for Internet-facing service. - Auditor came. - Hey, you are using weak ciphers. Your traffic is not encrypted. - Okay. I fix it. - Heartbleed on the news. - Hey, you should generate new private keys. - Okay. I fix it. - Thai’s on the news - Hey, you should disable SSLv3. - Okay. I fix it. - Certificates expired. SHA-2 is rolling out - Update nowwww. - Okay. I fix it. 2
Get a 2048-bit Certificates from CA. Better if it supports SHA-256. 3. Analyze legacy. 4. Grab the configuration on the Internet. Apply. 5. Verify TLS configuration with your own hands. 3
costs. • Session IDs were cached on server then sent to client. • Session Ticker session data was encrypted by server, sent to client for resubmission. • Compromise server cache => access session keys 20
to transmit only HTTPS by enable header: “Strict-Transport-Security” • Strict-Transport-Security: max- age=expireTime [; includeSubdomains] • IE supports since v12. Firefox, Chrome support since v4 21