常時SSL化の落とし穴 / Pitfalls in AOSSL

常時SSL化の落とし穴 / Pitfalls in AOSSL

AKAMAI EDGE JAPAN 2017カンファレンスで発表した『常時SSL化の落とし穴と解決方法』の前半パートです

651c5a5e827110bd522d1175703d93b4?s=128

Hideki Okamoto

November 10, 2017
Tweet

Transcript

  1. 2.

    ©2017 AKAMAI | FASTER FORWARDTM The opinions expressed in this

    slide are my own and do not express the positions, strategies or opinions of
  2. 4.

    ©2017 AKAMAI | FASTER FORWARDTM 26 33 56 40 52

    70 51 57 74 2015 2016 2017 (Oct) )5514ܦ༝ͰಡΈࠐ·Εͨϖʔδͷׂ߹ (%) US France Japan Japan Japan France US US France HTTPS encryption on the web https://transparencyreport.google.com/https/overview
  3. 6.

    ©2017 AKAMAI | FASTER FORWARDTM Not Secure ~ s ince

    J anu ar y 20 1 7 ~ (PPHMF$ISPNF͔ΒϩάΠϯ৘ใೖྗϑΥʔϜ͕44-Խ͞Ε͍ͯͳ͍ͱܯࠂදࣔ
  4. 8.

    ©2017 AKAMAI | FASTER FORWARDTM Not Secure ~ s ince

    O ct o b er 20 1 7 ~ (PPHMF$ISPNF͔Β44-Խ͞Ε͍ͯͳ͍શͯͷೖྗϑΥʔϜʹܯࠂදࣔ
  5. 10.

    ©2017 AKAMAI | FASTER FORWARDTM ͳ͓ɺެऺແઢ-"/ͷ৔߹͸Ոఉ಺ແઢ-"/ͱ͸ҟͳΓɺ ෆಛఆଟ਺ͷར༻ऀ͕઀ଓ͢Δ؀ڥͰ͋ΔͨΊɺ"1઀ଓʹ ඞཁͱͳΔ44*%ͱ҉߸ԽΩʔΛෆಛఆଟ਺ͷར༻ऀͰڞ༗ ͢Δέʔε΋͋Δɻͦͷ৔߹ɺࣗ෼Ҏ֎ͷར༻ऀ΋ಉҰͷ ҉߸ԽΩʔͷ৘ใΛ஌͍ͬͯΔ͜ͱʹͳΓɺ$$.1Λ࠾༻

    ͨ͠҉߸Խ௨৴Ͱ͋ͬͯ΋ղಡ͢Δ͜ͱ͕ՄೳͰ͋Δ https://www.ipa.go.jp/files/000051453.pdf ެऺແઢ-"/Λར༻͢Δࡍɺࣗ෼Ҏ֎ͷར༻ऀͱಉҰͷ ҉߸ԽΩʔΛڞ༗͢Δ"1Ͱ͸ɺ௨৴͕҉߸Խ͞Ε͍ͯΔ ৔߹Ͱ΋౪ௌ͞ΕΔةݥੑ͕͋Δ͜ͱΛೝࣝͯ͠ཉ͍͠ ಠཱߦ੓๏ਓ৘ใॲཧਪਐػߏʰެऺແઢ-"/ར༻ʹ܎ΔڴҖͱରࡦʱ
  6. 12.

    ©2017 AKAMAI | FASTER FORWARDTM ϩʔυόϥϯαʔ͸44-ͷίωΫγϣϯ૿ʹ଱͑ΒΕΔͩΖ͏͔ 44-ূ໌ॻͷ४උΛͲͷΑ͏ʹਐΊΕ͹ྑ͍ͩΖ͏͔ ͋ΔΠϯϑϥ୲౰ΑΓ ݱߦͷΞϓϦέʔγϣϯ͸44-Խͯ͠΋ਖ਼͘͠ಈͩ͘Ζ͏͔ 8FCσβΠφʔʹͲ͏͍͏͓ئ͍Λ͢Ε͹ྑ͍ͩΖ͏͔

