SlideShare a Scribd company logo

CAs and SSL Security Improvements Discuss New Proposals Like CT, CAA and Pinning

CASCouncil
CASCouncil

CASC member Dan Timpson's July 2013 ICANN presentation on CAs and the new paradigm

Technology
1 of 19
Download to read offline
sales@digicert.com www.digicert.com +1 (801) 877-2100 CAs and the New Paradigm ICANN 47 ccNSO Tech Day Dan Timpson
July 15, 2013 ► Problem: ► Harm: ► Response: Looking Back (2011) Hacking/complete compromise of CA system over many months; cert issuance logs erased (no record); 531 or more fake certs issued Potentially great (many OCSP checks from Iran). Hacking claims by “Iranian hacker” never verified Some certs revoked by CA (no complete list). DigiNotar roots became “untrusted” by browsers; CA went out of business
July 15, 2013 ► The state of SSL is stronger than ever and continues to incrementally improve. ► Ongoing Industry Improvements – CA/B Forum Enhanced BR's & Networking guidelines – Improved customer – CAs proactively responding to emerging threats ► Forward looking: Good IETF proposals are on the table – Certificate Transparency (CT) – Certificate Authority Authorization (CAA) – Public Key Pinning Discussion
July 15, 2013 ► CA's, browsers and industry groups are constantly improving standards (Self Regulated) – Mozilla/Microsoft root program requirements – CA/Browser Forum (2005 to date) – raised the bar: ● EV Guidelines revamped (2012), ● Baseline Requirements updated (2013) ● *New - Network and Security Controls (2013) – *New - CA Security Council www.casecurity.org – WebTrust, ETSI audit requirements (2000 - date) – Online Trust Alliance (OTA) encourages CA Best Practices ► CA's are continuously improving security, processes and responding quickly to issues as they surface (ex. gTLD's) Industry - Raising the Bar
July 15, 2013 Relatively few CA security issues over 15 years... ► Certs issued worldwide: 2,000,000 per year ► Bad certs issued: maybe 1,000 over 11 years (~91 bad certs per year) – mostly single incident (DigiNotar) – Most breaches resulted in no tangible harm and were remediated quickly ► Accuracy ratio for certs issued each year: 99.995% (Error rate 0.005%) - US Passport Office and state Departments of Motor Vehicles are NOT this accurate ► Significant harm from bad certs? Only likely in DigiNotar case (actual harm unknown) ► The state of SSL is stronger today as result of industry responses Putting it in Perspective
July 15, 2013 ► Effective 1/12013 (CA/B) – New networking Requirements – Protection of networks and supporting systems Zoning, air gapping critical systems etc. – Implementation of trusted roles and system accounts – Vulnerability and patch management ● Includes penetration testing – Logging, Monitoring and Alerting Networking Requirements
July 15, 2013 ► Goal: Prevent misissued certificates by ensuring they are not issued without domain owner's knowledge. ► CT provides publicly published logs to audit issued certificates. ► Anyone can see what CAs are asserting about your organization. Certificate Transparency (CT)
July 15, 2013 ► Is based on existing technologies that are easily supported with industry coordination ► Internal CAs are not impacted: internal certificates do not need to be logged ► Internal hostnames in public certificates don't need to be logged - clients can be configured with a list of internal domains or intermediate CAs can be name constrained Certificate Transparency
July 15, 2013 ► Enhances the current CA infrastructure rather than replacing it. ► Doesn't require any actions by sites in the vast majority of cases. Certificate Transparency ► Requires all CAs to be updated. ► Deployment will take many years. ► Public records require vigilance to be useful. Pros Cons
