SSL

SSL was developed in the first half of the 90s. The first version (1.0) was never published. The second version (2.0) "saw the light of day" in 1995 and was characterized by many security flaws. Their refinement led to the development of the third version of SSL (3.0), released in 1996. The SSL v.2 protocol was officially upgraded in 2011 in accordance with the technical specification RFC 6176.

For almost 20 years, SSL has been used to protect against attacks based on listening to a network connection. During this time, many vulnerabilities with different levels of criticality were discovered, which were eliminated. The experience of developing and developing SSL served as the basis for the creation of the TLS protocol. TLS developers took into account the experience and errors of their predecessors, and created the safest way to encrypt data to date.

2022: Russian organizations began to face revocation of SSL certificates. The problem was noticed at VTB, the Central Bank and Promsvyazbank. What should I do?

On February 28 and March 1, a number of Russian organizations noticed the revocation of SSL certificates. In particular, information appeared that the sites of the Central Bank of the Russian Federation and PSB were not opened using the https protocol due to the revoked certificates by the certification centers^[1]A similar problem was observed and the site VTB U^[2] organizations fell under Western sanctions against the background of Russia's military operation in Ukraine, which began on February 24.

In addition, the domain name registrar hosting Namecheap announced on February 28 that it would stop serving users from Russia and gave them until March 6 to transfer top-level domains to other providers.

An information security expert, a business consultant on information security Cisco Alexey Lukatsky March 1, warned that even those who are not under sanctions should think about backup options, since companies can stop supporting Russian enterprises and individuals simply by their own decision.

Revocation of SSL certificates from companies that have fallen under sanctions, in the current situation, quite a possible development of events (there are already examples). It is worth thinking about backup options. Moreover, even those who are not on the sanctions lists, since companies within the framework of support for Ukraine can, at will, stop supporting Russian enterprises and individuals, the expert wrote on his[3] Telegram channel].

Alexey Lukatsky explained to the Non-Digital Economy Telegram channel what are the backup options for SSL certificates:

Reserve options today, alas, are not so many and all of them have not been fully worked out, since hardly anyone assessed how much restrictions will affect the digital economy. Financial institutions can be helped by the Bank of Russia certification center that has earned since January 1 of this year (a slightly ironic situation - certificates will be issued by the organization from which the certificate was revoked itself). Government organizations can contact the Federal Treasury Certification Center. The rest of the organizations could help the TC FTS, but now it is not entirely clear whether he is ready for such a turn of events. The country also has the Main and National Certification Centers (HTC and NTC), but all the necessary regulatory framework has not yet been adopted for their functioning.

Also, the expert says, it is possible to switch to self-signed certificates, but in this case the entire meaning of the public key infrastructure on which e-commerce is built is lost, since there will be no single root of trust, if trust can be talked about at all in the current realities^[4].

2020: Russia entered the top ten countries in the use of SSL certificates

At the end of June 2020, the largest Russia hosting domain provider and registrar Reg.RU and the oldest certification center GlobalSign published a study in which they talked about the leading SSL certificate user countries, as well as how the global market was changing at the time of the coronavirus pandemic. COVID-19

Russia was in the top ten countries in terms of the number of SSL certificates used - their number in March 2020 was 1,476,822, in March it fell to 1,297,920. In April, the figure reached 1,325,999 certificates. Despite the difficulty of forecasting in the current situation, over the past 4 years, there has continued to be significant dynamics in the growth of SSL certificates across all countries, the report says.

Russia in a dozen countries in terms of the number of valid SSLs

The championship in the number of sites continues to hold the United States. The list of traditional leaders of the largest countries in Western Europe this year was joined by Japan, which took 3rd place. Also this year, China entered the top 10 countries, closing the list of leaders. Russia continues to occupy the 9th line of the rating, leaving behind Italy, Austria, Switzerland and Spain.

 The top 5 certification centers in terms of the number of SSL issued in.RU include:

• Let's Encrypt (960000);
• Cloudflare (110000);
• DigiCert (85000);
• GlobalSign (75000);
• Sectigo (55000).

Let's Encrypt's significant advantage is associated with the ability to receive free SSL certificates there for up to 90 days.

In.RU, the most certificates with a validity period of less than a year (81%) and 1 year (18%). The most popular format for using one SSL certificate for one domain is more than 1 million. But multi-domain certificates (SANs) are also in demand. So, in total, the number of those that fall on 3-10 domains is about 80 thousand.

