SSL Overview for Resellers

Transcription

1 Web Security Enterprise Security Identity Verification Services Signing Services SSL Overview for Resellers

2 What We ll Cover Understanding SSL SSL Handshake 101 Market Opportunity for SSL Obtaining an SSL Certificate

3 Web Security Enterprise Security Identity Verification Services Signing Services Understanding SSL

4 Secure Sockets Layer (SSL) Protocol that has become the industry standard for securing data transmissions on the Internet Provides a secure channel in two ways: Authenticates the Web server to the client Encrypts all the data being sent 4 Key components to enable SSL Digital Certificate Public/Private Key Pair Session Key Certificate Authority (CA) SSL is established using the SSL handshake Server authentication and session key creation take place

5 Secure Sockets Layer (SSL) Largely invisible to application https URLs specifies HTTP over SSL Connects to port 443 instead of 80 Identical in all other respects to HTTP All https data is sent via SSL Even the requested URL is encrypted SSL interacts poorly with virtual hosts that have 1 IP for multiple domains SSL connection is established before any HTTP data is transmitted SSL handshake down without the guidance of the Host header Web server doesn t know which certificate to present Must set up each domain with a unique IP address Does not need to be routable IP (called aliases) Web server uses the alias to determine which certificate to present

6 Digital Certificates Electronic passports that handle the passing of the keys to: Authenticate the Web server Encrypt/Decrypt the data passed Standard format for all digital certificates is X.509 V3 Helps define the fields contained in the certificate Main components of a certificate include: Web server s public key Fully qualified domain name the certificate was issued to Name of the holder of the key CA s digital signature Validity period

7 Digital Certificates (cont.) Key Components of an SSL certificate The domain the certificate was issued to Which certificate authority issued the certificate The validity period of the certificate

8 Digital Certificates (cont.) Key Components of an SSL certificate Digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real

9 Public/Private Keys Created when the Certificate Signing Request (CSR) is generated CSR is an unsigned certificate which is submitted to the CA In SSL they are used to authenticate the identity of the Web server and encrypt and decrypt the session key Private key is kept secret (and very secure) and stays on the Web server Public key is part of the digital certificate and is available to all Public key must be matched to the corresponding private key for a digital certificate to work

10 Session Key Created by the browser during the SSL handshake Sent to the server via an encrypted message using the server s public key Used to encrypt and decrypt information exchanged during the SSL session Randomly generated and changes each time 128 bit is the standard length for the key (though some browsers have started to move towards 256-bit)

11 Certificate Authority Trusted organization that: Accepts SSL certificate applications from entities Authenticates those applications WebTrust compliant Follow steps and procedures outlined in CPS Issues certificates Maintains status information about the certificates Validity period, Certificate Revocation Lists, etc Invest in the technologies and resources to support SSL certificates and assure their certificates are trusted by Web browsers

12 Web Security Enterprise Security Identity Verification Services Signing Services SSL Handshake 101

13 User has a standard browser SSL - setting up the session SSL Provides: Server Authentication, Data Encryption and Message Integrity Firewall Web Server Website has a X.509 Certificate Signed by a trusted 3 rd party:

14 SSL - setting up the session Web Server Firewall User enters website URL Browser sends URL to www

15 SSL - setting up the session Web Server Firewall Server certificate is sent to browser

16 SSL - setting up the session Web Server Firewall Serial Number: 6cb0dad0137a5fa79888f Validity: Nov.08,2004 Nov.08,2004 Subject / Name / Organization Locality = Internet Organization = GeoTrust, Inc. Organizational Unit = GeoTrust Class 2 CA - Individual Subscriber Public Key: Status: Valid ie86502hhd009dkias736ed55ewfgk 98dszbcvcqm85k309nviidywtoofk kr2834kl Signed By: GeoTrust, Inc.: kdiowurei495729hshsg0925h309afh we09721h akndnxnzkjoaio eru y5 Certificate Includes Server s Public Key

17 SSL - setting up the session Web Server The browser generates a symmetric key of specified strength This will be the session key Firewall

18 SSL - setting up the session Web Server The browser encrypts the session key with the webserver s public key (found in the certificate) Firewall

