TPG: Tell us about your book, Bulletproof SSL and TLS. What are the biggest takeaways for IT security professionals?
IR: Bulletproof SSL and TLS came out of my frustrations with the complexities of the TLS and PKI ecosystem and especially the lack of good documentation. Making the right decisions is easy when you know how things work, but getting to that point used to require months of research and reading. Thus, I decided to go through all that and document my journey so that it would be easier for others, or for me, when I inevitably forget. I’d been writing the book in parallel with my work on SSL Labs, which started in 2009. So, I like to say that it took me five years to write the book, which is not far from the truth.
TPG: Explain eavesdropping and impersonation. How do these work?
IR: Eavesdropping used to be much more prevalent some years back when encryption wasn’t as ubiquitous as it is today. All this network traffic would travel along the Internet in plaintext, making it easy to collect and modify, either locally (in your favorite cafe) or at scale (think government agencies). Impersonation would be somewhat more involved, but not that difficult. It’s trivial to simply hijack the communication channel and claim to be someone else. I mean, in real life, would you be able to tell if a typed letter you receive in the post came from a specific person? Encryption defeats both of these threats, by layering encryption (ensuring your communication stays confidential and unchanged) on top of authentication (ensuring you’re talking to the right entity on the other end).
TPG: What are the three most important things organizations can do to protect their systems?
IR: I would say that the most important thing is to develop a strong security culture that involves developers and system administrators. There’s always going to be the need to monitor and test security, but only those who are building and maintaining systems can get it right.
After that, focus on standardization and automation; these two together will ensure that things are secure by default as well as that you can iterate quickly to deal with challenges as they come.
TPG: What do you see as the biggest vulnerabilities for organizations today?
IR: I am going to cheat a little in answering and say that the biggest vulnerability is the lack of a strong security culture. It’s a meta vulnerability, really, because without a system in place to deal with security you’re just introducing new problems all the time. There is little hope that you will ever be able to clean up after the fact.
TPG: What types of attacks are generally executed using TLS encryption?
IR: About a decade ago we had a period when problems with encryption were rife, and it seemed that a new problem would be discovered every day. These days it feels that we’ve run out of problems. Even TLS 1.3 got released, after many, many years in development, and so maybe we can finally move on. On the other end, Certificate Transparency helped a lot by adding visibility to the entire PKI system. That said, if there’s one thing that we’ve learned in the past decade, it’s that the traffic metadata is very important. In many cases, you don’t need to know what was talked about, if you know the parties involved in the conversation. Just a couple of days ago I saw a research paper that claims that you can know what sites someone is visiting purely by monitoring which IP addresses they communicate with.
TPG: What are your top recommendations for a PKI implementation?
IR: Standards for TLS configuration, plus automation for certificate deployment. Automation is very important because you don’t want your best employees to spend their time doing menial work. Monitoring is also important, because things break. And there is sometimes a danger, when you automate something, of thinking that it will run forever. I am a big fan of monitoring via Certificate Transparency, which is a fantastic and very easy way to monitor how your domain namespaces are used and secured.
TPG: What can be done to make servers more secure?
IR: Two things: First, we need to make sure our components are secure by default. Second, we need to assemble the components in secure ways. Both of these are enormously challenging. On the development side, the predominant deciding factor for technology selection is still popularity, rather than security. On the assembly side, we’ve made great strides recently with the DevOps movement, but things are still done in a way that’s equivalent to duct tape everywhere.
TPG: What are you working on now? Tell us about Hardenize.
IR: Hardenize is my latest attempt to assist organizations small and large to understand what issues they’re dealing with and, above all, help them build systems that are secure from the first day. It’s my attempt to make it possible to make quick decisions with as little time as possible, and certainly without having to become a security expert. So, if you come to the homepage of Hardenize today, we give you a free and comprehensive report that will analyze your web site and help you straight away. We know you don’t want to register, ask us for a quote, get your budget approved, and so on. Commercially, we focus on continuous monitoring of your entire infrastructure, with emphasis on automated discovery, certificate and Certificate Transparency monitoring, and so on. Overall, we want to help you find your properties, keep them working, understand how they’re configured, and guide you to make them more secure!