The first few milliseconds of HTTPS

Joshua Thijssen
January 08, 2014

What happens when your browser connects to an HTTPS-secured site? We all know it has something to do with certificates, blue and green address bars, and the occasional browser warning that we normally click away. But what actually happens under the hood? In this talk I will give a step-by-step explanation of the first few hundred milliseconds of an HTTPS connection. We will talk about master secrets, shared secrets, cipher suites, X.509 certificates and why secure does not (always) mean secure. After this talk you will not only be able to use HTTPS correctly, but also understand its basic foundations.

Transcript

  1. The first 200 milliseconds of HTTPS
    Joshua Thijssen
    jaytaph

  2. Joshua Thijssen
    Freelance consultant, developer and trainer @ NoxLogic
    Founder of the Dutch Web Alliance
    Development in PHP, Python, C, Java.
    Lead developer of Saffire.
    Blog: http://adayinthelifeof.nl
    Email: [email protected]
    Twitter: @jaytaph

  3. ➡ What’s happening in the first 200+ milliseconds on a HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    ➡ Give you insights into new and upcoming technologies.
    ➡ Show you things you (probably) didn’t know.

  4. This talk is inspired by a blogpost from Jeff Moser
    http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
    Unknown fact!

  5. TCP/IP

  6. TCP: Transport Layer
    IP: Network Layer

  7. HTTP: Application Layer
    TCP: Transport Layer
    IP: Network Layer

  8. HTTPS is not a protocol
    Unknown fact!

  9. RFC 2818
    (7 page RFC)

  10. 2. HTTP Over TLS
    Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS
    precisely as you would use HTTP over TCP.

  11. HTTPS is the same as HTTP
    Transport layer differs

  12. So this is a talk about TLS

  13. Transport Layer Security

  14. HTTP: Application Layer
    TLS: Session Layer
    TCP: Transport Layer
    IP: Network Layer
    HTTPS = HTTP + TLS

  15. Port 80: http
    Port 443: https

  16. You CAN run HTTP and TLS simultaneously over one port.
    Unknown fact!

  17. TLS can be used for transporting other protocols as well (IMAP, SMTP etc)
    Unknown fact!

  18. Secure Socket Layer (SSL)
    A short and scary history

  19. then → now
    1994: SSL 1.0 (Vaporware)
    Feb 1995: SSL 2.0 (Not-so-secure-socket-layer)
    Jun 1996: SSL 3.0 (Something stable!)
    Jan 1999: TLS 1.0 (SSL 3.1)
    Apr 2006: TLS 1.1
    Aug 2008: TLS 1.2

  20. Supported versions - November 2013
    SSL 2.0: 25,7%
    SSL 3.0: 99,6%
    TLS 1.0: 99,3%
    TLS 1.1: 18,2%
    TLS 1.2: 20,7%
    https://www.trustworthyinternet.org/ssl-pulse/

  21. RFC 5246
    (TLS v1.2)

  22. ➡ Binary protocol - so no quick telnet-to-see-if-it-works*
    ➡ Different records
      ➡ Handshake protocol
      ➡ Alert protocol
      ➡ ChangeCipherSpec protocol
      ➡ Application protocol
    * We can with openssl

  23. https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

  24. Attention: (live) wiresharking up ahead

  27. Generating randomness is HARD

  28. entropy (uncertainty)

  29. TIME is NOT random, thus not a very good entropy source

  30. PHP is bad when it comes to entropy
    Unknown fact!

  31. srand(microtime())
    Unknown fact!

  32. rand()
    mt_rand()
    uniqid()

  33. openssl_random_pseudo_bytes()
    read from /dev/random
    read from /dev/urandom
    Use a HRNG
    “A million random digits”
    https://github.com/ircmaxell/RandomLib

  35. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  36. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256
    ECDHE: Used for exchanging key information
    ECDSA: Used for authenticating key information
    AES_128: Actual cipher (and length) used for communication
    GCM: Block cipher mode
    SHA256: Used for message authenticating

  37. TLS_RSA_WITH_AES_256_CBC_SHA256

  38. TLS_NULL_WITH_NULL_NULL

  39. Client gives cipher options,
    Server ultimately decides on cipher!

  40. THIS IS WHY YOU SHOULD ALWAYS CONFIGURE YOUR CIPHERS ON YOUR WEBSERVER!
    Unknown fact!

  41. Apache:
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
    EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    Nginx:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
    EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

  42. https://www.ssllabs.com/ssltest/

  46. SSL Certificates (X.509)

  48. ➡ X.509 Certificate
    ➡ Owner info (who is this owner)
    ➡ Domain info (for which domain(s) is this certificate valid)
    ➡ Expiry info (from when to when is this certificate valid)

  49. ➡ But.. what if somebody is lying in their SSL certificate?
    ➡ Changing some data in the certificate?

  51. Root CA
    Intermediate CA
    github.com

  52. IMPLIED TRU$T

  53. ➡ (Root) Certificate Authorities
    ➡ They are built into your browser / OS and you will automatically trust them.

  54. wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
    174

  55. ➡ We are forced to trust companies that make a living on selling as many certificates as possible..
    ➡ It’s a flawed system, but the best we have :(

  58. Generation of (lots of) secrets

  59. PRE MASTER SECRET

  60. Pre Master Secret + Random Server Number + Random Client Number = Master Secret

  61. MASTER SECRET
    client write MAC
    client write KEY
    client write IV
    server write MAC
    server write KEY
    server write IV

  62. Try it yourself, php style:
    https://github.com/jaytaph/TLS-decoder
    http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/

  67. Wireshark CAN decrypt your HTTPS traffic
    Unknown fact!
    SSLKEYLOGFILE
    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

  68. on a mac:
    launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret

  70. ➡ TLS overhead
    ➡ Initial handshake (costly)
    ➡ 5+X bytes overhead: 1 byte content-type, 2 byte TLS version, 2 byte data length, X bytes HMAC
    ➡ Encrypting / Decrypting
    ➡ HMAC integrity check

  71. ➡ Some ciphersuites are better, but slower
    ➡ Speed / Security compromise

  72. PRE MASTER SECRET

  73. What if somebody* got hold of the site private key?

  77. Playing the waiting game...

  80. (PERFECT) FORWARD SECRECY

  81. Compromising the pre-master secret does not compromise our communication.

  82. PFS: Can’t compromise other keys with a compromised key.

  83. Unfortunately..

  84. PFS needs server AND browser support

  85. http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  86. http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  87. All bets are off when using MS and Apple.

  88. Update your cipher suite list and place PFS ciphers at the top

  89. But beware: heavy computations

  90. SSL Test
    https://www.ssllabs.com/ssltest/

  91. -ETOOMUCHINFO

  92. https://www.ssllabs.com/projects/best-practices/index.html

  93. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg

  94. Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl
    http://joind.in/10397
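The naming scheme broken down on slide 36 can be parsed mechanically, which makes it easy to check a suite list against the advice on slides 40 and 88 (configure your ciphers, PFS suites at the top). This Python is an added example, not code from the talk; `parse_suite` and `server_preference` are hypothetical names, and only names of the form `TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>`, like those on slides 35, 37 and 38, are handled.

```python
FORWARD_SECRET_KX = {"ECDHE", "DHE"}   # ephemeral key exchanges give forward secrecy

def parse_suite(name: str) -> dict:
    """Split a TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> name into its parts."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"unsupported suite name: {name}")
    kx_auth, cipher_hash = name[len("TLS_"):].split("_WITH_", 1)
    kx, _, auth = kx_auth.partition("_")
    cipher, _, digest = cipher_hash.rpartition("_")
    aead = cipher.endswith(("_GCM", "_CCM"))
    return {
        "name": name,
        "key_exchange": kx,
        "authentication": auth or kx,      # TLS_RSA_...: RSA does both jobs
        "cipher": cipher,
        "hash": digest,
        # With an AEAD mode the cipher authenticates records itself, so the
        # trailing hash only drives the PRF; otherwise it is the record HMAC.
        "hash_role": "PRF only" if aead else "record HMAC",
        "forward_secrecy": kx in FORWARD_SECRET_KX,
        "encrypts": cipher != "NULL",
    }

def server_preference(names):
    """Drop suites without encryption, then order forward-secret suites first."""
    usable = [s for s in map(parse_suite, names) if s["encrypts"]]
    usable.sort(key=lambda s: (not s["forward_secrecy"], s["hash_role"] != "PRF only"))
    return [s["name"] for s in usable]

# The three suite names shown on slides 35, 37 and 38.
SLIDE_SUITES = [
    "TLS_NULL_WITH_NULL_NULL",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in SLIDE_SUITES:
        print(parse_suite(suite))
    print(server_preference(SLIDE_SUITES))
```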
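Slide 22 lists the record types and slide 70 gives the 5-byte record header (1 byte content type, 2 bytes version, 2 bytes length). The parser below splits a byte stream on exactly that header; it is an added example, not code from the talk, `parse_records` and `header_overhead` are hypothetical names, and the sample bytes are constructed rather than captured.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "Application"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MAX_FRAGMENT = 2**14 + 2048   # RFC 5246 upper bound for a protected record

def parse_records(stream: bytes):
    """Split a TLS byte stream into (type, version, payload) tuples.
    Returns (records, leftover); leftover holds an incomplete trailing record."""
    records, pos = [], 0
    while len(stream) - pos >= 5:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {pos}")
        if length > MAX_FRAGMENT:
            raise ValueError(f"record length {length} too large at offset {pos}")
        if len(stream) - pos - 5 < length:
            break                          # header seen, payload not complete yet
        version = VERSIONS.get((major, minor), f"{major}.{minor}")
        records.append((CONTENT_TYPES[ctype], version, stream[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records, stream[pos:]

def header_overhead(records) -> int:
    """The fixed part of slide 70's '5+X bytes': 5 header bytes per record."""
    return 5 * len(records)

# Constructed sample stream: three complete records and one truncated record.
SAMPLE = bytes.fromhex(
    "16 03 01 00 04 01 00 00 00"   # Handshake, TLS 1.0, 4-byte payload
    "14 03 03 00 01 01"            # ChangeCipherSpec, TLS 1.2, 1-byte payload
    "17 03 03 00 03 aa bb cc"      # Application data, TLS 1.2, 3-byte payload
    "17 03 03 00 10 de ad"         # Application data, claims 16 bytes, has 2
)

if __name__ == "__main__":
    recs, rest = parse_records(SAMPLE)
    for rtype, version, payload in recs:
        print(rtype, version, len(payload), "bytes")
    print("header overhead:", header_overhead(recs), "leftover:", len(rest))
```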