19 SSL - setting up the session Web Server The browser sends the encrypted session key to the webserver Firewall

20 SSL - setting up the session Web Server Firewall The webserver decrypts encrypted session key with its private key

21 SSL - setting up the session Web Server The secret key has now been shared Firewall The encrypted session is now established

22 How the SSL Handshake Works A browser requests a secure page ( The Web server sends its public key with its certificate The browser authenticates the server by checking the: 1. Is today's date within the validity period 2. Is the issuing CA a trusted CA 3. Does the issuing CA's public key validate the issuer's digital signature 4. Does the domain name in the server's certificate match the domain name of the server itself The browser then uses the server s public key to encrypt a random session key and sends it to the server with the encrypted data on the Web page

23 How the SSL Handshake Works The web server decrypts the session key using its private key and uses the session key to decrypt the data from the Web page The web server sends back the requested Web page data encrypted with the session key The browser decrypts the Web page data using the session key and displays the information

24 SSL Enabled Browsers initiate SSL sessions when they connect to a Web server over Gold lock icon located in the lower right hand corner contains the certificate details and lets Web site users know the site is secure When a browser connects to a site that uses SSL the URL switches to Lock symbol means site is secure and encryption is enabled.

25 Web Security Enterprise Security Identity Verification Services Signing Services Market Opportunity for SSL

26 SSL Market Data Over *60M active domains Approximately 850,000 active digital certificates About 1.4% of the 51m domains have an active digital certificate 25% annualized growth in number of active certificates over the last 12 months Expected growth over the next year is greater than 30% *Source:

27 Applications of SSL Secure browser to Web server communications when collecting financial and personal data ecommerce sites Banking applications User/Member login pages Sign-up pages VPN access Web access to Sensitive business information (business partners, remote offices) Secure server to server communications to improve data and network security FTP sites Database and application servers Communication between servers

28 Value of SSL Certificates Information on the Internet is vulnerable to many threats Spoofing/phishing Eavesdropping Data alteration SSL certificates safeguard against these threats by providing: Confidentiality to keep data secret from unintended listeners Authentication to identify with whom you are dealing End-to-end message integrity to ensure the information has not been altered during transmission

29 Online Fraud A Growing (and costly) Threat Source: April 2006

30 Other SSL Market Influencers Significantly increased Web usage and market and consumer awareness of SSL Technological enhancements have made dedicated servers and SSL more affordable

31 Web Security Enterprise Security Identity Verification Services Signing Services Obtaining an SSL Certificate

32 Setting Up SSL 5 step process to get a certificate: 1. Company generates the CSR (public/private key pair and certificate) on the Web server 2. Company submits the CSR and other order information to CA through some type of online enrollment process 3. CA authenticates the Web server/and or Company and verifies that the requestor is authorized to order a certificate for that domain 4. CA signs the certificate (adding their trust to it for browser recognition) and issues the certificate to the requestor 5. Company installs the certificate on the Web server

33 Self-Signed Certificates Companies generate their own certificates by setting up their own certificate authority Extra efforts and resources needed to administer and manage certificates Large up front costs (additional hardware, software, etc..) Not automatically recognized by a user s browser User asked if they want to accept the certificate and secure connection Not recommended for production

34 Self-Signed Certificates

35 Trusted Certification Authority Browser automatically recognizes the certificate and allows a secure connection High ubiquity: root already present in all popular Web browsers CA guarantees either the identity of the Web server or organization Long-term stability WebTrust compliant Practices and controls audited yearly for compliance WebTrust seal displayed on site

36 Dedicated SSL vs. Shared SSL One single fully qualified domain name per certificate More credibility with the customer - Customer won t experience a domain name change in middle of shopping experience (i.e. go from to or if the wildcard method is used) Reduces Risk of low-customer confidence Same user experience as phishing Consumers are more likely to purchase from a site that uses a dedicated SSL certificate Own the certificate and can transfer it with them Display site seal with information specific to your domain No extra hardware or software to install Low cost and easy to manage

37 Web Security Enterprise Security Identity Verification Services Signing Services Questions