July 15, 2013 ► Certification Authority Authorization (CAA) – IETF RFC 6844 drafted by Comodo – Mechanism for preventing and detecting misissued certificates from CAs ► Mechanism – Based on DNS resource record that lists CAs authorized to issue certs for a domain – PRIOR to issuing a certificate, CA checks for a CAA record to ensure CA is allowed to issue cert for that domain Certification Authority Authorization
July 15, 2013 ► Context and Key Points – Benefit in that it’s a verification to see whether a CA should be associated with a cert for a specific domain – This is a “preventative” approach to issuing rogue certs without replacing current system – CAA record doesn’t say which key must be in the end- entity cert – entry is at the CA level – Supports wildcard certs – More than one CA may be specified for each DNS record – CABF is starting discussions on CAA for potential usage by CAs Certification Authority Authorization
July 15, 2013 ► Good complement to existing ecosystem to prevent and detect mis-issuance from CAs ► Low barrier for deployment for CAs – CAs need to check CAA record ► Does not require big-bang adoption – can be phased per CA and per certificate customer ► Raises the bar on CA security – bad actor must be able to attack DNS or suppress CA’s CAA check Certification Authority Authorization Pros
July 15, 2013 ► DNSSEC is recommended but not required, opening up potential for DNS record manipulation ► CA and customer opt-in nature makes CAA non- deterministic ► Potential perception of CAA being a mechanism for CAs to “lock in” customers Certification Authority Authorization Cons
July 15, 2013 ► Client (browser) tracks what certs are used by a website – Can be preloaded into browser – Alternatively, Web server can make an assertion in the HTTP Header about what certificate(s) it must use ► Generate an alert or block the connection if a different cert is used ► Two current IETF drafts: – Trust Assertions for Certificate Keys – Public Key Pinning Extension for HTTP Public Key Pinning
July 15, 2013 ► Reduces attack surface for a given site from approx. 65 roots (and potentially hundreds of intermediates) down to 1-2 ► Proven value in detecting compromise – Would've detected DigiNotar problems ► Enhances existing ecosystem ► Doesn't suffer from CAA's potential "lock in" perception Public Key Pinning Pros
July 15, 2013 ► Trust on First Use – doesn’t protect initial connection ► Doesn’t protect against key compromise ► Creates operational challenges with key exchanges ► May be best as a reporting mechanism – Long deployment horizon – Impact of false positives in "hard fail" mode Public Key Pinning Cons
July 15, 2013 ► Where do these proposals go from here? ► Which proposals get adopted (CT, CAA, Pinning) – and in which form(s) – is yet to be decided and groups will continue good research ► Incremental improvements will progress – Continue to monitor emerging security threats – Improving WHOIS – CA's must be informed of ownership changes – Impact of gTLD MITM ► SSL will improve. Systems that retain the improvements made by CA's as the knowledgeable trust anchors will advance internet security most effectively. Endgame
July 15, 2013 ► More research and multi-stakeholder collaboration is needed with ICANN community. ► CA's are interested in improving the landscape and DigiCert is taking a lead role, especially with CT. ► Many smart people are working on these issues, and the future looks good. Next Steps
July 15, 2013 ► Resources – CA/B - Baseline Requirements for the Issuance of Publicly Trusted Certs – CA/B - Network and Certificate System Requirements – CA/B - Letter to ICANN - Security Implications of New gTLD's – Mozilla - CA Certificate Policy v2.1 – Microsoft - Root Certificate Program – Online Trust Alliance - CA Best Practices – CA Security Council – WebTrust - Audit Criteria for CAs ► Open Proposals – Certificate Transparency Overview (CT) – Certificate Transparency (CT) - rfc6962 – Certificate Authority Authorization (CAA) - rfc6844 – Public Key Pinning - IETF Draft More Info

