Deprecation of certificates for internal needs


Deprecation of certificates for internal needs (21/02/2019)

WHY?

Not directly linked to the launch of the new domain name extensions! The decision was made in June 2012 by the CA/B Forum.
Main reason: a security issue.
Short version => Local domains are not unique, unlike public domains or public IPs, so they cannot be vetted by CAs. In addition, the launch of new gTLDs can create collisions between a local domain and a public domain.

WHAT IS PUBLIC, WHAT IS PRIVATE?

https://ssl247.co.uk <<< Public domain name (aka FQDN)
https://ssl247.lan <<< Private domain name (aka local domain)
88.208.246.30 <<< Public IP address
192.168.0.1 <<< Private IP address (aka reserved / local IP)
prod-cft-1 <<< Machine name (always private)

Reserved IP address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

/!\ There are exceptions. If in any doubt, consult this page: http://en.wikipedia.org/wiki/Reserved_IP_addresses#Reserved_IPv4_addresses

Long version => 2 examples

1. Let's say Barclays has deployed an internal mail system at the address https://mail/
The system is not reachable from the public Internet, only on the local corporate network or over the VPN.
The name "mail" is not unique, so anyone can potentially obtain a certificate that validates for https://mail/
If you bring such a certificate into Barclays' network, it can be used in combination with local name spoofing* to perfectly impersonate the real corporate mail server and steal users' credentials and other confidential information.
(Diagram: the employee's computer asks the nameserver's cache database for https://mail/ and is sent to the hacker's server instead of the legitimate server.)

*DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address and diverting traffic to another computer (often the attacker's).

2. Let's say Barclays has deployed an internal mail system at the address https://webmail.barclays.corp on a local server.
ICANN decides to launch .corp as a new extension.
A hacker registers the domain Barclays.corp and has a DV certificate issued to secure it. The hacker perfectly impersonates the real corporate mail server and uses DNS cache poisoning attacks to redirect people to the hacker's server.
(Diagram: the employee's laptop asks to see https://webmail.barclays.corp and is directed to the hacker's server instead of the local server.)
The attacker might not even need to be on the corporate network to mount a successful attack. If a user connects their corporate laptop to a public WiFi network, the mail client might automatically attempt to connect to "https://mail/" or "https://webmail.barclays.corp" before a VPN connection is established. If an attacker has anticipated this, again, a perfect impersonation can be made.

WHAT?

All our CAs will respect the deprecation.

To be deprecated:
Local domains (e.g. https://ssl247.lan)
Local IPs (e.g. 192.168.0.1)
Server names (e.g. prod-cft-1)

Not deprecated:
Public domain names (e.g. https://ssl247.co.uk)
Public IPs (e.g. 88.208.246.30)
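The public/private rules from the two slides above, written up as an added example (not part of the original deck): a small classifier that sorts each name or IP in a certificate request into the categories the slides use, so a reviewer can spot the entries a CA will refuse. It assumes the three reserved IPv4 ranges listed on the slide, and a constructed, illustrative list of non-public suffixes (.lan, .local, .corp, .internal, .localhost), not the real IANA root zone; .corp is treated as private here even though the slide warns it could one day collide with a public gTLD.

```python
import ipaddress

# RFC 1918 ranges exactly as listed on the slide
RESERVED_V4 = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a short illustrative set of suffixes that are not delegated
# public TLDs. The authoritative answer would come from the IANA root zone.
INTERNAL_SUFFIXES = {"lan", "local", "corp", "internal", "localhost"}


def host_from(entry: str) -> str:
    """Reduce a slide-style entry (URL, host:port, bare name or IP) to its host."""
    entry = entry.strip().lower()
    if "://" in entry:                      # drop the scheme, e.g. https://
        entry = entry.split("://", 1)[1]
    entry = entry.split("/", 1)[0]          # drop any path
    if entry.count(":") == 1:               # drop a port on a hostname / IPv4
        entry = entry.split(":", 1)[0]
    return entry.rstrip(".")


def classify(entry: str) -> str:
    """Return one of: public-domain, private-domain, machine-name,
    public-ip, private-ip, following the slide's categories."""
    host = host_from(entry)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 4 and any(addr in net for net in RESERVED_V4):
            return "private-ip"
        if not addr.is_global:              # loopback, link-local, ULA, ...
            return "private-ip"
        return "public-ip"
    labels = host.split(".")
    if len(labels) == 1:                    # single label = machine name
        return "machine-name"
    if labels[-1] in INTERNAL_SUFFIXES:
        return "private-domain"
    return "public-domain"


def entries_to_be_refused(entries):
    """Entries a CA must refuse after the deprecation: everything not public."""
    return [e for e in entries if not classify(e).startswith("public")]
```

Feeding a certificate's subject and SAN list through `entries_to_be_refused` gives the names the client has to move to a public FQDN or public IP before renewal.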

WHEN?

BATTLE PLAN

MARKETING SIDE
Blog article: being translated into all languages
https://www.ssl247.co.uk/about/blog/Deprecation-of-ssl-certificates-securing-internal-domains-why-when-and-what-to-do
DotMailer campaign: being translated into all languages. To be sent on Thursday (Sept 11)
http://dmtrk.com/t/M42-2SDXD-BDC5RL8OD3/cr.aspx

SALES SIDE: CLIENTS FIRST!

Certificates expiring before 01.11.2014 <<< To contact immediately by phone (10 Symantec clients)
Certificates expiring before 01.11.2015 <<< To contact asap by phone (54 Symantec clients)
Certificates expiring before 01.10.2016 <<< To inform by phone if possible but not urgent. Reminder mid-2015 (3 Symantec clients)
Certificates expiring after 01.10.2016 <<< Inform whenever possible (0 Symantec clients)

<<< Check the Word document to get more details

DON'T FORGET SHA-2!

Any client wishing to renew SHOULD renew in SHA-2 if they can. Redirect the client to the KB for more info:
https://www.ssl247.co.uk/kb/ssl-certificates/generalinformation/what-is-sha1-sha2
https://www.ssl247.co.uk/kb/ssl-certificates/generalinformation/sha2-compatibility-browsers-os

Google plans to "force" the deprecation by displaying warning icons in future versions of Chrome. This will NOT immediately impact the website's layout, but it has to be taken into account by domain owners.

What Google is going to do to deprecate SHA-1 in the next versions of Chrome:

Chrome releases concerned:
- Release with branch point Sept 26 2014
- Chrome 40 (branch point Nov 7 2014)
- Chrome 41 (branch point Q1 2015)

Certificates concerned:
- Certificates expiring between June 1st and December 31st, 2016
- Certificates expiring after Jan 1st, 2017

Any questions?
marketing@SSL247.co.uk
+44 (0)203 69 79 391
www.SSL247.co.uk