The first few milliseconds of HTTPS

The first 200 milliseconds of HTTPS
1
Joshua Thijssen
jaytaph

View Slide

2
Joshua Thijssen
Freelance consultant, developer and
trainer @ NoxLogic
Founder of the Dutch Web Alliance
Development in PHP, Python, C, Java.
Lead developer of Saffire.
Blog: http://adayinthelifeof.nl
Email: [email protected]
Twitter: @jaytaph

View Slide

3

View Slide

➡ What’s happening in the first 200+
milliseconds on a HTTPS connection.
3

View Slide

➡ Give tips and hints on hardening your setup.
3

View Slide

➡ Give you insights in new and upcoming
technologies.
3

View Slide

➡ Give you insights in new and upcoming
technologies.
➡ Show you things to you (probably) didn’t
knew.
3

View Slide

This talk is inspired by
a blogpost from Jeff Moser
http://www.moserware.com/2009/06/ﬁrst-few-milliseconds-of-https.html
Unknown fact!
4

View Slide

HTTPwut?
5

View Slide

HTTP over TLS
6

View Slide

Secure Socket Layer
(SSL)
7
A short and scary history

View Slide

then
now
8

View Slide

then
now
SSL 1.0
Vaporware
1994
8

View Slide

then
now
feb
1995
SSL 2.0
Not-so-secure-socket-layer
SSL 1.0
Vaporware
1994
8

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
SSL 1.0
Vaporware
1994
8

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
SSL 1.0
Vaporware
1994
8

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
apr
2006
TLS 1.1
SSL 1.0
Vaporware
1994
8

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
apr
2006
TLS 1.1
TLS 1.2
aug
2008
SSL 1.0
Vaporware
1994
8

View Slide

https://www.trustworthyinternet.org/ssl-pulse/
Supported versions - november 2013
25,7%
99,6% 99,3%
18,2% 20,7%
SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
9

View Slide

25,7%
99,6% 99,3%
18,2% 20,7%
9
borked

View Slide

25,7%
99,6% 99,3%
18,2% 20,7%
9
borked
meh

View Slide

25,7%
99,6% 99,3%
18,2% 20,7%
9
borked
meh
ok

View Slide

RFC 5246
(TLS v1.2)
10

View Slide

11
* We can with openssl

View Slide

➡ Binary protocol - so no quick
telnet-to-see-if-it-works*
11

View Slide

➡ Difficult algorithms and handshakes
11

View Slide

➡ Difficult algorithms and handshakes
➡ (Easy) extendible
11

View Slide

12
https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

View Slide

Attention:
(live)
wiresharking
up ahead
13

View Slide

14

View Slide

15

View Slide

Generating
randomness is HARD
16

View Slide

entropy
(uncertainty)
17

View Slide

TIME is NOT random
thus not a very good
entropy source
18

View Slide

PHP is bad
when it comes to
entropy
19
Unknown fact!

View Slide

srand(microtime())
20
Unknown fact!

View Slide

rand()
mt_rand()
uniqid()
21

View Slide

openssl_pseudo_random_bytes()
read from /dev/(u)random
Use a HRNG
“A million random digits”
https://github.com/ircmaxell/RandomLib
22

View Slide

23

View Slide

24

View Slide

24
➡ SNI (Server Name Indication)

View Slide

24
➡ Extension 0x0000

View Slide

24
➡ Pretty much every decent browser /
server.

View Slide

24
server.
➡ Isn’t supported by: IE6, Win XP,
Blackberry, Android 2.x

View Slide

24
server.
➡ Isn’t supported by: IE6, Win XP,
Blackberry, Android 2.x
➡ So no worries!

View Slide

25

View Slide

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
26

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
27

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
27

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
Used for authenticating
key information
27

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
key information
Actual cipher (and
length) used for
communication
27

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
key information
Actual cipher (and
length) used for
communication
Block cipher mode
27

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
key information
Used for message
authenticating
Actual cipher (and
length) used for
communication
Block cipher mode
27

View Slide

TLS_RSA_WITH_AES_256_CBC_SHA256
28

View Slide

TLS_NULL_WITH_NULL_NULL
29

View Slide

Client gives cipher options,
Server ultimately decides on cipher!
30

View Slide

THIS IS WHY YOU SHOULD ALWAYS
CONFIGURE YOUR CIPHERS
ON YOUR WEBSERVER!
31
Unknown fact!

