
The first few milliseconds of HTTPS

Joshua Thijssen
January 08, 2014

What happens when your browser connects to an HTTPS-secured site? We all know it has something to do with certificates, blue and green address bars, and sometimes your browser will give warnings which we normally click away. But what actually happens under the hood? In this talk I will give a step-by-step explanation of the first few hundred milliseconds of a connection to HTTPS. We will talk about master secrets, shared secrets, cipher suites, x509 certificates and why secure does not (always) mean secure. After this talk you will not only be able to use HTTPS correctly, but also understand its basic foundations.


Transcript

  1. The first 200 milliseconds of HTTPS. Joshua Thijssen, jaytaph

  2. Joshua Thijssen: freelance consultant, developer and trainer @ NoxLogic. Founder of the Dutch Web Alliance. Development in PHP, Python, C, Java. Lead developer of Saffire. Blog: http://adayinthelifeof.nl Email: jthijssen@noxlogic.nl Twitter: @jaytaph

  3. ➡ What’s happening in the first 200+ milliseconds on an HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights into new and upcoming technologies. ➡ Show you things you (probably) didn’t know.

  4. This talk is inspired by a blogpost from Jeff Moser: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html (Unknown fact!)
  5. TCP/IP

  6. Diagram: IP (Network Layer); TCP (Transport Layer)

  7. Diagram: IP (Network Layer); TCP (Transport Layer); HTTP (Application Layer)

  8. HTTPS is not a protocol (Unknown fact!)

  9. RFC 2818 (7 page RFC)

  10. "2. HTTP Over TLS. Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS precisely as you would use HTTP over TCP."

  11. HTTPS is the same as HTTP; the transport layer differs

  12. So this is a talk about TLS

  13. Transport Layer Security

  14. Diagram: IP (Network Layer); TCP (Transport Layer); TLS (Session Layer); HTTP (Application Layer); HTTPS

  15. Port 80: http. Port 443: https

  16. You CAN run HTTP and TLS simultaneously over one port. (Unknown fact!)

  17. TLS can be used for transporting other protocols as well (IMAP, SMTP etc) (Unknown fact!)
  18. Secure Socket Layer (SSL): A short and scary history

  19. Timeline (then to now): 1994 SSL 1.0 (Vaporware); feb 1995 SSL 2.0 (Not-so-secure-socket-layer); jun 1996 SSL 3.0 (Something stable!); jan 1999 TLS 1.0 (SSL 3.1); apr 2006 TLS 1.1; aug 2008 TLS 1.2

  20. Supported versions - november 2013 (https://www.trustworthyinternet.org/ssl-pulse/): SSL 2.0 25,7%; SSL 3.0 99,6%; TLS 1.0 99,3%; TLS 1.1 18,2%; TLS 1.2 20,7%

  21. RFC 5246 (TLS v1.2)

  22. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* ➡ Different records ➡ Handshake protocol ➡ Alert protocol ➡ ChangeCipherSpec protocol ➡ Application protocol (* We can with openssl)

  23. https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

  24. Attention: (live) wiresharking up ahead

  25. 25

  26. 26

  27. Generating randomness is HARD

  28. entropy (uncertainty)

  29. TIME is NOT random, thus not a very good entropy source

  30. PHP is bad when it comes to entropy (Unknown fact!)

  31. srand(microtime()) (Unknown fact!)

  32. rand() mt_rand() uniqid()

  33. openssl_random_pseudo_bytes(); read from /dev/random; read from /dev/urandom; use a HRNG; “A million random digits”; https://github.com/ircmaxell/RandomLib
  34. 34

  35. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  36. TLS / ECDHE_ECDSA / WITH / AES_128_GCM / SHA256. ECDHE: used for exchanging key information. ECDSA: used for authenticating key information. AES_128: actual cipher (and length) used for communication. GCM: block cipher mode. SHA256: used for message authenticating.

  37. TLS_RSA_WITH_AES_256_CBC_SHA256

  38. TLS_NULL_WITH_NULL_NULL

  39. Client gives cipher options, Server ultimately decides on cipher!

  40. THIS IS WHY YOU SHOULD ALWAYS CONFIGURE YOUR CIPHERS ON YOUR WEBSERVER! (Unknown fact!)

  41. Apache:

        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

      Nginx:

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

      Source: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

  42. https://www.ssllabs.com/ssltest/

  43. 43

  44. 44

  45. 45

  46. SSL Certificates (X.509)

  47. 47

  48. ➡ X.509 Certificate ➡ Owner info (who is this owner) ➡ Domain info (for which domain(s) is this certificate valid) ➡ Expiry info (from when to when is this certificate valid)

  49. ➡ But.. what if somebody is lying in their SSL certificate? ➡ Changing some data in the certificate?

  50. 50

  51. Certificate chain: github.com; Intermediate CA; Root CA

  52. IMPLIED TRU$T

  53. ➡ (Root) Certificate Authorities ➡ They are built into your browser / OS and you will automatically trust them.

  54. Counting the issuers in Mozilla's built-in certificate list:

        wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l

      Output: 174

  55. ➡ We are forced to trust companies that make a living on selling as many certificates as possible.. ➡ It’s a flawed system, but the best we have :(
  56. 56

  57. 57

  58. Generation of (lots of) secrets

  59. PRE MASTER SECRET

  60. Pre Master Secret + Random Server Number + Random Client Number = Master Secret

  61. MASTER SECRET: client write MAC, client write KEY, client write IV, server write MAC, server write KEY, server write IV

  62. Try it yourself, PHP style: https://github.com/jaytaph/TLS-decoder http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/

  63. 63

  64. 64

  65. 65

  66. 66

  67. Wireshark CAN decrypt your HTTPS traffic (Unknown fact!): SSLKEYLOGFILE https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

  68. On a mac: launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret

  69. 69

  70. ➡ TLS overhead ➡ Initial handshake (costly) ➡ 5+X bytes overhead (1 byte content-type, 2 byte TLS version, 2 byte data length, X bytes HMAC) ➡ Encrypting / Decrypting ➡ HMAC integrity check

  71. ➡ Some ciphersuites are better, but slower ➡ Speed / Security compromise

  72. PRE MASTER SECRET

  73. What if somebody* got hold of the site private key?
  74. 74

  75. 75

  76. 76

  77. Playing the waiting game...

  78. 78

  79. 79

  80. (PERFECT) FORWARD SECRECY

  81. Compromising the pre-master secret does not compromise our communication.

  82. PFS: Can’t compromise other keys with a compromised key.

  83. Unfortunately..

  84. PFS needs server AND browser support

  85. http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  86. http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  87. All bets are off when using MS and Apple.

  88. Update your cipher suite list and place PFS ciphers at the top

  89. But beware: heavy computations

  90. SSL Test: https://www.ssllabs.com/ssltest/

  91. -ETOOMUCHINFO

  92. https://www.ssllabs.com/projects/best-practices/index.html

  93. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg

  94. Find me on twitter: @jaytaph. Find me for development and training: www.noxlogic.nl. Find me on email: jthijssen@noxlogic.nl. Find me for blogs: www.adayinthelifeof.nl. http://joind.in/10397
  95. 95