Recommended

PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesHyTrust
 
The Global Fight for Internet Trust
The Global Fight for Internet TrustThe Global Fight for Internet Trust
The Global Fight for Internet TrustPECB
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesOllie Whitehouse
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providersCalyptix Security
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
PA-DSS
PA-DSSPA-DSS
PA-DSSChristian Heinrich
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
PCI Myths
PCI MythsPCI Myths
PCI MythsSasha Nunke
 

Recommended

PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesHyTrust
 
The Global Fight for Internet Trust
The Global Fight for Internet TrustThe Global Fight for Internet Trust
The Global Fight for Internet TrustPECB
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesOllie Whitehouse
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providersCalyptix Security
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
PA-DSS
PA-DSSPA-DSS
PA-DSSChristian Heinrich
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
PCI Myths
PCI MythsPCI Myths
PCI MythsSasha Nunke
 
NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesOllie Whitehouse
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentNCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentOllie Whitehouse
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowTerra Verde
 
Recent developments and future challenges in privacy
Recent developments and future challenges in privacyRecent developments and future challenges in privacy
Recent developments and future challenges in privacyPECB
 
Enterprise Security and the Waves of Disruption: It’s Surf or Sink
Enterprise Security and the Waves of Disruption: It’s Surf or SinkEnterprise Security and the Waves of Disruption: It’s Surf or Sink
Enterprise Security and the Waves of Disruption: It’s Surf or Sinkbstiekes
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Ahmed Al Enizi
 
Astrit Mulla Resume
Astrit Mulla ResumeAstrit Mulla Resume
Astrit Mulla ResumeAstrit Mulla
 
Anton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data CentralizationAnton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data CentralizationAnton Chuvakin
 
Middleware Audits And Remediation For Pci Compliance
Middleware Audits And Remediation For Pci ComplianceMiddleware Audits And Remediation For Pci Compliance
Middleware Audits And Remediation For Pci Compliancemjschreck
 
Pci dss intro v2
Pci dss intro v2Pci dss intro v2
Pci dss intro v2Torstein Hansen
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantOlivia Grey
 
Verderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCIVerderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCIBen Rothke
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...West Monroe Partners
 
Review of Considerations for Mobile Device based Secure Access to Financial S...
Review of Considerations for Mobile Device based Secure Access to Financial S...Review of Considerations for Mobile Device based Secure Access to Financial S...
Review of Considerations for Mobile Device based Secure Access to Financial S...Eswar Publications
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinPCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinAnton Chuvakin
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!CASCouncil
 
Craig James Presentation - Back to Normal #nMBPortDouglas
Craig James Presentation - Back to Normal #nMBPortDouglasCraig James Presentation - Back to Normal #nMBPortDouglas
Craig James Presentation - Back to Normal #nMBPortDouglasSandra Pigram
 

More Related Content

What's hot

NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesOllie Whitehouse
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentNCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentOllie Whitehouse
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowTerra Verde
 
Recent developments and future challenges in privacy
Recent developments and future challenges in privacyRecent developments and future challenges in privacy
Recent developments and future challenges in privacyPECB
 
Enterprise Security and the Waves of Disruption: It’s Surf or Sink
Enterprise Security and the Waves of Disruption: It’s Surf or SinkEnterprise Security and the Waves of Disruption: It’s Surf or Sink
Enterprise Security and the Waves of Disruption: It’s Surf or Sinkbstiekes
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Ahmed Al Enizi
 
Astrit Mulla Resume
Astrit Mulla ResumeAstrit Mulla Resume
Astrit Mulla ResumeAstrit Mulla
 
Anton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data CentralizationAnton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data CentralizationAnton Chuvakin
 
Middleware Audits And Remediation For Pci Compliance
Middleware Audits And Remediation For Pci ComplianceMiddleware Audits And Remediation For Pci Compliance
Middleware Audits And Remediation For Pci Compliancemjschreck
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantOlivia Grey
 
Verderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCIVerderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCIBen Rothke
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...West Monroe Partners
 
Review of Considerations for Mobile Device based Secure Access to Financial S...
Review of Considerations for Mobile Device based Secure Access to Financial S...Review of Considerations for Mobile Device based Secure Access to Financial S...
Review of Considerations for Mobile Device based Secure Access to Financial S...Eswar Publications
 
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinPCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinAnton Chuvakin
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 

What's hot (20)

NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory Services
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentNCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat Assessment
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
 
Recent developments and future challenges in privacy
Recent developments and future challenges in privacyRecent developments and future challenges in privacy
Recent developments and future challenges in privacy
 
Enterprise Security and the Waves of Disruption: It’s Surf or Sink
Enterprise Security and the Waves of Disruption: It’s Surf or SinkEnterprise Security and the Waves of Disruption: It’s Surf or Sink
Enterprise Security and the Waves of Disruption: It’s Surf or Sink
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
 
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
 
Astrit Mulla Resume
Astrit Mulla ResumeAstrit Mulla Resume
Astrit Mulla Resume
 
Anton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data CentralizationAnton Chuvakin on Security Data Centralization
Anton Chuvakin on Security Data Centralization
 
