Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The first few milliseconds of HTTPS

Joshua Thijssen
January 24, 2014
0
270

The first few milliseconds of HTTPS

Joshua Thijssen

January 24, 2014
Tweet

More Decks by Joshua Thijssen

See All by Joshua Thijssen
RAFT: A story on how clusters of computers keep your data in sync
jaytaph
0
19
The first few milliseconds of HTTPS
jaytaph
0
140
Paradoxes and theorems every developer should know
jaytaph
0
180
Paradoxes and theorems every developer should know
jaytaph
0
360
The first few milliseconds of HTTPS - PHPNW16
jaytaph
1
150
compiler_-_php010.pdf
jaytaph
0
57
Paradoxes and theorems every developer should know
jaytaph
0
160
Introduction into interpreters, compilers and JIT
jaytaph
1
120
Paradoxes and theorems every developer should know
jaytaph
1
650

Featured

See All Featured
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.4k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
5
6.4k
The Invisible Side of Design
smashingmag
292
49k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
658
120k
We Have a Design System, Now What?
morganepeng
38
6.1k
Mobile First: as difficult as doing things right
swwweet
213
8k
What's new in Ruby 2.0
geeforr
336
30k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
7
990
A Tale of Four Properties
chriscoyier
149
21k
Producing Creativity
orderedlist
PRO
335
38k
Imperfection Machines: The Place of Print at Facebook
scottboms
255
12k

Transcript

  1. The first 200 milliseconds of HTTPS
    1
    Joshua Thijssen
    jaytaph

    View Slide

  2. ➡ What’s happening in the first 200+
    milliseconds on a HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    ➡ Give you insights in new and upcoming
    technologies.
    ➡ Show you things to you (probably) didn’t
    knew.
    2

    View Slide

  3. This talk is inspired by
    a blogpost from Jeff Moser
    http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
    Unknown fact!
    3

    View Slide

  4. HTTPwut?
    4

    View Slide

  5. HTTP over TLS
    5
    Transport Layer Security

    View Slide

  6. Secure Socket Layer
    (SSL)
    6
    A short and scary history

    View Slide

  7. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    TLS 1.2
    aug
    2008
    SSL 1.0
    Vaporware
    1994
    7

    View Slide

  8. https://www.trustworthyinternet.org/ssl-pulse/
    Supported versions - november 2013
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    8
    borked
    meh
    ok

    View Slide

  9. RFC 5246
    (TLS v1.2)
    9

    View Slide

  10. ➡ Binary protocol - so no quick
    telnet-to-see-if-it-works*
    ➡ Difficult algorithms and handshakes
    ➡ (Easy) extendible
    10
    * We can with openssl

    View Slide

  11. 11
    https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

    View Slide

  12. Attention:
    (live)
    wiresharking
    up ahead
    12

    View Slide

  13. 13

    View Slide

  14. 14

    View Slide

  15. Generating
    randomness is HARD
    15

    View Slide

  16. entropy
    (uncertainty)
    16

    View Slide

  17. TIME is NOT random
    thus not a very good
    entropy source
    17

    View Slide

  18. PHP is bad
    when it comes to
    entropy
    18
    Unknown fact!

    View Slide

  19. srand(microtime())
    19
    Unknown fact!

    View Slide

  20. openssl_pseudo_random_bytes()
    read from /dev/(u)random
    Use a HRNG
    “A million random digits”
    https://github.com/ircmaxell/RandomLib
    20

    View Slide

  21. 21

    View Slide

  22. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    22

    View Slide

  23. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Used for exchanging
    key information
    Used for authenticating
    key information
    Used for message
    authenticating
    Actual cipher (and
    length) used for
    communication
    Block cipher mode
    23

    View Slide

  24. TLS_RSA_WITH_AES_256_CBC_SHA256
    24

    View Slide

  25. TLS_NULL_WITH_NULL_NULL
    25

    View Slide

  26. Client gives cipher options,
    Server ultimately decides on cipher!
    26

    View Slide

  27. THIS IS WHY YOU SHOULD ALWAYS
    CONFIGURE YOUR CIPHERS
    ON YOUR WEBSERVER!
    27
    Unknown fact!

    View Slide

  28. SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
    EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
    EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    Apache
    Nginx
    28
    https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

    View Slide

  29. https://www.ssllabs.com/ssltest/
    29

    View Slide

  30. 30

    View Slide

  31. 31

    View Slide

  32. 32
    ➡ SNI (Server Name Indication)
    ➡ Extension 0x0000
    ➡ Pretty much every decent browser /
    server.
    ➡ Isn’t supported by: IE6, Win XP,
    Blackberry, Android 2.x
    ➡ So no worries!