    ͋ΔΞϓϦέʔγϣϯ୲౰ΑΓ ૣ͘44-Խ͠ͳ͍ͱݕࡧΤϯδϯͷϥϯΩϯά͕Լ͕ΔͷͰ͸ͳ͍͔ 44-Խ͢ΔͱιʔγϟϧϘλϯʹӨڹ͕ग़Δͱฉ͍͕ͨʜ ͋ΔϚʔέςΟϯά୲౰ΑΓ 8FCαΠτͰͷ৘ใ࿙Ӯ΍վ᜵ͳͲͷηΩϡϦςΟϦεΫΛ௿ݮ͍ͤͨ͞ ͕ͩϏδωεʹѱӨڹ͸༩͑ΒΕͳ͍ɻ҆શʹ44-Խ͍ͨ͠ ܦӦਞΑΓ Photo by Johny Goerend
  7. 14.

    ©2017 AKAMAI | FASTER FORWARDTM མͱ݀͠ϩʔυόϥϯα΍8FCαʔό͕44-ऴ୺ͷෛՙʹ଱͑ΒΕͳ͍ “On our production frontend

    machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that.” - Adam Langley, Google զʑͷຊ൪؀ڥʹ͋ΔϑϩϯτΤϯυϚγϯ্ʹ͓͍ͯɺ44-5-4ͷॲཧʹ͔ ͔Δෛՙ͸ɺ $16࢖༻཰ʹͯ͠ະຬ ɺίωΫγϣϯ͋ͨΓͷϝϞϦ࢖༻཰ ʹͯ͠,#ະຬɺωοτϫʔΫͷΦʔόʔϔουʹͯ͠ະຬͰ͋Δɻଟ͘ ͷਓʑ͕44-5-4͸ଟ͘ͷ$16࣌ؒΛফඅ͢Δͱ৴͍ͯ͡Δ͕ɺզʑ͸લड़ ͷ਺ࣈʹΑͬͯ͜ͷ͍͕ٙ੖ΕΔ͜ͱΛئ͍ͬͯΔ
  8. 15.

    ©2017 AKAMAI | FASTER FORWARDTM མͱ݀͠ϩʔυόϥϯα΍8FCαʔό͕44-ऴ୺ͷෛՙʹ଱͑ΒΕͳ͍ TLS Benchmarks – HiveMQ

    https://www.hivemq.com/tls-benchmarks ҉߸༻ͷ໋ྩηοτ͕$16ʹ࣮૷͞Εͨ͜ͱͰ$16ෛՙ͸ܰ͘ͳ͕ͬͨɺ ͦΕͰ΋ͳ͓44-5-4ͷωΰγΤʔγϣϯ͸ॏ͍
  9. 16.

    ©2017 AKAMAI | FASTER FORWARDTM ղܾํ๏ • "LBNBJԽͯ͠1FSTJTUFOU$POOFDUJPOͰ44-5-4ηογϣϯΛू໿͢Δ Ωϟογϡػೳ΋ซ༻͢Δͱ͞Βʹྑ͍ •

    &$%4"ূ໌ॻ • 5-44FTTJPO3FTVNQUJPO 4FTTJPO*%4FTTJPO5JDLFUT མͱ݀͠ϩʔυόϥϯα΍8FCαʔό͕44-ऴ୺ͷෛՙʹ଱͑ΒΕͳ͍ https://blogs.akamai.com/2013/10/why-early-termination-is-not-a-bad-thing.html https://hpbn.co/transport-layer-security-tls/ ΤοδαʔόʔͰ44-5-4Λλʔϛωʔτ͢ΔͱύϑΥʔϚϯε΋޲্͢Δ
  10. 17.

    ©2017 AKAMAI | FASTER FORWARDTM མͱ݀͠.JYFE$POUFOUT What Is Mixed Content?

    https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content
  11. 18.

