
The Shortcut Guide To
Protecting Against Web Application Threats Using SSL
Dan Sullivan

The Shortcut Guide to Protecting Against Web Application Threats Using SSL  Dan Sullivan

Introduction to Realtime Publishers
by Don Jones, Series Editor

For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future.

Until then, enjoy.

Don Jones


Introduction to Realtime Publishers ........ i
Chapter 1: Combined Risk of Data Loss and Loss of Customer Trust ........ 1
  Evolving Security Landscape ........ 1
    Professionalism of Cybercrime ........ 2
      Division of Labor in Cybercrime ........ 2
      Market Forces ........ 3
      Diversification in the Cybercrime Markets ........ 3
      Growth in Cybercrime ........ 5
    Automation of Vulnerability Scanning ........ 7
    Emergence of APTs ........ 7
  Risk of Data Loss and Threats to Information Security ........ 9
    Intercepting Communications ........ 9
    Spoofing ........ 10
    Directed Attacks: APTs and Insider Abuse ........ 10
    Improperly Managed Access Controls ........ 11
  Impact of the New Security Landscape on Customer Trust ........ 11
    Well-Publicized Data Breaches and Attacks ........ 11
    Well-Publicized Cybercriminal and Hacking Organizations ........ 12
    Potential Impact to Building Trust Online with Customers ........ 13
  How Businesses Can Respond to Information Loss ........ 14
  Summary ........ 15
Chapter 2: How SSL Certificates Can Protect Online Business and Maintain Customer Trust ........ 16
  How SSL Certificates Work ........ 16
    Components of an SSL Certificate ........ 17
    Overview of How SSL Certificates Secure Communications ........ 20
    Overview of How SSL Certificates Support Authentication ........ 22
  Web Applications Without and With SSL Certificate Protection ........ 24
    Scenario 1: Web Applications Without SSL Certificate Protection ........ 24
    Scenario 2: With SSL Certificate Protection ........ 27
  Authentication and Trust ........ 28
    How Certifying Authorities Authenticate ........ 29
    Developing Trust ........ 29
  Summary ........ 30
Chapter 3: Planning, Deploying, and Maintaining SSL Certificates to Protect Against Information Loss and Build Customer Trust ........ 31
  Planning for the Use of SSL Certificates ........ 31
    Process and Asset Inventory ........ 32
      Company Web Site ........ 32
      Online Catalog ........ 33
      Customer Service Support Portal ........ 34
      Customer Feedback Application ........ 35
      Track Shipment Application ........ 35
      Product Documentation ........ 35
    Multi-Tier Applications ........ 37
    Determining the Type of SSL Certificate Required ........ 38
  Key Points About Choosing and Deploying SSL Certificates ........ 39
  Summary ........ 40

Copyright Statement
2012 Realtime Publishers. All rights reserved. This site contains materials that have
been created, developed, or commissioned by, and published with the permission of,
Realtime Publishers (the Materials) and this site and any such Materials are protected
by international copyright and trademark laws.
THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
TITLE AND NONINFRINGEMENT. The Materials are subject to change without notice
and do not represent a commitment on the part of Realtime Publishers or its web site
sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for
technical or editorial errors or omissions contained in the Materials, including without
limitation, for any direct, indirect, incidental, special, exemplary or consequential
damages whatsoever resulting from the use of any information contained in the Materials.
The Materials (including but not limited to the text, images, audio, and/or video) may not
be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any
way, in whole or in part, except that one copy may be downloaded for your personal,
noncommercial use on a single computer. In connection with such use, you may not
modify or obscure any copyright or other proprietary notice.
The Materials may contain trademarks, services marks and logos that are the property of
third parties. You are not permitted to use these trademarks, services marks or logos
without prior written consent of such third parties.
Realtime Publishers and the Realtime Publishers logo are registered in the US Patent &
Trademark Office. All other product or service names are the property of their respective
owners.
If you have any questions about these terms, or if you would like information about
licensing materials from Realtime Publishers, please contact us via email at
info@realtimepublishers.com.


[Editor's Note: This book was downloaded from Realtime Nexus, The Digital Library for IT Professionals. All leading technology books from Realtime Publishers can be found at http://nexus.realtimepublishers.com.]

Chapter 1: Combined Risk of Data Loss and Loss of Customer Trust

Businesses face an increasingly complex set of threats to their Web applications, from malware and advanced persistent threats (APTs) to disgruntled employees and unintentional data leaks. Although there is no single security measure that can prevent all threats, there are some that provide broad-based mitigation to a number of threats. The use of SSL encryption and digital certificate-based authentication is one of them.

Changes in the way we deliver services, the increasing use of mobile devices, and the adoption of cloud computing, compounded by the ever-evolving means of stealing information and compromising services, leave Web applications vulnerable to attack. SSL encryption can protect server-to-server communications, client devices, cloud resources, and other endpoints in order to help reduce the risk of data loss. A later chapter provides a step-by-step guide to assessing your needs, determining where SSL encryption and digital certificate-based authentication may be helpful, planning for the rollout of SSL to Web applications, and establishing policies and procedures to manage the full lifecycle of SSL certificates. In this chapter, we turn our attention to the combined risk of losing data and losing customer trust.
Evolving Security Landscape

Business information, from customer identity information to trade secrets, is valuable to more than just the business that controls it. Attackers and cybercriminals can exploit weaknesses in IT systems, resulting in data loss and, in some cases, public disclosure as well. Moreover, information security attacks are not limited to one or two industries, governments, or even geographic locations. In addition to direct attacks on the interests of businesses, governments, and other organizations, there are cases of malicious attacks that are more like vandalism than theft. These may have lower direct costs but can still raise concern about the trustworthiness of online resources.

The evolution of the security landscape is creating what appears to be a global, continuous, and cross-industry threat. A number of factors are contributing to the advancement of cybersecurity threats:

• The professionalism of cybercrime
• The ability for others to automatically scan potential targets for vulnerabilities
• Emergence of APTs

A complex phenomenon like cybersecurity threats has many aspects involving multiple motivations, a wide array of technologies, and many opportunities. We will examine three, assuming that they are a representative sample of the various dimensions of the problem. They are not by any means a comprehensive list of elements that contribute to the evolving security environment we face.

Professionalism of Cybercrime

Cybercrime is a business, literally. If you were an outsider looking in on the operations of the underground market for stolen credit cards and bank credentials and you did not know the illegal origins of the products for sale, it might be hard to distinguish the operations from a legitimate business. Cybercrime has characteristics one would expect in other professions and businesses, including:

• Division of labor
• Market forces
• Diversification
• Growth

The fact that cybercrime has developed these characteristics associated with free markets speaks to the persistence, professionalism, and drive for efficiency in this arena.

Division of Labor in Cybercrime

There is a full vertical industry dedicated to credit card and bank credential fraud that includes, according to the FBI, a well-defined division of labor:

• Programmers who develop Trojans and other malware to steal financial information
• Distributors who establish online marketplaces and sell stolen information
• Fraudsters who develop phishing scams and other social engineering schemes to lure victims into revealing information
• Cashiers and money mules (low-level participants who use their accounts in the money transfer process)

This division of labor is expected. The skills needed to create a Trojan are different from those needed to write a convincing phishing email. Ironically, the underground market must be based on trust that participants will not violate understood rules of exchange. Within the confines of the Internet crime marketplace, there is a need for distributors who can establish online exchanges and run them in a trustworthy manner. There is also a need to move money out of the underground market and into the business and consumer markets. This job requires a set of skills that allows one to bridge the underground and legitimate markets.

Market Forces

Prices appear to be set in the underground market similarly to the way prices are set in legitimate free markets: by supply and demand. For example, Panda Security reports on the cost of a number of different products in their report "The Cyber-Crime Black Market." Stolen credit card details will cost you between $2 and $90 (the price will vary depending on factors such as credit limit, amount of card detail available, and time since the number was stolen). Bank credentials cost between $80 and $700; the higher-priced credentials come with balance guarantees. Bank transfer and check cashing services are provided at rates from 10% to 40% of the transaction total. Those criminals that like to operate in the physical realm can purchase credit card cloners for anywhere from $200 to $1000, but a fake ATM card can cost up to $35,000.

Of course, there is competition in the underground market, so there will be innovative ways to distinguish offers based on more than price. The Panda Security report noted offers sometimes come with try-and-buy demos, bulk discounts, and even customer service and support.

Another indicator of the maturity of the market is the way prices for stolen goods are influenced by the laws of supply and demand. Too much supply will drive down prices. In the spring of 2011, the Sony PlayStation network was attacked and information from 101.6 million customers was stolen (Source: https://www.privacyrights.org/data-breach-asc?title=Sony). Sony and their customers were not the only ones concerned about this massive breach; other cybercriminals were concerned that an influx of a large number of new stolen credit cards would drive down the price for their stolen goods. The New York Times quoted Kevin Stevens, a senior researcher at Trend Micro, as reporting, "There was a lot of discussion taking place in hacker forums about the Sony data breach. Several credit card dealers are worried that the distribution of millions of credit cards would flood the market and lower prices." And a Europe-based hacker who was not further identified indicated, "We're keeping a close eye on the Sony story as it would drastically affect the resale of other cards." (Source: Nick Bilton, "How Credit Card Data Is Stolen and Sold," The New York Times, May 3, 2011). Given the dynamics of the underground cybercrime market combined with the risk of large swings in supply, it is prudent for the risk-averse cybercriminal to diversify.

Diversification in the Cybercrime Markets

Cybercriminals can diversify in the way they attack their victims and in the way they select their targets. Cybercriminals diversify the distribution of malware and infect devices around the globe. The Anti-Phishing Working Group (http://www.antiphishing.org/) reports that more than 10 million malware samples were detected in the second half of 2010. In addition, at least 10 countries have infection rates greater than 50% (see Figure 2.1).

Figure 2.1: High malware infection rates (above 50%) are seen across the globe. The United States ranked 22nd in the list with a 45.32% infection rate.

Diversification is also a factor with regard to victims. At least in the United States, there is a somewhat balanced distribution in the age of cybercrime victims, according to FBI statistics (see Figure 2.2).

Figure 2.2: Reports of Internet crime to the FBI are fairly evenly distributed across age groups, with under-20-year-olds faring the best.

Criminals are not as diverse in the industries they target; financial services and payment services are still leading targets for obvious reasons. Figure 2.3 shows the top targeted industries in the fourth quarter of 2010, according to the Anti-Phishing Working Group.

Figure 2.3: Diversity does not extend as much to the industries targeted. Financial services and payment services account for more than three-quarters of phishing scams (Source: Anti-Phishing Working Group, Phishing Activity Trends, 2nd Half 2010).

In addition to diversifying the resources used to commit cybercrime, we have witnessed a growth in the amount of cybercrime.

Growth in Cybercrime

There is little doubt that cybercrime is growing. We have already noted the increasing sophistication of underground markets, the division of labor among cybercriminals, high malware infection rates in some parts of the world, and even the effects of market forces on the criminal enterprise at large. There are also statistics that provide evidence for the increase in the number of cybercrimes. Figure 2.4, for example, shows an increasing number of cybercrimes reported per year between 2000 and 2010.
Figure 2.4: The number of Internet crime complaints filed with the US Federal Bureau of Investigation (FBI) is another indicator that cybercrime is an established, ongoing, and growing problem (Source: FBI, 2010 Internet Crime Report).

There is a growing supply of malicious software and methods for distributing malware that can be used to execute cybercrimes:

• A few years ago, Panda Security reported receiving 500 new threats per day; today they receive 63,000 new threats per day (Source: Panda Security, The Cyber-Crime Black Market).
• McAfee processed 55,000 pieces of new malware every day in 2010 (Source: http://blogs.mcafee.com/corporate/cto/global-energy-industry-hit-in-night-dragon-attacks).
• In the 15-year period from 1991 to 2006, Panda Security compiled a database of 92,000 strains of malware; in 2009, that number reached 40 million; and in 2010, the number jumped to 60 million (Source: Panda Security, The Cyber-Crime Black Market).
• Symantec has found that enterprising attackers buy ad space and use traffic distribution systems (that is, vendors that buy and sell Web traffic), avoiding the need to infect Web sites. This process has become another common method for distributing malicious code (Source: Symantec, Web-Based Malware Distribution Channels: A Look at Traffic Redistribution Systems).
• The increasing use of shortened URLs helps to mask malicious sites. In one study of malicious shortened URLs posted to social networking sites, 88% of the malicious links were clicked at least once (Source: Symantec, Taking the Shortcut to Malicious Attacks).

The extent of cybercrime and the means by which it is executed are both growing and, unfortunately, there is little in the data to suggest the trend will change in the foreseeable future. In fact, as Symantec has summarized, the threats in the past decade have become increasingly sophisticated; see "A Decade in Review: Cybercriminal Motivations behind Malware" for a timeline of major cybercrime events in the past 10 years.

Cybercrime is clearly a well-established, professional, and illegal industry. Business data, especially personal consumer data, is a highly valued target. This puts pressure on businesses to protect that data, and well-publicized data breaches can lead customers to question the protections in place around their information. This reality ultimately undermines trust in the ability of the business to perform online transactions without compromising personal information.

Automation of Vulnerability Scanning

The proliferation of cybercrime has been enabled, in part, by the emergence of a professionally run cybercrime market. Another factor in favor of cybercriminals is the availability of technology for vulnerability scanning. One can imagine the (false) sense of security you could develop by assuming that, with all the devices on the Internet, the chances an attacker would find one of my servers and detect an unpatched application or a misconfigured service are slim. This kind of reasoning fails to account for security tools that can be used to help lock down devices or to exploit them.

Automated vulnerability scanning tools can be used to discover devices, assess configurations, detect access to sensitive data, and determine whether a version of an application with a known vulnerability is running on a device. Vulnerability scanning tools are valuable to security and network professionals working on identifying and correcting weaknesses. They are equally useful to cybercriminals in identifying and exploiting weaknesses.

Cybercriminals function under similar business drivers as legitimate businesses, including the need to perform operations more efficiently and to develop business practices that allow them to scale to market demands and opportunities. Automation of repetitive tasks, such as looking for vulnerabilities in Windows and Linux servers, is one way to improve attacker productivity. Automated vulnerability scanning can be used to scan a wide range of IP addresses looking for vulnerable systems and applications, or it can be used in more targeted attacks.

Emergence of APTs

A common motif in modern heist movies is the need for strategic planning and detailed tactical moves before the theft can be accomplished. Movies about 1920s bank robberies could work with a handful of bank robbers rushing into a bank with guns and minutes later running out to the getaway car with bags full of cash. That storyline needs to be revised in order to seem realistic by today's standards. Security at modern banks, casinos, and other likely targets demands more insider knowledge of weaknesses and finesse when it comes to execution. This applies to cybercrimes as well.
Well-funded and determined attackers can use an attack structure known as an APT to breach the security of a highly valued target. APTs are characterized by:

• Targeting a single entity
• Intelligence gathering
• Multiple modes of attack
• Incremental breaches
• Exploiting humans with social engineering attacks

Malware plays a central role in APTs, but they are more than viruses. Malware can be injected into a victim's device by luring the victim to a site controlled by the attacker and convincing the victim to download a file, or by finding a weakness in perimeter defenses or a vulnerability in an application that allows malware to be injected. Chances of an antivirus program detecting the malware are reduced by the fact that malware developers can test their Trojans and other malware against antivirus software before it is deployed and craft the malware to avoid detection.

The scope of an APT can be substantial:

• In 2009, a coordinated attack using social engineering, intelligence gathering, breaches of perimeter defenses, and SQL injection attacks was used against oil, gas, and petrochemical companies. The attack targeted resources and personnel in the United States, the Netherlands, Kazakhstan, Taiwan, and Greece (Source: McAfee, Global Energy Cyberattacks: Night Dragon, Feb. 10, 2011).
• In 2010, researchers discovered a coordinated attack on business, government, and academic computers targeting politically sensitive information related to the Indian government and the Dalai Lama's office (Source: InfoWar Monitor, Shadows in the Cloud: An investigation into cyber espionage 2.0).
• In 2011, McAfee reported on Operation Shady RAT, a multi-year APT that targeted more than 70 business, government, and even nonprofit organizations (Source: McAfee, Revealed: Operation Shady RAT).

Not all APTs are broadly targeted, though. In 2011, Symantec made public its analysis of the Duqu malware, which uses pieces of the well-known Stuxnet malware that targets industrial machinery controls. Duqu is designed to gather intelligence on specific industrial targets (Source: Symantec, Duqu: The Precursor to the Next Stuxnet). Such attacks may not garner attention-grabbing headlines, but they pose significant risks to the targeted victims.

The impact of APTs can be substantial because intellectual property is often the target. Competitors who can steal bids for major contracts or product designs can negate any competitive advantage the victim may have had. Until recently, APTs have not garnered the attention of the press in the same way data leaks do. Reporting on the loss of millions of customers' personal data is relatively easy, but tracking down and explaining the details of a long-term, sophisticated cyberattack is much more difficult.
The evolution of cybercrime has reached a point where threats are continuous, targeted, and increasingly well known. Data breaches are readily understood even by those without a background in IT, and can undermine customers' confidence in their ability to conduct business online. The sophistication of APTs threatens businesses' ability to conduct internal operations without loss of information confidentiality and information integrity. Next, we will examine ways in which confidentiality and integrity can be compromised.

Risk of Data Loss and Threats to Information Security

Data loss can occur in many ways, from eavesdropping and mistaken identities to insider abuse and improperly managed access controls.

Intercepting Communications

Communications and data transfers can follow many routes from one point to another. Remote sites and traveling executives may have to use the public Internet to access resources at corporate headquarters. This can present an opportunity for an attacker who has targeted that business or executive. Unless the communications are encrypted, typically using an SSL-based mechanism, they are at risk of interception by a man-in-the-middle attack (see Figure 2.5).

Figure 2.5: Unencrypted communications can be intercepted using a man-in-the-middle attack. A user believes there is a direct and secure line of communications (green) when in fact the line of communication is being intercepted (red).

This type of attack can be avoided by deploying communication services that encrypt data before it is sent over the Internet. Virtual private networks (VPNs) can do this for all network communication. Alternatively, users can establish secure connections to servers that have an SSL certificate and can establish encrypted communications channels with other devices.

Spoofing

Spoofing is another way of stealing information that depends on tricking users into believing a malicious server or other device is actually a legitimate device. Spoofing can be avoided by deploying SSL certificates on servers. Doing so allows users to authenticate the server (that is, verify the server is actually the one it appears to be) before transmitting sensitive data. SSL certificates can be provided by trusted third parties who verify the identity of the organization requesting the certificate. The certificates are designed to identify a server (or group of servers, depending on the type of SSL certificate). If a digital certificate for one server were stolen and placed on another server, a warning message would be generated during the authentication process.

Common Internet browsers are all configured with information about the major SSL certificate providers. If a user were to navigate to a spoofed server with an invalid certificate, the browser could immediately display a warning indicating the spoofed server is not actually the one it purports to be.
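Added example (not code from the guide or from Realtime Publishers): the identity check a browser or other TLS client performs on a server certificate after the chain to a trusted certificate provider has been verified. This is the step that turns a valid certificate copied from one server onto another into the warning described above: the chain still verifies, but the name in the certificate does not match the host the user asked for. The certificate dicts are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns; the hostnames, dates and function names are this example's own. The last function confirms that the standard library's default client context is configured the way browsers are: trusted-CA verification required and hostname checking on.

```python
"""Hostname and validity check a TLS client performs on a server certificate.

Added example, not code from the guide. Certificates below are constructed
in the shape returned by ssl.SSLSocket.getpeercert(); names and dates are
made up.
"""
import ssl
from datetime import datetime, timezone


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label: '*.example.com' matches 'shop.example.com' but not
    'example.com' or 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names the certificate claims: SAN DNS entries, else the subject CN.

    The CN fallback mirrors historical browser behaviour; modern clients
    ignore the CN as soon as any subjectAltName is present.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def check_server_certificate(cert: dict, hostname: str, now: datetime) -> tuple:
    """Return (ok, reason) for `cert` presented to a client that asked for `hostname`.

    Runs after chain verification; a stolen-but-valid certificate served
    from the wrong host fails here, which is what the browser warns about.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    if now > expires:
        return False, f"certificate expired on {cert['notAfter']}"
    names = certificate_names(cert)
    if not any(dns_name_matches(name, hostname) for name in names):
        return False, f"hostname {hostname!r} does not match certificate names {names}"
    return True, "ok"


# Constructed certificate for the legitimate shop, in getpeercert() shape.
SHOP_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun 15 12:00:00 2013 GMT",
}
NOW = datetime(2012, 3, 1, tzinfo=timezone.utc)  # constructed "today"


def demo() -> dict:
    """Run the check for four situations and return the verdicts by name."""
    return {
        "genuine": check_server_certificate(SHOP_CERT, "shop.example.com", NOW),
        "wildcard_sibling": check_server_certificate(SHOP_CERT, "api.example.com", NOW),
        # Same certificate copied onto a look-alike host: chain fine, name wrong.
        "copied_to_other_host": check_server_certificate(SHOP_CERT, "shop.example.net", NOW),
        "expired": check_server_certificate(SHOP_CERT, "shop.example.com",
                                            datetime(2014, 1, 1, tzinfo=timezone.utc)),
    }


def default_context_is_strict() -> bool:
    """True when the stdlib default client context behaves like a browser:
    a chain to a trusted CA is required and the hostname is checked."""
    ctx = ssl.create_default_context()
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:22s} {'ACCEPT' if ok else 'WARN  '} {reason}")
    print("default context strict:", default_context_is_strict())
```

The check is deliberately split from chain verification: a certificate can be perfectly valid and still be the wrong certificate for the host, and a client that skips the name comparison (or disables check_hostname) accepts exactly the spoofing scenario the section describes.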
Directed Attacks: APTs and Insider Abuse

Another set of risks to businesses, governments, and other organizations is directed attacks. In addition to APTs, another potential avenue of data loss is insider abuse. Insiders are employees, contractors, and others with legitimate access to information. The ways insiders can steal or leak sensitive data are limited only by their imagination. The Privacy Rights Clearinghouse (http://www.privacyrights.org) maintains a database of breaches that includes details on the ways data is lost. Some of the more recent cases of insider abuse have included:

• A waiter stealing credit card details of customers.
• A Veterans Affairs worker using personal patient information to create fraudulent dependent information and then using his tax preparation business to submit fraudulent tax returns.
• A medical center employee stealing information about persons responsible for medical bill payment, which was then used by co-conspirators to open credit cards and obtain cash advances.
• A bank employee disclosing customer names, Social Security numbers, driver's license numbers, bank account numbers, and other details to co-conspirators in an identity theft ring.

Even when sound practices are employed, such as limiting access to data to only those that need it and separating duties to reduce the risk that a single person could commit fraud, determined insiders can still succeed in stealing sensitive information.

Improperly Managed Access Controls

Another risk for data loss comes from improperly managed access controls. A telling example was recently reported by the Associated Press in "New Data Spill Shows Risk of Online Health Records." The article describes a case in which medical information about 300,000 Californians was available for public viewing. A privacy researcher, Aaron Titus, found the information using Internet searches and then contacted the firm hosting the data (as well as the press). The data was intended to be used only by employees with a legitimate need for the data, but proper access controls were not in place, in violation of the firm's policies.

Poorly managed and implemented access controls will not necessarily result in public disclosure, but they can create additional risks nonetheless. For example, when an employee who is responsible for accounts payable is transferred to work on accounts receivable, his access permissions should be revised to prevent access to accounts payable systems. Failure to do this can undermine the separation of duties principle and create an opportunity for abuse. There are a wide variety of risks to the confidentiality and integrity of data, from intercepted communications and spoofing to insider abuse and mismanaged access controls.
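Added example (not from the guide): a periodic access review that flags the two conditions this section and the insider-abuse passage before it describe, a role left behind after a department transfer and a single person holding a separation-of-duties conflict, together with a transfer routine that re-provisions access rather than letting it accumulate. The roles, permissions, departments, accounts and function names are all constructed for illustration; none come from the page.

```python
"""Access review: stale entitlements after transfers and SoD conflicts.

Added example, not code from the guide. Every role, permission, department
and account here is constructed for illustration.
"""
from dataclasses import dataclass

# Role -> permissions it grants (constructed). Payables is split so that no
# single role both creates a vendor and releases payment to it.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"ap.create_vendor", "ap.enter_invoice"},
    "ap_approver": {"ap.approve_invoice", "ap.release_payment"},
    "ar_clerk":    {"ar.post_receipt", "ar.issue_credit"},
    "help_desk":   {"support.read_tickets"},
}

# Roles a member of each department may legitimately hold (constructed).
DEPARTMENT_ROLES = {
    "payables":    {"ap_clerk", "ap_approver"},
    "receivables": {"ar_clerk"},
    "support":     {"help_desk"},
}

# Permission pairs one person must never hold together (constructed):
# creating a payee and paying it is the classic payables fraud path.
SOD_CONFLICTS = [
    ("ap.create_vendor", "ap.release_payment"),
    ("ap.approve_invoice", "ar.issue_credit"),
]


@dataclass
class Account:
    user: str
    roles: set          # roles currently granted in the application
    hr_department: str  # where HR says the person works now


@dataclass
class Finding:
    user: str
    kind: str           # "stale_role" or "sod_conflict"
    detail: str


def effective_permissions(roles: set) -> set:
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def review(accounts: list, department_roles: dict) -> list:
    """Compare granted roles with HR department and SoD rules; return findings."""
    findings = []
    for acct in accounts:
        allowed = department_roles.get(acct.hr_department, set())
        for stale in sorted(acct.roles - allowed):
            findings.append(Finding(acct.user, "stale_role",
                                    f"{stale} not justified by department {acct.hr_department}"))
        perms = effective_permissions(acct.roles)
        for left, right in SOD_CONFLICTS:
            if left in perms and right in perms:
                findings.append(Finding(acct.user, "sod_conflict",
                                        f"{left} and {right} held by one person"))
    return findings


def transfer(acct: Account, new_department: str, department_roles: dict) -> Account:
    """Apply a department transfer by revising access, not adding to it."""
    acct.hr_department = new_department
    acct.roles = set(department_roles[new_department])
    return acct


def sample_accounts() -> list:
    """Constructed accounts: one stale transfer, one SoD conflict, one clean."""
    return [
        # Moved from payables to receivables, but the AP role was never removed.
        Account("alice", {"ap_clerk", "ar_clerk"}, "receivables"),
        # Both payables roles: can create a vendor and release its payment.
        Account("bob", {"ap_clerk", "ap_approver"}, "payables"),
        Account("carol", {"help_desk"}, "support"),
    ]


def run_review() -> tuple:
    """Findings before and after re-provisioning the transferred employee."""
    accounts = sample_accounts()
    before = review(accounts, DEPARTMENT_ROLES)
    transfer(accounts[0], "receivables", DEPARTMENT_ROLES)
    after = review(accounts, DEPARTMENT_ROLES)
    return before, after


if __name__ == "__main__":
    before, after = run_review()
    for label, findings in (("before", before), ("after", after)):
        print(label, [(f.user, f.kind, f.detail) for f in findings])
```

The department check catches the accounts-payable-to-accounts-receivable case in the text, where access was added for the new job but never removed for the old one; the SoD check is separate because a department can legitimately contain both halves of a conflicting pair as long as no one person holds both.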
Impact of the New Security Landscape on Customer Trust

We could easily keep our focus on the internal consequences of the new security landscape. We could concern ourselves with hardening our defenses, improving our auditing and monitoring procedures, and other measures that reduce the risk that an attack would be successful. We could do this and we would be justified in doing it, but we would also be missing an important aspect of these risks: their impact on customer trust.

Well-Publicized Data Breaches and Attacks

You do not have to be an IT professional to be aware of the state of information security these days. The popular press seems to have an almost steady stream of stories about security risks, data breaches, and hacking attempts.

It is not just the American press that is publishing information security stories; this is a global phenomenon:

• The Hong Kong Stock Exchange suspended trading on seven stocks after the exchange's Web site was attacked and sensitive results were released, according to TG Daily (Source: "Hong Kong Stock Exchange Hacked," Aug. 10, 2011).
• Private information on 35 million customers of Epson Korea was stolen after the company Web site was hacked. Information disclosed included names, user IDs, passwords, and resident registration numbers, according to the Yonhap News Agency (Source: "Epson Korea Says 35 Million Customers' Data Hacked," Aug. 20, 2011).

Stories about financially motivated attacks are complemented by what might be called human-interest cybercrime cases:
• The Guardian reports on a case demonstrating that attacks are not always financially motivated, describing a 33-year-old attacker's actions: "He accessed highly personal data and photographs in a sophisticated email scam from his mother's front room, taking control of some victims' webcams remotely to see inside their homes, at one point boasting to a friend that he made a teenage girl cry by doing so." (Source: Computer Expert Jailed after Hacking Victims' Webcams, Nov. 23, 2010).
• Following the phone hacking scandal at the British newspaper News of the World that became public in the summer of 2011, Scotland Yard began an investigation into computer hacking by the organization, according to The Guardian. This was spurred in part by allegations that a former army intelligence officer received an email with a Trojan program that copied emails from the victim and sent them to the attacker (Source: Scotland Yard to Set up New Computer Hacking Task Force, July 29, 2011).
Governments and political organizations have also been targeted for organized attacks. Examples include:
• Deutsche Welle reported in 2010 that new national identity cards provided to German citizens, which were supposed to improve security for online transactions, were easily hacked by members of the Chaos Computer Club (Source: New German ID card easily hacked by ordinary computer nerds, Sep. 23, 2010).
• A Taiwanese presidential campaign was attacked, and the attack targeted planning information. Police were investigating allegations that the attackers were backed by the Chinese state, according to the Times of India (Source: Taiwan Police Probe China Hacking Claim, Aug. 11, 2011).
Based on even this small sample, we can begin to see that concern about data breaches and persistent cybercrime exists to some extent anywhere there is Internet access and online transactions.
Well-Publicized Cybercriminal and Hacking Organizations
Decades ago, only insiders would recognize the names of hacking groups like the Chaos Computer Club, but today, groups like Anonymous and LulzSec are making headlines along with more threatening organizations, such as the Russian Business Network (RBN) and state-sponsored groups.
LulzSec has claimed responsibility for stealing information from law enforcement agencies, most notably the Arizona Department of Public Safety, as well as businesses such as News Corporation. When compared with organized crime syndicates that commit cybercrimes, groups like LulzSec are more akin to vandals than serious felons. Anonymous has made news with public releases of stolen documents from Bank of America and attacks on Sony, both in response to what the group considered objectionable corporate behavior.

Other organized groups are far more threatening. The RBN is reported to be a group based in Russia that has a history of developing malware, conducting Denial of Service (DoS) attacks, and providing spam services. They have also been implicated in the theft of tens of millions of dollars from Citibank in 2009 (Source: ComputerWorld, Report: Russian Gang Linked to Big Citibank Hack, Dec. 22, 2009).
More recently, news stories highlighted Operation Shady RAT, the widespread APT attack on more than 70 organizations, and Night Dragon, the targeted attack on gas, oil, and petrochemical companies. State actors have been implicated in both.
Stories about organizations ranging from cyber vandals to state-sponsored cybercriminals will likely add to the popular concern about information security generated by a near-continuous stream of stories from around the globe about data breaches and cyber attacks. This is not just a law enforcement problem or a public policy issue. How we as consumers and customers respond to these threats can directly impact the effectiveness of online services.
Potential Impact to Building Trust Online with Customers
Customers are justified if they are concerned about the security of their personal and financial information online. It is not unreasonable to think that customers will make choices based on how well they think a company will protect their information, in much the same way they now consider price, product quality, and customer service.
Businesses should consider how new evaluation criteria that include security considerations will affect them. One can begin by understanding the security concerns customers may have, such as:
• Concern for identity theft
• Concern for credit card fraud
• Loss of privacy
Organizations such as banks and hospitals that require more personal and financial information than many businesses are likely to be especially aware of concerns about identity theft. Businesses that provide services to banks, hospitals, governments, and similar organizations that may house substantial amounts of confidential information must ensure it stays protected. For example, the inadvertent release of patient data in California occurred at a firm providing services to medical providers; it was not a medical provider itself.
The need to protect credit card information is more widespread. Many of us use credit cards and debit cards routinely during the day. The payment card industry has established data security standards that card processors must comply with. These are designed to protect both customers and banks from fraud and abuse. The payment card industry is built on a web of trust. Customers and vendors trust the bank to pay the vendor, banks trust customers to pay their bills, banks trust vendors to charge accurately, and they all trust each other to maintain the integrity of the system.

The loss of privacy can be even more of a threat to some people than the financial risk associated with credit card fraud or identity theft. Someone with a history of psychiatric treatment may fear for his job if an employer were to find out about it. Someone who lives in fear of abuse may not want her address disclosed. The disclosure of private information can have unknown and severe consequences for customers, clients, and patients.
Information security threats are real and substantial. Customers would not be irrational to consider how they can best protect themselves from personal or financial harm, and that may include assessing which businesses to trust with their information.
How Businesses Can Respond to Information Loss
It is clear that it is in the best interest of businesses, governments, and other organizations to mitigate the risk of information loss. The question is: How? Answering that question is the subject of many books, articles, conference presentations, and other resources, which is an indication of just how difficult the task is.
Although we cannot give a detailed answer to that question, we can outline some of the characteristics of the answer. First and foremost, there is no single solution, no silver bullet. Protecting information in today's online ecosystem requires a wide array of security controls and measures, such as:
• Reliable and trustworthy authentication of persons and devices
• Strong encryption for data at rest and data in transit
• Access controls appropriate to the need to perform business functions
• Separation of duties
• Malware protection
• Properly configured and patched operating systems (OSs) and applications
• Constant monitoring and analysis
• Vulnerability scanning and automatic remediation to correct known vulnerabilities
• Intrusion detection to detect potentially malicious activities
In addition to these technical measures, organizations should have well-defined policies and procedures in place that document when to use authentication mechanisms such as SSL certificates, what kinds of information should be encrypted, and what kinds of monitoring procedures should be in place. Policies that are not enforced are of no help. Governance practices need to be in place to ensure that policies are implemented as expected. It is little consolation to a customer who has her personal financial information disclosed that the business had an outstanding privacy protection policy but it just wasn't followed.


Many of these measures are essentially behind the scenes from the customer's perspective. Security provided by SSL certificates, like authenticating a server or encrypting a browser session, is visible to customers, thanks to cues like locks and green bars used with Extended Validation SSL certificates, as Figure 2.6 shows. (There will be more on this topic in the next chapter.)

Figure 2.6: Visual cues, such as the lock and green-colored text, can help to indicate to customers that a site has been authenticated and communication between the browser and the Web site is encrypted.
Summary
Businesses face a double threat from cybercriminals: the loss of information and the loss of customer trust. You do not have to be an IT professional to have an understanding of the risk of data losses and the subsequent fraud and identity theft that can follow. The security landscape is becoming increasingly complex and threatening. Cybercrime is highly professional, to the point where underground markets function much as legitimate business markets do. Organized crime and state actors are realizing the benefits of information theft. The potential payoffs are substantial, and as a result organized entities are willing to spend considerable time and money to launch APTs. Meanwhile, the public catches glimmers of what is happening through a fairly steady stream of news stories from around the globe about data breaches and hack attacks. In addition to security measures, businesses can help mitigate the impact of cybercrime by taking steps to build and preserve customer trust.

Chapter 2: How SSL Certificates Can Protect Online Business and Maintain Customer Trust
What underlies SSL certificates is a well-established method for securing communication and authenticating services. To better understand how SSL certificates can protect online business, it helps to know something about the inner workings of SSL. Working with SSL certificates is a bit like driving a car: you do not need to be an auto mechanic to drive a car, but it can help to know the basics of how your engine and transmission work.
This chapter is organized into three sections:
• How SSL certificates work
• Web applications with and without SSL certificate protection
• Authentication and trust
The first section looks under the hood of an SSL certificate to describe its components and how they work to secure communications and support authentication. The second section continues the look-under-the-hood approach and considers how an application without SSL certificate protections operates differently than one using SSL certificates. In the third section, continuing our regimen of delving into the implementation details of SSL certificates, we look at how SSL certificates are created, the different types of SSL certificates, and the role of SSL certificate providers in establishing and maintaining a trust relationship between providers of SSL certificates, businesses that use them, and customers that expect the kinds of protections they provide.
How SSL Certificates Work
When we receive an SSL certificate from a provider, we receive a file. That may seem like a bit of a letdown at first. After all, this is something that will be used to encrypt communications and provide evidence for identity claims of servers. These are fairly important tasks, and they are all enabled because of one small file? Well, yes and no.


Yes, the SSL certificate file is essential for providing encryption and authentication services, but it is really just one part of a more complex set of protocols. Actually, an SSL certificate by itself would be of little use to you if it weren't for the established protocols that make use of the information stored within the SSL certificate file. The important security tasks are not enabled solely because of an SSL certificate file. It is the combination of the SSL certificate and the protocols that define how it is used that provide the security controls we seek. Let's take a look inside an SSL certificate and then examine the protocols that make use of it.
Components of an SSL Certificate
Figure 2.1 shows the components of an SSL certificate. SSL certificates use the X.509 certificate structure, which includes information about the subject, such as a domain, the subject's public key, and the algorithm the certifying authority used to produce its digital signature over the certificate. The signature is what allows anyone holding the authority's public key to confirm that the authority, and no one else, issued the certificate with exactly these contents:

Figure 2.1: The data structure for representing an SSL certificate is based on the X.509 certificate standard.

• The version number indicates which version of the X.509 specification is used. Newer versions support additional extensions and unique identifiers.
• The serial number is a unique number assigned by the certifying authority that issued the certificate. Certifying authorities are responsible for tracking these numbers so that the combination of issuer and serial number is unique across all X.509 certificates.
• The algorithm ID (the field is named signature in the X.509 specification) identifies the algorithm the certifying authority used to sign the certificate, for example SHA-256 with RSA.
• The issuer is the name of the certifying authority that issued the certificate. In addition to the name of the issuer, this field can contain the location of the issuer and the organizational unit within the issuing company that was responsible for creating the certificate.
• The validity section includes two dates, one marking the start of the period for which the certificate is valid and one indicating the end date.
• The subject field is the name of the entity requesting the certificate. This name is in the form of a distinguished name that is unique to that entity within the certifying authority. Like the issuer field, this attribute can contain information about the subject's location and the organizational unit within the entity that requested the certificate.
• The subject public key field contains a public key, which is a string of characters, and the name of the algorithm with which the key is used. Why do we need this string of characters known as a public key? This key is part of the technology known as public key cryptography. We do not need to delve into too many details, but it is important to understand the basics. Here is how it works: When someone wants to send you an encrypted message that only you can read, that person would get your public key from your digital certificate. (Actually, she would use a program such as PGP to do this.) With that key and the name of the encryption algorithm, the person can then encrypt the message. The public key is not like a key used to open and lock doors. The public key is a one-way key. It's only good for locking (that is, encrypting), but it cannot be used to unlock (that is, decrypt) the message. For that, we need a private key.
The private key is created at the same time as the public key. You can share your public key with anyone who might want to send you an encrypted message and you do not have to worry about them reading an encrypted message someone else sent to you. The only way to decrypt a message encrypted with a public key is to use the corresponding private key. As long as no one else has your private key, they cannot read your encrypted messages. For an SSL certificate this means the private key stays on the server: the file the certifying authority returns contains only the public key, which is why the certificate can be published freely while the key file must be protected like a password.


With Enough Time and Resources
It is not theoretically impossible to read someone else's message without the private key. If you have enough cryptographic knowledge and access to large-scale computing resources (think large secret government agency-level resources), you could eventually decrypt a message without the private key. Unless you are passing around state secrets, the value of the decrypted message probably would not justify the time and expense necessary to try to crack the message. By one estimate, if you could check a billion billion (1,000,000,000,000,000,000) AES-256 keys per second, it would take about 3 × 10^51 years (a 3 followed by 51 zeros) to try all possible keys (Source: Wikipedia, Brute Force Attack). That estimate is for the symmetric session key; the equivalent attack on the certificate's public key is to recover the private key from it (for RSA, by factoring the modulus), which is likewise out of reach at the key sizes certifying authorities accept today.
• The issuer and subject unique identifiers are used to store identifiers that would uniquely identify an issuer or subject in cases where the name of either entity is reused.
• Extensions were added in version 3 of the X.509 standard and support the use of additional attributes that can be used to store several common extensions as well as private information used within a community of users. The subject alternative name extension is the one that matters most for Web servers: it lists the DNS names the certificate covers, and browsers match the site's host name against it rather than against the subject's common name.
X.509 Certificate Specification
For a more detailed and formal description of the X.509 certificate, see the Internet Engineering Task Force RFC at http://www.ietf.org/rfc/rfc2459.txt. (RFC 2459 has since been superseded; RFC 5280 is the current profile for Internet X.509 certificates.)
An SSL certificate contains three broad types of data:
• Information about the subject that owns the certificate and is identified by it
• Information about the certifying authority that issued the certificate
• Cryptographic information such as the subject key and algorithm
You can examine certificates on your Windows devices using the Microsoft Management Console (MMC) and the Certificates Management snap-in (see Figure 2.2). Even if you haven't installed any certificates yourself, you can still view certificates that are installed with the Windows operating system (OS). These are typically for trusted entities like certifying authorities. Your organization may also have installed additional certificates.
Resource
If you are not familiar with the MMC, see Microsoft Management Console 3.0 at Microsoft TechNet.
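On Linux the same fields can be read with the openssl command-line tool. The script below is an added example, not material from the guide: it builds a throwaway certifying authority and a server certificate that authority has signed, so that the issuer, subject, serial, validity and algorithm fields described above appear in their natural setting, and then runs `openssl verify` against the throwaway authority to show the issuer relationship being checked. The names (`Example Root CA`, `www.example.com`), the 30-day lifetimes and the temporary directory are assumptions made for the example; nothing produced here is a real trust anchor.

```shell
#!/bin/sh
# Added example: build a throwaway CA and a server certificate it has issued,
# then inspect and verify them with the openssl CLI. Every name is made up.
set -eu

# make_demo_pki DIR: writes ca.pem/ca.key (self-signed root) and
# srv.pem/srv.key (leaf for www.example.com signed by that root) into DIR.
make_demo_pki() {
    dir=$1
    # Root: self-signed, so issuer and subject are the same name.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example Root CA/CN=Example Root CA G1" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Leaf: a key pair plus a certificate signing request naming the site.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    # The CA signs the request. The subjectAltName extension carries the DNS
    # name clients match against; basicConstraints marks it as a leaf.
    printf 'subjectAltName=DNS:www.example.com\nbasicConstraints=CA:FALSE\n' \
        > "$dir/srv.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/srv.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/srv.ext" -out "$dir/srv.pem" 2>/dev/null
}

# show_fields CERT: print the X.509 fields discussed above.
show_fields() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates
    openssl x509 -in "$1" -noout -text \
        | grep -E 'Signature Algorithm|Public Key Algorithm' | head -2
}

# verify_chain CAFILE CERT HOSTNAME: exit status 0 only if CERT chains to a
# root in CAFILE, is within its validity period, and covers HOSTNAME.
verify_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# issuer_cn CERT: common name of the certifying authority that issued CERT.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Run with "demo" as the first argument to see the fields and the checks.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    show_fields "$d/srv.pem"
    verify_chain "$d/ca.pem" "$d/srv.pem" www.example.com && echo "chain and hostname OK"
    verify_chain "$d/ca.pem" "$d/srv.pem" evil.example.net || echo "hostname mismatch rejected"
    verify_chain "$d/srv.pem" "$d/srv.pem" www.example.com || echo "leaf is not a trusted issuer: rejected"
    rm -rf "$d"
fi
```

The third `verify_chain` call is the situation behind most browser warnings: the certificate is well formed and in date, but the only "authority" offered is the site itself, so there is no path to a trusted root.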
Now that we've covered what is in an SSL certificate, let's take a look at how this information is used.

Figure 2.2: The MMC Certificates snap-in tool provides a viewer for reviewing the contents of SSL certificates.
Overview of How SSL Certificates Secure Communications
SSL certificates play a key role in establishing secure communications. They actually provide two services: identifying a party in the communication and providing a public key that can be used to encrypt messages sent back to the server. As we will see, the public key is used to set up a secure communication channel, which is then used to further exchange information and establish an efficient and secure channel for exchanging data.
SSL and TLS: A Rose by Any Other Name?
The Secure Sockets Layer (SSL) protocol is the predecessor of the Transport Layer Security (TLS) protocol. They both are used for securely communicating over the Internet. Although they are different protocols, the general descriptions here address concepts common to both. "SSL certificates" is a common term used to describe digital certificates used for encryption and authentication, so this guide will use the term SSL as synonymous with TLS, as is typically done. Note that the SSL protocol versions themselves (SSL 2.0 and 3.0) are obsolete and should be disabled on servers; a current deployment negotiates TLS 1.2 or 1.3 and uses the same X.509 certificate to do it.


When you navigate to a server using a secure protocol, such as Hypertext Transfer Protocol over SSL (HTTPS), your computer, which we'll refer to as the client, will perform a handshaking protocol to set up a secure communication channel. The steps are as follows:
The client requests a secure connection to a server and presents a list of security mechanisms it supports. These are known as cipher suites: named combinations of key exchange, authentication, encryption, and integrity functions that the client can work with. From the list, the server chooses a suite it is able to support (normally the strongest according to its own preference order) and sends its choice to the client. The server sends its SSL certificate, which includes the server's name, public key, and the identity of the certifying authority.
Next, the client might send a message to the certifying authority to verify that the certificate is still valid. This option is available because it is possible for a certificate to be revoked during its valid period. Revoked SSL certificates can be checked using either the Online Certificate Status Protocol (OCSP) or certificate revocation lists (CRLs).
At this point, the client has verified the server's certificate and agreed on a cipher suite. The server may optionally request a client certificate for mutual authentication. This is more likely in cases where the client should be known, such as when using a virtual private network (VPN); mutual authentication is less likely in cases where the client is contacting a public Web site set up for general commerce (see Figure 2.3).

Figure 2.3: Steps to establish a secure connection using SSL certificates.

After the client and server have a secure channel, they can securely exchange information that allows them to create a secure session that is more computationally efficient. The more efficient methods, known as symmetric key cryptography, are faster but require both the client and server to know a shared key. The next steps allow the client and server to securely exchange such a shared key:
• The client generates a random number and encrypts it with the server's public key.
• The server decrypts the encrypted random number using its private key. Only the holder of the private key can do this, which is also what proves to the client that the server really owns the certificate it presented.
• The client and server establish secure communication using a shared key derived from that random number and an encryption method that requires only one key for both encryption and decryption.
After completing these steps, the client and server are ready to securely exchange data. The steps above describe the RSA key exchange used by older cipher suites. With the ephemeral Diffie-Hellman suites preferred in TLS 1.2, and always in TLS 1.3, the two sides instead derive the shared key from fresh, short-lived values, and the server's private key is used only to sign its part of the exchange; the practical difference is that a server key stolen later cannot be used to decrypt recorded traffic (forward secrecy).
Overview of How SSL Certificates Support Authentication
Peter Steiner's iconic 1993 New Yorker cartoon of a couple of dogs in front of a computer with the caption "On the Internet, nobody knows you're a dog" captures a fundamental problem with the Internet: How do we know who we are interacting with? Let's skip the philosophical issues about how we can know something and settle for trusting that someone (or something like a server) is who or what it purports to be.
We have a bit of a circular problem here. We want to know how we can trust someone online when we don't trust them in the first place when they assert to be someone or something. Any of us can set up a server and put up a Web page proclaiming to be a bank. We might even produce an authentic-looking site by copying pages from a real bank. How will customers know the difference? They will know because we will not be able to get an SSL certificate for the bank's domain name from a trusted certifying authority: the authority only issues one to whoever controls that domain. The major browsers change the display of the navigation bar when displaying content from a site that uses SSL for identification and encryption (see Figure 2.4). Locks are used to indicate encrypted communication. The green bar indicates the use of a special type of SSL certificate known as an Extended Validation (EV) SSL certificate, which we'll talk about a bit later in this chapter.

Figure 2.4: Browsers automatically change the navigation bar display when rendering content from a site with a trusted SSL certificate using encrypted communication.


The changes in the browser display are a visual cue that the site has an SSL certificate that has been provided by a trusted certifying authority. Browsers come preconfigured with a set of trusted certifying authorities. When a connection is made to a server, the server sends its SSL certificate to the browser. The browser then makes a number of checks:
• Verifying that the domain name of the site matches a name on the SSL certificate (one of its subject alternative names, or the subject's common name on older certificates)
• Verifying that the current date is within the valid date range
• Checking the issuer and verifying it is one of the trusted certifying authorities known to the browser, which means validating the authority's signature on the certificate and, if an intermediate authority issued it, each signature in the chain up to a trusted root
When a certificate is issued by a certifying authority that is not trusted by the browser, most browsers will display a warning message (see Figure 2.5).
Warning messages such as the one that Figure 2.5 shows should, as a rule, not occur when working with trusted commercial or government sites. You are likely to see a warning if you navigate to a site that is using an invalid certificate or a certificate that was generated by an untrusted authority. Certificates may be invalid because they have expired or the domain name of the site does not match the subject name on the certificate. You may also see such messages when using self-signed certificates, which we create for ourselves, for example, in a development environment.
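The checks that produce these warnings can be written down precisely. The Python below is an added example, not code from the guide: it applies the name, date and issuer checks to a certificate in the dictionary form that Python's standard `ssl` module returns from `SSLSocket.getpeercert()` (subject, issuer, subjectAltName, notBefore, notAfter), and it also raises an operator warning when a certificate is within 30 days of expiry, the situation the certificate-management guidance later in this chapter is meant to prevent. The sample certificates, the trusted-issuer name and the fixed "current time" are all constructed for the example. Only the parsed fields are checked here; the signature chain, which a browser also verifies, is not visible in a parsed dictionary.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed for the example: the one issuer this "browser" trusts, in the
# nested-tuple form ssl.SSLSocket.getpeercert() uses for names. A real trust
# store holds root certificates and verifies signatures; a name list is used
# here so the example runs with no files and no network.
TRUSTED_ISSUER = (
    (("organizationName", "Example Root CA"),),
    (("commonName", "Example Root CA G1"),),
)
TRUSTED_ISSUERS = {TRUSTED_ISSUER}

# Fixed "current time" so the results are reproducible (constructed).
EXAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def hostname_matches(pattern, hostname):
    """Match a certificate DNS name against the site's host name.
    One left-most wildcard label is allowed: *.example.com covers
    www.example.com but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def _parse_time(value):
    # getpeercert() formats dates like 'Jan  1 00:00:00 2024 GMT'.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def check_certificate(cert, hostname, now=EXAMPLE_NOW,
                      trusted_issuers=TRUSTED_ISSUERS, renew_within=timedelta(days=30)):
    """Apply the browser's checks. Returns (errors, warnings); no errors means
    the browser would show the lock rather than a warning page."""
    errors, warnings = [], []

    # 1. Name check: subject alternative names are authoritative; the
    #    subject common name is only a fallback for old certificates.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    if not any(hostname_matches(n, hostname) for n in names):
        errors.append(f"name mismatch: {hostname} is not covered by {names}")

    # 2. Validity window, plus an operator warning ahead of expiry.
    not_before, not_after = _parse_time(cert["notBefore"]), _parse_time(cert["notAfter"])
    if now < not_before:
        errors.append(f"not valid before {not_before:%Y-%m-%d}")
    elif now > not_after:
        errors.append(f"expired on {not_after:%Y-%m-%d}")
    elif not_after - now < renew_within:
        warnings.append(f"expires on {not_after:%Y-%m-%d}; renew now")

    # 3. Issuer must be a certifying authority the client trusts.
    issuer = tuple(tuple(rdn) for rdn in cert.get("issuer", ()))
    if issuer not in trusted_issuers:
        errors.append(f"issuer not trusted: {_rdn_value(issuer, 'commonName')}")

    return errors, warnings


def sample_certificates():
    """Constructed certificates in getpeercert() form; none of them is real."""
    good = {
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": TRUSTED_ISSUER,
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": "Dec 31 23:59:59 2024 GMT",
    }
    return {
        "good": good,
        "expiring": dict(good, notAfter="Jun 15 00:00:00 2024 GMT"),
        "expired": dict(good, notAfter="May 31 23:59:59 2024 GMT"),
        # Self-signed: the issuer is the site itself, not a trusted authority.
        "self_signed": dict(good, issuer=good["subject"]),
    }


if __name__ == "__main__":
    for label, cert in sample_certificates().items():
        print(label, check_certificate(cert, "www.example.com"))
```

The wildcard rule is deliberately strict: a `*.example.com` certificate does not cover the bare domain or a second level of subdomains, which is how browsers treat it, and a site whose certificate lists only a common name gets the fallback path and nothing more.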

Figure 2.5: An example warning message presented by a browser when an SSL certificate was issued by a certifying authority that is not trusted by the browser.

Now that it has been established that SSL certificates provide the means to encrypt communications and authenticate servers, it is time to consider how these capabilities work with Web applications.
Web Applications Without and With SSL Certificate Protection
Let's consider two scenarios: Web applications without SSL certificate protection and Web applications with their security benefits. We'll start with the unsecured examples.
Scenario 1: Web Applications Without SSL Certificate Protection
Consider an executive working with a Web collaboration application. The application supports common functions needed for group work, including the ability to upload files, search collections of documents, and add notes and other metadata about the documents. The collaboration application does not use SSL certificates and instead relies on other security measures, such as access controls and network security, to protect its users.
The executive in our scenario is working on a proposal for a new client. The value of the potential contract is substantial, and there are multiple competitors vying for the work. Today, the executive decides to get away from the office to work on the proposal. She heads to the coffee shop down the street and sets to work. After a couple of hours, the executive is ready to upload the proposal to the collaboration server. She connects to the coffee shop's Wi-Fi, starts the collaboration application, and uploads the proposal. Unknown to her, someone else in the coffee shop was monitoring network traffic in search of some useful competitive intelligence. Figure 2.6 illustrates this scenario.

Figure 2.6: Unsecured communications can be detected and captured by others.

The communication was not encrypted by the application server or on the Wi-Fi network, so the document was sent as clear text. This allowed a third party to pick up the network traffic and discover the contents of the document. Whatever competitive advantage the executive's firm had could have been undermined by this data leak.
Note
Although this example is fictitious, this kind of attack is not. See, for example, cyber attacks on energy companies for proposal data.
Unauthorized monitoring of communication is only one problem with not using SSL certificates. Another problem is the potential for someone to create a server that appears to be legitimate but is actually only masquerading as a legitimate server. This is known as spoofing.
Consider another scenario. One of your regular customers decides to come to your company site to place an order. She has done this dozens of times and doesn't think much about it. She types in your site's domain name and sees the usual order page. She tries to start a new order but receives an error message. It seems, according to the Web page displayed, that your company has lost some customer data, including hers. She is prompted to enter her name and bank account information. The problem is, this is not your business site, and your customer has no way to tell.
Unknown to the customer, the service that translates domain names into Internet addresses (the domain name system, DNS) for her has been compromised. It seems her company has been the victim of a DNS cache poisoning attack. DNS servers translate domain names, such as www.example.com, into a numeric address, such as 192.169.0.1. When a DNS cache is poisoned, someone changes the legitimate numeric address to one assigned to an attacker-controlled server. Your customer's traffic is routed to the attacker's server with no obvious indication that something is wrong, as Figure 2.7 shows.

Figure 2.7: Without authentication provided by SSL certificates, users can be lured to use spoofed servers and applications that appear to be legitimate servers and applications.
In case you might be tempted to think that eavesdropping on your communications or server spoofing is only a theoretical problem that is not likely to affect you, consider these additional points:
• Sidejacking attacks involve using unencrypted data to allow an attacker to steal your session information and interact with a Web site as if the attacker were you. See the Firesheep tool for a demonstration of how this can be done. Encrypting only the login page does not stop it: the session cookie must be sent exclusively over HTTPS (the cookie's Secure flag) for every request.
• Attackers can find wireless networks with tools like NetStumbler, and even if the networks are not broadcasting identification data, tools like Kismet can be used to get that data.
• Auditing and testing tools, such as dsniff, can be used to scan network traffic: great for testing weaknesses in your network, but these tools are just as useful to attackers with malicious intent.


Without the encryption and authentication protections enabled by SSL certificates, we and our customers and collaborators are vulnerable to a variety of attacks. Let's consider the earlier scenarios but with SSL certificates in place.
Scenario 2: With SSL Certificate Protection
In the case of the executive working in the coffee shop, had the collaboration server used SSL certificates, the executive could have sent secure communications to the server. In the event that an attacker intercepted the traffic, it would appear to be a random stream of data, not a valuable and confidential business proposal (see Figure 2.8).

Figure 2.8: With SSL certificate-based encryption, data transmitted over wireless networks will appear to be more like random data than what it actually represents.
The case of the customer who was maliciously redirected from her intended target to an attacker-controlled Web site would turn out differently as well if SSL certificates were used. One of the problems for the customer was that there was no indication that she was at a malicious site. With SSL certificate authentication, she would have received a warning from her browser that something was not consistent with the malicious site.
If the malicious site was using an SSL certificate, it would have inconsistent information because either the certificate's subject would be a name the attacker could get a certificate for, which would not match the spoofed domain name, or the attacker acquired an SSL certificate from an untrusted provider. In either case, the user would be alerted to the fact that something was not as it usually is. The protection depends on the user not clicking through the warning, so teaching users to treat the warning as a stop sign is part of deploying SSL certificates.
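The browser refuses to proceed; code that talks to a Web service over HTTPS only gets the same protection if it is configured to verify the server's certificate, and disabling verification to silence an error is the programmatic equivalent of clicking through the warning. The Python below is an added example, not from the guide, using only the standard `ssl` module: `make_client_context` is the hardened client configuration, `make_insecure_context` the commonly seen insecure one, and `audit_context` reports what each would accept from a spoofed server. The private-CA file path is an assumption made for the example.

```python
import ssl


def make_client_context(private_ca_file=None):
    """Client context that authenticates the server the way a browser does:
    certificate required, chain must end at a trusted root, name must match."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0 and TLS 1.0/1.1 are obsolete
    if private_ca_file:
        # Internal services issued by a private CA: add that CA to the trust
        # store instead of turning verification off. (Path is hypothetical.)
        ctx.load_verify_locations(cafile=private_ca_file)
    return ctx


def make_insecure_context():
    """What 'verify=False' style settings amount to: any certificate, any
    name, any protocol version. A spoofed server is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # "to reach old appliances"
    return ctx


def audit_context(ctx):
    """Return the ways a context falls short of browser-equivalent checks;
    an empty list means a DNS-poisoned or spoofed server would be rejected."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("server name is not compared with the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("obsolete protocol versions (SSL 3.0, TLS 1.0/1.1) are allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no findings")
    print("insecure:", audit_context(make_insecure_context()))
```

`audit_context` is the kind of check worth running in a code review or a test suite: an HTTP client library that exposes its `SSLContext` can be handed to it directly, and the three findings map one-to-one onto the attacks in the two scenarios above.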

Figure 2.9: A spoofing attack would trigger an error on the client browser and alert the customer to the fact that there is some kind of problem with the site.
SSL certificates enable encryption and authentication, but businesses need more than that. Businesses need to know they can trust who they are dealing with. That is the ultimate reason we deploy SSL certificates.
Authentication and Trust
Trust cannot be reduced to digital certificates or encrypted messages. Trust is established over time and requires one party to be confident that another party will function as expected. We cannot have trust in businesses or individuals we have never met or have not heard of. We can, however, establish a trust relationship with an unknown party when we trust a third party and that third party assures us that the unknown party is trustworthy. This role of trusted third party is played by certifying authorities. These are companies that have built a business and a reputation around the business of verifying identities.

How Certifying Authorities Authenticate
The Internet community has different levels of need when it comes to verifying identities. For example, we might be ready to put information about our calendar into a site established to schedule company softball games with minimal verification, but we are much more careful about our online banking practices. Certifying authorities have created different procedures for verification, depending on the level of trust that is needed:
• Domain-level verifications are used when the certifying authority needs to establish that the requestor of a certificate is the owner of a domain name. Checking the domain registry may be sufficient for this. (See whois.net or any one of many other services that provide details about domain owners.) In current practice the authority has the requestor demonstrate control of the domain, for example by publishing a value the authority chooses in the domain's DNS records or at a URL on the site.
• Business verification is used when a certificate is to be provided to a business and more evidence than domain ownership is required to establish identity.
• Extended validation (EV) certificates require the most comprehensive verification, including legal documentation and checks on the physical location of the business.
Certifying authorities go through varying levels of due diligence to verify the identity of domains or businesses that receive their certificates. That is only one part of the process for establishing trust. Another part is educating users about these practices and providing information on how to ensure that legitimate certificates are in place.
Developing Trust
Businesses have long used marks to indicate a product or service is trustworthy. Marks ranging from the Underwriters Laboratories UL symbol to the Better Business Bureau logo have been used to indicate the safety of products and the trustworthiness of businesses. With the emergence of online business activity, it would help to have trust marks suitable for the Internet. We have trust indicators with SSL certificates, which use a lock in the browser address bar to indicate a secure communications channel. Green bar indicators are used with EV SSL certificates. (The green bar and organization name were the EV indicators in the browsers of 2011; the major browsers have since removed them from the address bar, so an EV certificate no longer produces a distinct visual cue for most users.) Businesses can help promote knowledge about these trust marks by educating customers about their use and by using them on business sites as well as promoting other safe online practices. Trust can be further reinforced with trust marks such as a trusted seal from a certifying authority or an established organization such as the Better Business Bureau.
Businesses should also use the appropriate type of SSL certificate for their needs. When low trust is required by users, a simple domain certificate can be used. Sites that do not collect confidential or private information, do not require financial information or credit card data, and do not deal with other highly valued data may be well served by conventional domain- or business-level certificates. When additional verification is required to help assure users that the site is legitimate, EV certificates should be considered because they are issued only after the most thorough identity checks, which browsers have historically signaled with the green bar and the display of the organization name.


Also, to develop trust, try to avoid situations in which your SSL certificates will generate error messages on customer browsers. These can occur for a number of reasons, so be sure to follow basic guidelines for good SSL certificate management:
• Do not use self-signed certificates for customer or other externally accessed servers
• Use certificates from certifying authorities recognized by all major browsers
• Install the intermediate certificates the certifying authority supplies along with your own, so that browsers can build the chain to the trusted root
• Keep certificates up to date and renew them before they expire
A combination of factors goes into establishing trust: working with known and trusted certifying authorities, using the appropriate types of SSL certificates, and using trust marks and educating users about risks.
Summary
SSL certificates enable encryption and authentication. These are essential for securing Web applications and protecting customers from eavesdropping, data leaks, and spoofing attacks. SSL certificates enable key functionality required to build a trust relationship between business partners that might not have a pre-existing relationship. The best designed application can have all the features and capabilities that users want, but if users do not trust the application, those features may not be used.

Chapter 3: Planning, Deploying, and Maintaining SSL Certificates to Protect Against Information Loss and Build Customer Trust
SSL certificates can play an important role in securing Web applications but, as with any IT system, especially security mechanisms, it pays to plan how you will deploy and maintain that system. In the previous chapters, we have examined how data loss can undermine customer trust and how SSL certificates can be used to protect online business and maintain customer trust. Now that we have covered the conceptual elements of what SSL certificates do and how they work, it is time to discuss implementation details.
This chapter will assume you understand the basic components of an SSL certificate and how it works, and are interested in implementing SSL certificates to protect your Web applications. This chapter is divided into four main sections:
• Planning for the use of SSL certificates
• Deploying SSL certificates
• Maintaining SSL certificates
• Choosing the right type of SSL certificate for your needs
This chapter will provide guidance to help you deploy SSL certificates in a way that can be sustained for the long term without creating undue management burdens. There will even be tips and instruction on how to do basic SSL certificate management tasks in Windows and Linux operating systems (OSs); however, this chapter is no substitute for system documentation.
Planning for the Use of SSL Certificates
The planning stage of deploying SSL certificates consists of two main tasks: identifying applications and servers that will benefit from having an SSL certificate and determining which type of SSL certificate is appropriate for each use case.

Process and Asset Inventory
This may sound strange, but for the next several paragraphs forget about SSL certificates. SSL certificates are tools; they are a means to an end. For the rest of this section, we are not interested in how SSL certificates can protect our Web applications. Instead, our sole focus is on what needs to be protected and why it needs to be protected.
To understand our needs, we will start with a few basic questions. First, what applications and servers are accessed by customers? These might include:
• Company Web site
• Online catalog
• Customer support services portal
• Customer feedback application
• A shipment tracking application
• Product documentation
This is a wide variety of application types and each has a different pattern of customer interaction. Consider how you would work with each of these if you were a customer.
The object of this exercise is to understand your risk tolerance with regards to using SSL certificates. In some cases, an organization may want to use SSL certificates on every server and workstation. This would be reasonable in cases where an unusually high level of security is required. A middle-ground approach is to install SSL certificates on all Web-accessible servers. An organization with a high tolerance for risk may pick and choose which of their Web-facing servers warrant an SSL certificate. In the following sections, we will consider factors that may influence such a decision.
Company Web Site
The company Web site is the online public face of the company. It probably contains the usual information like a description of the company, news and events, product descriptions, and, if you have physical locations, services such as store finders. It will likely include links to online catalogs, customer support, and other applications, but those are not considered part of the company Web site for our purposes. Those are substantial applications that have their own design, deployment, and maintenance life cycles independent of the company Web site. For this exercise, the company Web site provides the relatively static information about a company as well as links to other Web applications, such as an online catalog.

When customers or other users come to the company Web site, they are probably looking for basic information, such as contact names and email addresses, product information, locations, times of operations, etc. Businesses often take advantage of this customer interaction to collect information for mailing lists, surveys, and so on. If the site is not protected with SSL certificates, customers may be hesitant to provide personal information, leaving the business to pursue more costly means to collect that information. A company with conventional risk tolerance would want customers to be able to authenticate the company's Web site (see Figure 3.1).

Figure 3.1: SSL certificate protection is not required when primarily public information is exchanged but there is a need to authenticate the server when collecting customer data, such as names and addresses.
Online Catalog
The online catalog allows customers to browse and search for products, collect sets of items to buy, pay for them, and then have them shipped. There is probably some type of database application behind this Web site as well as links to supporting services such as credit card processing services. The user's interactions with an online catalog are substantially different from those with a company Web site. For example, a customer is likely to:
• Browse a particular type of product or search for a specific product
• Review multiple products
• Read descriptions, reviews, and other material about products
• Select items for purchase
• Provide personal information including names, addresses, and credit card numbers
The interactions in this case include both getting information from the application, similar to what we saw with the company Web site, and providing information to the application.

The fact that the customer is providing information to the business is a fundamental difference among applications. When it comes to personal information, such as names, addresses, and payment account information, it is probably a good bet to assume that the customer wants to keep that private. As your customer, I may have no problem sharing my credit card number with you, but I don't want anyone else to have access to it.
Depending on the size of the transaction (and the credit limit on the payment card), customers may be particularly cautious about providing payment card information to an unfamiliar company. If the customer is shopping at the online store for a national retail chain, she may feel confident that the site and the business behind it are legitimate. If this is the first time the customer has visited this site or it is not a well-known, major brand, there may be some hesitation about trusting this site.
This application collects confidential information, so the Web and application servers supporting it should be authenticated with SSL certificates (see Figure 3.2). They would also be used to enable encrypted communication between the application and the customer. The business should consider an Extended Validation (EV) SSL certificate to demonstrate compliance with stricter identity verification standards.

Figure 3.2: Confidential information is exchanged, so there is a need to authenticate the server and provide encrypted communications. An SSL certificate is required in this scenario even for highly risk-tolerant organizations.
Customer Service Support Portal
The customer service support portal is a Web application designed to allow customers to manage their accounts, review past purchases and invoices, and set preferences, such as shipping and billing methods. Customers will want to keep their information private, so access controls are in place and customers will have access only to their account information. These access controls will keep customer data private when it is stored in the application database but do not help when data is transmitted from the application to the customer, so encryption is required for all transmitted data.
This application collects confidential information, so the Web and application servers supporting it should be authenticated with SSL certificates. They would also be used to enable encrypted communication between the application and the customer.
Customer Feedback Application
The customer feedback application collects comments and emails them to a special email account created to track such messages. These comments should be considered private and confidential because the business would want to collect frank and clear comments, which a customer might not want to disclose to others. This application should be protected with SSL certificates to ensure data is encrypted during transmission. The authentication service enabled by the SSL certificate will help assure the customer that she is working with a legitimate application. Here again, risk-averse organizations will use SSL certificates to authenticate their company's applications.
Track Shipment Application
In some cases, a track shipment application is a relatively simple application that acts as a front end to services provided by the major shippers used by the company. Customers enter an order number and the application looks up the shipping company for that order, contacts that company's tracking Web service, and displays the results. In more complex tracking systems, customers may provide feedback, which should be considered confidential, so SSL-based encryption should be used.
SSL certificates are not required for simple track shipment applications in highly risk-tolerant organizations, but for moderate risk tolerance profiles or in cases where confidential information is exchanged, SSL certificates should be used. In addition, the shipping companies should use SSL certificates for their servers so that companies such as the one described here can authenticate the server they are communicating with.
Product Documentation
A product documentation application allows customers and employees to search a database of content of user manuals, technical documents, and other material to help customers and employees use products sold by the company. Product documentation is often considered proprietary information and should be protected as such.
In this scenario, the company is concerned about maintaining the confidentiality and integrity of the documentation. They have established strict access controls to mitigate the risk of incorrect documentation being placed in the database. There is some concern that if a malicious prankster spoofed the site and lured customers to a fake version of the site, the company's reputation could be damaged.
Figure 3.3: Public information distributed to both internal and external users does not require SSL certificate protection.
SSL certificate protection is required for encryption and authentication. If the perceived risk is high and the expected impact of a possible spoofing attack is great enough, an SSL certificate should be used for authentication.

Multi-Tier Applications
Having completed the application-based assessment of our SSL certificate requirements, we next have to delve into server-level requirements. In cases of simple applications that run on a single server, one would only need a certificate for that server. Many business applications, however, require multiple servers such as Web servers, application servers, and database servers.

Figure 3.4: Multi-tier applications depend on multiple servers. If the application requires SSL certificates, then usually all servers will require SSL certificates.
Figure 3.4 shows a multi-tiered application. In this scenario, confidential data, such as payment data or customer account data, moves through several servers. The trust that a customer has in the application has to be built on trust in the servers that implement the application. In such cases, the most secure option is to use SSL certificates on all servers in the multi-tier architecture. It is conceivable that there may be a server providing some basic function that never receives or processes confidential information. In such a case, one could argue against authenticating that server via an SSL certificate; however, given that requirements might change and that consistency often eases management burdens, it might be worthwhile using SSL certificates on all servers in the architecture.

In general, the planning process consists of a similar exercise to the one described earlier. Assess the way private and confidential information flows from the business to customers and from servers and devices implementing the application. Specifically, be sure to ask the following questions:
• What applications and servers are accessed by customers?
• What applications and servers are accessed by other trusted applications?
• What applications access confidential, private, or sensitive data?
With answers to these questions, we can determine which applications and servers need SSL certificate protection. The next question to address is what type of SSL certificate should be used.
Determining the Type of SSL Certificate Required
Although all SSL certificates are fundamentally the same in terms of form and function, there are differences. There are certificates for single servers, for multiple servers within a domain, and there are even some that work especially well with email servers. Let's look at criteria for choosing between these.
A single server certificate is appropriate for a server that is managed and deployed relatively independently of other servers. A domain wildcard certificate allows multiple servers to use the same certificate. These servers use a subject such as *.example.com, which matches any server in the example domain. This is useful when a number of servers in a domain require certificates. Use these carefully, though. This certificate can be copied and used on any server in the domain, which could result in either unauthorized use and/or difficult-to-manage certificates if they are not properly tracked.
EV SSL certificates are appropriate for customer-facing Web sites and applications that will process high-value private and confidential information, such as bank account information or personal healthcare information. Businesses and organizations that may be targets for cybercriminals should consider the value of having an EV SSL certificate and the corresponding visual cues presented to customers. This is one way to help customers distinguish between a legitimate site and a fraudulent one.
At the other end of the trust spectrum from EV SSL certificates are self-signed certificates. These certificates do not involve a trusted third party as a certifying authority; instead, someone within a company creates an SSL certificate himself. There is not much point in having an SSL certificate that asserts "Trust me because I say so" on a public-facing Web site. External-facing applications need an SSL certificate that asserts "Trust me because a trusted third party has vouched for my identity." Self-signed certificates are used for internal purposes such as development and testing.

Self-signed certificates have a number of advantages for development and testing:
• They can be created quickly
• They incur minimal, if any, cost
• They can be customized to meet specific needs; for example, validation periods, wildcard subjects, etc.
• They are managed completely internally and do not depend on interactions with a third party
Planning SSL certificate deployments is a critical step that allows you to identify which applications and servers need SSL certificates. This step in turn allows you then to select the best type of SSL certificates for your requirements. The next step to follow after this process is to actually deploy the SSL certificates to your servers.
Key Points About Choosing and Deploying SSL Certificates
As you are planning, deploying, and managing SSL certificates, keep in mind several key points about choosing and deploying them. SSL certificates are used for two security operations: securing communications and authenticating systems.
Secure communications are required when confidential or private information is exchanged. This is certainly the case when data such as credit card numbers are exchanged, but this is not the only scenario. Sometimes attackers can piece together information incrementally over time. There may be no case where a single transaction had all the details the attacker needed to steal information or compromise a system, but if the attacker has access to multiple transactions or data exchanges, it is possible to cull useful information to further the attacker's objectives.
Authentication with SSL certificates allows client devices to verify that the server they are working with possesses a certificate from a trusted third party created for use on only that server (or set of servers in the case of wildcard or SAN certificates). Confidence you are working with a legitimate server is a building block to something more important: building the trust between a customer and a business.
We use SSL certificates to mitigate the risk that users will be lured into using illegitimate or otherwise malicious devices. Customers have visual cues, such as locks and green bar indicators, that reinforce the idea that particular security measures are in place to protect this customer. Ideally, customers will understand that lack of such cues on sites that usually have them is an indicator of a potential problem.
Like any IT asset, SSL certificates require maintenance. Fortunately, this is minimal. The key things we need to keep in mind once we have selected the appropriate type of certificate are to monitor the valid dates of use and to track the use of wildcard certificates so that they are not used on servers for which they are not intended. Also consider whether you have special requirements that might necessitate a SAN SSL certificate.
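The maintenance tasks named here (watching validity dates and tracking where wildcard and SAN certificates are actually installed), the wildcard caveat in the section on certificate types, and the Chapter 2 guidelines (no self-signed certificates on externally accessed servers, renew before expiry) can all be checked against a simple certificate inventory. The following Python script is an added example, not code from the book or from Realtime Publishers; the CertRecord fields, the inventory entries, the host names, the fixed "today" date and the 30-day renewal lead time are assumptions constructed for illustration, and a real deployment would populate the records from the certificates themselves.

```python
"""Certificate inventory audit: expiry lead time, wildcard/SAN coverage of
the hosts a certificate is deployed on, and self-signed certificates on
externally reachable servers.

Added example, not code from the book; the inventory records and the
"today" date below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CertRecord:
    name: str                 # inventory label (assumed naming convention)
    subject_cn: str           # certificate subject common name, e.g. "*.example.com"
    sans: list[str]           # subjectAltName DNS entries; empty for CN-only certificates
    issuer_cn: str            # issuer common name; equals subject_cn for a self-signed certificate
    not_after: date           # end of the validity period
    external: bool            # True if customers or partners reach these servers
    deployed_on: list[str] = field(default_factory=list)   # host names that present this certificate


def name_matches(pattern: str, host: str) -> bool:
    """Decide whether a certificate name covers a host name.

    A wildcard is honoured only as the entire left-most label, which is how
    browsers treat it: "*.example.com" covers "www.example.com" but neither
    "example.com" nor "a.b.example.com"."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    return len(plabels) == len(hlabels) and hlabels[0] != "" and plabels[1:] == hlabels[1:]


def covered_names(cert: CertRecord) -> list[str]:
    """Browsers check the SAN list when present and fall back to the CN otherwise."""
    return cert.sans if cert.sans else [cert.subject_cn]


def is_self_signed(cert: CertRecord) -> bool:
    return cert.issuer_cn == cert.subject_cn


def audit(certs: list[CertRecord], today: date, renew_lead_days: int = 30) -> dict[str, list[str]]:
    """Return findings grouped by category; each finding is one readable line."""
    findings: dict[str, list[str]] = {
        "expired": [], "expiring": [], "uncovered_host": [], "self_signed_external": []
    }
    for c in certs:
        days_left = (c.not_after - today).days
        if days_left < 0:
            findings["expired"].append(f"{c.name}: expired {-days_left} days ago")
        elif days_left <= renew_lead_days:
            findings["expiring"].append(f"{c.name}: {days_left} days left, renew now")
        if c.external and is_self_signed(c):
            findings["self_signed_external"].append(
                f"{c.name}: self-signed certificate on external host(s) {', '.join(c.deployed_on)}")
        # A wildcard or SAN certificate copied to a host outside the names it
        # covers produces a browser name-mismatch error on that host.
        for host in c.deployed_on:
            if not any(name_matches(n, host) for n in covered_names(c)):
                findings["uncovered_host"].append(f"{c.name}: deployed on {host}, which it does not cover")
    return findings


# Constructed sample inventory (example.com / example.net are reserved documentation names).
SAMPLE_TODAY = date(2024, 1, 15)
SAMPLE_CERTS = [
    CertRecord("shop-wildcard", "*.example.com", ["*.example.com", "example.com"], "Example Public CA",
               date(2024, 8, 1), True, ["www.example.com", "shop.example.com", "api.partner.example.net"]),
    CertRecord("support-portal", "support.example.com", [], "Example Public CA",
               date(2024, 1, 27), True, ["support.example.com"]),
    CertRecord("dev-test", "dev.example.internal", [], "dev.example.internal",
               date(2025, 1, 1), False, ["dev.example.internal"]),
    CertRecord("legacy-docs", "docs.example.com", [], "docs.example.com",
               date(2024, 1, 10), True, ["docs.example.com"]),
]


def run_sample() -> dict[str, list[str]]:
    return audit(SAMPLE_CERTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for category, lines in run_sample().items():
        for line in lines:
            print(f"[{category}] {line}")
```

Running the script prints one line per finding. The name-matching rule is the one browsers apply to wildcard names (the wildcard must be the whole left-most label), so a host reported as uncovered is one on which customers would see a name-mismatch error, which is exactly the kind of error the Chapter 2 guidelines aim to avoid.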
Summary
Web applications often require the use of SSL certificates in order to enable basic authentication and encryption services. Planning how to best deploy SSL certificates begins with assessing the kinds of operations performed by applications. Do they exchange private or confidential data, such as credit card information? If so, then SSL certificates should be used to enable encryption and preserve confidentiality. Is there a risk of customers being lured to malicious sites that appear to be one of your business sites? If so, then SSL certificates are needed for authentication.
Deploying SSL certificates is not difficult, but the process is often specific to your OS or application. Some applications, such as Microsoft IIS, have specialized tools for managing SSL certificates. Fortunately, once SSL certificates are deployed, they have relatively low maintenance requirements.

Download Additional Books from Realtime Nexus!
Realtime Nexus, the Digital Library, provides world-class expert resources that IT professionals depend on to learn about the newest technologies. If you found this book to be informative, we encourage you to download more of our industry-leading technology books and video guides at Realtime Nexus. Please visit http://nexus.realtimepublishers.com.
