SSL/TLS: IMPACT AND SOLUTIONS FOR YOUR WEB APPLICATIONS 
Introduction: What is SSL / TLS
Part 1: About SSL Certificates
Part 2: SSL impact and optimisation
13/11/2014

INTRODUCTION: What is SSL / TLS?
Baptiste Assmann, HAProxy
•What is SSL?
•The purpose of SSL
•History of SSL / TLS
•Overview of a TLS connection
  •Glossary
  •Timeframe

What is SSL?
•SSL (Secure Sockets Layer) was first released in 1994
•The IETF standardized the SSL protocol as TLS (Transport Layer Security) in 1999
•People carry on saying SSL when speaking about TLS
•It sits at layer 5 of the OSI model
It's the 's' in HTTPs, IMAPs, POPs, etc.
OSI model:
Layer 7 - application: HTTP, POP, IMAP
Layer 6 - presentation
Layer 5 - session: SSL / TLS
Layer 4 - transport: TCP
Layer 3 - network: IP
Layer 2 - link
Layer 1 - physical

Purposes of the protocol
•Confidentiality: nobody between the peers of a TLS connection can understand the content
•Integrity: no data is altered when transmitted over a TLS connection
•Authentication: each peer of a TLS connection can check that the other one is who it claims to be
(In these slides, we'll focus only on the server side)
peer1 <-- TLS connection --> peer2

History of SSL / TLS
•SSL (Secure Sockets Layer)
  •First version: Netscape in 1994
  •SSL 2.0: 1995
  •SSL 3.0: 1996
•IETF standardization: TLS (Transport Layer Security)
  •TLS 1.0: 1999 (based on SSL 3.0)
  •TLS 1.1: 2006
  •TLS 1.2: 2008
  •TLS 1.3: 2015

Overview of a TLS connection: glossary
Before starting, we need to clarify a few definitions:
•Client hello: client side TLS connection initialization
•Server hello: server side response to the TLS connection initialization
•TLS handshake: phase where the client and the server negotiate the way the connection is established
•Client random: client side random string, unique for each TLS session
•Server random: server side random string, unique for each TLS session
•Pre-master secret: binary data provided by the client and used to generate the session key
•Cipher suite: unique identifier of the set of algorithms describing a TLS connection
•Session key: key for symmetric ciphering, result of the TLS handshake
•Session ID: TLS session ID associated with the session key, which can be used later by both the client and the server (resume)

Overview of a TLS connection
TLS connection timeframe
•Step 1: client hello: the client opens a TCP connection and sends the following information: supported cipher suites.
•Step 2: server hello: the server selects a cipher suite from the client list. The response also contains the server random. The server sends its certificate and public key to the client.
•Step 3: the client verifies the server's certificate (self signed, expired, etc.)
•Step 4: the client uses the server's public key to encrypt its random and pre-master secret.
•Step 5: both the client and the server generate the session key using the client random, server random and pre-master secret.
•Step 6: a first message is then exchanged over the ciphered connection
Message flow:
(1) Client -> Server: Client Hello (supported cipher suites)
(2) Server -> Client: Server Hello (cipher suite, server certificate, public key, server random)
(3) Client: verify server certificate
(4) Client -> Server: Client Key Exchange (client random, pre-master secret, encrypted with server's public key)
(5) Client: generate session key
(5) Server: generate session key, session ID
(6) First message
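Step 5 carried through as an added example (not part of the original slides): the TLS 1.2 derivation from RFC 5246, in which both peers run the same PRF over the pre-master secret and the two randoms and therefore obtain identical session keys. The AES-128-GCM key sizes, the function names and the fixed sample values are assumptions chosen for the illustration.

```python
import hashlib
import hmac

# Constructed sample values (not captured traffic).
CLIENT_RANDOM = bytes(range(32))                   # 32-byte client random
SERVER_RANDOM = bytes(range(32, 64))               # 32-byte server random
PRE_MASTER = b"\x03\x03" + bytes(range(100, 146))  # version + 46 bytes = 48


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5 P_hash, instantiated with HMAC-SHA256."""
    out, a = b"", seed                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes,
                  server_random: bytes) -> bytes:
    """48-byte master secret; this is what a session ID later refers to."""
    if len(pre_master) != 48:
        raise ValueError("RSA pre-master secret must be 48 bytes")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("client and server randoms must be 32 bytes")
    return prf(pre_master, b"master secret",
               client_random + server_random, 48)


def session_keys(pre_master: bytes, client_random: bytes,
                 server_random: bytes, key_len: int = 16,
                 iv_len: int = 4) -> dict:
    """Expand the master secret into per-direction keys and IVs.

    Sizes default to AES-128-GCM (no separate MAC keys); that choice is an
    assumption of this example.
    """
    master = master_secret(pre_master, client_random, server_random)
    # Note the swapped order of the randoms for the key expansion.
    block = prf(master, b"key expansion",
                server_random + client_random, 2 * (key_len + iv_len))
    names = ("client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv")
    sizes = (key_len, key_len, iv_len, iv_len)
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


if __name__ == "__main__":
    # Each peer computes independently from the same three inputs.
    client_side = session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_side = session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("keys match:", client_side == server_side)
    for name, value in client_side.items():
        print(f"{name}: {value.hex()}")
```

Changing either random gives a completely different key block, which is why each random is unique per TLS session.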

Resuming a TLS connection
TLS connection timeframe
•Step 1: client hello: the client opens a TCP connection and sends the following information: supported cipher suites and an SSL session ID to resume.
•Step 2: server hello: the server selects a cipher suite from the client list. The server sends its certificate and public key to the client.
•Step 3: the client verifies the server's certificate (self signed, expired, etc.)
•Step 4: a first message is then exchanged over the ciphered connection
No session keys to compute.
Message flow:
(1) Client -> Server: Client Hello (supported cipher suites, session key ID)
(2) Server -> Client: Server Hello (cipher suite, server certificate, public key)
(3) Client: verify server certificate
(4) First message

PART 1: About SSL Certificates
François Marien, SSL247®
•What is the role of an SSL certificate?
•Levels of validation
•Options for certificates: SAN and Wildcard
•The certificate ordering process
•Certificate chain
•SSL algorithms: encryption & authentication
•Examples

What is the role of an SSL certificate?
SSL: Secure Sockets Layer, replaced in 1999 by TLS: Transport Layer Security
An SSL certificate is a data file which binds a public cryptographic key to a domain name. When installed on a server, it activates the SSL/TLS protocol.
3 main roles
Encrypting data during online transactions
> Can anyone read the data I am exchanging?
Authenticating the server
> Am I talking to the server it claims to be?
Proving the integrity of the content
> Can anyone tamper with the data exchanged?
Proving the identity of the organisation controlling the domain!
(depending on the validation level…)

3 possible levels of validation
OV (Organisation Validation)
•Data encryption
•Validation of the domain name + organisation authentication
•Padlock + https appearing in the browser
•Details about the organisation are displayed in the certificate information
•Issued within 1-2 days
Vetting = longer issuance time
EV (Extended Validation)
•Data encryption
•Strict authentication, respects industrial norms
•Green bar + padlock + https appearing in browsers
•Details about the organisation are displayed in the certificate information
•Issued within 5-6 days
Long and strict vetting = maximum confidence from visitors
DV (Domain Validation)
•Data encryption
•Validation of the domain name
•Padlock + https appearing in the browser
•Certificate issued within less than 10 minutes
No vetting = fast issuance time

2 options / add-ons
Wildcard
Secures an unlimited number of subdomains.
We often refer to a Wildcard certificate by using a «*» (star). Example: *.ssl247.co.uk can secure blog.ssl247.co.uk, mail.ssl247.co.uk, server.ssl247.co.uk…
+ Easier to manage; cheaper than buying a certificate for each single subdomain; very flexible
- If the SSL certificate is compromised, then all the servers using the Wildcard certificate are compromised; not compatible with all mobile device operating systems; not compatible with Extended Validation
SAN
Often used for Unified Communications (UC) to secure Microsoft apps or Mobile Device Managers.
Example: ssl247.com, exchange.ssl247.com, ssl247.net, new-ssl247.net
+ Usually cheaper to buy SANs rather than several certificates; if your websites are hosted on a single server, a SAN won't require different IP addresses for each domain name
- The CA will still operate a vetting process for each SAN; requires good management if you have several SANs; more expensive than a normal or Wildcard certificate

The ordering process
1. The request
2. The vetting & issuance
3. The installation
CSR = Certificate Signing Request
Applicant's information, private key, public key
When the CA issues your SSL certificate, they officially guarantee that the public key which was contained in your CSR belongs to www.yourdomain.com, and they also guarantee that www.yourdomain.com is controlled by your organisation (except for DV: no vetting).

Certificate chain / certification path
Trust infrastructure:
Root certificate = the CA's own certificate! A root can become linked to an intermediate by "signing" (authenticating) it.
Intermediate CA = the root's delegate. The intermediate is in charge of "signing" (authenticating) SSL certificates.
SSL certificate. The SSL certificate is issued by the CA, then signed by an intermediate, which is signed by a root certificate.

SSL algorithms: encryption
2 types of encryption in SSL
a) Asymmetric encryption: used at the beginning of an encrypted session, during the «key exchange» (needs 2 keys, a public and a private)
b) Symmetric encryption: used when the session key has been exchanged (needs one temporary session key)
a) Asymmetric encryption > 3 main "key exchange algorithms"
RSA - authored by Ron Rivest, Adi Shamir and Leonard Adleman
DSA - Digital Signature Algorithm
ECC - Elliptic Curve Cryptography - NEW!
b) Symmetric encryption > 1 main standard: AES (Advanced Encryption Standard)
Cipher suite = combination of authentication / key exchange / encryption algorithms

SSL algorithms: authentication
1 main algorithm: SHA (Secure Hash Algorithm)
Used in secured connections to prove the integrity and authenticity of a message to the receiver.
Standard hash algorithm in SSL certificates.
SHA-1 phasing out, moving to SHA-2
SHA-1 = 160-bit fingerprint: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
vs.
SHA-2 = 256-bit fingerprint: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Google is accelerating the deprecation
The next 3 releases of Chrome will progressively display warning icons on websites secured with SHA-1 certificates
SHA-1 certificates concerned by Google's action:
•Expiring between 01/06/2016 and 31/12/2016
•Expiring from 01/01/2017

Case Studies: typical requests
"I need to secure my Microsoft Exchange server"
•mail.contoso.com 
•mail.contoso-local.com 
•autodiscover.contoso.com 
•autodiscover.contoso-local.com 
•legacy.contoso.com 
•sip.contoso.com 
•meet.contoso.com 
•lyncdiscover.contoso.com 
•lyncweb.contoso.com 
•dialin.contoso.com 
OV certificate with SAN
OV certificate with Wildcard + SAN
•shop.contoso.com
"I have a Lync project with 2 servers: Edge + Proxy"
Single domain EV certificate
Symantec 
"I have an e-commerce website"

PART 2: SSL impact and optimisation
Baptiste Assmann, HAProxy
•TLS and IPv4 exhaustion
•HAProxy and SNI
•TLS impacts:
  •on performance
  •on clients
  •on Web applications
•SSL offloading
•SEO
•Security of the SSL protocol

Deployment modes
•HAProxy can be used in 3 different modes in front of services requiring SSL:
  •SSL pass through or forward: client --SSL--> HAProxy --SSL--> server (encrypted data in HAProxy)
  •SSL offloading: client --SSL--> HAProxy --clear--> server (clear data in HAProxy)
  •SSL cut through or bridging: client --SSL--> HAProxy --SSL--> server (clear data in HAProxy)
There is no 'good' or 'bad' way, only the mode which meets your requirements.
•Requirements are dictated by the application, the servers, the hardware capacity, etc.

Deployment modes: HAProxy and SSL pass through or SSL forward
client --SSL--> HAProxy --SSL--> server (encrypted data in HAProxy)
    frontend ft_www
        mode tcp
        bind 10.0.0.1:443
        default_backend bk_www
    backend bk_www
        mode tcp
        server s1 10.0.0.11:443

Deployment modes: HAProxy and SSL offloading
client --SSL--> HAProxy --clear--> server (clear data in HAProxy)
    frontend ft_www
        mode http
        # TLS terminates here; mycrt.pem holds the certificate and its private key
        bind 10.0.0.1:443 ssl crt mycrt.pem
        default_backend bk_www
    backend bk_www
        mode http
        server s1 10.0.0.11:80

Deployment modes: HAProxy and SSL cut through or bridging
client --SSL--> HAProxy --SSL--> server (clear data in HAProxy)
    frontend ft_www
        mode http
        bind 10.0.0.1:443 ssl crt mycrt.pem
        default_backend bk_www
    backend bk_www
        mode http
        # "ssl" re-encrypts towards the server; add "verify required ca-file <CA bundle>"
        # so that HAProxy also authenticates the server certificate
        server s1 10.0.0.11:443 ssl

TLS and IPv4 exhaustion
TLS extension: SNI
•The certificate presented by the server must match the hostname, otherwise the client raises a warning
•Lessons learned until now:
  •When the server has to send the certificate, it doesn't know which service the client is trying to browse
  •The service host name is HTTP information, not available at the TLS layer
Since it is impossible for the server to relate one of its certificates to the service reached by the client, a best practice was to assign one IP address per certificate.
Wildcard, SAN and multi-domain certificates help, but this is not scalable.

TLS and IPv4 exhaustion
TLS extension: SNI
•In April 2006, RFC 4366 is published and introduces TLS Extensions.
•One of these extensions is named Server Name Indication, shortened as SNI.
•Basically, during the client hello, the client sends a string containing the name of the service the layer above (i.e. HTTP) is trying to reach.
•Based on this string, the server can now select the appropriate certificate
•Both client and server must support SNI
Message flow:
(1) Client -> Server: Client Hello (supported cipher suites, Server Name Indication)
(2) Server -> Client: Server Hello (cipher suite, server certificate, public key, server random)
    The server chooses the certificate based on the SNI sent by the client
(3) Client: verify server certificate

TLS and IPv4 exhaustion: HAProxy and SNI
Working as a TLS endpoint
•Tell HAProxy to load all the certificates available in a directory (validated at 50000 certificates in production):
    frontend ft_www
        bind 10.0.0.1:443 ssl crt /etc/haproxy/certs/
•Path to a default certificate, used when clients don't send SNI:
    frontend ft_www
        bind 10.0.0.1:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs/
•To log SNI information, use the ssl_fc_sni sample fetch in a log-format directive:
    log-format ...%[ssl_fc_sni]...
Working in TLS passthrough mode
•Route TLS connections to different server farms:
    frontend ft_ssl
        bind 10.0.0.1:443
        # wait up to 5s for a complete Client Hello before routing
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend bk_webmail if { req.ssl_sni -i owa.domain.com mail.domain.com }
        use_backend bk_sharepoint if { req.ssl_sni -i sharepoint.domain.com }

TLS impact on performance: CPU
•CPU usage:
  •Key computation is very expensive, even more so with 2048-bit RSA keys. Scales very well with the number of processes
  •TLS resume is cheaper. Scales well up to 3 processes
  •Ciphering a request on an established connection is cheap with a modern CPU and the AES-NI instructions
•HAProxy/OpenSSL performance on a single core of an i7 CPU @3.4GHz:
  •key computation: around 600/s (2048 bits)
  •TLS resume per second (TLS 1.2): around 12000/s
  •TLS bandwidth: 4.3Gb/s
•Now, you know why it is important to be able to resume a TLS connection!!!! (x20 gain of performance!)
The choice of the cipher suite is very important!!!
Read: https://wiki.mozilla.org/Security/Server_Side_TLS

TLS impact on performance: CPU
•Use HAProxy's global section to manage SSL parameters (HAProxy 1.5.8 and above):
    global
        ssl-default-bind-ciphers <copy paste the intermediary SSL cipher suite>
        tune.ssl.default-dh-param 2048
        ssl-default-bind-options no-sslv3
•Log client User-Agent and negotiated cipher suite:
    capture request header User-Agent len 128
    log-format ...{%sslv/%sslc}...
•Example of log output: ...{TLSv1/ECDHE-RSA-AES128-SHA}...
•Adapt your cipher suite to your client pattern and not to make SSLlabs happy!!!
•In case of trouble, HAProxy will log a TLS handshake error, without any other information. This part is handled by the OpenSSL library
•Tune the HAProxy SSL session key cache:
    global
        tune.ssl.cachesize 50000 # default to 20000
        tune.ssl.lifetime 600 # default to 300 seconds

TLS impact on performance: memory
•Memory usage (no tuning, system and HAProxy defaults):
  •A raw TCP connection passing through HAProxy requires 50K of memory
  •With OpenSSL, add 64K of memory per TLS connection.
•Memory requirements for a peak of 1000 TLS connections:
Deployment mode     Computation                 Total memory required
TLS pass through    1000 * 50K                  50 MBytes
TLS offloading      1000 * (50K + 64K)          114 MBytes
TLS cut through     1000 * (50K + 64K + 64K)    178 MBytes

TLS impact on clients
Forward proxies
•Some companies may forbid HTTPs on their forward proxies
  •Web sites should be available over both HTTP and HTTPs (public data only)
  •Web applications should be available over HTTPs only
•Some forward proxies do SSL inspection, making SSL useless:
https://www.google.fr/search?&q=SSL+inspection+appliance
Low capacity devices
•Low CPU resources mean a huge impact on performance
•Battery consumption is increased
•Adds latency and delays rendering
•Usually, they support only outdated SSL protocols and can't be updated
•The choice of the cipher suite is very important!!!
TLS impact on clients 
Disabling TLSv1.0 or not ??? 
•Compatibility matrix errors without TLSv1.0: (non exhaustive list)
TLS impact on clients 
Disabling TLSv1.0 or not ??? 
•Compatibility matrix with TLSv1.0: (non exhaustive list)

TLS impact on Web applications
•In order to support the switch to TLS, a web application must be "agile".
  •Links must be adapted to the scheme (http or https). Prefer using relative links.
  •HTTP responses should match the right scheme (http or https) and port (80 or 443)
Sometimes we must switch to SSL bridging mode
•What should be ciphered:
  •Pages with sensitive / personal information
  •All content of a page must be ciphered
  •Application cookies should never be sent over a plain connection
•Mixing 2 host headers on a single page to download static content over HTTP and dynamic content over HTTPs may lead to warnings in the browser

TLS impact on Web applications: protect application cookie
•HAProxy can enforce the Secure flag on application cookies:
    backend myapp
        acl https ssl_fc
        acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
        rspirep ^(set-cookie:.*) \1;\ Secure if https !secured_cookie
The 'Secure' flag tells the browser to never send this cookie over a clear connection
•Force a logout if the cookie has been sent over a clear connection:
        acl https ssl_fc
        acl app_cookie req.cook(JSESSIONID) -m found
        acl path_logout path -i /logout.jsp
        http-request redirect location /logout.jsp if !https app_cookie !path_logout
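A check worth running against the secured_cookie ACL above, as an added example (not from the original slides): the ACL is a substring match on the lower-cased Set-Cookie value, so a cookie whose name, value or path merely contains "secure" is treated as already protected and never gets the flag. The sample headers and function names are constructed for the illustration.

```python
# Constructed Set-Cookie header values (not captured traffic).
SAMPLE_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "JSESSIONID=def456; Path=/; Secure; HttpOnly",
    "secure_pref=1; Path=/",
]


def substring_acl_matches(set_cookie_value: str) -> bool:
    """Same test as 'res.hdr(Set-Cookie),lower -m sub secure'."""
    return "secure" in set_cookie_value.lower()


def has_secure_attribute(set_cookie_value: str) -> bool:
    """True only if 'Secure' is present as a cookie attribute.

    Attributes are the ';'-separated parts after the name=value pair.
    """
    attributes = set_cookie_value.split(";")[1:]
    return any(attr.strip().lower() == "secure" for attr in attributes)


def add_secure(set_cookie_value: str) -> str:
    """Append the Secure attribute when it is really missing."""
    if has_secure_attribute(set_cookie_value):
        return set_cookie_value
    return set_cookie_value.rstrip().rstrip(";") + "; Secure"


def audit(set_cookie_values):
    """List cookies lacking Secure and say whether the substring ACL
    would have noticed them.

    Returns (cookie_name, finding) tuples, where finding is
    'missing-secure' (the ACL also sees it as unprotected) or
    'missed-by-substring-acl' (the ACL wrongly sees it as protected).
    """
    findings = []
    for value in set_cookie_values:
        if has_secure_attribute(value):
            continue
        name = value.split("=", 1)[0].strip()
        if substring_acl_matches(value):
            findings.append((name, "missed-by-substring-acl"))
        else:
            findings.append((name, "missing-secure"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SET_COOKIE):
        print(f"{name}: {finding}")
    print(add_secure(SAMPLE_SET_COOKIE[2]))
```

Run it over the Set-Cookie values captured in the HAProxy logs to find cookies the rewrite rule skips.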

Impact of SSL offloading
client --SSL--> HAProxy --clear--> server (clear data in HAProxy)
•The main difficulty of SSL offloading is that clients browse over HTTPs while the application server is reached over HTTP
•Check list:
  •HAProxy must inform the server which protocol is being used by the client
  •The server must adapt responses (Location, Set-Cookie, etc.)
  •Links from the body of the page must be adapted too

Impact of SSL offloading
•Tell HAProxy to log some useful information:
    capture response header Location len 32
    capture response header Set-Cookie len 32
•Tell the application server which protocol was used on the client side:
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
Application server should adapt content based on this header
•Track errors and adapt the server's responses to the client side connection type:
    rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
    rspirep ^Location:\ http://(.*) Location:\ https://\1 if { ssl_fc }
•Don't forget the Secure flag (see a few slides above)

Search Engine Optimisation
•Lately, Google has announced that the protocol scheme (HTTP / HTTPs) of web sites will be used in their ranking algorithm: HTTPs will get more points
Important to move to SSL if your business relies on Google ranking
•If your business doesn't rely on Google ranking, then no worries!!!

Security of the SSL protocol
SSL / TLS weaknesses
•Lately, some vulnerabilities in SSL have been reported
•OpenSSL library: ensure you're running the latest OpenSSL library available for your operating system
  •Heartbleed
  •CCS (CVE-2014-0224)
•SSL protocol:
  •BEAST attack: use an up to date SSL library
  •SSLv3 POODLE: disable SSLv3:
    global
        ssl-default-bind-options no-sslv3
  •Downgrade attack prevention (TLS_FALLBACK_SCSV)
  •TLS compression

Conclusion
Moving to SSL
•Moving to SSL is not straightforward:
  •If the application is SSL-ready, then no problem
  •If the application is not SSL-ready, then it may work (worst case, use SSL bridging mode)
  •In rare cases, an update of the application may be needed
  •Don't forget to run an audit before
•Bear in mind that the type of client can also have an impact on your SSL stack (backward compatibility, limited features and ciphers, etc.)
•HAProxy's flexibility, reporting and performance are your best friends during this move!
Choosing the right SSL certificate
•An SSL certificate provides more than encryption
•You need to find the right balance between the levels of validation, the levels of encryption and the add-ons (Wildcard / SAN) you need
•SSL247® can help you choose the right certificate(s) for all your needs
info@SSL247.co.uk 
+44(0)207 060 3775 
www.SSL247.co.uk 
contact@haproxy.com 
+1-857-366-5050
www.haproxy.com
USEFUL LINKS
- https://www.ssl247.com/ssl-tools/certificate-decoder > decode an SSL certificate
- https://www.ssllabs.com/ssltest/ > test your SSL server
- https://istlsfastyet.com/ > info about moving to TLS
- https://www.ssl247.com/?wizard# > choose the right certificate
- https://www.ssl247.com/ssl-certificates/brands/GeoTrust/geotrust-trial > use a 30-day free SSL certificate to run tests on your servers

Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 

Último (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 

Webinar SSL English

  • 1. SSL/TLS: IMPACT AND SOLUTIONS FOR YOUR WEB APPLICATIONS
      Introduction: What is SSL / TLS
      Part 1: About SSL Certificates
      Part 2: SSL impact and optimisation
      13/11/2014
  • 2. INTRODUCTION: What is SSL / TLS? (Baptiste Assmann – HAProxy)
      • What is SSL?
      • The purpose of SSL
      • History of SSL / TLS
      • Overview of a TLS connection
      • Glossary
      • Timeframe
  • 3. What is SSL?
      • SSL (Secured Socket Layers) first released in 1994
      • IETF standardized the SSL protocol into TLS (Transport Layer Security) in 1999
      • People carry on using "SSL" when speaking about TLS
      • Stands at layer 5 of the OSI model
      It's the 's' in HTTPs, IMAPs, POPs, etc.
      OSI model:
        Layer 7 – application: HTTP, POP, IMAP
        Layer 6 – presentation
        Layer 5 – session: SSL / TLS
        Layer 4 – transport: TCP
        Layer 3 – network: IP
        Layer 2 – link
        Layer 1 – physical
  • 4. Purposes of the protocol
      • Confidentiality: nobody between the peers of a TLS connection can understand the content
      • Integrity: no data is altered when transmitted over a TLS connection
      • Authentication: each peer of a TLS connection can check that the other one is who it claims to be
      (In these slides, we'll focus only on the server side)
      Diagram: peer1 <- TLS connection -> peer2
  • 5. History of SSL / TLS
      • SSL (Secured Socket Layers)
          • First version: Netscape in 1994
          • SSL 2.0: 1995
          • SSL 3.0: 1996
      • IETF standardization: TLS (Transport Layer Security)
          • TLS 1.0: 1999 (based on SSL 3.0)
          • TLS 1.1: 2006
          • TLS 1.2: 2008
          • TLS 1.3: 2015
  • 6. Overview of a TLS connection: Glossary
      Before starting, we need to clarify a few definitions:
      • Client hello: client side TLS connection initialization
      • Server hello: server side TLS connection initialization response
      • TLS handshake: phase where the client and the server negotiate the way the connection is established
      • Client random: client side random string, unique for each TLS session
      • Server random: server side random string, unique for each TLS session
      • Pre-master secret: binary data provided by the client and used to generate the session key
      • Cipher suite: unique identifier of algorithms describing a TLS connection
      • Session key: key for symmetric ciphering, result of the TLS handshake
      • Session ID: TLS session ID associated with the session key, which can be used later by both the client and the server (resume)
  • 7. Overview of a TLS connection: TLS connection timeframe
      • Step 1: client hello: the client opens a TCP connection and sends the following information: supported cipher suites.
      • Step 2: server hello: the server selects a cipher suite from the client list. The response also contains the server random. The server sends its certificate and public key to the client.
      • Step 3: the client verifies the server's certificate (self signed, expired, etc.)
      • Step 4: the client uses the server's public key to encrypt its random and pre-master secret.
      • Step 5: both the client and the server generate the session key using client random, server random and pre-master secret.
      • Step 6: a first message is then exchanged over the ciphered connection
      Diagram (Client / Server):
        (1) Client Hello: supported cipher suites
        (2) Server Hello: cipher suite, server certificate, public key, server random
        (3) Verify server certificate
        (4) Client Key Exchange: client random, pre-master secret (encrypted with server's public key)
        (5) Generate session key (client); generate session key, session ID (server)
        (6) First message
  • 8. Resuming a TLS connection: TLS connection timeframe
      • Step 1: client hello: the client opens a TCP connection and sends the following information: supported cipher suites and an SSL session ID to resume.
      • Step 2: server hello: the server selects a cipher suite from the client list. The server sends its certificate and public key to the client.
      • Step 3: the client verifies the server's certificate (self signed, expired, etc.)
      • Step 4: a first message is then exchanged over the ciphered connection
      No session keys to compute.
      Diagram (Client / Server):
        (1) Client Hello: supported cipher suites, session key ID
        (2) Server Hello: cipher suite, server certificate, public key
        (3) Verify server certificate
        (4) First message
  • 9. PART 1: About SSL Certificates (François Marien – SSL247®)
      • What is the role of an SSL certificate?
      • Levels of validation
      • Options for certificates: SAN and Wildcard
      • The certificate ordering process
      • Certificate chain
      • SSL algorithms: encryption & authentication
      • Examples
  • 10. What is the role of an SSL certificate?
      SSL: Secure Socket Layer, replaced in 1999 by TLS: Transport Layer Security
      An SSL certificate is a data file which binds a public cryptographic key to a domain name. When installed on a server, it activates the SSL/TLS protocol.
      3 main roles:
      • Encrypting data during online transactions > Can anyone read the data I am exchanging?
      • Authenticating the server > Am I talking to the server it claims to be?
      • Proving the integrity of a content > Can anyone tamper with the data exchanged?
      Proving the identity of the organisation controlling the domain! (depending on the validation level…)
  • 11. 3 possible levels of validation
      OV (Organisation Validation): vetting = longer issuance time
      • Data encryption
      • Validation of the domain name + organisation authentication
      • Padlock + https appearing in the browser
      • Details about the organisation are displayed in the certificate information
      • Issued within 1-2 days
      EV (Extended Validation): long and strict vetting = maximum confidence from visitors
      • Data encryption
      • Strict authentication, respects industrial norms
      • Green bar + padlock + https appearing in browsers
      • Details about the organisation are displayed in the certificate information
      • Issued within 5-6 days
      DV (Domain Validation): no vetting = fast issuance time
      • Data encryption
      • Validation of the domain name
      • Padlock + https appearing in the browser
      • Certificate issued within less than 10 minutes
  • 12. 2 options / add-ons
      Wildcard: secures an unlimited number of subdomains. We often refer to a Wildcard certificate by using a «*» (star).
      Example: *.ssl247.co.uk can secure blog.ssl247.co.uk, mail.ssl247.co.uk, server.ssl247.co.uk…
        + Easier to manage; cheaper than buying a certificate for each single subdomain; very flexible
        - If the SSL certificate is compromised, then all the servers using the Wildcard certificate are compromised; not compatible with all mobile device operating systems; not compatible with Extended Validation
      SAN: often used for Unified Communications (UC) to secure Microsoft apps or Mobile Device Managers.
      Example: ssl247.com, exchange.ssl247.com, ssl247.net, new-ssl247.net
        + Usually cheaper to buy SANs rather than several certificates; if your websites are hosted on a single server, a SAN won't require different IP addresses for each domain name
        - The CA will still operate a vetting process for each SAN; requires good management if you have several SANs; more expensive than a normal or Wildcard certificate
  • 13. The ordering process
      1. The request
      2. The vetting & issuance
      3. The installation
      CSR = Certificate Signing Request (diagram labels: applicant's information, private key, public key)
      When the CA issues your SSL certificate, they officially guarantee that the public key which was contained in your CSR belongs to www.yourdomain.com, and they also guarantee that www.yourdomain.com is controlled by your organisation (except for DV: no vetting).
  • 14. Certificate chain / certification path (trust infrastructure)
      • Root certificate = the CA's own certificate! A root can become linked to an intermediate by "signing" (authenticating) it.
      • Intermediate CA = the root's delegate. The intermediate is in charge of "signing" (authenticating) SSL certificates.
      • SSL certificate. The SSL certificate is issued by the CA, then signed by an intermediate, which is signed by a root certificate.
  • 15. SSL algorithms: encryption
      2 types of encryption in SSL:
      a) Asymmetric encryption: used at the beginning of an encrypted session, during the «key exchange» (needs 2 keys, a public and a private)
      b) Symmetric encryption: used when the session key has been exchanged (needs one temporary session key)
      a) Asymmetric encryption > 3 main "key exchange algorithms":
        • RSA – authored by Ron Rivest, Adi Shamir and Leonard Adleman
        • DSA – Digital Signature Algorithm
        • ECC – Elliptic Curve Cryptography – NEW!
      b) Symmetric encryption > 1 main standard: AES (Advanced Encryption Standard)
      Cipher suite = combination of authentication / key exchange / encryption algorithms
  • 16. SSL algorithms: authentication
      1 main algorithm: SHA (Secure Hash Algorithm)
      • Used in secured connections to prove the integrity and authenticity of a message to the receiver.
      • Standard hash algorithm in SSL certificates.
      SHA-1 phasing out, moving to SHA-2:
        SHA-1 = 160-bit fingerprint: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
        vs.
        SHA-2 = 256-bit fingerprint: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
      Google is accelerating the deprecation: the next 3 releases of Chrome will progressively display warning icons on websites secured with SHA-1 certificates.
      SHA-1 certificates concerned by Google's action:
      • Expiring between 01/06/2016 and 31/12/2016
      • Expiring from 01/01/2017
  • 17. Case Studies: typical requests
      "I need to secure my Microsoft Exchange server" -> OV certificate with SAN
      • mail.contoso.com
      • mail.contoso-local.com
      • autodiscover.contoso.com
      • autodiscover.contoso-local.com
      • legacy.contoso.com
      "I have a Lync project with 2 servers: Edge + Proxy" -> OV certificate with Wildcard + SAN
      • sip.contoso.com
      • meet.contoso.com
      • lyncdiscover.contoso.com
      • lyncweb.contoso.com
      • dialin.contoso.com
      "I have an e-commerce website" -> Single domain EV certificate Symantec
      • shop.contoso.com
  • 18. PART 2: SSL impact and optimisation (Baptiste Assmann – HAProxy)
      • TLS and IPv4 exhaustion
      • HAProxy and SNI
      • TLS impacts:
          • on performance
          • on clients
          • on Web applications
      • SSL offloading
      • SEO
      • Security of the SSL protocol
  • 19. Deployment modes
      • HAProxy can be used in 3 different modes in front of services requiring SSL:
          • SSL pass through or forward: client -SSL-> HAProxy -SSL-> server (HAProxy sees encrypted data)
          • SSL offloading: client -SSL-> HAProxy -clear-> server (HAProxy sees clear data)
          • SSL cut through or bridging: client -SSL-> HAProxy -SSL-> server (HAProxy sees clear data)
      There is no 'good' or 'bad' way, only the mode which meets your requirements.
      • Requirements are dictated by the application, the servers, the hardware capacity, etc.
  • 20. Deployment modes: HAProxy and SSL pass through or SSL forward
      client -SSL-> HAProxy -SSL-> server (HAProxy sees encrypted data)
        frontend ft_www
          mode tcp
          bind 10.0.0.1:443
          default_backend bk_www

        backend bk_www
          mode tcp
          server s1 10.0.0.11:443
  • 21. Deployment modes: HAProxy and SSL offloading
      client -SSL-> HAProxy -clear-> server (HAProxy sees clear data)
        frontend ft_www
          mode http
          bind 10.0.0.1:443 ssl crt mycrt.pem
          default_backend bk_www

        backend bk_www
          mode http
          server s1 10.0.0.11:80
  • 22. Deployment modes: HAProxy and SSL cut through or bridging
      client -SSL-> HAProxy -SSL-> server (HAProxy sees clear data)
        frontend ft_www
          mode http
          bind 10.0.0.1:443 ssl crt mycrt.pem
          default_backend bk_www

        backend bk_www
          mode http
          server s1 10.0.0.11:443 ssl
  • 23. TLS and IPv4 exhaustion. TLS extension: SNI
      • The certificate presented by the server must match the hostname, otherwise the client sends a warning
      • Lessons learned until now:
          • When the server has to send the certificate, it doesn't know which service the client is trying to browse
          • The service host name is HTTP information, not available at the TLS layer
      Since it is impossible for the server to relate one of its certificates to the service reached by the client, a best practice was to assign one IP address per certificate.
      Wildcard certificates, SAN and multi domain certificates help, but this is not scalable.
  • 24. TLS and IPv4 exhaustion. TLS extension: SNI
      • In April 2006, RFC 4366 was published and introduced TLS Extensions.
      • One of these extensions is named Server Name Indication, shortened as SNI.
      • Basically, during the client hello, the client sends a string containing the name of the service the layer above (i.e. HTTP) is trying to reach.
      • Based on this string, the server can now select the appropriate certificate
      • Both client and server must support SNI
      Diagram (Client / Server):
        (1) Client Hello: supported cipher suites, Server Name Indication
        (2) Server Hello: cipher suite, server certificate, public key, server random (the server chooses the certificate based on the SNI sent by the client)
        (3) Verify server certificate
  • 25. TLS and IPv4 exhaustion: HAProxy and SNI
      Working as a TLS endpoint
      • Tell HAProxy to load all the certificates available in a directory (validated at 50000 certificates in production):
          frontend ft_www
            bind 10.0.0.1:443 ssl crt /etc/haproxy/certs/
      • Path to a default certificate, used when clients don't send SNI:
          frontend ft_www
            bind 10.0.0.1:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs/
      • To log SNI information, use the ssl_fc_sni sample fetch in a log-format directive:
          log-format ...%[ssl_fc_sni]...
      Working in TLS passthrough mode
      • Route TLS connections to different server farms:
          frontend ft_ssl
            bind 10.0.0.1:443
            tcp-request inspect-delay 5s
            tcp-request content accept if { req_ssl_hello_type 1 }
            use_backend bk_webmail if { req.ssl_sni -i owa.domain.com mail.domain.com }
            use_backend bk_sharepoint if { req.ssl_sni -i sharepoint.domain.com }
  • 26. TLS impact on performance: CPU
      • CPU usage:
          • Key computation is very expensive, even more so with 2048-bit RSA keys. Scales very well with the number of processes
          • TLS resume is cheaper. Scales well up to 3 processes
          • Ciphering a request on an established connection is cheap with a modern CPU and the AES-NI instructions
      • HAProxy/OpenSSL performance on a single core of an i7 CPU @3.4GHz:
          • Key computation: around 600/s (2048 bits)
          • TLS resume per second (TLS 1.2): around 12000/s
          • TLS bandwidth: 4.3Gb/s
      • Now you know why it is important to be able to resume a TLS connection!!!! (x20 gain of performance!)
      The choice of the cipher suite is very important!!! Read: https://wiki.mozilla.org/Security/Server_Side_TLS
  • 27. TLS impact on performance: CPU
      • Use HAProxy's global section to manage SSL parameters (HAProxy 1.5.8 and above):
          global
            ssl-default-bind-ciphers <copy paste the intermediary SSL cipher suite>
            tune.ssl.default-dh-param 2048
            ssl-default-bind-options no-sslv3
      • Log client User-Agent and negotiated cipher suite:
          capture request header User-Agent len 128
          log-format ...{%sslv/%sslc}...
      • Example of log output: ...{TLSv1/ECDHE-RSA-AES128-SHA}...
      • Adapt your cipher suite to your client pattern, not to make SSLlabs happy!!!
      • In case of trouble, HAProxy will log a TLS handshake error, without any other information. This part is handled by the OpenSSL library
      • Tune HAProxy SSL session key cache:
          global
            tune.ssl.cachesize 50000 # default to 20000
            tune.ssl.lifetime 600 # default to 300 seconds
  • 28. TLS impact on performance: Memory
      • Memory usage (no tuning, system and HAProxy defaults):
          • A raw TCP connection passing through HAProxy requires 50K of memory
          • With OpenSSL, add 64K of memory per TLS connection.
      • Memory requirements for a peak of 1000 TLS connections:
          Deployment mode     Computation                 Total memory required
          TLS pass through    1000 * 50K                  50 MBytes
          TLS offloading      1000 * (50K + 64K)          114 MBytes
          TLS cut through     1000 * (50K + 64K + 64K)    178 MBytes
  • 29. TLS impact on clients
      Forward proxies
      • Some companies may forbid HTTPs on their forward proxies
          • Web sites should be available over both HTTP and HTTPs (public data only)
          • Web applications should be available over HTTPs only
      • Some forward proxies do SSL inspection, making SSL useless: https://www.google.fr/search?&q=SSL+inspection+appliance
      Low capacity devices
      • Low CPU resource means huge impact on performance
      • Battery consumption increased
      • Adds latency and delays printing
      • Usually, they support only outdated SSL protocols and can't be updated
      • The choice of the cipher suite is very important!!!
  • 30. TLS impact on clients: Disabling TLSv1.0 or not???
      • Compatibility matrix errors without TLSv1.0: (non exhaustive list)
  • 31. TLS impact on clients: Disabling TLSv1.0 or not???
      • Compatibility matrix with TLSv1.0: (non exhaustive list)
  • 32. TLS impact on Web applications
      • In order to support the switch to TLS, a web application must be "agile".
          • Links must be adapted to the scheme (http or https). Prefer using relative links.
          • HTTP responses should match the right scheme (http or https) and port (80 or 443). Sometimes we must switch to SSL bridging mode
      • What should be ciphered:
          • Pages with sensitive / personal information
          • All content of a page must be ciphered
          • Application cookies should never be sent over a plain connection
      • Mixing 2 host headers on a single page to download static content over HTTP and dynamic content over HTTPs may lead to warnings in the browser
  • 33. TLS impact on Web applications: Protect application cookie
      • HAProxy can enforce the Secure flag on application cookies (the 'Secure' flag tells the browser to never send this cookie over a clear connection):
          backend myapp
            acl https ssl_fc
            acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
            rspirep ^(set-cookie:.*) \1;\ Secure if https !secured_cookie
      • Force a logout if the cookie has been sent over a clear connection:
            acl https ssl_fc
            acl app_cookie req.cook(JSESSIONID) -m found
            acl path_logout path -i /logout.jsp
            http-request redirect location /logout.jsp if !https app_cookie !path_logout
  • 34. Impact of SSL offloading
      • The main difficulty of SSL offloading is that clients browse over HTTPs and the application server is reached over HTTP:
          client -SSL-> HAProxy -clear-> server (HAProxy sees clear data)
      • Check list:
          • HAProxy must inform the server which protocol is being used by the client
          • Server must adapt responses (Location, Set-Cookie, etc.)
          • Links from the body of the page must be adapted too
  • 35. Impact of SSL offloading
      • Tell HAProxy to log some useful information:
          capture response header Location len 32
          capture response header Set-Cookie len 32
      • Tell the application server which protocol was used on the client side (the application server should adapt content based on this header):
          http-request set-header X-Forwarded-Proto https if { ssl_fc }
          http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
      • Track errors and adapt the server's responses to the client side connection type:
          rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
          rspirep ^Location:\ http://(.*) Location:\ https://\1 if { ssl_fc }
      • Don't forget the Secure flag (see a few slides above)
  • 36. Search Engine Optimisation
      • Lately, Google has announced that the protocol scheme (HTTP / HTTPs) of web sites will be used in their ranking algorithm: HTTPs will get more points
      Important to move to SSL if your business relies on Google ranking
      • If your business doesn't rely on Google ranking, then no worries!!!
  • 37. Security of the SSL protocol: SSL / TLS weaknesses
      • Lately, some vulnerabilities in SSL have been reported
      • OpenSSL library: ensure you're running the latest OpenSSL library available for your operating system
          • Heartbleed
          • CCS (CVE-2014-0224)
      • SSL protocol:
          • Beast attack: use an up to date SSL library
          • SSLv3 Poodle: disable SSLv3:
              global
                ssl-default-bind-options no-sslv3
          • Downgrade attack prevention (TLS_FALLBACK_SCSV)
          • TLS compression
  • 38. Conclusion
      Moving to SSL
      • Moving to SSL is not straightforward:
          • If the application is SSL-ready, then no problem
          • If the application is not SSL-ready, then it may work (worst case, use SSL bridging mode)
          • In rare cases, an update of the application may be needed
          • Don't forget to run an audit before
      • Bear in mind that the type of client can also have an impact on your SSL stack (backward compatibility, limited features and ciphers, etc.)
      • HAProxy's flexibility, reporting and performance are your best friends during this move!
      Choosing the right SSL certificate
      • An SSL certificate provides more than encryption
      • You need to find the right balance between the levels of validation, the levels of encryption and the add-ons (Wildcard / SAN) you need
      • SSL247® can help you choose the right certificate(s) for all your needs
  • 39. Contacts
      info@SSL247.co.uk, +44(0)207 060 3775, www.SSL247.co.uk
      contact@haproxy.com, +1-857-366-5050, www.haproxy.com
      USEFUL LINKS
      - https://www.ssl247.com/ssl-tools/certificate-decoder > decode an SSL certificate
      - https://www.ssllabs.com/ssltest/ > test your SSL server
      - https://istlsfastyet.com/ > info about moving to TLS
      - https://www.ssl247.com/?wizard# > choose the right certificate
      - https://www.ssl247.com/ssl-certificates/brands/GeoTrust/geotrust-trial > use a 30-day free SSL certificate to run tests on your servers
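
Added example, not from the slides: the offloading check list on slides 33 to 35 asks the application server to adapt Location and Set-Cookie to the X-Forwarded-Proto header that HAProxy sets. This WSGI middleware does that on the server side and honours the header only when the request arrives from the proxy, so a client that reaches the server directly cannot claim "https"; the proxy source address 10.0.0.1, the class and function names and the sample application are assumptions.

```python
import re

# Assumption: address HAProxy uses to reach the backend (10.0.0.1 is the bind address on the slides).
TRUSTED_PROXIES = {"10.0.0.1"}

_HTTP_LOCATION = re.compile(r"^http://([^/:]+)(?::80)?(?=/|$)", re.IGNORECASE)


def fix_location(value):
    """http://host[:80]/path -> https://host/path; any other URL is left alone."""
    return _HTTP_LOCATION.sub(r"https://\1", value)


def add_secure(cookie):
    """Append the Secure attribute unless the cookie already carries it.

    Attributes are compared one by one, so a cookie whose name or value merely
    contains the word "secure" still gets the flag.
    """
    attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
    return cookie if "secure" in attrs else cookie + "; Secure"


class OffloadAware:
    """WSGI middleware for an application server sitting behind an SSL-offloading proxy."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = set(trusted_proxies)

    def __call__(self, environ, start_response):
        # Always remove the header so the application never acts on an unverified value.
        proto = environ.pop("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if environ.get("REMOTE_ADDR") not in self.trusted or proto != "https":
            return self.app(environ, start_response)

        environ["wsgi.url_scheme"] = "https"     # what URL builders in the app consult

        def patched(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                if name.lower() == "location":
                    value = fix_location(value)
                elif name.lower() == "set-cookie":
                    value = add_secure(value)
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)

        return self.app(environ, patched)


def legacy_app(environ, start_response):
    """Constructed sample application that is not SSL-ready."""
    start_response("302 Found", [
        ("Location", "http://shop.contoso.com:80/cart"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ])
    return [b""]


def respond(remote_addr, forwarded_proto=None):
    """Run one request through the middleware and return the response headers."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen.update(headers)

    OffloadAware(legacy_app)(environ, start_response)
    return seen


if __name__ == "__main__":
    print(respond("10.0.0.1", "https"))      # via the proxy, client on HTTPS
    print(respond("192.0.2.50", "https"))    # direct client forging the header
```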