    ©2017 AKAMAI | FASTER FORWARDTM "DUJWF.JYFE $POUFOU • )5514Ͱ഑৴͞Ε͍ͯΔ)5.-ʹຒΊࠐ·Εͨ+BWB4DSJQU $44΍ɺ

    9.-)UUQ3FRVFTUʹΑΔϦΫΤετ͕)551ͷͱ͖ʹൃੜ • 8FCϒϥ΢βʹΑΓϒϩοΫ͞ΕΔ མͱ݀͠.JYFE$POUFOUT 1BTTJWF.JYFE $POUFOU • )5514Ͱ഑৴͞Ε͍ͯΔ)5.-ʹຒΊࠐ·Εͨը૾ɺಈըʹΑΔϦΫΤετ ͕)551ͷͱ͖ʹൃੜ • ϒϩοΫ͸͞Εͳ͍͕ϖʔδࣗମ͸/PU4FDVSFͱΈͳ͞ΕΔ ೥࣌఺
  12. 20.

    ©2017 AKAMAI | FASTER FORWARDTM 44-ԽͷਐΊํͷྫ  ෳ਺αΠτʹ·͕ͨͬͯը૾΍"1*ΤϯυϙΠϯτͳͲͷϦιʔεΛڞ༗͍ͯ͠Δ৔߹͸ɺαΠτؒͷґଘ ؔ܎Λચ͍ग़ͯ͠)5514ʹରԠͤ͞Δॱ൪ΛܾΊΔ 

    αʔόʔଆͰ)5514௨৴͕Ͱ͖ΔΑ͏ʹ͢Δ ϖʔδ่ΕΛى͍ͯ͜͠ΔαΠτΛ֎෦ʹݟͤͳ͍ͨΊʹɺ ͜ͷ࣌఺Ͱ)5.-ʹରͯ͠֎෦͔Β)5514ͰϦΫΤετ͕དྷͯ΋)551ʹϦμΠϨΫτ͢ΔઃఆΛೖΕΔͱ ͳ͓ྑ͍  )5.-ɺ+BWB4DSJQUɺ$44ɺΞϓϦέʔγϣϯίʔυͷதͰ IUUQͱϋʔυίʔυ͞Ε͍ͯΔͱ͜ΖΛ ݟ͚ͭͯద੾ʹॻ͖׵͑Δ ػցతʹ IUUQTʹஔ׵͢Δͱةݥͳ͜ͱ͕͋ΔͷͰ஫ҙ  ಺෦Ϣʔβʔ͚ͩʹ)5.-Λ)5514௨৴ͰݟͤΔΑ͏ʹͯ͠ಈ࡞֬ೝΛ͢Δɻ8FCϒϥ΢βʔͷ։ൃऀί ϯιʔϧ΍$POUFOU4FDVSJUZ1PMJDZ3FQPSU0OMZΛ׆༻ͯ͠.JYFE$POUFOUΛચ͍ग़͢  ҰൠϢʔβʔʹ)5514ܦ༝Ͱ)5.-ΛݟͤΔΑ͏ʹ͢Δ  )551ˠ )5514΁ͷϦμΠϨΫτΛೖΕΔ  ҰఆͷܦաظؒΛ͓͍ͯ)5514USJDU5SBOTQPSU4FDVSJUZͷ༗ޮԽɾ$PPLJFͷTFDVSFଐੑ༗ޮԽ མͱ݀͠.JYFE$POUFOUT
  13. 21.

    ©2017 AKAMAI | FASTER FORWARDTM མͱ݀͠.JYFE$POUFOUT ղܾํ๏ Content Security Policy

    (CSP) https://developer.mozilla.org/ja/docs/Web/Security/CSP Ͱಈతʹϖʔδ಺ͷ IUUQΛ IUUQTʹஔ׵Ͱ͖ͳ͍ͷͰ͔͢ • $POUFOU4FDVSJUZ1PMJDZҧ൓ϨϙʔτػೳΛ࢖͏ Ϣʔβʔͷ8FCϒϥ΢ βʔͰ.JYFE$POUFOU͕ൃੜ͢Δͱࢦఆͨ͠ΤϯυϙΠϯτʹใࠂͤ͞Δ • ใࠂ؅ཧπʔϧͱͯ͠ SFQPSUVSJJP ͕༗໊
  14. 22.

