2. Agenda
• What does SSL do?
• Why do we need SSL?
• How do we use SSL today?
• How does SSL Encryption work?
• How does Authentication work?
• Different types of SSL Certificates
• Valid certificates and
• Website Security Solutions
– Moving beyond SSL
• Resources and more information
SSL Explained
2
3. What does SSL do?
• Authentication and Verification
– The SSL certificate contains information about the authenticity of the
business or individual, which the browser displays when the padlock or
certificate is clicked on
• Data Encryption
– SSL enables encryption, which means that sensitive information
exchanged via a website cannot be intercepted and read by anyone
other than the intended recipient.
4. First of all…
Let's take a look at how people's
purchasing patterns have changed,
with many of us preferring to buy
online versus visiting shops.
• GBP91 billion spent online in 2013
in the UK (6% growth from 2012)*
• 2013 ‘year of the mobile’: 2x spent
via mobile devices in December
2013 compared to December 2012
Yet in 2012 one percent of all
online revenues globally was lost to
fraud; this equates to GBP2.17BN**
* IMRG.org
** Cyber Source Corp
5. Why do we need SSL?
• Everyone expects web sites to be safe from prying eyes
• We need to clearly demonstrate online security
• PCI compliance demands the encryption of credit card details
• There is a data protection obligation to protect personal data.
• SSL plays a huge part in the worlds of
ecommerce, finance, government, manufacturing and
much, much more….
6. How do we use SSL?
• To secure online transactions (ecommerce, bill payments etc.)
• To secure various online systems (logins, extranets, intranets etc.)
• To secure the connection between Outlook (mail client) and MS Exchange
(mail server)
• To secure webmail and applications such as Outlook Web Access
• To secure cloud based applications
• To secure FTP and file transfer services
• To secure internal and external data transfers (SharePoint, database
connections, HR apps, payroll etc.)
• To secure remote logins such as SSL VPN
• To secure information sent & received by mobile phones, tablets etc.
7. What do all these applications have in common?
• The data needs confidentiality – the user wants to keep credit
card details, password, and other personal data from prying
eyes
• The data needs to retain integrity – meaning it cannot be
intercepted and changed
• You need to demonstrate clearly that you are you and not
someone else pretending to be you
• Compliance – meet national, local, international regulations
8. Would you send a postcard to
someone through the post
with your bank details written
on the other side….?
10. How does SSL Encryption work?
• In the same way you use a key to unlock
the door on your car, SSL uses keys to lock
and unlock your information.
• Unless you have the right key, you will not
be able to unlock the information (or car).
• Each SSL session relies on a pair of keys:
– The public key is used to encrypt
– The private key is used to decrypt
• Once the server and browser have
conducted the SSL handshake, they share a
symmetric session key that is used to encrypt
the traffic.
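As an added illustration of the model on this slide (a public key to encrypt, a private key to decrypt, then a symmetric key for the traffic), the Go program below is not part of the original deck: the browser wraps a freshly chosen AES-256 session key with the server's RSA public key, the server unwraps it with its private key, and both sides then protect records with AES-GCM so that any tampering in transit is detected. This is the RSA key-transport model the slide describes; current TLS versions instead derive the session key with an ephemeral Diffie-Hellman exchange.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// must panics on error so the happy path reads like the slide's bullet list.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// label binds the wrapped key to its purpose; both sides must use the same one.
var label = []byte("session-key")

// WrapSessionKey is the browser's step: the symmetric session key is encrypted
// with the server's RSA public key, taken from the server's certificate.
func WrapSessionKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
}

// UnwrapSessionKey is the server's step: only the private key can recover it.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, label)
}

// SealRecord protects one chunk of traffic with the fast symmetric key.
// AES-GCM also authenticates it, so any change in transit is detected.
func SealRecord(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

// OpenRecord decrypts and checks a record produced by SealRecord.
func OpenRecord(key, record []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// Roundtrip runs the whole exchange with a fresh 2048-bit server key pair and
// returns what the server recovers from the browser's encrypted record.
func Roundtrip(message string) (string, error) {
	serverKey := must(rsa.GenerateKey(rand.Reader, 2048))
	sessionKey := make([]byte, 32) // AES-256 key chosen by the browser
	must(rand.Read(sessionKey))
	wrapped := must(WrapSessionKey(&serverKey.PublicKey, sessionKey))
	serverCopy := must(UnwrapSessionKey(serverKey, wrapped)) // same 32 bytes
	record := SealRecord(sessionKey, []byte(message))
	plain, err := OpenRecord(serverCopy, record)
	return string(plain), err
}

func main() {
	fmt.Println(Roundtrip("cardholder data (constructed sample)"))
}
```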
11. Moving onto Identity - How Authentication Works…
• Making sure that you are talking to
a person or computer that you
can trust.
• Who to trust
– Company asks a CA (e.g. Symantec) for a
certificate
– CA creates a certificate and signs it
– Certificate is installed on a server
– Browser is issued with root certificates
– Browser trusts correctly signed
certificates
12. Different types of SSL Certificates
The use of SSL has changed.
Some companies use SSL for authentication, to demonstrate trust, whilst
others need only encryption.
The industry has reacted and formulated three types of SSL certificate:
• Domain Validated (DV)
• Organisation Validated (OV) – domain and org validated
• Extended Validation (EV) – as OV, but additionally:
– Verifies the legal, physical and operational status of a company
– Verifies that the identity of the entity matches official centrally held documents
– Verifies that the entity has the exclusive right to use the domain specified in
the EV certificate
• All certificates issued by Symantec are fully validated at Org level
15. Different Certificate Technologies
• Individual certificates
– Standard use for an SSL certificate. Used to secure data between website
and webserver (can be used for multiple servers)
• Wildcard SSL Certificates
– A Wildcard certificate – use one certificate to secure multiple subdomains
under one domain.
• Multiple domain Certificates
– Subject Alternative Names. Similar to a Wildcard certificate, but more
versatile, the SAN (Subject Alternative Name) SSL certificate allows for
more than one domain to be added to a single SSL certificate. These are
particularly useful for Unified Communications – for use with Microsoft
Exchange/Office Service
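The chain of trust from slide 11 (the CA signs, the browser trusts only the root certificates it was issued with), the self-signed case discussed in the notes, and the wildcard and SAN behaviour on this slide, shown as an added Go example that is not part of the original deck; the host names (example.com, example.net and subdomains) and the throwaway root CA are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template is the certificate request: the host names it covers (SANs) and whether the holder is a CA.
func template(isCA bool, sans []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              sans,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	return t
}

// issue is the CA step on slide 11; passing tmpl as its own parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BrowserTrusts plays the browser: cert must chain to one of its roots and cover host.
func BrowserTrusts(roots *x509.CertPool, cert *x509.Certificate, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario builds a root CA, a CA-signed site certificate with a wildcard SAN and a self-signed one.
func Scenario() map[string]bool {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, siteKey, rogueKey := newKey(), newKey(), newKey()
	caTmpl := template(true, nil)
	root := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // the root shipped with the browser
	roots := x509.NewCertPool()
	roots.AddCert(root)
	site := issue(template(false, []string{"example.com", "*.example.com"}), root, &siteKey.PublicKey, caKey)
	selfTmpl := template(false, []string{"www.example.com"})
	selfSigned := issue(selfTmpl, selfTmpl, &rogueKey.PublicKey, rogueKey) // no CA involved
	return map[string]bool{
		"CA-signed, exact SAN":          BrowserTrusts(roots, site, "example.com") == nil,
		"CA-signed, wildcard subdomain": BrowserTrusts(roots, site, "payment.example.com") == nil,
		"CA-signed, two levels deep":    BrowserTrusts(roots, site, "a.payment.example.com") == nil,
		"CA-signed, other domain":       BrowserTrusts(roots, site, "example.net") == nil,
		"self-signed, right host":       BrowserTrusts(roots, selfSigned, "www.example.com") == nil,
	}
}

func main() { fmt.Println(Scenario()) }
```

A wildcard covers exactly one label, so a.payment.example.com is rejected, and a domain missing from the SAN list fails even when the certificate is otherwise valid.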
16. The value of Symantec Website Security Solutions
• Norton Secured Seal
• Seal In Search
• Extended Validation
• Daily Malware Scanning (all certs)
• SGC Premium SSL
• Weekly Vulnerability Assessment (Pro and EV)
• SANs (all certs bar Wildcard), e.g. Domain1.com, Domain2.com, Domain3.com on one certificate
• Algorithm Agility: RSA/ECC/DSA (ECC available for Pro and Pro EV)
17. Our Websites are Being Used Against Us
• 61% of web sites serving malware are legitimate sites
• 53% of legitimate websites have unpatched vulnerabilities
• 25% have critical vulnerabilities unpatched
18. Symantec SSL Algorithm Agility
• Elliptic Curve Cryptography (ECC) algorithm
• 12 times faster than RSA
– A 256-bit ECC key provides the same level of security
as a 3,072-bit RSA key
• 7-10% faster, using less CPU power
– Directorz Co. Ltd: 46 percent lower CPU burden and a 7 percent
reduction in response time, enabling more total simultaneous
connections to a single site.
• Available with:
– Symantec Secure Site Pro
– Symantec Secure Site Pro with EV
23. SSL and Trust
• Certificate authorities such as Symantec undergo extremely
rigorous audits in order to be recognised as a trusted issuer of
digital certificates
• All certificates that Symantec issues are vetted prior to issuance.
We do not let partners or third parties do this verification on
our behalf.
• Certificate Authorities need to ensure that their certificates have
root ubiquity. The Symantec certificate root is recognised in
most browsers and devices.
• Choosing a CA is key – you need to know that its root is trusted
in browsers and that it has a reputation that will enhance your
trust to the wider world. If the root is not included in IE6 (10% of
the market), what do you do?
24. SSL Explained
• UK English
– http://bit.ly/LAbN4R
• German
– http://bit.ly/1aHoNw1
• French
– http://bit.ly/1e9DEjq
• Italian
– http://bit.ly/1dLTB4r
• Spanish
– http://bit.ly/KxsIFd
• PCI Security Standards Council’s ecommerce
– http://bit.ly/1einKWU
25. More information
• Monthly Website Security Threat Update
– https://www.brighttalk.com/channel/6331
– 13 Feb 2014, 9.30 GMT/10.30 CET
• Follow us
– @nortonsecured
– https://www.facebook.com/SymantecWebsiteSecuritySolutions
29. Ecommerce Turnover and Growth in EMEA in 2012
• UK, Germany, France are still
the top 3 performers with regard
to ecommerce turnover
• However, good opportunities
exist in markets like
Spain, Russia, Holland and Italy.
• The countries with the highest
growth percentage in 2012
were Turkey, Greece and
Ukraine – overall, Eastern
European countries show the
most growth
Speaker notes
Good morning, thanks for joining me today. I’d like to welcome you to today’s BrightTALK webinar. My name is Andrew Horbury and I’m a product marketing manager for Symantec’s Website Security Solutions. As you can see on screen, today’s subject is SSL Explained.
And here is the agenda for today. I’ll go through what SSL does, why we need it, how we use it; I’ll talk about encryption and authentication, some of the different types of certificates available, and then I’ll finish up by talking about going beyond SSL to website security solutions, and finally I’ll tie up and share a few useful resources with you. Today’s webinar will last no more than 30 mins, and if you have questions please submit them via the console and I’ll take these offline and answer them.
What is SSL? Established by Netscape in 1994, the SSL protocol is now widely accepted as a method of providing confidentiality, authentication and integrity for on-line transactions. The original concept from Netscape stated: "Third-party CAs are critical for some applications. For example, a bank that wishes to put a server on the Internet for online banking cannot just issue its own certificate to that server and ask customers to believe that it really is the bank's server. Instead, the bank will purchase a server certificate from a third-party CA. The third-party CA takes responsibility for performing due diligence and ensuring that the company requesting the certificate really is the company it says it is before issuing the certificate."
The use of SSL certificates is a critical building block for secure electronic commerce and one of the most ubiquitous uses of public key infrastructure (PKI). SSL certificates enable a user to communicate securely with a web site (HTTPS): information which the user then provides cannot be intercepted in transit (confidentiality) or altered without detection (integrity). And they verify that the site is actually the company's web site and not an imposter's site (authentication).
Think about it as identification (making sure that the computer you are speaking to on the other end is what you think it is) and encryption. A typical use case is credit card details being entered into a PC and then sent to a web server. Without SSL this information can be intercepted; SSL puts a barrier around the information so it cannot be intercepted by a third party.
So before we look at why we need SSL, let’s look at how purchasing patterns have changed, with many of us today preferring to shop online rather than visit shops. I teased out a few stats to illustrate the market (I also have some interesting local European stats in the appendix to this deck) and how it is growing, but also to highlight that as opportunity grows so does the threat from cybercriminals, and anyone engaging in online commerce has to watch out for scams and fraudsters eating into their profits. Online fraud cost e-retailers well over 2bn GBP in 2012 according to CyberSource’s annual report.
You need SSL if:
• you have an online store or accept online orders and credit cards
• you offer a login or sign in on your site
• you process sensitive data such as address, birth date, driver’s license, or ID numbers
• you need to comply with privacy and security requirements
• you value privacy and expect others to trust you.
In January 2013, the PCI Security Standards Council (PCI SSC) published its ‘E-Commerce Guidelines’*, detailing the technical and operational requirements set by the council to protect cardholder data. This will almost certainly become the reference point from here on for merchants and customers alike. Most importantly, PCI stipulates that adequate encryption of a cardholder’s sensitive data is imperative while it is being transmitted, insisting on nothing less than 128-bit encryption. It also calls for crypto keys – their storage and transmission – to be effectively managed. For more on the PCI Security Standards Council’s guidelines, go to: http://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf
Read slide and paraphrase
And what do all these have in common? The data needs confidentiality: the user wants to keep their details secure from prying eyes.
How Encryption Works: Imagine sending a postcard. Anyone with access to it can see the data. If it looks valuable, they might take it or change it. An SSL certificate establishes a private communication channel enabling encryption of the data during transmission. Encryption scrambles the data, essentially creating an envelope for message privacy.
The answer, I would hope, is no, by the way!
So let’s have a brief look at how SSL encryption works. Every SSL certificate that is issued for a CA-verified entity is issued for a specific server and website domain (website address). When a person uses their browser to navigate to the address of a website with an SSL certificate, an SSL handshake (let’s call it a greeting) occurs between the browser and server. Information is requested from the server, which is then made visible to the person in their browser window. You will notice changes to indicate that a secure session has been initiated; for example, a trust mark will appear. If you click on the trust mark, you will see additional information such as the validity period of the SSL certificate, the domain secured, the type of SSL certificate, and the issuing CA. All of this means that a secure link is established for that session, with a unique session key, and secure communications can begin.
When you send information using SSL online you can usually tell who you are sending it to, either by clicking on the padlock or the green bar in the web page you are visiting. By double clicking these identifiers you can tell who has issued the cert and who the certificate is issued to.
A company asks a Certification Authority (e.g. Symantec) for a certificate. The company needs to provide a whole load of information about the web server:
• who the company is
• where they are located
• the web server platform
The CA checks this information and checks the validity and authenticity of the company, by going through public records and independently checking that the company is who they say they are. An analogy here is when you apply for a passport: you have to go through a similar process to demonstrate your identity.
Why Authentication Matters: Well, just like a passport, an SSL certificate is issued by a trusted source, known as the Certificate Authority (CA). Many CAs simply verify the domain name and issue the certificate. Symantec verifies the existence of your business, the ownership of your domain name, and your authority to apply for the certificate; we apply a higher standard of authentication.
Why is it important for Symantec to verify my business identity during enrollment? To protect against fraud and phishing sites, web visitors look for evidence of encryption and third-party authentication of the web site’s business identity. When you purchase an SSL certificate, Symantec verifies the existence of your business, the ownership of your domain name, and your employment status. We may require official documentation proving your right to do business. Our authentication and verification procedures are based on years of practice authenticating commercial businesses, and our procedures are audited annually by KPMG.
So that’s what an SSL certificate does and why you need one. There are a number of different SSL certificates on the market today. Some companies use them for authentication, to demonstrate trust, whilst others need only encryption. When you just have a need for encryption, many people use a self-signed certificate. As the name implies, this is a certificate that is typically generated for internal purposes and is not issued by a CA. Since the website owner generates their own certificate, it does not hold the same weight as a fully authenticated and verified SSL certificate issued by a CA and, importantly, it is not trusted by web browsers.
As we can see on screen now, it is therefore not suitable for ecommerce etc. Anyone can create a certificate claiming to be whatever website they choose, which is why certificates must be verified by a trusted third party. It’s a fact that without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify whether you are communicating with the website you hoped to visit or with the website of an attacker who generated a certificate to impersonate the website you wanted to visit.
So the industry has reacted and formulated three types of commercially validated SSL certificates.
Domain Validated certificates are considered to be an entry-level SSL certificate and can be issued quickly. The only verification check performed is to ensure that the applicant owns the domain (website address) where they plan to use the certificate. No additional checks are done to ensure that the owner of the domain is a valid business entity. Consider what you need to provide in order to buy a domain name; a certificate issued against this alone might not give you as much trust in a website as you would hope.
An OV or Organization Validated SSL certificate is the first step to true online security and confidence building. Taking slightly longer to issue, these certificates are only granted once the organization passes a number of validation procedures and checks to confirm the existence of the business, the ownership of the domain, and the user’s authority to apply for the certificate.
Then finally you get to the gold standard with regard to SSL: the third type of commercially available SSL is called Extended Validation (EV) SSL certificates, which offer the highest industry standard for authentication and provide the best level of customer trust available. When consumers visit a website secured with an EV SSL certificate, the address bar turns green and a special field appears with the name of the legitimate website owner along with the name of the security provider that issued the EV SSL certificate. It also displays the name of the certificate holder and issuing CA in the address bar. This visual reassurance has helped increase consumer confidence in e-commerce.
Let’s look at a few different types of certificates. If you have a single domain that you want to secure then a regular SSL certificate is fine, and where you have the same domain you can license it across multiple servers. Wildcard certs are for protecting multiple subdomains on a single domain. However, if you need to protect multiple domain names, then a SAN certificate might be the right choice. Protecting alternative domains for the same website, e.g. .net and .com, is a great example. One caveat: you need to define the additional domains and add them to the certificate for it to work.
Another caveat, particularly where wildcards are involved: extending a single certificate to subdomains rather than purchasing separate individual certificates can save money and make administration easier. The disadvantage, however, is that if a certificate has to be revoked, or if the private key becomes compromised on one subdomain, it has to be revoked on all the others as well. If a subdomain like payment.domain.com is compromised, for example, so are the mail and blog subdomains. Purchasing separate certificates may cost a bit more and require more administration, but it also ensures that each subdomain is individually protected and consequently less risky.
So far we’ve spoken about SSL; in the context of Symantec we talk about going beyond SSL and about Website Security Solutions. And when you buy from Symantec you get more than the SSL piece. Each of our certificates comes with the Norton Secured Seal, which is displayed over a billion times a day. They come with Seal in Search, a functionality whereby customers can see the Norton Seal in search results before they even reach your site; in a crowded internet this can help your site stand out from the crowd. I mentioned EV SSL earlier: EV looks different in your web browser and turns the address bar green, definitely showing your customers that your site is safe and secured. This type of SSL has increased conversion rates for websites across the world. All our certificates come with a daily malware scan, and the EV and Pro products come with a weekly vulnerability assessment.
And why is this important? Well, the thing is, webservers can be attacked by malware just like desktop PCs. In 2012, Symantec scanned over 1.5 million websites for malware, and over 130,000 URLs were scanned for malware each day, with 1 in 532 websites found to be infected with malware. Approximately 53 percent of websites scanned were found to have unpatched, potentially exploitable vulnerabilities (36 percent in 2011), of which 25 percent were deemed to be critical. The most common vulnerability found was cross-site scripting. With all these unpatched vulnerabilities in legitimate websites there is no need for malware authors to set up their own. In fact 61% of all malicious web sites are legitimate sites, so as we can see this is a significant issue.
Before I move on I want to talk about our alternative algorithms. Since 1976, public key cryptography has become the foundation on which secure online communications are built. The public key algorithm and infrastructure revolutionized cryptography, and formed the basis for secure e-mail, e-commerce, and many other information exchanges. Throughout the development of PKI, new algorithms have been developed and refined which offer higher security and better performance, resulting in an improved ability to defend against the growing sophistication of the modern security threat. And we're evolving with them. Any EV or Pro SSL certificate has the included option of the ECC algorithm, for improved protection and performance. ECC offers greater security as compared to other prevalent algorithms. As an example, Symantec ECC-256 certificates will offer equivalent security to a 3072-bit RSA certificate. Compared to a 2048-bit RSA key (which is the industry norm), ECC-256 keys are 10,000 times harder to crack. ECC can handle more users and more connections simultaneously with lower latency increases than the RSA alternative at the same mid-range CPU volumes. On screen you can see some numbers: ECC can be as much as 12 times faster than traditional SSL using RSA keys, and it can use less CPU power. So again, if you are considering SSL then this is something to bear in mind.
Coming to the end of the webinar today I want to share a few resources with you. We’ve put together this infographic that highlights many of the points I’ve spoken about today. But it takes it further and explains a little bit more about the history, how you can buy a certificate, and what's best for you if you are a large or small company. And then, once you’ve decided on what you need, how you can set up and install.