Risk Analysis Consultants (www.rac.cz)
V060420

SSL LABS

RAC QualysGuard InfoDay 2012

Qualys & SSL

SSL Labs

SSL Labs: a non-commercial security research effort focused on SSL,
TLS, and friends.

Projects:
  Assessment tool
  SSL Rating Guide
  Passive SSL client fingerprinting tool
  SSL Threat Model
  SSL Survey

SSL Implementation Ecosystem

The SSL ecosystem includes many players:
  Basic cryptographic algorithms
  SSL and TLS encryption protocols
  IETF TLS Working Group
  Public Key Infrastructure (PKI) standards
  SSL library developers
  SSL Client vendors (esp. major browser vendors)
  SSL Server vendors
  Certificate Authorities and their resellers
  CA/Browser Forum
  System administrators
  Consumers

Free SSL Labs Audit Service

Audit the implementation of the SSL protocol on your web server.

The audit covers:
  Certificate Validity and Trust
  SSL Protocol version support
  Encryption Cipher Strength
  Encryption Key Exchange
  SOLUTION description
  Risk of Attack description

Register here: http://www.ssllabs.com

SSL Assessment Details

Highlights:
  Renegotiation vulnerability
  Cipher suite preference
  TLS version intolerance
  Session resumption
  Firefox 3.6 trust base

Every assessment consists of about:
  2000 packets
  200 connections
  250 KB data

SSL Assessment Details

Countries Overview

Countries with over 5,000 certificates: [chart]

How Many Certs Failed Validation and Why?

32,642 (3.76%) have incomplete chains.

Remember that the methodology excludes hostname mismatch problems.

[charts: Trusted versus untrusted certificates; Validation failures]

Protocol Support

Half of all trusted servers support the insecure SSL v2 protocol.
  Modern browsers won't use it, but wide support for SSL v2 demonstrates
  how we neglect to give any attention to SSL configuration.
  Virtually all servers support SSL v3 and TLS v1.0.
  Virtually no support for TLS v1.1 (released in 2006) or TLS v1.2
  (released in 2008).
  At least 18,111 servers will accept SSL v2 but only deliver a
  user-friendly error message over HTTP.

  Protocol      Support      Best protocol
  SSL v2.0      625,484                  -
  SSL v3.0    1,156,033             13,471
  TLS v1.0    1,143,673          1,141,458
  TLS v1.1        2,191              2,007
  TLS v1.2          211                211

Ciphers, Key Exchange and Hash Functions

Triple DES and RC4 rule in the cipher space.
  There is also good support for AES, DES and RC2.

  Cipher              Servers      Percentage
  3DES_EDE_CBC      1,139,215      98.42%
  RC4_128           1,129,315      97.56%
  AES_128_CBC         713,188      61.61%
  AES_256_CBC         703,320      60.76%
  DES_CBC             666,185      57.55%
  RC4_40              624,294      53.93%
  RC2_CBC_40          600,048      51.84%
  RC2_128_CBC         518,803      44.82%
  RC4_56              414,396      35.80%
  DES_CBC_40          297,783      25.72%
  IDEA_CBC             80,405       6.94%
  RC2_CBC_56           73,491       6.34%
  CAMELLIA_256_CBC     33,287       2.87%
  CAMELLIA_128_CBC     33,287       2.87%
  SEED_CBC             13,406       1.15%
  NULL                  7,513       0.64%
  AES_256_GCM               3           -
  AES_128_GCM               1           -
  FORTEZZA_CBC              1           -

  Key exchange        Servers      Percentage
  RSA               1,157,434      99.99%
  RSA_EXPORT          623,914      53.90%
  DHE_RSA             478,694      41.35%
  RSA_EXPORT_1024     418,707      36.17%
  DHE_RSA_EXPORT      250,337      21.62%

  Hash                Servers      Percentage
  SHA               1,154,171      99.71%
  MD5               1,103,240      95.31%
  SHA256                   77           -
  SHA384                  423           -

Cipher Strength

All servers support strong and most support very strong ciphers.
  But there is also wide support for weak ciphers.

[charts: Best cipher strength support; Cipher strength support]

SSL Labs Score Distribution

Most servers are not configured well:
  Only 31.24% got an A.
  68.76% got a B or worse.
  Most probably just use the default settings of their web server.

  Grade   Score
  A       >= 80
  B       >= 65
  C       >= 50
  D       >= 35
  E       >= 20
  F       < 20

[charts: Score distribution; Grade distribution]
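
The audit categories from the "Free SSL Labs Audit Service" slide (certificate chain, protocol versions, cipher strength, key exchange), the "Support" and "Best protocol" columns of the protocol survey, and the grade table on this slide, worked through as an added Python example. This is not SSL Labs' or Risk Analysis Consultants' code: the grade thresholds, protocol names and cipher names come from the slides, while the point deductions, the ScanRecord layout and the sample hosts are constructed assumptions made for illustration.

```python
"""Offline SSL configuration checker and protocol survey aggregator.

Added example for this deck, not SSL Labs' or Risk Analysis Consultants'
code. Grade thresholds, protocol names and cipher names are taken from the
slides; the point deductions, ScanRecord layout and sample hosts are
assumptions made for illustration.
"""
from dataclasses import dataclass

# Grade thresholds exactly as shown on the "SSL Labs Score Distribution" slide.
GRADE_THRESHOLDS = (("A", 80), ("B", 65), ("C", 50), ("D", 35), ("E", 20))

# Protocol versions in increasing order of strength, as on the
# "Protocol Support" slide; "best protocol" is the highest one offered.
PROTOCOL_ORDER = ("SSL v2.0", "SSL v3.0", "TLS v1.0", "TLS v1.1", "TLS v1.2")

# Export-grade (40/56-bit), single-DES and NULL suites from the cipher table
# on the slides; offering any of these counts as weak cipher support.
WEAK_CIPHERS = {"RC4_40", "RC2_CBC_40", "DES_CBC_40", "RC4_56",
                "RC2_CBC_56", "DES_CBC", "NULL"}

# Hypothetical point deductions; NOT the SSL Labs rating methodology.
PENALTY_INCOMPLETE_CHAIN = 30
PENALTY_SSLV2 = 40
PENALTY_WEAK_CIPHER = 25
PENALTY_EXPORT_KEX = 15


@dataclass(frozen=True)
class ScanRecord:
    """What one assessment would collect for a host (constructed shape)."""
    host: str
    chain_complete: bool
    protocols: frozenset
    ciphers: frozenset
    key_exchanges: frozenset


def score_to_grade(score):
    """Map a 0-100 score to the letter grade using the slide's thresholds."""
    for grade, minimum in GRADE_THRESHOLDS:
        if score >= minimum:
            return grade
    return "F"


def best_protocol(protocols):
    """Highest protocol version offered, in PROTOCOL_ORDER terms."""
    supported = [p for p in PROTOCOL_ORDER if p in protocols]
    return supported[-1] if supported else None


def assess(record):
    """Apply the four audit categories from the slides to one record."""
    score = 100
    findings = []
    # 1. Certificate validity and trust: an incomplete chain fails validation
    #    on clients that do not already have the intermediate certificate.
    if not record.chain_complete:
        score -= PENALTY_INCOMPLETE_CHAIN
        findings.append("incomplete certificate chain")
    # 2. Protocol version support: SSL v2.0 is the insecure version the
    #    slides single out; disable it in the server configuration.
    if "SSL v2.0" in record.protocols:
        score -= PENALTY_SSLV2
        findings.append("SSL v2.0 accepted")
    # 3. Cipher strength: any export-grade, single-DES or NULL suite offered.
    weak = sorted(record.ciphers & WEAK_CIPHERS)
    if weak:
        score -= PENALTY_WEAK_CIPHER
        findings.append("weak ciphers offered: " + ", ".join(weak))
    # 4. Key exchange: export-grade RSA/DHE variants from the survey table.
    export_kex = sorted(k for k in record.key_exchanges if "EXPORT" in k)
    if export_kex:
        score -= PENALTY_EXPORT_KEX
        findings.append("export-grade key exchange: " + ", ".join(export_kex))
    score = max(score, 0)
    return {"host": record.host, "score": score, "grade": score_to_grade(score),
            "best_protocol": best_protocol(record.protocols), "findings": findings}


def survey(records):
    """Build the 'Support' and 'Best protocol' columns of the Protocol
    Support slide from a list of scan records."""
    table = {p: {"support": 0, "best": 0} for p in PROTOCOL_ORDER}
    for rec in records:
        for proto in rec.protocols:
            if proto in table:
                table[proto]["support"] += 1
        best = best_protocol(rec.protocols)
        if best:
            table[best]["best"] += 1
    return table


# Constructed sample records (not real hosts and not the survey's data).
SAMPLE_RECORDS = [
    ScanRecord("default-config.example", True,
               frozenset({"SSL v2.0", "SSL v3.0", "TLS v1.0"}),
               frozenset({"3DES_EDE_CBC", "RC4_128", "RC4_40", "RC2_CBC_40", "DES_CBC"}),
               frozenset({"RSA", "RSA_EXPORT"})),
    ScanRecord("hardened.example", True,
               frozenset({"TLS v1.0", "TLS v1.1", "TLS v1.2"}),
               frozenset({"AES_128_CBC", "AES_256_GCM"}),
               frozenset({"RSA", "DHE_RSA"})),
    ScanRecord("broken-chain.example", False,
               frozenset({"SSL v3.0", "TLS v1.0"}),
               frozenset({"3DES_EDE_CBC", "AES_128_CBC"}),
               frozenset({"RSA"})),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        result = assess(rec)
        print(f"{result['host']}: score {result['score']} grade {result['grade']}, "
              f"best protocol {result['best_protocol']}")
        for finding in result["findings"]:
            print("  -", finding)
    for proto, cols in survey(SAMPLE_RECORDS).items():
        print(f"{proto:9} support={cols['support']} best={cols['best']}")
```

The "default settings" host in the sample ends up with an E, which is the slide's point in miniature: a server that accepts SSL v2.0, offers 40-bit and single-DES suites and export key exchange loses most of its score before certificate problems are even considered, and the fix is configuration rather than new software. The survey() function shows why the "Best protocol" column is so much smaller than "Support" for SSL v3.0 in the real table: a host only counts as "best" for a version when it offers nothing newer.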

Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

QualysGuard InfoDay 2012 - SSL LABS

  • 1. SSL LABS (Risk Analysis Consultants, V060420, www.rac.cz, RAC QualysGuard InfoDay 2012)
  • 2. Qualys & SSL
  • 3. SSL Labs
      SSL Labs: a non-commercial security research effort focused on SSL, TLS, and friends.
      Projects:
        - Assessment tool
        - SSL Rating Guide
        - Passive SSL client fingerprinting tool
        - SSL Threat Model
        - SSL Survey
  • 4. SSL Implementation Ecosystem
      The SSL ecosystem includes many players:
        - Basic cryptographic algorithms
        - SSL and TLS encryption protocols
        - IETF TLS Working Group
        - Public Key Infrastructure (PKI) standards
        - SSL library developers
        - SSL client vendors (esp. major browser vendors)
        - SSL server vendors
        - Certificate Authorities and their resellers
        - CA/Browser Forum
        - System administrators
        - Consumers
  • 5. Free SSL Labs Audit Service
      Audit the implementation of the SSL protocol on your web server.
      Projects:
        - Certificate validity and trust
        - SSL protocol version support
        - Encryption cipher strength
        - Encryption key exchange
        - Solution description
        - Risk of attack description
      Register here: http://www.ssllabs.com
  • 6. SSL Assessment Details
      Highlights:
        - Renegotiation vulnerability
        - Cipher suite preference
        - TLS version intolerance
        - Session resumption
        - Firefox 3.6 trust base
      Every assessment consists of about 2000 packets, 200 connections and 250 KB of data.
  • 7. SSL Assessment Details (screenshot slide, no text)
  • 8. Countries Overview: countries with over 5,000 certificates (chart)
  • 9. How Many Certs Failed Validation and Why?
      32,642 (3.76%) have incomplete chains.
      Remember that the methodology excludes hostname mismatch problems.
      Charts: trusted versus untrusted certificates; validation failures.
  • 10. Protocol Support
        - Half of all trusted servers support the insecure SSL v2 protocol.
        - Modern browsers won't use it, but wide support for SSL v2 demonstrates how we neglect to give any attention to SSL configuration.
        - Virtually all servers support SSL v3 and TLS v1.0.
        - Virtually no support for TLS v1.1 (released in 2006) or TLS v1.2 (released in 2008).
        - At least 18,111 servers will accept SSL v2 but only deliver a user-friendly error message over HTTP.

        Protocol    Support      Best protocol
        SSL v2.0      625,484    -
        SSL v3.0    1,156,033    13,471
        TLS v1.0    1,143,673    1,141,458
        TLS v1.1        2,191    2,007
        TLS v1.2          211    211
  • 11. Ciphers, Key Exchange and Hash Functions
        - Triple DES and RC4 rule in the cipher space.
        - There is also good support for AES, DES and RC2.

        Cipher              Servers      Percentage
        3DES_EDE_CBC      1,139,215      98.42%
        RC4_128           1,129,315      97.56%
        AES_128_CBC         713,188      61.61%
        AES_256_CBC         703,320      60.76%
        DES_CBC             666,185      57.55%
        RC4_40              624,294      53.93%
        RC2_CBC_40          600,048      51.84%
        RC2_128_CBC         518,803      44.82%
        RC4_56              414,396      35.80%
        DES_CBC_40          297,783      25.72%
        IDEA_CBC             80,405       6.94%
        RC2_CBC_56           73,491       6.34%
        CAMELLIA_256_CBC     33,287       2.87%
        CAMELLIA_128_CBC     33,287       2.87%
        SEED_CBC             13,406       1.15%
        NULL                  7,513       0.64%
        AES_256_GCM               3      -
        AES_128_GCM               1      -
        FORTEZZA_CBC              1      -

        Key exchange        Servers      Percentage
        RSA               1,157,434      99.99%
        RSA_EXPORT          623,914      53.90%
        DHE_RSA             478,694      41.35%
        RSA_EXPORT_1024     418,707      36.17%
        DHE_RSA_EXPORT      250,337      21.62%

        Hash                Servers      Percentage
        SHA               1,154,171      99.71%
        MD5               1,103,240      95.31%
        SHA256                   77      -
        SHA384                  423      -
  • 12. Cipher Strength
        - All servers support strong and most support very strong ciphers.
        - But there is also wide support for weak ciphers.
        Charts: best cipher strength support; cipher strength support.
  • 13. SSL Labs Score Distribution
        Most servers are not configured well:
        - Only 31.24% got an A.
        - 68.76% got a B or worse.
        - Most probably just use the default settings of their web server.

        Grade    Score
        A        >= 80
        B        >= 65
        C        >= 50
        D        >= 35
        E        >= 20
        F        <  20
        Charts: score distribution; grade distribution.
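The findings on slides 10 to 12 (SSL v2 still accepted, export-grade and NULL suites alongside strong ones, a "best protocol" column next to raw support counts) are the kind of checks a defender runs over an assessment result. The following is an added example, not code from the slides or from SSL Labs: the assessment tool's real output format is not on the page, so the input shape (a dict of supported protocols, cipher names and key-exchange methods, using the names from the slide tables) and the two sample servers are constructed assumptions. It flags SSL v2, 40/56-bit and export-grade suites and export key exchange, picks the newest protocol offered, and aggregates several servers into the same support/best-protocol table the survey slide shows.

```python
"""Flag weak SSL/TLS configuration from a server's assessment summary.

Added example, not code from the slides or from SSL Labs. The assessment
tool's real output format is not shown on the page, so the input shape
(a dict listing supported protocols, cipher names and key-exchange
methods) is an assumption; the names follow the slide tables.
"""

# Oldest to newest, the rows of the slide's protocol-support table.
PROTOCOL_ORDER = ["SSL v2.0", "SSL v3.0", "TLS v1.0", "TLS v1.1", "TLS v1.2"]


def is_weak_cipher(name: str) -> bool:
    """NULL (no encryption) and the 40/56-bit export-grade suites from the
    tail of the slide's cipher table (RC4_40, RC2_CBC_40, DES_CBC_40, ...)."""
    return name == "NULL" or "EXPORT" in name or name.endswith(("_40", "_56"))


def is_weak_key_exchange(name: str) -> bool:
    """Export-grade key exchange (RSA_EXPORT, RSA_EXPORT_1024, DHE_RSA_EXPORT)."""
    return "EXPORT" in name


def best_protocol(protocols: list[str]) -> str:
    """Newest protocol offered, as in the slide's 'Best protocol' column."""
    unknown = set(protocols) - set(PROTOCOL_ORDER)
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    return max(protocols, key=PROTOCOL_ORDER.index)


def assess(server: dict) -> dict:
    """Return the best protocol plus the findings the slides call out."""
    findings = []
    if "SSL v2.0" in server["protocols"]:
        findings.append("SSL v2.0 supported: insecure, unused by modern browsers")
    weak_ciphers = sorted(c for c in server["ciphers"] if is_weak_cipher(c))
    if weak_ciphers:
        findings.append("weak ciphers: " + ", ".join(weak_ciphers))
    weak_kx = sorted(k for k in server["key_exchange"] if is_weak_key_exchange(k))
    if weak_kx:
        findings.append("export key exchange: " + ", ".join(weak_kx))
    return {
        "best_protocol": best_protocol(server["protocols"]),
        "weak_ciphers": weak_ciphers,
        "weak_key_exchange": weak_kx,
        "findings": findings,
    }


def protocol_survey(servers: list[dict]) -> dict:
    """Aggregate like slide 10: per protocol, (servers supporting it,
    servers for which it is the best protocol offered)."""
    table = {p: [0, 0] for p in PROTOCOL_ORDER}
    for s in servers:
        for p in s["protocols"]:
            table[p][0] += 1
        table[best_protocol(s["protocols"])][1] += 1
    return {p: tuple(v) for p, v in table.items()}


# Constructed samples: a default-settings server of the kind the slides
# describe, and a hardened one.
DEFAULT_SERVER = {
    "protocols": ["SSL v2.0", "SSL v3.0", "TLS v1.0"],
    "ciphers": ["3DES_EDE_CBC", "RC4_128", "AES_128_CBC", "DES_CBC",
                "RC4_40", "RC2_CBC_40", "DES_CBC_40", "NULL"],
    "key_exchange": ["RSA", "RSA_EXPORT", "DHE_RSA"],
}
HARDENED_SERVER = {
    "protocols": ["TLS v1.0", "TLS v1.1", "TLS v1.2"],
    "ciphers": ["AES_128_CBC", "AES_256_CBC", "AES_128_GCM"],
    "key_exchange": ["RSA", "DHE_RSA"],
}

if __name__ == "__main__":
    for label, srv in (("default", DEFAULT_SERVER), ("hardened", HARDENED_SERVER)):
        r = assess(srv)
        print(f"{label}: best {r['best_protocol']}; "
              + ("; ".join(r["findings"]) or "no findings"))
    for proto, (support, best) in protocol_survey([DEFAULT_SERVER, HARDENED_SERVER]).items():
        print(f"{proto:9} support={support} best={best}")
```

The cipher test is deliberately name-based and narrow (NULL, EXPORT, 40/56-bit suffixes); single DES and RC4_128 pass it, which matches the slides' wording that those are widely supported rather than being listed among the weak ones, so extend the predicate if your own policy is stricter.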