Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSP STS PKP ETC OMG WTF | scotthelme.co.uk Scott Helme.

Published byFay Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "CSP STS PKP ETC OMG WTF | scotthelme.co.uk Scott Helme."— Presentation transcript:

1 CSP STS PKP ETC OMG WTF BBQ… @Scott_Helme | scotthelme.co.uk Scott Helme

2 How security has evolved

3 Browser support

4 Content-Security-Policy Content-Security-Policy-Report-Only X-Webkit-Content-Security-Policy X-Content-Security-Policy Public-Key-Pins Public-Key-Pins-Report-Only Strict-Transport-Security What are security headers? X-Content-Type-Options X-Frame-Options X-XSS-Protection X-Download-Options X-Permitted-Cross-Domain- Policies

5 Content Security Policy

6 Content Injection …

7 Mitigating XSS var message = “Hello World!!!”; alert(message);

8 What is CSP? cache-control: max-age=0, no-cache content-encoding: gzip content-security-policy: [policy goes here] date: Fri, 22 Apr 2016 10:00:00 GMT server: nginx status: 200

9 child-src connect-src default-src font-src frame-src* CSP Directives img-src media-src object-src script-src style-src * deprecated

10 A basic policy Content-Security-Policy: default-src ‘self’ cdnjs.com

11 Fine tuning Content-Security-Policy: default-src ‘self’; script-src ‘self’ cdnjs.cloudflare.com ajax.googleapis.com

12 Fine tuning Content-Security-Policy: default-src ‘self’; script-src [source list]; style-src [source list]; img-src [source list]; child-src [source list];

13 form-action frame- ancestors Additional CSP Directives block-all-mixed-content upgrade-insecure- requests

14 form-action frame- ancestors Additional CSP Directives block-all-mixed-content upgrade-insecure- requests...

15 form-action frame- ancestors Additional CSP Directives block-all-mixed-content upgrade-insecure- requests

16 form-action frame- ancestors Additional CSP Directives block-all-mixed-content upgrade-insecure- requests

17 Testing CSP Content-Security-Policy-Report-Only: [policy]

18 CSP Reporting Content-Security-Policy-Report-Only: [policy]; report-uri https://scotthelme.report-uri.io { "csp-report": { "document-uri": "https://scotthelme.co.uk/ecdsa/", "violated-directive": “script-src ‘self’", "original-policy": “[policy here]", "blocked-uri": https://evil.com...

19 Migrating from HTTP to HTTPS Content-Security-Policy-Report-Only: default-src https:; report-uri https://scotthelme.report-uri.io

20 Public Key Pinning

21 Rogue Certificates scotthelme.co.u k

22 What is PKP? cache-control: max-age=0, no-cache content-encoding: gzip public-key-pins: [policy goes here] date: Fri, 22 Apr 2016 10:00:00 GMT server: nginx status: 200

23 pin-sha256 max-age includeSubDomain s PKP Directives

24 A PKP Policy Public-Key-Pins: pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; includeSubDomains; max-age=2592000

25 What’s in a pin? scott@scotthelme:~$ openssl x509 -in ecdsa.crt -noout -text Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:82:2a:6e:ae:28:2f:9a:9a:e4:46:14:e4:ed:5e: 8d:01:87:e9:cd:22:56:ec:e5:7b:04:55:66:8f:d4: bc:bb:8a:01:9e:a1:f9:be:b6:0b:c4:ec:b7:32:1e: 77:56:01:6b:cd:69:74:f6:32:65:84:d8:36:88:a1: 0f:35:31:9a:7c ASN1 OID: prime256v1

26 Where to pin? scotthelme.co.u k Let’s Encrypt X3 DST Root

27 Leaf Pin scotthelme.co.u k

28 Intermediate Pin Let’s Encrypt X3 DigiCert CA2

29 Root Pin DST Root DigiCert Root

30 PKP Reporting Public-Key-Pins-Report-Only: [policy]; report-uri https://scotthelme.report-uri.io { “served-chain”: “-----BEGIN CERTIFICATE-----”, “validated-chain”: “----- BEGIN CERTIFICATE -----”, “known-pins”: “pin-sha256=X3pGTSOuJeEVw989IJ/cEtX”, “hostname”: “scotthelme.co.uk”