Middleware Audits And Remediation For Pci Compliance
Middleware Audits And Remediation For Pci ComplianceMiddleware Audits And Remediation For Pci Compliance
Middleware Audits And Remediation For Pci Compliance
 
Pci dss intro v2
Pci dss intro v2Pci dss intro v2
Pci dss intro v2
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
 
Verderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCIVerderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCI
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
 
Review of Considerations for Mobile Device based Secure Access to Financial S...
Review of Considerations for Mobile Device based Secure Access to Financial S...Review of Considerations for Mobile Device based Secure Access to Financial S...
Review of Considerations for Mobile Device based Secure Access to Financial S...
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinPCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 

Viewers also liked

Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!CASCouncil
 
Craig James Presentation - Back to Normal #nMBPortDouglas
Craig James Presentation - Back to Normal #nMBPortDouglasCraig James Presentation - Back to Normal #nMBPortDouglas
Craig James Presentation - Back to Normal #nMBPortDouglasSandra Pigram
 
Social Media to grow your business - for Mortgage Brokers
Social Media to grow your business - for Mortgage BrokersSocial Media to grow your business - for Mortgage Brokers
Social Media to grow your business - for Mortgage BrokersSandra Pigram
 
State of the Web
State of the WebState of the Web
State of the WebCASCouncil
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebCASCouncil
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 

Viewers also liked (7)

Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!
 
Craig James Presentation - Back to Normal #nMBPortDouglas
Craig James Presentation - Back to Normal #nMBPortDouglasCraig James Presentation - Back to Normal #nMBPortDouglas
Craig James Presentation - Back to Normal #nMBPortDouglas
 
Final project
Final projectFinal project
Final project
 
Social Media to grow your business - for Mortgage Brokers
Social Media to grow your business - for Mortgage BrokersSocial Media to grow your business - for Mortgage Brokers
Social Media to grow your business - for Mortgage Brokers
 
State of the Web
State of the WebState of the Web
State of the Web
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
 

Similar to CAs and SSL Security Improvements Discuss New Proposals Like CT, CAA and Pinning

Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebCASCouncil
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of OpportunityCASCouncil
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDEryk Budi Pratama
 
PLNOG14: Firewalls In Modern Data Centers - Piotr Wojciechowski
PLNOG14: Firewalls In Modern Data Centers - Piotr WojciechowskiPLNOG14: Firewalls In Modern Data Centers - Piotr Wojciechowski
PLNOG14: Firewalls In Modern Data Centers - Piotr WojciechowskiPROIDEA
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 
The Future of Secure Digital Transactions: QTMaaS
The Future of Secure Digital Transactions: QTMaaSThe Future of Secure Digital Transactions: QTMaaS
The Future of Secure Digital Transactions: QTMaaSSteve Downer
 
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?CA Technologies
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deckRichard (Dick) Kaufman
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and SecurityTony Perez
 
WHDusa 2017: Bridging the Divide between Human Behavior & Security
WHDusa 2017: Bridging the Divide between Human Behavior & SecurityWHDusa 2017: Bridging the Divide between Human Behavior & Security
WHDusa 2017: Bridging the Divide between Human Behavior & SecuritySucuri
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebCASCouncil
 
How to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackHow to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackThousandEyes
 
How to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackHow to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackThousandEyes
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...John Baines
 

Similar to CAs and SSL Security Improvements Discuss New Proposals Like CT, CAA and Pinning (20)

Tech t18
Tech t18Tech t18
Tech t18
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure Web
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
CyberSecurity Update Slides
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
 
PLNOG14: Firewalls In Modern Data Centers - Piotr Wojciechowski
PLNOG14: Firewalls In Modern Data Centers - Piotr WojciechowskiPLNOG14: Firewalls In Modern Data Centers - Piotr Wojciechowski
PLNOG14: Firewalls In Modern Data Centers - Piotr Wojciechowski
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
The Future of Secure Digital Transactions: QTMaaS
The Future of Secure Digital Transactions: QTMaaSThe Future of Secure Digital Transactions: QTMaaS
The Future of Secure Digital Transactions: QTMaaS
 