View Slide

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
Apache
Nginx
32
https://community.qualys.com/blogs/securitylabs/2013/08/05/conﬁguring-apache-nginx-and-openssl-for-forward-secrecy

View Slide

https://www.ssllabs.com/ssltest/
33

View Slide

34

View Slide

35

View Slide

36

View Slide

37

View Slide

38

View Slide

What an SSL certificate is NOT:
39

View Slide

39
➡ SSL certificate (but a X.509 certificate)

View Slide

39
➡ Automatically secure

View Slide

39
➡ Automatically trustworthy

View Slide

39
➡ In any way better self-signed certificates

View Slide

39
➡ In any way better self-signed certificates
➡ Cheap

View Slide

What an SSL certificate is:
40

View Slide

40
➡ The best way (but not perfect) to prove authenticity

View Slide

40
➡ A way to bootstrap encrypted communication

View Slide

40
➡ Misleading

View Slide

40
➡ Misleading
➡ (Too) Expensive

View Slide

41

View Slide

41
➡ X.509 Certificate

View Slide

41
➡ Owner info (who is this owner)

View Slide

41
➡ Domain info (for which domain(s) is
this certificate valid)

View Slide

41
➡ Domain info (for which domain(s) is
this certificate valid)
➡ Expiry info (from when to when is this
certificate valid)

View Slide

42

View Slide

43
yourdomain.com

View Slide

43
yourdomain.com
Intermediate
CA

View Slide

43
yourdomain.com
Root
CA
Intermediate
CA

View Slide

44
IMPLIED TRU$T

View Slide

➡ (Root) Certificate Authorities
➡ They are built into your browser / OS
and you will automatically trust them.
45

View Slide

46
wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l

View Slide

46
wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
174

View Slide

47

View Slide

48

View Slide

49
Generating secrets:

View Slide

49
pre master secret server rand
client rand
Generating secrets:
+ +

View Slide

49
client rand
master secret
Generating secrets:
+ +

View Slide

49
client rand
master secret
master secret server rand client rand
Generating secrets:
+ +
+
+

View Slide

49
client rand
master secret
key buffer
Generating secrets:
+ +
+
+

View Slide

49
client rand
master secret
client MAC client KEY client IV server MAC server KEY server IV
key buffer
Generating secrets:
+ +
+
+

View Slide

50

View Slide

51

View Slide

52

View Slide

53

View Slide

54

View Slide

55
Wireshark CAN decrypt your HTTPS trafﬁc
Unknown fact!
SSLKEYLOGFILE
https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

View Slide

56
launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
on a mac:

View Slide

57

View Slide

➡ TLS has overhead in computation and
transfers. But definitely worth it.
➡ Some ciphersuites are better, but slower
➡ Speed / Security compromise
58

View Slide

Are we safe yet?
59

View Slide

euh,.. no :/
60

View Slide

61
PRE MASTER
SECRET

View Slide

What if somebody*
got hold of the site
private key?
62

View Slide

63

View Slide

64

View Slide

65

View Slide

66
Playing the waiting game...

View Slide

67

View Slide

68

View Slide

(PERFECT)
FORWARDING
SECRECY
69

View Slide

Compromising the
pre-master secret does
not compromise our
communication.
70

View Slide

PFS:
Can’t compromise
other keys with a
compromised key.
71

View Slide

Unfortunately..
72

View Slide

73
PFS needs server
AND browser support

View Slide

74
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

View Slide

75
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

View Slide

All bets are of when
using MS and Apple.
76

View Slide

Update your cipher
suite list and place
PFS ciphers at the top
77

View Slide

But beware:
heavy computations
78

View Slide

79
SSL Test
https://www.ssllabs.com/ssltest/

View Slide

-ETOOMUCHINFO
80

View Slide

81
➡ Unless you got good reasons not to, get
the cheapest certificate possible.
➡ Add the HTTP Strict Transport Security
header.
➡ Don’t support SSLv3 or older
➡ Support PFS
➡ Check through https://ssllabs.com/ssltest

View Slide

82
https://www.ssllabs.com/projects/best-practices/index.html

View Slide

http://farm1.static.ﬂickr.com/73/163450213_18478d3aa6_d.jpg 83

View Slide

84
Find me on twitter: @jaytaph
Find me for development and training: www.noxlogic.nl
Find me on email: [email protected]
Find me for blogs: www.adayinthelifeof.nl
http://joind.in/10397

View Slide

85

View Slide

The first few milliseconds of HTTPS

The first few milliseconds of HTTPS

Joshua Thijssen

More Decks by Joshua Thijssen

Other Decks in Technology

Featured

Transcript