According to experts, the COVID-19 pandemic has affected the economies of almost all countries and industries. Due to the situation with the pandemic since the beginning of 2020, compared to the same period last year, there is a slight lag in the growth of SSL certificates, which affected most countries.^[5]

2019

The most common encryption of Internet traffic makes users defenseless against hackers

The widespread increase in the use of SSL enciphering traffic leads to the fact that corporate security systems do not see about half cyber attacks directed at end users inside the perimeter. This follows from the results of a study of threats in the field of cloud security of the company Zscaler^[6]

Attackers are eager to use SSL encryption, since, as indicated in the study, now it has become very easy to obtain the corresponding certificates.

"As data privacy concerns have grown, there has been a powerful trend towards encrypting Internet traffic by default," said Amit Sinha, Senior CTO and Vice President of Zscaler. "For privacy, this is really a great solution, but for IT security, this is a new problem. Decryption, research and re-encryption of traffic is a non-trivial task, in traditional network security devices it causes a sharp decline in performance, and most organizations do not have technical equipment to inspect encrypted traffic in the proper volumes. "

According to him, today a significant part of cyber threats are "delivered" through encrypted traffic, and the security systems of organizations do not see more than half of the malware that is sent to employees of these organizations.

Russia - in the top 10 countries in terms of the number of valid SSLs

On February 19, 2019, it became known that hosting-provider and the registrar domains REG.RU certification center GlobalSign and presented data about the leading countries-users of SSL certificates. Russia ranks 9th in the ranking, ahead of,, and China Denmark Switzerland other countries.

As reported, the information security (IS) market has increased in rapid steps over the past few years. Companies began to invest more in cybersecurity, conclude more contracts. The global digital security goods and services market is growing, in particular, the SSL industry. In the global market, the number of sites that have switched to a secure HTTPS connection has increased by an average of 2 times over the past year. Such dynamics apply to both developed and many developing countries.

For the past five years, the championship in the number of sites protected by SSL has been held by Western and North America Europe. Japan This is due historically to the leading role that information security occupies in these countries, as well as the adoption of cryptographic algorithms RSA/SHA as national ones, which allows, adhering to standards, to implement information security products faster than in those countries that have their own cryptographic standards and uncertain legal norms in using SSL, as, for example, in where Russia GOST cryptographic algorithms exist.

However, Russia has made a strong push towards safe traffic: since 2017, the number of protected sites with certificates has increased by 3 times. As of February 2019, Russia ranks 9th in the world ranking.

The breakthrough jump in the Russian SSL market was facilitated not only by the appearance of a variety of certification centers on it, but also by special programs. For example, since 2015, REG.RU and GlobalSign have launched the issuance of SSL certificates for 1 year, complete with a domain or hosting as part of the SSL popularization program. REG.RU clients have the opportunity to use the valid SSL certificate for free and test its work in practice. As of February 2019, since the work of the program, more than 300 thousand certificates have been issued.

According to the analytical resource StatOnline.ru, in January 2019, 896 thousand SSL certificates were active in the .RU zone, and 98 thousand in the RF, including self-signed ones. Moreover, the number of valid SSLs significantly exceeds the number of invalid ones - 880 thousand certificates issued to domains in the.RU and.RF zone.

In Russia, as of February 2019, there are 3 leaders among certification centers in terms of the number of SSL issued in.RU: Let's Encrypt, COMODO CA Limited and GlobalSign. Let's Encrypt's significant advantage is due to the ability to receive free SSL certificates in this CA for up to 90 days.

In.RU, the most certificates with a validity period of less than a year (80%) and 1 year (18%). The most popular format is to use one SSL certificate for one domain. But multi-domain certificates (SANs) are also in demand.

In the regions of Asia, Eastern Europe, Latin America, the growth of SSL market share is low, but stable. This allows us to say with confidence that the positive trend of the transition of sites to HTTPS around the world will continue in the coming years.

We can mention several changes that have occurred in the SSL industry in recent years and speak in favor of continuing to grow the share of secure sites: this is an increase in the position of HTTPS sites in search results, Google marking HTTP sites as unsafe in, browser Chrome an increase in demand for OV- and EV-level certificates, a reduction in the maximum validity period of SSL certificates from 3 to 2 years, as well as a transition from an outdated cryptographic hashing algorithm SHA-1 to SHA-2. Dmitry Ryzhikov, Executive Director of GMO GlobalSign Russia

As of February 2019, in the era of digitalization of the economy and the transition to the online predominant part of goods and services, it is especially important to take care of the security of the Internet project and its customers. SSL certificate is an integral element of commercial projects on the Web. We and our partner GlobalSign will continue to provide everyone in the Russian market with an affordable tool, including an SSL certificate for one year complete with hosting or domain. Alexey Korolyuk, REG.RU CEO

2017

Comodo sold its SSL certificate business

Gray scale - the percentage of sites using SSL certificates; green scale - market share

Comodo suddenly sold its website security certificate business to a major venture capital firm, Francisco Partners, focused on investing in high-tech businesses, it learned in late October 2017.^[7] The deal was not disclosed. Read more here.

