Digital Certificates HUIT IT Security | May 24 2012
Agenda
Why are we meeting?
What have we learned?
HUIT Digital Certificates
Q&A/Demo

Introduce yourself. Everyone know me? Ask for raised hands for questions. I appreciate your patience for a few slides. This talk will pick up technospeak and jargon as we move along, but I will try to keep it approachable for everyone.
Why?
When we last spoke in September 2011, we discussed specific best practices and hardening tips for web servers. That presentation was motivated by recent incidents, at least one of which was front-page news.
Why? To restate the problem:
The web continues to be the de facto platform for content delivery, sometimes insecurely. Web applications are now a dominant focus for attackers.
Insecure delivery: Firesheep, mobile clients
Confidential information: e-commerce, mail/OWA, calendaring, administrative applications and more
High-risk information: wonderful and scary acronyms like FERPA, PCI, HIPAA, IDM, HRCI
What have we learned? Mandating SSL/TLS is not enough
SSL/TLS support is "necessary but not sufficient." A range of problems exist:
Self-signing (spoofing)
Best practices and procedures
Notification and alerting
Now widely adopted
Financial incentive to use wildcards
Several new uses for SSL
Necessity for the intermediate certificate
A range of registrars in use, some insecure (I'll eat my words later)
Cipher length and renegotiation/downgrading
Certificate key length (2048, people)
Certificate enabled but not enforced (EFF SSL anywhere)

Not all SSL is created equal. SSL has continued to evolve over time:
-- 1996: SSL version 3.0
-- 1999: TLS 1.0 (aka SSL 3.1)
-- 2006: TLS 1.1 (aka SSL 3.2)
-- 2008: TLS 1.2 (aka SSL 3.3)
BEAST targeted an older revision of SSL. SSL 2.0 is insecure and should not be supported (Microsoft).
You can check your SSL implementation at https://www.ssllabs.com/ssldb/index.html
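As an added illustration that is not part of the talk, the following Python audit reads Apache virtual-host configuration text and flags three of the gaps listed above: legacy SSL versions still offered, no intermediate chain file, and a plain-HTTP vhost that does not force HTTPS (certificate enabled but not enforced). The Apache directives are real; the two sample vhosts and www.example.edu are constructed, and "all" is interpreted with Apache 2.2 semantics, which is an assumption.

```python
import re
from typing import Dict

_LEGACY = {"sslv2", "sslv3"}

def legacy_ssl_disabled(protocol: str) -> bool:
    """Evaluate an Apache SSLProtocol value. 'all' is read with Apache 2.2
    semantics (it includes SSLv2 and SSLv3), so a bare 'all' fails."""
    if not protocol.strip():          # directive absent: Apache default is 'all'
        return False
    enabled = set()
    for tok in protocol.lower().split():
        if tok == "all":
            enabled |= _LEGACY | {"tlsv1", "tlsv1.1", "tlsv1.2"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return not (enabled & _LEGACY)

def _has(block: str, pattern: str) -> bool:
    return re.search(pattern, block, re.M | re.I) is not None

def audit_vhosts(conf: str) -> Dict[str, bool]:
    """Check every <VirtualHost> for the gaps the talk lists: legacy SSL
    versions offered, no intermediate chain file, HTTP not forced to HTTPS."""
    ok = {"legacy_ssl_disabled": True, "chain_file_present": True,
          "http_redirects_to_https": True}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        if _has(block, r"^\s*SSLEngine\s+on"):
            proto = re.search(r"^\s*SSLProtocol\s+(.+)$", block, re.M | re.I)
            ok["legacy_ssl_disabled"] &= legacy_ssl_disabled(proto.group(1) if proto else "")
            ok["chain_file_present"] &= _has(block, r"^\s*SSLCertificateChainFile\s")
        else:   # plain-HTTP vhost: "enabled but not enforced" unless it redirects
            ok["http_redirects_to_https"] &= _has(block, r"^\s*Redirect\b.*\shttps://")
    return ok

# Constructed sample vhosts; www.example.edu is a placeholder, not a real host.
WEAK_CONF = """<VirtualHost *:80>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>"""
HARDENED_CONF = """<VirtualHost *:80>
    Redirect permanent / https://www.example.edu/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
</VirtualHost>"""
```

Key length is not checked here because it lives in the certificate file, not the vhost text; the SSL Labs scanner linked above covers that from the outside.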
What have we learned? Fund security initiatives
I know, news to everyone here, right? Unfortunately I could give the same September presentation today. Let's try to incent good behavior. Unfunded security initiatives can and do fail. The HUIT IT Security catalog is centrally funded and available for the entire community.
The HUIT Digital Certificate Service
Certificate management: administration, provisioning, revocation, reporting

With thanks to Joe St Sauver from Internet2:
"If SSL/TLS works the way it is supposed to, it would be impossible for you to be conned into trusting an imposter's system – the imposter wouldn't have the certificate it should have, signed by a trusted CA. If users decide to trust a new random CA, however, that model can fall apart. Some machines/users are more vulnerable to getting new random untrustworthy CAs than others... In most cases, users simply blindly trust those who create and distribute browsers to ultimately decide which CAs should be considered to be 'trustworthy' by default."
Everyone know Stuxnet? Flame? DigiNotar?
The HUIT Digital Certificate Service
Certificate availability: delegation, multi-site, other uses

Other uses: we'll come back to this. Let's focus on what we can do today. Personal certs / S/MIME / code signing / SAN / EV
The HUIT Digital Certificate Service
Using this program, any domain associated with a Harvard school or institute may obtain SSL certificates for no fee. Available in June for existing NOC Portal customers. More on our iSite.
Goals and objectives:
Ensure that websites are adequately secured using accepted standards and best practices
Develop a certificate service and program capable of centralizing all University certificates
Fund a university-wide site license, removing any financial disincentive to adopt and comply with University policy and best practice

Did I say June?
Demo and Q&A
IT Security contact info
ithelp@harvard.edu
Helpdesk at x57777
Use the iSite
These slides will be on http://security.harvard.edu
Thank you.
Esmond Kane | Digital Certificates | May 24 2012