Slide 1

Slide 1 text

HTTPS is Not Enough @pimterry

Slide 2

Slide 2 text

@pimterry

Slide 3

Slide 3 text

Don’t try this at home

Slide 4

Slide 4 text

Everything is Terrible

Slide 5

Slide 5 text

Interception is pretty hard

Slide 6

Slide 6 text

Interception is easy

Slide 7

Slide 7 text

Interception is easy: open Wi-Fi

Slide 8

Slide 8 text

Interception is easy: ARP spoofing

Slide 9

Slide 9 text

Interception is easy: evil twin Wi-Fi

Slide 10

Slide 10 text

Interception is easy

Slide 11

Slide 11 text

HTTPS will Save The Day

Slide 12

Slide 12 text

HTTPS is Not Enough

Slide 13

Slide 13 text

HTTPS is not enough: You → https://example.com (Secure!) → Your Bank

Slide 14

Slide 14 text

HTTPS is not enough: You → http://example.com (Insecure) → Me → https://example.com (Secure!) → Your Bank

Slide 15

Slide 15 text

HTTPS is not enough: You → https://exomple.com (Secure! but useless) → Me → https://example.com (Secure!) → Your Bank

Slide 16

Slide 16 text

Pre-HTTPS MitM ≈ HTTPS MitM

Slide 17

Slide 17 text

Pre-HTTPS MitM: How do you get to HTTPS?

Slide 18

Slide 18 text

Pre-HTTPS MitM: Enter a URL → Securely do things

Slide 19

Slide 19 text

Pre-HTTPS MitM: Enter example.com → Load http://example.com → Redirected to https://example.com → Securely do things!

Slide 20

Slide 20 text

Pre-HTTPS MitM: Enter example.com → Load http://example.com → Hijack request, transparently proxy it without the redirect, and do what you like → Securely do things? NOPE. GAME OVER

Slide 21

Slide 21 text

Pre-HTTPS MitM: Load a page → Click a link → Securely do things

Slide 22

Slide 22 text

Pre-HTTPS MitM: Load http://linking-site.com → Click link to https://example.com → Securely do things!

Slide 23

Slide 23 text

Pre-HTTPS MitM: Load http://linking-site.com → Proxy rewrites all links to HTTP → Click link to http://example.com → Transparently proxy your request → Securely do things? NOPE. GAME OVER
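The two hijacks on slides 20 and 23, as an added simulation that is not the speaker's code or tool: the attacker's transparent proxy answers the victim's plaintext request itself, follows the origin's HTTP-to-HTTPS redirect on the victim's behalf so the browser never sees it, and rewrites every https:// link in the page to http:// so the next click also arrives in plaintext. The origins, URLs and page bodies are constructed stand-ins; there is no network access.

```python
"""Simulation of the pre-HTTPS MitM from slides 20 and 23 over constructed data.
Hypothetical illustration; not the speaker's code."""
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


# Constructed stand-in for the real origins (hypothetical content).
ORIGIN = {
    "http://example.com/": Response(301, {"Location": "https://example.com/"}),
    "https://example.com/": Response(
        200,
        {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31556926"},
        '<a href="https://example.com/login">Log in</a>'
        '<form action="https://example.com/pay" method="post">',
    ),
    "http://linking-site.com/": Response(
        200,
        {"Content-Type": "text/html"},
        '<a href="https://example.com/">Your bank</a>',
    ),
}

REDIRECTS = {301, 302, 303, 307, 308}


def origin_fetch(url):
    """The proxy's own upstream fetch; here just a table lookup."""
    return ORIGIN[url]


def strip_proxy(victim_url, fetch=origin_fetch, max_hops=5):
    """Handle one plaintext request from the victim the way the proxy on the
    slides does, and return the response the victim's browser receives."""
    upstream_url = victim_url
    resp = fetch(upstream_url)
    hops = 0
    # Slide 20: swallow the HTTPS redirect. The proxy follows it itself, so the
    # victim's browser never sees a "Location: https://..." header.
    while resp.status in REDIRECTS and hops < max_hops:
        location = resp.headers.get("Location", "")
        if not location.startswith("https://"):
            break
        upstream_url = location
        resp = fetch(upstream_url)
        hops += 1
    # Slide 23: rewrite every secure link to plaintext, so the next click also
    # comes back through the proxy instead of going straight to HTTPS.
    body = re.sub(r"\bhttps://", "http://", resp.body)
    # Drop the HSTS header the origin set. A browser ignores HSTS on a
    # plaintext response anyway, but the proxy has no reason to pass it on.
    headers = {
        k: v for k, v in resp.headers.items()
        if k.lower() != "strict-transport-security"
    }
    return Response(resp.status, headers, body)


def page_links(body):
    """Every href/action target in a page body, in document order."""
    return re.findall(r'(?:href|action)="([^"]+)"', body)


if __name__ == "__main__":
    victim_view = strip_proxy("http://example.com/")
    print(victim_view.status, page_links(victim_view.body))
```

The only defence the victim's browser has here is to never send the plaintext request in the first place, which is what the HSTS and preload material later in the deck provides.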

Slide 24

Slide 24 text

Any insecure step = Easy hijacking

Slide 25

Slide 25 text

Is this really a thing? github.com/resin-io-playground/raspberry-pineapple

Slide 26

Slide 26 text

Any insecure step = Easy hijacking

Slide 27

Slide 27 text

PANIC

Slide 28

Slide 28 text

As a user?
Don’t trust HTTP-only sites with anything
Check the URL and certificate, constantly
Install HTTPS Everywhere (EFF has since retired the extension; current browsers ship an HTTPS-only mode that does the same job)
Use a VPN

Slide 29

Slide 29 text

We need a secure web

Slide 30

Slide 30 text

We need to disable HTTP

Slide 31

Slide 31 text

Disabling HTTP in the browser

Slide 32

Slide 32 text

Disabling HTTP in the browser: HTTPS-only features

Slide 33

Slide 33 text

HTTPS-only features: Geolocation, Service Workers (i.e. offline, notifications, sync), DeviceMotion, WebRTC, HTTP/2

Slide 34

Slide 34 text

Disabling HTTP in the browser: warnings on HTTP

Slide 35

Slide 35 text

@pimterry

Slide 36

Slide 36 text

Disabling HTTP for your site

Slide 37

Slide 37 text

Disabling HTTP for your site: free certificates

Slide 38

Slide 38 text

@pimterry

Slide 39

Slide 39 text

Disabling HTTP for your site: Content Security Policy (CSP)

Slide 40

Slide 40 text

Automatically switch URLs to HTTPS: Content-Security-Policy: upgrade-insecure-requests (the browser upgrades the page's subresource loads, form submissions and same-host links; it does nothing for the initial plaintext request that fetched the page, which is what HSTS is for)

Slide 41

Slide 41 text

Report switched URLs: Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp; (report-uri is deprecated in CSP Level 3 in favour of report-to, but browsers still honour it)

Slide 42

Slide 42 text

Report-only, for testing: Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp;
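What the enforcing header on slides 40 and 41 actually does to a page's requests, as an added example that is not part of the deck: a small Python model of the browser side of upgrade-insecure-requests. It follows the W3C Upgrade Insecure Requests rules as I understand them (http becomes https, ws becomes wss, an explicit port 80 becomes 443; subresource loads, form submissions and same-host navigations are upgraded, cross-host link navigations are left alone). The page URL, policy and request list are constructed; the report-only header is not modelled, and the request kinds are a simplification of the spec's request classification.

```python
"""Model of how a browser applies upgrade-insecure-requests to a page's requests.
Added illustration with constructed data; not the speaker's code."""
from urllib.parse import urlsplit, urlunsplit


def parse_csp(header):
    """Split a CSP header value into {directive-name: [values]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def upgrade_url(url):
    """Rewrite an insecure URL to its secure counterpart, leaving others alone.
    Userinfo in the URL is not preserved (simplification)."""
    parts = urlsplit(url)
    scheme = {"http": "https", "ws": "wss"}.get(parts.scheme)
    if scheme is None:
        return url  # already https/wss, or some other scheme: untouched
    if parts.port == 80:
        netloc = f"{parts.hostname}:443"  # explicit default port moves with the scheme
    elif parts.port is None:
        netloc = parts.hostname
    else:
        netloc = f"{parts.hostname}:{parts.port}"  # non-default ports are kept
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def apply_upgrade_policy(page_url, csp_header, requests):
    """requests: list of (kind, url) with kind in {"subresource", "form",
    "navigation"}. Returns the URLs the browser would actually request."""
    policy = parse_csp(csp_header)
    if "upgrade-insecure-requests" not in policy:
        return [url for _, url in requests]  # directive absent: nothing changes
    page_host = urlsplit(page_url).hostname
    result = []
    for kind, url in requests:
        # Links to other hosts are not upgraded, so a plaintext link off your
        # site to a third party stays plaintext. Forms and subresources are.
        if kind == "navigation" and urlsplit(url).hostname != page_host:
            result.append(url)
        else:
            result.append(upgrade_url(url))
    return result


if __name__ == "__main__":
    # Constructed page and request list.
    page = "http://example.com/"
    header = "upgrade-insecure-requests; report-uri /report-csp;"
    requests = [
        ("subresource", "http://cdn.example.net/app.js"),
        ("subresource", "http://example.com:80/img.png"),
        ("subresource", "ws://example.com/live"),
        ("navigation", "http://example.com/account"),
        ("navigation", "http://linking-site.com/"),
        ("form", "http://pay.example.net/checkout"),
        ("subresource", "https://example.com/style.css"),
    ]
    for before, after in zip(requests, apply_upgrade_policy(page, header, requests)):
        print(f"{before[0]:12} {before[1]:40} -> {after}")
```

The cross-host navigation that stays on http:// is the gap the directive deliberately leaves, so the header protects your own mixed content but not the user's first hop to your site or their exit to someone else's.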

Slide 43

Slide 43 text

Free reporting platform: report-uri.com

Slide 44

Slide 44 text

Disabling HTTP for your site: HTTP Strict Transport Security (HSTS)

Slide 45

Slide 45 text

HTTP header for your server responses (ineffective basic example): Strict-Transport-Security: max-age=3600 (one hour; note that browsers only honour this header when it arrives on an HTTPS response, so it has to come from the HTTPS site itself)

Slide 46

Slide 46 text

Slightly better example: Strict-Transport-Security: max-age=31556926 (one year; the preload list requires at least 31536000 seconds)

Slide 47

Slide 47 text

Even better example: Strict-Transport-Security: max-age=31556926; includeSubDomains

Slide 48

Slide 48 text

What about the first request?

Slide 49

Slide 49 text

Great example: Strict-Transport-Security: max-age=31556926; includeSubDomains; preload. Then submit to hstspreload.org
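The four header variants on slides 45 to 49, checked by an added Python snippet that is not the speaker's code: it parses a Strict-Transport-Security value the way RFC 6797 describes (directives separated by semicolons, max-age required, unknown directives ignored, no directive repeated) and reports what still stands between it and preload eligibility. The thresholds are the hstspreload.org header rules as I know them (max-age of at least one year, includeSubDomains, preload); the site's redirect and certificate requirements are outside what a header check can see. The over_https flag and the message strings are my own.

```python
"""Parse and grade a Strict-Transport-Security header against the preload rules.
Added illustration; not the speaker's code. Message wording is hypothetical."""

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) or raise ValueError."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"directive {name} repeated")  # forbidden by RFC 6797
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # the value may be quoted
            if not val.isdigit():
                raise ValueError("max-age needs a non-negative integer")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_subdomains, preload


def check_hsts(value, over_https=True):
    """Return the list of problems; an empty list means the header itself is
    preload-ready. over_https says which kind of response carried the header."""
    problems = []
    if not over_https:
        # RFC 6797: a UA must ignore the header on a non-secure transport.
        problems.append("sent over plain HTTP, so browsers ignore it")
        return problems
    try:
        max_age, include_subdomains, preload = parse_hsts(value)
    except ValueError as err:
        problems.append(f"unparseable: {err}")
        return problems
    if max_age == 0:
        problems.append("max-age=0 clears the policy")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age={max_age} is under one year ({ONE_YEAR})")
    if not include_subdomains:
        problems.append("missing includeSubDomains")
    if not preload:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    # The four headers from the slides, in order.
    for header in [
        "max-age=3600",
        "max-age=31556926",
        "max-age=31556926; includeSubDomains",
        "max-age=31556926; includeSubDomains; preload",
    ]:
        print(f"{header!r}: {check_hsts(header) or 'preload-ready'}")
```

Run it against your own site's HTTPS response headers before submitting; a header that grades clean here can still fail the preload checker if the HTTP version of the site does not redirect straight to HTTPS on the same host.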

Slide 50

Slide 50 text

Other gotchas:
Needs to be set on the root domain (example.com)
Required on redirect domains too (example.net)
Needs easily recognizable domains
You’re committing to HTTPS forever

Slide 51

Slide 51 text

We’re saved!

Slide 52

Slide 52 text

Nobody uses it :-(

Slide 53

Slide 53 text

Let’s build a secure web:
Serve content with HTTPS only
Use upgrade-insecure-requests
Use HSTS, and get preloaded
Check other sites (securityheaders.io) and complain!

Slide 54

Slide 54 text

HTTPS is Not Enough