CA/B Forum and Industry Update. Dean Coclin Sr. Director of Business Development Chair CA/B Forum

Size: px

Start display at page:

Download "CA/B Forum and Industry Update. Dean Coclin Sr. Director of Business Development Chair CA/B Forum"

Marcia Wilkins
5 years ago
Views:

1 CA/B Forum and Industry Update Dean Coclin Sr. Director of Business Development Chair CA/B Forum

5 Browsers will warn users of non-https connections Chrome plans to warn users when pages are insecure (non-https) Type chrome://flags and select: Mark nonsecure origins as non-secure to test behavior 5

6 Firefox warnings When passwords are requested over http:

7 Chrome to Present Similar Warnings Symantec Corporation 7

8 US Government moving to all https See: pulse.cio.gov Out of 1166 domains!

9 Powerful features only on https 1. Geolocation (Chrome 50) 2. Device Motion/Orientation 3. Fullscreen 4. getusermedia (Camera/Mic) 5. Encrypted Media Extension (DRM) See:

10 http2 over https only Chrome, Firefox, IE, Edge, Safari, Opera Significantly faster!

11 Improved referrer data http Website Operator: Where did that guy come from? Source (https): Sorry I can t tell you because you are not using https MORAL: Use https for your own site and improve your referrer data!

12 Google giveth SMTP TLS Connection GUI in gmail No encryption According to Netcraft, 82% of mail servers don t have a publicly trusted SSL cert yet Use publicly trusted certs for mail servers With encryption certificate

13 And google taketh away Potential removal of EV treatment in Chrome Claim: users don t understand and can t differentiate Not imminent as it currently is the stick to force CAs to use CT for EV

14 https is coming to a domain near you Google Blogspot Google Analytics Reddit Wikimedia.gov Wordpress yell.com Bitly (for URL shorteners) Shopify

17 Industry Stats +65% growth from Aug 2015 August 2016: 5.97M certs DV OV EV 76.1% 21% 3.1%

18 Top Million Busiest Sites All Certificates EV, 3% Top Million EV, 16% OV, 21% DV, 47% DV, 76% OV, 37% DV OV EV DV OV EV Source: Netcraft Data May 2016

19 Market Share Top Million 40% Top Million Netcraft Sites 35% 30% 25% 20% 15% 10% 5% 0% Symantec Comodo GoDaddy Digicert Globalsign Entrust Startcom Let's Encrypt Other Market Share - Top Million

20 Number of certificates Certificates Switching to Let s Encrypt 1,600 1,400 1,200 1, Comodo StartCom Symantec GoDaddy WoSign GlobalSign Other DigiCert QuoVadis Unizeto Network Solutions Source of gained certificates Trustwave Entrust.net TAIWAN-CA 2016 Symantec Corporation 20

21 Dean s Predictions Certificate usage will continue to grow 6.5 to 7.5M in 12 months Fueled by https initiatives (search ranks, powerful features, negative browser UI) SNI servers will show increased growth SHA-1 usage will decline dramatically (and so will XP!) Phishing using DV certs will continue to increase Chrome will be on the bleeding edge of changes and enforcements IPv6 will finally be adopted for CRL and OCSP lookups

Comodo certs issued by Cloudflare Symantec, 6% Let's Encrypt, 10%

23 Phishing certs found by Netcraft (August 2016) STRATO AG, 1% SSL.com, 1%, Starrtcom, 2% WoSign, 5% Amazon, 0%, Globalsign, 4%, 35% of Comodo certs issued by Cloudflare Symantec, 6% Let's Encrypt, 10% Comodo, 61% GoDaddy, 9%,

24 Recent phishing example sites Let s Encrypt paypal-4updates.com icloud-unlock.pl icloud-lostapple.info restore-amazon.com intl-paypal.hotchat.online Comodo net-flix.one amazom.ml paypal-security.center p.aypal.info safe-payment.online pypal-account-information.info Copyright 2014 Symantec Corporation 24

25 Summary DV: Easy to get by legitimate users and cybercriminals Phishers getting more adept at creating look-alike domains xn 80aj7b8a.com еьау.com xn secure-ank-yzi.com secure-ьank.com ltunes.com paypl.com ww.vv-paypal.com icl0ud.ru.com Ecosystem partners must work together

27 What do you know about the CA/B Forum? TRUE OR FALSE: Anyone can join the CA/B Forum as a voting member The Forum s latest member is from the Ukraine Firefox supports short lived certificates Code Signing Requirements will go into effect next year A working group was formed to change the governance of the forum A ballot to report mis-issued certificates failed 27

Change Working Group formed F2F meetings held in Istanbul, Scottsdale, Bilbao Upcoming meetings in

28 CAB Forum: What s new since last year? New members: Amazon, Let s Encrypt, ComSign, GDCA Members suspended: Visa Governance Change Working Group formed F2F meetings held in Istanbul, Scottsdale, Bilbao Upcoming meetings in Redmond, Cupertino (2017), Berlin (2017) Failed Ballots in 2015: Certificate Mis-Issuance All publicly trusted CAs, whether members of CABF or not, must adhere to guidelines! 28

29 Current Topics Code Signing Working Group: Baseline Requirements BALLOT FAILED! BUT: Microsoft adopts BRs as of Feb 1, 2017 Certificate Mis-issuance, Short Lived Certificates BALLOTS FAILED! Governance Change: Other types of certificates SHA-1 for payment processors EV Wildcards 29

31 Thank you! Dean Coclin Copyright 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements

Chair of Network Architectures and Services Department of Informatics Technical University of Munich In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements