What you should know about HTTPS

Transcript

1. What you should know about HTTPS By Ahmad Alfy http://alfy.me

2. Agenda • What is HTTPS • HTTPS value proposition •

   Components of HTTPS • Certificate authorities • Implementing HTTPS • Additional benefits for HTTPS • Popular incidents

3. What is HTTPS? • HTTPS protocol was developed to ensure

   end to end encryption between 2 entities trying to communicate. • HTTPS primarily protect against a type of security breech called “The Man in the Middle Attack”
4. None

5. • Free WiFi networks at coffee shops • ISPs manipulating

   and inspecting traffic • Nationwide surveillance and inspection

6. Value proposition • Confidentiality
 No one will be able to

   see what is happening between you and the server (confidential information like passwords and emails, cookies … etc.) • Integrity
 Ensuring that the content served from the server has not been modified. (Injecting malicious code like key loggers, trackers … etc.) • Authenticity
 Makes you sure you are actually talking to who you think you are talking to. (Protect against DNS hijacking, phishing attacks … etc.)

7. Components of HTTPS • SSL and TLS • The TLS

   handshake • Certificates handling in browsers and operating systems.

8. SSL and TLS The two terms are used interchangeably but

   they mean two different things. SSL TLS Secure Socket Layer Transport Layer Security Developed by Netscape Defined in 1999 as an upgrade to SSL 3.0 2.0 launched in 1995 1.1 launched in 2006 3.0 launched in 1996 1.2 launched in 2008 In 2014 it because obsolete due to a type of attack called POODLE 1.3 is in working draft early in 2017

9. TLS Handshake Client hello Server hello Client key exchange Server

   finished

10. Client Hello Component • Protocol
 The SSL/TLS protocol version the

    client wishes to use during the session. • Random
 This value is formed of 4 bytes representing the current time • Session id
 The client may decide to reuse previously established session. The session cache is usually shared between normal and privacy modes of the browser. • Cypher suites • Compression methods
 If a compression method is preferred like gzip. • Extensions
 Most notable example is the SNI (Server Name Indication). Source: https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/

11. Certification authorities • These are authorities who are authorized to

    issue certificates. They require legal document • CAs are limited and they undergo a lot of investigation before being added to the list • If a CA commit any violation; they are immediately added to a revocation list where all their certificates become invalid. • CA lists are handled differently according to the operating systems and the browsers.

12. CA list on Mac is accessible from Keychain access. Used

    by Google Chrome

13. Firefox Certificate Manager

14. Implementing HTTPS • Obtaining the certificate. • Paid certificates from

    CAs • Free certificates from Let’s Encrypt or Cloudflare • Installing the certificate on the server • Renewal of the certificate

15. What’s Next?

16. 1. HTTPS everywhere Permanent redirects for traffic from HTTP to

    HTTP

17. 2. Update references of the assets from HTTP to HTTPS

18. None

19. • If the browser attempts to load HTTP url over

    HTTPS; it will evaluate the content • Images will be loaded but the address bar will show a notice of the attempt to load insecure requests. • scripts, iframes, embeddable content will be blocked.

20. 1. Automagically update all the requests

21. 2. Automatically block all insecure requests

22. Loading insecure content

23. 3. HTTP Strict Transport Security (HTST)

24. The problem • The first connection between the client and

    the server can be done over http then the server redirect the client to HTTPS through an 301 redirect. • On this initial connection, a man in the middle attack can happen and redirect the client somewhere else.

25. The solution • Using HSTS header. • HSTS force the

    browser to make a 307 (internal) redirect if the user attempt to load the HTTP version. • The header have the following directives: 1. includeSubDomains 2. max-age = age in seconds
26. None

27. What about the first time you try to connect to

    an https website using http?

28. HSTS Preload

29. Preloaded websites in Chrome

30. Other benefits for using HTTPS

31. 1. Performance improvement • HTTPS take more rounds from and

    to the server during the initial handshake but it happens only during the initial connection. • The client is able to use the same HTTPS connection using the session id. • HTTPS itself doesn’t grant any performance improvement but it open the doors to use HTTP/2

32. Currently HTTP/2 is only supported over HTTPS

33. Source: https://istlsfastyet.com/

34. 2. SEO Benefit Higher ranking for websites using HTTPS

35. 3. Privacy Benefits By design; referer header is not set

    if unsecured HTTP request is referred from an HTTPS request

36. Bonus stuff

37. Debugging HTTPS

38. None
39. None

40. Entity verification vs Domain verification

41. Public Key Pinning (PKP) • PKP is a security mechanism

    delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. • PKP contains: • SHA 256 encryption of the public key • max-age • includeSubmdomains • report-uri

42. Popular Cases

43. FireSheep for Firefox • FireSheep is an extension developed for

    Firefox released on October 2010. This extension used packet sniffing to intercept all insecure traffic from different devices on the same network. • It was being promoted as “The Facebook Hacking Tool” because users used it for session hijacking and gaining access to other users using Facebook on their network. • Mozilla addon website didn’t blacklist or disable it as it was stated it should be used for demonstration and education purposes.

44. Tunisia plants country-wide keystroke logger on Facebook During the Arab

    Spring and specifically right before Facebook forcing HTTPS on their login page; the government injected key loggers on Facebook, GMail and Yahoo login pages to steal login credentials from the users.

45. Source: https://www.theregister.co.uk/2011/01/25/tunisia_facebook_password_slurping/

46. With great power come great responsibility

47. • In 2015, An Egyptian company called MCS Holding was

    given the authority to issue certificates from China Internet Network Information Center (CNNIC) on their behalf in an attempt to bring issuing certificates to the MENA region. • The company successfully issued a few certificates for testing their application and it worked as expected.

48. • Someone tried to see what happen if they issued

    a certificate on behalf of Google and use it for a “Man In The Middle Attack” to decrypt the traffic between a client and Google servers. • The incident was reported immediately and Google published a statement regarding the incident. • Google immediately alerted CNNIC and other browser vendors about the incident and pushed an update to Chrome to block MCS certificates. • Google used this incident to highlight the importance of their Certificate Transparency project.

49. Source: http://www.mcsholding.com/MCSResponse.aspx

50. Source: https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html

51. Port Mortem Analysis How did Google figured this out? PKP

52. Further Readings •How does HTTPS actually work?
 http://robertheaton.com/2014/03/27/how-does-https-actually-work/ •What Is

    An SSL/TLS Handshake?
 https://www.websecurity.symantec.com/security-topics/how-does-ssl-handshake-work •The SSL Handshake
 http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1363-00/en_US/HTML/ss7aumst18.htm •Is TLS Fast Yet
 https://istlsfastyet.com/ •Anatomy and Performance of SSL Processing
 http://www.cs.ucr.edu/~bhuyan/papers/ssl.pdf •Dissecting SSL handshake
 https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/ • The Transport Layer Security (TLS) Protocol Version 1.2 - Hello Request
 https://tools.ietf.org/html/rfc5246#section-7.4.1.1

53. Questions?

54. Thank you!