    View Slide

  33. 33

    View Slide

  34. 34

    View Slide

  35. 35

    View Slide

  36. 36

    View Slide

  37. What an SSL certificate is NOT:
    37
    ➡ SSL certificate (but a X.509 certificate)
    ➡ Automatically secure
    ➡ Automatically trustworthy
    ➡ In any way better self-signed certificates
    ➡ Cheap

    View Slide

  38. What an SSL certificate is:
    38
    ➡ The best way (but not perfect) to prove authenticity
    ➡ A way to bootstrap encrypted communication
    ➡ Misleading
    ➡ (Too) Expensive

    View Slide

  39. 39
    ➡ X.509 Certificate
    ➡ Owner info (who is this owner)
    ➡ Domain info (for which domain(s) is
    this certificate valid)
    ➡ Expiry info (from when to when is this
    certificate valid)

    View Slide

  40. 40

    View Slide

  41. 41
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View Slide

  42. 42
    IMPLIED TRU$T

    View Slide

  43. ➡ (Root) Certificate Authorities
    ➡ They are built into your browser / OS
    and you will automatically trust them.
    43

    View Slide

  44. 44
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
    174

    View Slide

  45. 45

    View Slide

  46. 46

    View Slide

  47. 47
    pre master secret server rand
    client rand
    master secret
    client MAC client KEY client IV server MAC server KEY server IV
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +

    View Slide

  48. 48

    View Slide

  49. 49

    View Slide

  50. 50

    View Slide

  51. 51

    View Slide

  52. 52

    View Slide

  53. 53
    Wireshark CAN decrypt your HTTPS traffic
    Unknown fact!
    SSLKEYLOGFILE
    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

    View Slide

  54. 54
    launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
    on a mac:

    View Slide

  55. 55

    View Slide

  56. ➡ TLS has overhead in computation and
    transfers. But definitely worth it.
    ➡ Some ciphersuites are better, but slower
    ➡ Speed / Security compromise
    ➡ (try: “openssl speed”)
    56

    View Slide

  57. Are we safe yet?
    57

    View Slide

  58. euh,.. no :/
    58

    View Slide

  59. 59
    PRE MASTER
    SECRET

    View Slide

  60. What if somebody*
    got hold of the site
    private key?
    60

    View Slide

  61. 61

    View Slide

  62. 62

    View Slide

  63. 63

    View Slide

  64. 64
    Playing the waiting game...

    View Slide

  65. 65

    View Slide

  66. 66

    View Slide

  67. (PERFECT)
    FORWARDING
    SECRECY
    67

    View Slide

  68. Compromising the
    pre-master secret does
    not compromise our
    communication.
    68

    View Slide

  69. PFS:
    Can’t compromise
    other keys with a
    compromised key.
    69

    View Slide

  70. Unfortunately..
    70

    View Slide

  71. 71
    PFS needs server
    AND browser support

    View Slide

  72. 72
    http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

    View Slide

  73. 73
    http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

    View Slide

  74. All bets are of when
    using MS and Apple.
    74

    View Slide

  75. Update your cipher
    suite list and place
    PFS ciphers at the top
    75

    View Slide

  76. But beware:
    heavy computations
    76

    View Slide

  77. 77
    SSL Test
    https://www.ssllabs.com/ssltest/

    View Slide

  78. -ETOOMUCHINFO
    78

    View Slide

  79. 79
    ➡ Unless you got good reasons not to, get
    the cheapest certificate possible.
    ➡ Add the HTTP Strict Transport Security
    header.
    ➡ Don’t support SSLv3 or older
    ➡ Support PFS
    ➡ Check through https://ssllabs.com/ssltest

    View Slide

  80. 80
    https://www.ssllabs.com/projects/best-practices/index.html

    View Slide

  81. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 81

    View Slide

  82. 82
    Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl
    http://joind.in/10292

    View Slide

  83. 83

    View Slide