31 Strict Transport Security

32 Without HSTS GET http://twitter.com 301 https://twitter.com GET https://twitter.com HTTP HTTP S

33 SSL/TLS stripped HTT P HTTP S

34 What is STS? cache-control: max-age=0, no-cache content-encoding: gzip strict-transport-security: [policy goes here] date: Fri, 22 Apr 2016 10:00:00 GMT server: nginx status: 200

35 max-age includeSubDomain s preload STS Directives

36 An STS Policy Strict-Transport-Security: max-age=2592000

37 With HSTS http://twitter.com https://twitter.com HTTP S

38 Subresource Integrity

39 3 rd Party Trust scotthelme.co.u k somecdn.co m

40 What is SRI? <script src=“somecdn.com/jquery.min.js” crossorigin=“anonymous” integrity=“sha256-[base64] sha384-[base64]”>

41 What’s in an SRI hash? scott@scotthelme:~$ cat jquery.min.js | openssl dgst -sha256 -binary | openssl base64 caPmelCaJqLUfkrgijiKos9lChnIL86LgGnFmlLjeQA= scott@scotthelme:~$ cat jquery.min.js | openssl dgst –sha384 -binary | openssl base64 DqDekClqOt9+aTVU7IBnaTpoBsB9xjmmDaRy7qn58sv0IySoFcEbbUPgvR m0L1ZT

42 SRI deployed <script src=“somecdn.com/jquery.min.js” crossorigin=“anonymous” integrity=“sha256- caPmelCaJqLUfkrgijiKos9lChnIL86LgGnFmlLjeQA= sha384- DqDekClqOt9+aTVU7IBnaTpoBsB9xjmmDaRy7qn58sv0IyS oFcEbbUPgvRm0L1ZT”>

43 3 rd Party Trust scotthelme.co.u k somecdn.co m

44 Thanks! @Scott_Helme | scotthelme.co.uk Scott Helme

Download ppt "CSP STS PKP ETC OMG WTF | scotthelme.co.uk Scott Helme."

Similar presentations

SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
Pushing CSP to PROD Case Study of a Real-World Content- Security Policy Implementation.

Pushing CSP to PROD Case Study of a Real-World Content- Security Policy Implementation.
“If you can manipulate the data, game

“If you can manipulate the data, game
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
HTTPS in 2015 Eric Quick Introductions Eric

HTTPS in 2015 Eric Quick Introductions Eric
The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.

The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.
Build 2015 4/16/2017 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION.

Build /16/2017 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION.
HTTPS in 2015 Eric Quick Introductions.

HTTPS in 2015 Eric Quick Introductions.
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/1.1 200 OK.

How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Web Technologies Computer Security Lecture 9 Tom Chothia.

Web Technologies Computer Security Lecture 9 Tom Chothia.
Krishna Mohan Koyya Glarimy Technology Services

Krishna Mohan Koyya Glarimy Technology Services
Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.

Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.
Security CNS 4650 Fall 2004 Rev. 2 SSL, SASL, PKI.

Security CNS 4650 Fall 2004 Rev. 2 SSL, SASL, PKI.
Washington System Center © 2005 IBM Corporation August 25, 2005 RDS Training Secure Socket Layer (SSL) Overview z/Series Security (Mary Sweat, Greg Boyd)

Washington System Center © 2005 IBM Corporation August 25, 2005 RDS Training Secure Socket Layer (SSL) Overview z/Series Security (Mary Sweat, Greg Boyd)
호스트 인증서 신청 방법 How to Request Host Certificate 2007.10.01.

호스트 인증서 신청 방법 How to Request Host Certificate

Similar presentations

Ads by Google