Comodo until recently was the leading certification center in the world. According to the company itself, it has issued 91 million certificates and, as of November 2017, serves 200 thousand customers in 150 countries. Comodo accounts for 38.7% of the market, according to W3Techs; The company provides SSL certificates to 16.6% of all sites on the Web.

Russian state encryption standard

The Russian authorities have begun implementing a plan to introduce digital encryption certificates (SSL). The Sputnik search engine and the public services portal will be the first to switch to using domestic encryption certificates.

Pavel Khramtsov, head of the Netoscope project, confirmed the information about the creation of the state encryption standard, which is actively used in electronic digital signatures.

Russia is a "certificate-dependent" country. Today, almost all Russian sites use foreign SSL certificates, which can be easily revoked by foreign organizations.

Ilya Massukh, director of the competence center for import substitution in the field of information and communication technologies, noted that Russian certificates must be introduced gradually. First, you need to pay attention to services that store personal data, legal information and financial transactions^[8].

Russia: the number of sites with SSL certificates has quadrupled over the year

According to the analytical service StatOnline, in Russian national domain zones, the number of sites using SSL certificates has quadrupled over the year. In July 2015, in the.RU zone, the number of such resources was 109 thousand, in the same month of 2016 - 189 thousand, and in July 2017 - 531 thousand. The indicators of the RF zone amounted to 18 thousand, 21 thousand and 65 thousand, respectively.^[9]. At the same time, the most common period of validity of an SSL certificate is less than 1 year. So, in the.RU zone, the number of such certificates is 82% of the total, and in the.RF zone - 95%. You can read more about this here.

Google will stop supporting SSL certificates from Symantec

Starting October 2018, Google will completely discontinue support for SSL certificates issued by Symantec. This decision is based on the results of the Symantec Certification Authority (CA) investigation.^[10]

In 2016, Google and Mozilla engineers discovered that Symantec had violated rules agreed by the CA/B Forum, which regulates SSL certificate issuance procedures. In March 2017, researchers revealed that Symantec violated the rules for issuing 127 SSL certificates. On this fact, Google initiated an investigation, during which the initial estimate increased to a colossal figure exceeding 30 thousand certificates.

As a result, Google announced its intention to gradually remove support for Symantec certificates in Chrome. Mozilla, Microsoft or Apple, dissatisfied with Symantec's numerous violations of SSL certificates, allowed Google to lead the investigation, which lasted several months.

Symantec SSL Certificate Issuance Process will be changed

Symantec denied the results of the above investigation, calling them "exaggerated and misleading," but eventually agreed to negotiations. During the negotiations, the parties agreed to some concessions and divided the entire process of changing the issuance of certificates into 3 phases.

The first phase is December 1, 2017. Symantec will have to work with another CA, which in turn will issue SSL certificates on behalf of the company. Thus, from a technical point of view, Symantec will become a Subordinate Certificate Authority/SubCA, but will be able to issue new SSL certificates and retain its clients.

The second phase will begin with the release of the Chrome 66 browser (presumably in April 2018). Starting with this version, Chrome will display errors for Symantec SSL certificates released before June 1, 2016.

The third phase will begin with the release of Chrome 70 (tentatively, October 2018). Chrome will cease to trust all sites with SSL certificates from Symantec released before December 1, 2017. Website owners and other developers using SSL certificates from Symantec within their application will need to contact Symantec for a new SSL certificate or contact another service provider.

GlobalSign leads the market for SSL certificates in Russia in terms of sales

GlobalSign became the leader in the SSL certificate market by sales volume in Russia according to Netcraft, published in the statistical report for June 2017. GlobalSign's market share in the reporting month was 48.74% versus 26.26% and 16.52% for WoSign and Symantec, respectively.^[11]

According to Netcraft, the number of websites using GlobalSign SSL certificates on the Russian market in June 2017 exceeded 15 million, which is 3 times higher than in June 2016.

Reggie Oishi, Managing Director of the Russian office of GlobalSign, noted: "It was possible to achieve positive sales growth dynamics thanks to the opening of the Russian subsidiary in 2013 and its active work over the past years. GlobalSign pays special attention to customer support, which allows you to provide full-featured Russian-language administrative and technical support to customers and partners. We also offer customers flexible terms and competitive pricing. "

The analytical report was compiled taking into account websites using SSL certificates of recognized certification centers whose common name in the certificate coincided with hostname. The subject country field was the Russian Federation. Self-signed certificates were not considered in the study.

