
Amazon CloudFront Seminar Accelerated TLS/SSL Adoption


Presentation deck for the seminar held on August 4, 2016 at Amazon Web Services Japan, illustrating how web traffic encryption has evolved and where it is heading.

  1. Amazon CloudFront Seminar: Accelerated TLS/SSL Adoption. Hayato Kiriyama, Security Solutions Architect, Amazon Web Services Japan K.K. 2016.8.4
  2. Session Agenda. Past: History and Transition of TLS/SSL. Present: Recent Trends in Web Traffic Encryption. Future: The Future of Web Services.
  3. Session Agenda (section divider, Past): History and Transition of TLS/SSL
  4. History of TLS/SSL: Evolution of Web Encryption Technologies. Timeline: 1995 SSL2.0; 1996 SSL3.0; 1999 TLS1.0; 2006 TLS1.1; 2008 TLS1.2; 2013 planning of TLS1.3 starts.
  5. Evolution of TLS/SSL (columns: SSL2.0 / SSL3.0 / TLS1.0 / TLS1.1 / TLS1.2)
     Resistance to attack vectors:
       Downgrade attacks (forced downgrade of encryption strength): Weak / Secure / Secure / Secure / Secure
       Version rollback attacks (forced revert to SSL2.0): Weak / Secure / Secure / Secure / Secure
       CBC mode vulnerability attacks (BEAST/POODLE): Weak / Weak / Patch Required / Secure / Secure
     Supported encryption algorithms:
       128-bit block cipher (AES, Camellia): No Support / No Support / Supported / Supported / Supported
       Authenticated encryption (GCM, CCM): No Support / No Support / No Support / No Support / Supported
       Elliptic curve cryptography (ECC): No Support / No Support / Supported / Supported / Supported
       SHA-2 hash algorithms (SHA-256, SHA-384): No Support / No Support / No Support / No Support / Supported
     Source: SSL/TLS Encryption Guidelines v1.1, IPA, http://www.ipa.go.jp/files/000045645.pdf
  6. History of TLS/SSL: Evolution of Web Encryption Technologies and the Battle Against Vulnerabilities. Timeline: 1995 SSL2.0; 1996 SSL3.0; 1999 TLS1.0; 2006 TLS1.1; 2008 TLS1.2; 2011 BEAST; 2013 planning of TLS1.3 starts; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN.
  7. Session Agenda (section divider, Present): Recent Trends in Web Traffic Encryption
  8. Indexing of HTTPS Pages by Default. Google Webmaster Central Blog (Dec. 17, 2015): https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html
  9. PCI DSS v3.2 Requirements. By June 30, 2016: all service providers must provide a secure service offering. By June 30, 2018: all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol. Source: PCI DSS Requirements and Security Assessment Procedures Version 3.2 (April 2016), https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
  10. Apple will require HTTPS connections for iOS apps by the end of 2016 (June 14, 2016): App Transport Security (ATS) required by end of 2016. https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/324759/
  11. HTTP Strict Transport Security (HSTS) enforces HTTPS on google.com. Google's HSTS rollout: Forced HTTPS for google.com aims to help block attacks (August 1, 2016), http://www.zdnet.com/article/googles-hsts-rollout-forced-https-for-google-com-aims-to-help-block-attacks/ (* Gmail, Inbox, Google Play, Hangouts, Docs)
  12. Upgrade to TLS 1.2 and HTTP/1.1 (PayPal). Source: TLS 1.2 and HTTP/1.1 Upgrade Microsite, PayPal, https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1914
  13. Greater Enforcement by Industry/Vendors. Battle against vulnerabilities: 2011 BEAST; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN. Industry enforcement: 2015/12 Indexing HTTPS pages by default; 2016/04 PCI DSS v3.2; 2016/07 Mandatory ATS; 2016/08 HTTP Strict Transport Security (HSTS); 2017/06/30 Mandatory TLS1.2.
  14. Session Agenda (section divider, Future): The Future of Web Services
  15. Survey of Most Popular Websites. Survey of the SSL Implementation of the Most Popular Web Sites, SSL Pulse: https://www.trustworthyinternet.org/ssl-pulse/
  16. HTTPS Adoption Rate: percentage of HTTPS requests to the Alexa top 1,000,000 URLs. HTTP Archive Trends: http://httparchive.org/trends.php#perHttps
  17. Web Sites with Always On SSL (diagram: Partial SSL vs. Always On SSL across the Top Page, Service Introduction, Case Studies, and Seminar Registration pages)
  18. Benefits of Always On SSL (Item: Effect -> Business Benefit)
     Search engine optimization: Higher rankings in Google search results -> Increase in marketing presence
     Obtain referrer data: Access analytics of web sites -> Analyze user behavior
     Web site development and operation: Protect and maintain contents, URLs, and configuration files -> Lower development and operational costs
     Eavesdropping on vulnerable access points: Prevent man-in-the-middle and spoofing attacks -> Protect users from damages
     Use of HTTP/2: Faster web pages -> Better user experience
  19. HTTPS for Maximizing Business Value. Industry enforcement: 2015/12 Indexing HTTPS pages by default; 2016/04 PCI DSS v3.2; 2016/07 Mandatory ATS; 2016/08 HTTP Strict Transport Security (HSTS); 2017/06/30 Mandatory TLS1.2. Business benefits: increase in marketing benefits; lower costs; increase in user benefits.
  20. Shifting to the Era of Complete HTTPS. Drivers: Evolution of Web Encryption; Battle Against Vulnerabilities; Industry Enforcement; Business Benefits -> Complete HTTPS.
  21. Conclusion: Behind Accelerated TLS/SSL Adoption. Past: Battle Against Vulnerabilities (Security). Present: Industry Enforcement (Trust and Reliability). Future: Business Benefits (Greater Business Value).
