Download presentation
Presentation is loading. Please wait.
1
HTTPS in 2015 Eric Lawrence @ericlaw
2
Quick Introductions Eric Lawrence @ericlaw
3
Why? Bad guys Government snoops Non-neutral networks (Gogo, corporate) “Value adding providers” Rewards Increased user trust Better search ranking More reliable egress (HTTP2; WebSocket)
4
The Stack Your Client Browser HTTP SSL/TLS TCP IP
5
HTTPS Provides… Authentication Confidentiality Integrity
6
How? Public Key Infrastructure for certificate chains Public Key Cryptography for key exchanges Symmetric Cryptography for data transfers
7
Certificates
8
Hash Algorithms MD5 busted SHA1 heading that way SHA256 entering mainstream in 2015
9
Validating the Certificate Validate certificate signature Validate it is within validity period Validate it chains to trusted root Validate Subject CN or SubjectAltName contains hostname of the target… – Wildcards Check to see if it was revoked
10
Extended Validation SSL BankoftheVVest.com phishing site Domain validation and the race to the bottom
11
Ciphers, Hashes, and MACs oh my…
12
Initial Handshake
14
SNI Extension Break the IPEndpoint->Server mapping Important to allow HTTPS virtual hosting Not available on WinXP or Android < v2.3
16
Forward Secrecy If you can record ALL of the traffic… And you’re using RSA… And you can ever steal or crack the private key (at any point in the future… Achieving Forward Secrecy Do not use the RSA key exchange, which does not provide forward secrecy. Instead, look for the string ECDHE or DHE in the cipher suite name. RSA can be used for key exchange and authentication; there is nothing wrong with the latter.
17
Popular Ciphers Triple-DES RC4 AES ChaCha (new)
18
Revocation CRL (Certificate Revocation List) OCSP (Online Certificate Status Protocol) Deployed blocklists
19
Certificate Pinning Built-into browser Distributed with security software like Microsoft EMET New HTTP Public Key Pinning header https://tools.ietf.org/html/draft- ietf-websec-key-pinning-21 https://tools.ietf.org/html/draft- ietf-websec-key-pinning-21 Public-Key-Pins: pin- sha256="GHI..."; pin- sha256="JKL..."; max-age=… report-uri=…; includeSubDomains
20
Certificate Transparency http://www.certificate-transparency.org/ Google Chrome intends to require Certificate Transparency (CT) for all EV certificates issued after 2014. A SCT “Signed Certificate Timestamp” is added to the certificate.
21
Performance
22
https://www.youtube.com/watch?v=0EB7zh_7UE4
24
Session Resumption http://calendar.perfplanet.com/2014/speeding-up-https-with-session-resumption/
25
ECC Public Keys ECC certificates offer stronger security and smaller certificates - e.g. a 256-bit ECC key is equivalent to a 3072-bit RSA key.stronger security and smaller certificates http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
26
Run Latest Versions
27
I’m in!
30
Enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server: https://example.com is immediately live. The Let’s Encrypt management software will: Automatically prove to the Let’s Encrypt CA that you control the website Obtain a browser-trusted certificate and set it up on your web server Keep track of when your certificate is going to expire, and automatically renew it Help you revoke the certificate if that ever becomes necessary. No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.
31
WebDev Errors Critical Mistake #1: Non-HTTPS Login pages (even if submitting to a HTTPS page).
32
WebDev Errors Critical Mistake #2: Mixing HTTP Content into a HTTPS page
33
HSTS
34
http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security- attacks-mitigations-deployment-https.aspx Insecure references are upgraded Certificate errors are fatal Use the HTTPS response header: Strict-Transport-Security: max-age=63072000; includeSubDomains Or get on the browsers’ pre-load list (avoid bootstrapping problem)
35
Fiddler Visualization If there’s an exclamation point in the column, you’ve done something wrong!
36
Migration Guide https://t.co/0ORIlnp64Y https://t.co/0ORIlnp64Y Chris Palmer @fugueish Use STS Use Secure attribute on cookies Protocol-relative URLs Run the Qualys SSLLabs Server test
37
SSLLabs
38
HTTPS all the Things!
39
Best Practice Secure everything. It’s very hard to predict future attack scenarios. Yes, really.
40
HTTP Content indicator
42
Not Just Browsers…
43
Hacks
47
HTTPS Traffic Analysis Source IP Destination IP Server Name (via SNI) Higher-level protocol (via ALPN) Client Certificates (if sent before encryption)
49
Implementation Issues Truncation Compression Clickthrough UI
50
Implementation Issues Truncation Compression Clickthrough UI
51
Implementation Issues Truncation Compression Clickthrough UI
52
MITM/MITB Attacks
54
Extended Validation Won’t Help
57
Heartbleed http://xkcd.com/1354/
58
Sometimes, you do attack the crypto
59
Crypto Deep Dive later this morning…
60
Book: Bulletproof SSL and TLS https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ Coupon Code for 25% off CODEMASH Valid January 1st to 31st Free Chapter: https://www.feistyduck.com/books/openssl-cookbook/
61
Thanks for coming! Questions? Find me on Twitter: @ericlaw Email me: e_Lawrence@hotmail.com Go forth and secure all the things!
62
See how lightsabers are built…
63
Combatting breach?
Similar presentations
© 2018 SlidePlayer.com Inc.
All rights reserved.
Ppt on land pollution in india Ppt on e-sales order processing system Ppt on remote operated spy robot Ppt on market value added Ppt on group development model Ppt on indian villages our strength or weakness Ppt on pathophysiology of obesity Ppt on power system reliability Ppt on meeting skills training Time management for kids ppt on batteries