In general, according to Netcraft estimates, over the past few years there has been a confident and positive trend in the growth of the SSL market in Russia. The total volume of the certificates market continues to increase and amounted to 32.2 million certificates in June 2017.

Dr.Web: bank-client applications using SSL v.2 are not secure

At the beginning of the year, the Dr.Web technical support service received requests from users of company products who are simultaneously users of bank-client applications using the insecure SSL v.2 protocol. In this regard, Dr.Web issued the following clarification.

Due to numerous vulnerabilities in SSL v.2, the use of this protocol, as well as applications using it, is unsafe.

In particular, when using this protocol, man-in-the-middle attacks (MITM attacks) and attacks that allow you to change the course of data transfer are possible. The MD5 hashing algorithm used in SSL v.2 is currently also compromised and is not recommended for use.

As it became clear from the requests of Dr.Web users to the technical support service, the bank-client applications of some Russian banks continue to use the unsafe SSL v.2 protocol. Employees of the customer support services of these banks even advised our users who had problems working with banking applications due to the work of Dr.Web to uninstall Dr.Web antivirus, putting the funds of their own clients at serious risk.

Doctor Web recommends that users of unsafe applications update them. If it is not possible to update, users can allow their use, including the use of an unsafe protocol, in the Dr.Web product settings.

If you decide to use the bank-client system, ask the bank for the security of the protocol used in the application, and if you use SSL v.2 or SSL v.3, refuse to use the application.

2016

When issuing SSL certificates in the Russian Federation, domestic encryption algorithms will be used

The Russian government plans to abandon foreign encryption tools and replace them with domestic ones. In particular, encryption algorithms developed in Russia will be used when issuing SSL certificates. This position is supported by the Ministry of Communications and the FSB, Kommersant reports with reference to the head of the working subgroup "Internet + sovereignty" under the presidential administration Ilya Massukh^[12].

According to the expert, the Russian Federation has its own encryption tools and ready-made versions of the TLS protocol using cryptographic algorithms corresponding to GOST. According to Massukh, there are already beta versions of the Sputnik and Yandex browsers using domestic encryption algorithms. True, representatives of Yandex refute this information.

Earlier it was reported that the presidential administration of the Russian Federation was considering the possibility of creating a state certification center (CA). According to Massukh, the issuance of SSL certificates with encryption algorithms developed in the Russian Federation will be handled by the Voskhod Research Institute certification center or another UT accredited by the Ministry of Communications. In domestic browsers, CA data will be added to the trusted list by default.

As Massukh explained, first of all, SSL certificates with Russian encryption algorithms from the local certification center will use government resources and the public services portal. In this regard, amendments will be made to the Federal Law "On Ensuring Access to Information on the Activities of State Bodies and Local Self-Government Bodies."

According to the general director, Qrator Labs Alexandra Lyamina the use of a set of SSL certificates on one domain, including from the Russian CA, is quite possible. The expert noted that from the point of view of national security, this is very reasonable, although it "gives up paranoia." In addition, the local CA can cause man-in-the-middle attacks, because everyone who has access to the root certificate will be able to intercept and decrypt the transmitted data. As an example, Lyamin cited the case with China and. Google Due to frequent incidents of traffic interception, the company even planned to remove the local CA certificate from the list of trusted persons. browser Chrome

90% of public SSL VPN servers use untrusted or outdated encryption

High-Tech Bridge conducted a study to find out the current state of affairs in the SSL VPN services market. The study was conducted using a free SSL scanner developed by the company.

Experts checked 10,436 randomly selected public SSL VPN servers from Cisco, Fortinet and Dell vendors.

77% of verified SSL VPN servers use the unreliable SSLv3 protocol, while several dozen servers use version SSLv2. A number of security standards, including PCI DSS or NIST SP 800-52, prohibit the use of the SSLv3 protocol due to numerous vulnerabilities.

As it turned out, 76% of SSL VPN servers use untrusted SSL certificates. These certificates allow a remote attacker to intercept traffic using a man-in-the-middle attack. 74% of certificates are signed using SHA-1, and 5% use the outdated MD5 hash algorithm, the study showed.

According to the data obtained, 41% of SSL VPN servers use digital certificates containing 1024-bit RSA keys, and 10% of servers that support OpenSSL are affected by the Heartbleed vulnerability. As it turned out, only 3% of servers meet PCI DSS standards, but none of the tested servers meet the requirements of USA The National Institute of Standards and Technology (NIST).

According to the results of the study, only 3% of the analyzed SSL VPN servers received the highest assessment of the reliability of SSL/TLS encryption, while 86% earned the lowest score.

See also

• TLS (Transport Layer Security)

• PKI
• PCI DSS
• Https

Notes