    ©2017 AKAMAI | FASTER FORWARDTM མͱ݀͠$SPTT0SJHJO3FTPVSDF4IBSJOH $034 http://www.example.com/ https://api.example.com/ https://api.example.com/article/1234

    Access-Control-Allow-Origin: http://www.example.com It Works! Ϩεϙϯεͷ "DDFTT$POUSPM"MMPX0SJHJOϔομʔͱΞΫηεݩυϝΠϯ͕ εΩʔϜ IUUQIUUQT ΛؚΊͯ Ұக͍ͯ͠Δ Cross-Origin Resource Sharing (CORS) https://developer.mozilla.org/ja/docs/Web/HTTP/HTTP_access_control
  15. 23.

    ©2017 AKAMAI | FASTER FORWARDTM མͱ݀͠$SPTT0SJHJO3FTPVSDF4IBSJOH $034 https://www.example.com/ https://api.example.com/ https://api.example.com/article/1234

    Access-Control-Allow-Origin: http://www.example.com XMLHttpRequest cannot load https://api.example.com/article/1234. Origin https://www.example.com is not allowed by Access-Control-Allow-Origin.
  16. 24.

    ©2017 AKAMAI | FASTER FORWARDTM ղܾํ๏ • ϦΫΤετͷ0SJHJOϔομʔΛݟͯద੾ͳυϝΠϯ͔Βདྷ͍ͯͨΒɺͦͷ஋ Λಈతʹ"DDFTT$POUSPM"MMPX0SJHJOʹ͚ͭΔ •

    ্هॲཧΛ"QBDIF΍OHJOYͳͲͰ࣮૷͢Δ • "DDFTT$POUSPM"MMPX0SJHJOˎ Λ࢖͏ ඇਪ঑ མͱ݀͠$SPTT0SJHJO3FTPVSDF4IBSJOH $034 Access-Control-Allow-Origin Multiple Origin Domains? https://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
  17. 25.

    ©2017 AKAMAI | FASTER FORWARDTM མͱ݀͠େྔͷ5-%ΛؚΉ44-ূ໌ॻͷऔಘ Photo by Andrew Butler

    www.example.com www.example.co.jp www.example.de www.example.co.uk www.example.fr ೝূہͷυϝΠϯ֬ೝ͕େม www.example.de www.example.ar www.example.ru www.example.th www.example.br
  18. 27.

    ©2017 AKAMAI | FASTER FORWARDTM <>΍ͰϦμΠϨΫτ͢Δͱ1045ϦΫΤετ͕(&5ϦΫΤετʹͳΔ <>63-ͷεΩʔϜ͕มΘΔͱγΣΞϘλϯͷΧ΢ϯτ਺͕ফ͑Δ <>$JQIFS4VJUFΛద੾ʹબ୒͠ͳ͍ͱݹ͍8JOEPXTɺ"OESPJE͔ΒΞΫηεͰ͖ͳ͘ͳΔ <>)5514ˠ)551αΠτʹભҠ͢ΔͱભҠઌͰ3FGFSFS͕औΕͳ͍ <>)551)5514ࠞࡏ؀ڥͰMPDBM4UPSBHFͷऔΓѻ͍

    <>$PPLJFʹTFDVSFଐੑͱ)454Λ༗ޮԽ͢ΔλΠϛϯά ͦΕҎ֎ͷ஫ҙ͢΂͖఺ <>IUUQLJSJSJNPEFIBUFOBCMPHKQFOUSZQ <>IUUQTXXXBSLXFCKQCMPHBSDIJWFTIUUQT@GBDFCPPL@MJLFIUNM <>IUUQTXXXTTMMBCTDPNTTMUFTUDMJFOUTIUNM <>IUUQTUPPMTJFUGPSHIUNMSGDTFDUJPO <>IUUQQPTUEDDXFCTUPSBHFUIFMFTTFSFWJMGPSTFTTJPOUPLFOT <>IUUQTJOTJEFQJYJWCMPHDBUBUTVZ ߟྀ఺ɾରࡦ