PowerPoint Template - tldcon-2015
TLS: history
• SSLv2 deprecated (RFC 6176)
• SSLv3 deprecated (RFC 7568)
• TLS 1.0 – RFC 2246 (1999)
• TLS 1.1 – RFC 4346 (2006)
• TLS 1.2 – RFC 5246 (2008)
Source: https://www.trustworthyinternet.org/ssl-pulse/
New solutions
Elliptic curves
Edwards curves
Perfect Forward Secrecy
ChaCha20
Poly1305
Certificate transparency
Encrypt everything!
Share of encrypted traffic grows
New protocols require encryption
Hosting provides TLS by default (Universal SSL)
DNS is the last unencrypted protocol (RFC 7626)
Overall statistics
[Chart, June 2015 vs. July 2015. Series: IP addresses; Unique certificates; Unique valid certificates; Self-signed certificates. Axis: 0 to 140 000.]
.RU statistics
[Chart: .RU with any certificate. June: 509020; July: 512064.]
[Pie charts, June and July. Segments as listed on the slide: .RU with valid matching certificate; .RU with valid non-matching certificate; .RU with other certificate.]
June: 31023 (6%), 454413 (89%), 23584 (5%)
July: 34228 (7%), 452253 (88%), 25583 (5%)
.RU statistics
[Chart, June vs. July. Series as listed on the slide: Unique valid certificates, ECDSA; Unique valid certificates, RSA; Unique self-signed certificates. Axis: 0 to 60000.]
Data labels (June, July): 25771, 25683; 18928, 20406; 7483, 7801
Some details
All EC certificates are from Cloudflare
~50% of certs are free or bundle
~400 EV certificates at 2nd level, more at 3rd level
>90% RSA certs 2048 bits
<10 has 1024 bits
Conclusions
Practice in Russia matches recommendations
We will improve the statistics
• MX, ciphersuites,…
We can analyze our zones for threats