ION Santiago: Lock It Up: TLS for Network Operators


Presentation given by Chris Grundemann at ION Santiago in Chile on 28 October 2014. Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), can be used in many applications other than Web browsers. In order to make the Internet more secure, TLS needs to be widely deployed by all kinds of applications across the Internet. In this session, we will help network operators understand how best to support the use of TLS-encrypted applications across their networks and address how operators can best support their networks and users once everything is encrypted.

Transcript of ION Santiago: Lock It Up: TLS for Network Operators

Page 1: ION Santiago: Lock It Up: TLS for Network Operators

www.internetsociety.org

Lock It Up: TLS for Network Operators

Chris Grundemann Director, Deployment & Operationalization Internet Society

Page 2: ION Santiago: Lock It Up: TLS for Network Operators

TLS vs SSL

Secure Sockets Layer (SSL) originally developed by Netscape in the mid-1990s

Transport Layer Security (TLS) evolved from SSL 3.0, although "SSL" remains the commonly used term

TLS version 1.3 in active development:

•  https://tools.ietf.org/html/draft-ietf-tls-tls13

•  https://github.com/tlswg/tls13-spec

10/28/14

•  1996: SSL 3.0 (RFC 6101)

•  1999: TLS 1.0 (RFC 2246)

•  2006: TLS 1.1 (RFC 4346)

•  2008: TLS 1.2 (RFC 5246)

•  2014/15?: TLS 1.3 (draft-ietf-tls-tls13)

Page 3: ION Santiago: Lock It Up: TLS for Network Operators

TLS – Not Just For Web Sites

TLS / SSL originally developed for web sites

Now widely used for many other services, including:

•  Email

•  Instant messaging

•  File transfer

•  Virtual Private Networks (VPNs)

•  Voice over IP (VoIP)

•  Custom applications

Page 4: ION Santiago: Lock It Up: TLS for Network Operators

Snowden Revelations

Revelations by Edward Snowden in 2013 exposed a massive amount of surveillance and monitoring.

Prompted global concerns about the security and privacy of our data and of our communication sessions over the Internet.

Increased desire to see TLS used more widely across all applications and services.

Page 5: ION Santiago: Lock It Up: TLS for Network Operators

Response by larger Internet community

Page 6: ION Santiago: Lock It Up: TLS for Network Operators

RFC 7258 – IETF/IAB Response

http://tools.ietf.org/html/rfc7258

"Pervasive Monitoring Is An Attack"

Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.

Has prompted a security/privacy review across all areas of IETF. Expect to see changes over time across all the protocols used for communication on the Internet.

Page 7: ION Santiago: Lock It Up: TLS for Network Operators

IETF Activity - UTA

New Working Group: UTA – Using TLS in Applications

•  http://tools.ietf.org/wg/uta/

•  Goals:

•  Update the definitions for using TLS over a set of representative application protocols. This includes communication with proxies, between servers, and between peers, where appropriate, in addition to client/server communication.

•  Specify a set of best practices for TLS clients and servers, including but not limited to recommended versions of TLS, using forward secrecy, and one or more ciphersuites and extensions that are mandatory to implement.

•  Consider, and possibly define, a standard way for an application client and server to use unauthenticated encryption through TLS when server and/or client authentication cannot be achieved.

•  Create a document that helps application protocol developers use TLS in future application definitions.

Page 8: ION Santiago: Lock It Up: TLS for Network Operators

IETF – Increased Activity Across Groups

Two examples:

TLS Working Group now defining TLS 1.3 and exploring other ways to secure TLS

•  http://tools.ietf.org/wg/tls/

HTTPBIS Working Group defining more secure HTTP 2.0

•  http://tools.ietf.org/wg/httpbis/

•  will only work with https URLs

Page 9: ION Santiago: Lock It Up: TLS for Network Operators

Other Reasons Customers May Request TLS

Ability to use SPDY protocol (requires TLS)

•  https://en.wikipedia.org/wiki/SPDY

Improved Google search result ranking

•  Deploy360 post: http://wp.me/p4eijv-5eJ

Page 10: ION Santiago: Lock It Up: TLS for Network Operators

Other Efforts

On Sept 29, 2014, CloudFlare announced they would be giving TLS certificates to all customers for free.

Calling it "Universal SSL", this made 2+ million web sites TLS-encrypted in one action.

Similar actions to make TLS more accessible are being taken by other groups and organizations.

Page 11: ION Santiago: Lock It Up: TLS for Network Operators

Heartbleed and Poodle

Recent attacks have increased desire to strengthen TLS security

Heartbleed (April 2014) vulnerability in OpenSSL highlighted need for security reviews of common libraries – and also need for diversity in library usage

•  http://heartbleed.com/

Poodle (September 2014) demonstrated need to completely deprecate usage of SSL v3.0

•  https://www.openssl.org/~bodo/ssl-poodle.pdf

Page 12: ION Santiago: Lock It Up: TLS for Network Operators

Outcome Of Activity By IETF And Other Groups

You WILL see increased usage of TLS across all applications

Example – Encrypt The Web report from EFF

•  https://www.eff.org/encrypt-the-web-report

Page 13: ION Santiago: Lock It Up: TLS for Network Operators

How Do You Help Your Customers?

If your customers are using more TLS for their applications, either by their own choice or because the service they are using is now using TLS, how do you help them make their connections over the Internet more secure?

1. Use TLS for your own services and systems

2. Allow TLS-encrypted sessions to flow through your network (i.e. don't block them or try to force them to downgrade to unencrypted connections)

3. Educate your customers about how they can move their own servers and services to support TLS

Page 14: ION Santiago: Lock It Up: TLS for Network Operators

But what about….?

"Wait! If application developers run everything over TLS, all we will see are TLS-encrypted streams. We won't be able to see into the traffic and manage our network appropriately."

"We can't use wireshark!"

Unfortunately, the same monitoring capability used by network operators was abused by intelligence agencies and other attackers.

Momentum now is to close all these holes.

Network management must now assume TLS will be there.
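What an operator can still observe once everything runs over TLS, as an added example (not from these slides): the ClientHello is sent in the clear, so its offered protocol versions and SNI can be parsed to inventory clients that still offer SSLv3 or TLS 1.0 (the Poodle point from the earlier slide) without decrypting any session. The parser, the builder, and the sample hostnames are constructed here for illustration.

```python
import struct
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Classify one TLS record carrying a ClientHello: best offered version, SNI, legacy flag."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                # handshake type + 3-byte length
    versions = [struct.unpack("!H", body[p:p + 2])[0]]   # legacy client_version field
    p += 2 + 32                                          # client_version + random
    p += 1 + body[p]                                     # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]       # cipher_suites
    p += 1 + body[p]                                     # compression_methods
    sni = None
    if p + 2 <= len(body):                               # extensions block is optional
        p, end = p + 2, p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            data = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == 0x0000 and len(data) >= 5:       # server_name (SNI), sent in the clear
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
            elif etype == 0x002b and data:               # supported_versions (TLS 1.3 clients)
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, min(1 + data[0], len(data) - 1), 2)]
    best = max((v for v in versions if v in VERSION_NAMES), default=None)  # skips GREASE values
    return {"version": VERSION_NAMES.get(best, "unknown"), "sni": sni,
            "legacy": best is not None and best < 0x0303}

def build_client_hello(version: int, sni=None, supported=None) -> bytes:
    """Constructed sample ClientHello (one cipher suite, null compression); not captured traffic."""
    exts = b""
    if sni:
        host = sni.encode()
        sn = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
        exts += struct.pack("!HH", 0x0000, len(sn)) + sn
    if supported:
        sv = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        exts += struct.pack("!HH", 0x002b, len(sv)) + sv
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", min(version, 0x0301), len(hs)) + hs
```

Feeding the first record of each new TCP session on port 443 through parse_client_hello and counting the "legacy" results gives a per-customer view of who still needs to move off SSLv3, with no visibility into the encrypted payload.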

Page 15: ION Santiago: Lock It Up: TLS for Network Operators

Resources – Deploy360 Programme

http://www.internetsociety.org/deploy360/tls/

Providing:

•  Resources to learn more about TLS

•  Links to libraries and other tools

•  Ongoing coverage on Deploy360 blog of TLS-related issues and news

Page 16: ION Santiago: Lock It Up: TLS for Network Operators

Resources – BetterCrypto.org

https://bettercrypto.org/

"This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators."

"This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.)."

Page 17: ION Santiago: Lock It Up: TLS for Network Operators

Resources – Mozilla Server Side TLS Doc

https://wiki.mozilla.org/Security/Server_Side_TLS

Great document – and not just for Mozilla

"The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below."

"The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools."

Page 18: ION Santiago: Lock It Up: TLS for Network Operators

Resources - NIST SP800-52r1

http://dx.doi.org/10.6028/NIST.SP.800-52r1

"Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations"

Document from the U.S. National Institute of Standards and Technology (NIST), revised in April 2014 (post-Snowden)

Aimed at US government agencies but provides a useful tutorial and set of guidelines for other organizations

Page 19: ION Santiago: Lock It Up: TLS for Network Operators

One Challenge With TLS

How do you ensure that the TLS certificate the client is receiving is the correct TLS certificate that the server operator wants the client to receive?

This brings us to our next talk here at ION Santiago about DANE…

Page 20: ION Santiago: Lock It Up: TLS for Network Operators

But Before That…

Questions?

How can we help you with deploying TLS within your network and with your customers?

What additional assistance do you need?

Thank you for helping make the Internet more secure!

Page 21: ION Santiago: Lock It Up: TLS for Network Operators

www.internetsociety.org www.isoc.org/do

Chris Grundemann Director, Deployment & Operationalization Internet Society

http://www.internetsociety.org/deploy360/

Thank You!