2012
• UK, Germany and France are still the top 3 performers in terms of ecommerce turnover
• However, good opportunities exist in markets like Spain, Russia, Holland and Italy.
• The countries with the highest growth percentage in 2012 were Turkey, Greece and Ukraine – overall, Eastern European countries show the most growth