Industry Update: Movement toward https
Dean Coclin, Senior Director of Business Development, Symantec Website Security

Agenda
1 What’s new in the Industry?
2 Phishing
3 Encryption Everywhere

HTTP WILL BECOME A THING OF THE PAST

Browsers Will Warn Users of Non-https Connections
Chrome plans to warn users when pages are insecure (non-https)
Type chrome://flags and select: “Mark non-secure origins as non-secure” to test behaviour

US Government Moving to All https
Out of 1166 domains!
Source: pulse.cio.gov

Powerful Features Only on https
1. Geolocation (Chrome 50)
2. Device Motion/Orientation
3. Fullscreen
4. getUserMedia (Camera/Mic)
5. Encrypted Media Extension (DRM)
See: https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

http2 over https only
Chrome, Firefox, IE, Edge, Safari, Opera
Significantly faster!

Improved Referrer Data
• http Website Operator: “Where did that guy come from?”
• Source (https): Sorry I can’t tell you because you are not using https
• MORAL: Use https for your own site and improve your referrer data!

What does this mean?
• The site is safe?
• The site is secure?
• The site is patched up to date and has no vulnerabilities?
• I know who the site claims to be?
• The site is free of malware?
• I can trust the site?
• If I buy something, I can be sure they will deliver?

SOMEONE has control of the domain…
The data is encrypted!
But who controls the domain?

Who can request a cert for dean.example.com?
• Dean Coclin, author of the content and logical operator of the dean.example.com origin
• Example.com, provider of hosting services for Dean Coclin
• CDN Corp, a CDN that provides SSL/TLS front-end services for example.com, which does not offer them directly
• Marketing Inc, the firm responsible for designing and maintaining the website on behalf of Dean Coclin
• Payments LLC, the payment processing firm responsible for handling orders and financial details on dean.example.com
• DNS Org, the company who operates the DNS services on behalf of Dean Coclin
• Mail Corp, the organization who handles the MX records that dean.example.com responds to

WHAT SHOULD GO IN THE “O” FIELD?

What Do These Mean?
Consistent, Universal, Global, No learning curve!

Consistency Matters
http or https?

Industry Stats
+39% growth from May 2015
May 2016: 4.84M certificates
DV 76.1%, OV 21%, EV 3.1%

Top Million Busiest Sites
All Certificates: DV 76%, OV 21%, EV 3%
Top Million: DV 47%, OV 37%, EV 16%
Source: Netcraft Data May 2016

The Leader in Website Security Market Share
[Chart: Market Share - Top Million (Top Million Netcraft Sites), by CA: Symantec, Comodo, GoDaddy, Digicert, Globalsign, Entrust, Startcom, Let's Encrypt, Other]

Certificates Switching to Let’s Encrypt
[Chart: Source of gained certificates; y-axis: Number of certificates]

Dean’s Predictions
• Certificate usage will continue to grow → 6.5 to 7.5M in 12 months
  – Fueled by https initiatives and EE!
• SNI servers will show increased growth
• SHA-1 usage will decline dramatically (and so will XP!)
• Phishing using DV certs will continue to increase
• Chrome will be on the bleeding edge of changes and enforcements
• IPv6 will finally be adopted for CRL and OCSP lookups
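
The "Improved Referrer Data" slide in code, as an added example that is not part of the original deck: a simplified model of how a browser picks the Referer value for a navigation, showing why an https page tells an http site nothing. The policy names are real Referrer-Policy values; the function names and example URLs are constructed here, and "downgrade" is approximated as https to non-https.

```javascript
// Added example: simplified model of Referrer-Policy handling for navigations.
// Assumption: a "downgrade" is an https page linking to a non-https destination.

function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

// Browsers never send credentials or the fragment in a referrer.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  return originOnly ? u.origin + '/' : u.href;
}

// Returns the Referer header value, or null when the header is omitted.
function referrerFor(from, to, policy = 'no-referrer-when-downgrade') {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade': // browser default when this deck was given
      return isDowngrade(from, to) ? null : stripForReferrer(from, false);
    case 'strict-origin-when-cross-origin': // default in current browsers
      if (isDowngrade(from, to)) return null;
      return stripForReferrer(from, !sameOrigin);
    default:
      throw new Error(`policy not modelled: ${policy}`);
  }
}

// Constructed sample navigations: [source page, destination site].
const samples = [
  ['https://shop.example/cart?id=7#top', 'http://blog.example/'],  // https -> http
  ['https://shop.example/cart?id=7#top', 'https://blog.example/'], // https -> https
  ['http://news.example/story', 'http://blog.example/'],           // http -> http
];
for (const [from, to] of samples) {
  console.log(`${from} -> ${to}: Referer = ${referrerFor(from, to)}`);
}
```

Under the current default policy the https destination still receives only the origin of a cross-origin source, so the slide's moral holds for knowing which site sent the visitor, not which page.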

PDF document: 2016, "Dean Coclin - Industry Update: Movement toward https" (43 pages). Filed under: 2016 ISC Data Security Governance Forum.
Uploaded and shared by 张玉竹 on 2022-04-08 09:58:38.