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security
 
WHDusa 2017: Bridging the Divide between Human Behavior & Security
WHDusa 2017: Bridging the Divide between Human Behavior & SecurityWHDusa 2017: Bridging the Divide between Human Behavior & Security
WHDusa 2017: Bridging the Divide between Human Behavior & Security
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
 
How to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackHow to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT Stack
 
How to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackHow to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT Stack
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
 

More from CASCouncil

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?CASCouncil
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowCASCouncil
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor RollCASCouncil
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CASCouncil
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumCASCouncil
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds TrustCASCouncil
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements CASCouncil
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesCASCouncil
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self RegulationCASCouncil
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI CASCouncil
 

More from CASCouncil (15)

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to know
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory Processes
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 

CAs and SSL Security Improvements Discuss New Proposals Like CT, CAA and Pinning

  • 1. sales@digicert.com www.digicert.com +1 (801) 877-2100 CAs and the New Paradigm ICANN 47 ccNSO Tech Day Dan Timpson
  • 2. July 15, 2013 ► Problem: ► Harm: ► Response: Looking Back (2011) Hacking/complete compromise of CA system over many months; cert issuance logs erased (no record); 531 or more fake certs issued Potentially great (many OCSP checks from Iran). Hacking claims by “Iranian hacker” never verified Some certs revoked by CA (no complete list). DigiNotar roots became “untrusted” by browsers; CA went out of business
  • 3. July 15, 2013 ► The state of SSL is stronger than ever and continues to incrementally improve. ► Ongoing Industry Improvements – CA/B Forum Enhanced BR's & Networking guidelines – Improved customer – CAs proactively responding to emerging threats ► Forward looking: Good IETF proposals are on the table – Certificate Transparency (CT) – Certificate Authority Authorization (CAA) – Public Key Pinning Discussion
  • 4. July 15, 2013 ► CA's, browsers and industry groups are constantly improving standards (Self Regulated) – Mozilla/Microsoft root program requirements – CA/Browser Forum (2005 to date) – raised the bar: ● EV Guidelines revamped (2012), ● Baseline Requirements updated (2013) ● *New - Network and Security Controls (2013) – *New - CA Security Council www.casecurity.org – WebTrust, ETSI audit requirements (2000 - date) – Online Trust Alliance (OTA) encourages CA Best Practices ► CA's are continuously improving security, processes and responding quickly to issues as they surface (ex. gTLD's) Industry - Raising the Bar
  • 5. July 15, 2013 Relatively few CA security issues over 15 years... ► Certs issued worldwide: 2,000,000 per year ► Bad certs issued: maybe 1,000 over 11 years (~91 bad certs per year) – mostly single incident (DigiNotar) – Most breaches resulted in no tangible harm and were remediated quickly ► Accuracy ratio for certs issued each year: 99.995% (Error rate 0.005%) - US Passport Office and state Departments of Motor Vehicles are NOT this accurate ► Significant harm from bad certs? Only likely in DigiNotar case (actual harm unknown) ► The state of SSL is stronger today as result of industry responses Putting it in Perspective
  • 6. July 15, 2013 ► Effective 1/12013 (CA/B) – New networking Requirements – Protection of networks and supporting systems Zoning, air gapping critical systems etc. – Implementation of trusted roles and system accounts – Vulnerability and patch management ● Includes penetration testing – Logging, Monitoring and Alerting Networking Requirements
  • 7. July 15, 2013 ► Goal: Prevent misissued certificates by ensuring they are not issued without domain owner's knowledge. ► CT provides publicly published logs to audit issued certificates. ► Anyone can see what CAs are asserting about your organization. Certificate Transparency (CT)
  • 8. July 15, 2013 ► Is based on existing technologies that are easily supported with industry coordination ► Internal CAs are not impacted: internal certificates do not need to be logged ► Internal hostnames in public certificates don't need to be logged - clients can be configured with a list of internal domains or intermediate CAs can be name constrained Certificate Transparency
  • 9. July 15, 2013 ► Enhances the current CA infrastructure rather than replacing it. ► Doesn't require any actions by sites in the vast majority of cases. Certificate Transparency ► Requires all CAs to be updated. ► Deployment will take many years. ► Public records require vigilance to be useful. Pros Cons
  • 10. July 15, 2013 ► Certification Authority Authorization (CAA) – IETF RFC 6844 drafted by Comodo – Mechanism for preventing and detecting misissued certificates from CAs ► Mechanism – Based on DNS resource record that lists CAs authorized to issue certs for a domain – PRIOR to issuing a certificate, CA checks for a CAA record to ensure CA is allowed to issue cert for that domain Certification Authority Authorization
  • 11. July 15, 2013 ► Context and Key Points – Benefit in that it’s a verification to see whether a CA should be associated with a cert for a specific domain – This is a “preventative” approach to issuing rogue certs without replacing current system – CAA record doesn’t say which key must be in the end- entity cert – entry is at the CA level – Supports wildcard certs – More than one CA may be specified for each DNS record – CABF is starting discussions on CAA for potential usage by CAs Certification Authority Authorization
  • 12. July 15, 2013 ► Good complement to existing ecosystem to prevent and detect mis-issuance from CAs ► Low barrier for deployment for CAs – CAs need to check CAA record ► Does not require big-bang adoption – can be phased per CA and per certificate customer ► Raises the bar on CA security – bad actor must be able to attack DNS or suppress CA’s CAA check Certification Authority Authorization Pros
  • 13. July 15, 2013 ► DNSSEC is recommended but not required, opening up potential for DNS record manipulation ► CA and customer opt-in nature makes CAA non- deterministic ► Potential perception of CAA being a mechanism for CAs to “lock in” customers Certification Authority Authorization Cons
  • 14. July 15, 2013 ► Client (browser) tracks what certs are used by a website – Can be preloaded into browser – Alternatively, Web server can make an assertion in the HTTP Header about what certificate(s) it must use ► Generate an alert or block the connection if a different cert is used ► Two current IETF drafts: – Trust Assertions for Certificate Keys – Public Key Pinning Extension for HTTP Public Key Pinning
  • 15. July 15, 2013 ► Reduces attack surface for a given site from approx. 65 roots (and potentially hundreds of intermediates) down to 1-2 ► Proven value in detecting compromise – Would've detected DigiNotar problems ► Enhances existing ecosystem ► Doesn't suffer from CAA's potential "lock in" perception Public Key Pinning Pros
  • 16. July 15, 2013 ► Trust on First Use – doesn’t protect initial connection ► Doesn’t protect against key compromise ► Creates operational challenges with key exchanges ► May be best as a reporting mechanism – Long deployment horizon – Impact of false positives in "hard fail" mode Public Key Pinning Cons
  • 17. July 15, 2013 ► Where do these proposals go from here? ► Which proposals get adopted (CT, CAA, Pinning) – and in which form(s) – is yet to be decided and groups will continue good research ► Incremental improvements will progress – Continue to monitor emerging security threats – Improving WHOIS – CA's must be informed of ownership changes – Impact of gTLD MITM ► SSL will improve. Systems that retain the improvements made by CA's as the knowledgeable trust anchors will advance internet security most effectively. Endgame
  • 18. July 15, 2013 ► More research and multi-stakeholder collaboration is needed with ICANN community. ► CA's are interested in improving the landscape and DigiCert is taking a lead role, especially with CT. ► Many smart people are working on these issues, and the future looks good. Next Steps
  • 19. July 15, 2013 ► Resources – CA/B - Baseline Requirements for the Issuance of Publicly Trusted Certs – CA/B - Network and Certificate System Requirements – CA/B - Letter to ICANN - Security Implications of New gTLD's – Mozilla - CA Certificate Policy v2.1 – Microsoft - Root Certificate Program – Online Trust Alliance - CA Best Practices – CA Security Council – WebTrust - Audit Criteria for CAs ► Open Proposals – Certificate Transparency Overview (CT) – Certificate Transparency (CT) - rfc6962 – Certificate Authority Authorization (CAA) - rfc6844 – Public Key Pinning - IETF Draft More Info