Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The first few milliseconds of HTTPS

Joshua Thijssen
October 03, 2014
0
70

The first few milliseconds of HTTPS

Joshua Thijssen

October 03, 2014
Tweet

More Decks by Joshua Thijssen

See All by Joshua Thijssen
RAFT: A story on how clusters of computers keep your data in sync
jaytaph
0
30
The first few milliseconds of HTTPS
jaytaph
0
170
Paradoxes and theorems every developer should know
jaytaph
0
220
Paradoxes and theorems every developer should know
jaytaph
0
530
The first few milliseconds of HTTPS - PHPNW16
jaytaph
1
170
compiler_-_php010.pdf
jaytaph
0
80
Paradoxes and theorems every developer should know
jaytaph
0
190
Introduction into interpreters, compilers and JIT
jaytaph
1
220
Paradoxes and theorems every developer should know
jaytaph
1
830

Featured

See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Rails Girls Zürich Keynote
gr2m
94
13k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Facilitating Awesome Meetings
lara
50
6.1k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Music & Morning Musume
bryan
46
6.2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
860
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
89
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
What's new in Ruby 2.0
geeforr
343
31k
Ruby is Unlike a Banana
tanoku
97
11k

Transcript

  1. The first 200 milliseconds of HTTPS 1 Joshua Thijssen jaytaph

  2. 2

  3. ➡ What’s happening in the first 200+ milliseconds in a

    initial HTTPS connection. 2

  4. ➡ What’s happening in the first 200+ milliseconds in a

    initial HTTPS connection. ➡ Give tips and hints on hardening your setup. 2

  5. ➡ What’s happening in the first 200+ milliseconds in a

    initial HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights in new and upcoming technologies. 2

  6. ➡ What’s happening in the first 200+ milliseconds in a

    initial HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights in new and upcoming technologies. ➡ Show you things to you (probably) didn’t knew. 2

  7. This talk is inspired by a blogpost from Jeff Moser

    http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html Unknown fact! 3

  8. HTTPS == HTTP on top of TLS 4

  9. Transport Layer Security (TLS) 5

  10. Secure Socket Layer (SSL) 6 A short and scary history

  11. then now 7

  12. then now SSL 1.0 Vaporware 1994 7

  13. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer SSL 1.0 Vaporware

    1994 7

  14. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! SSL 1.0 Vaporware 1994 7

  15. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 SSL 1.0 Vaporware 1994 7

  16. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 apr 2006 TLS 1.1 SSL 1.0 Vaporware 1994 7

  17. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 apr 2006 TLS 1.1 TLS 1.2 aug 2008 SSL 1.0 Vaporware 1994 7

  18. https://www.trustworthyinternet.org/ssl-pulse/ 25,7% 99,6% 99,3% 18,2% 20,7% SSL 2.0 SSL 3.0

    TLS 1.0 TLS 1.1 TLS 1.2 8 November 2013

  19. https://www.trustworthyinternet.org/ssl-pulse/ 25,7% 99,6% 99,3% 18,2% 20,7% SSL 2.0 SSL 3.0

    TLS 1.0 TLS 1.1 TLS 1.2 8 20,5% 98,5% 99,3% 38,4% 40,8% SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 November 2013 Aug 2014

  20. RFC 5246 (TLS v1.2) 9

  21. 10 Record Layer

  22. 10 Record Layer Type Version Length

  23. 10 Record Layer Type Version Length Protocol

  24. 10 Record Layer Type Version Length Protocol Protocol Protocol

  25. 10 Record Layer Type Version Length Protocol Protocol Protocol Record

    Layer Type Version Length Protocol

  26. ➡ Handshake protocol records ➡ Setup communication ➡ Change Cipher

    Spec protocol records ➡ Change communication ➡ Alert protocol records ➡ Errors ➡ Application Data protocol records ➡ Actual data transfers 11

  27. 12 https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

  28. Attention: (live) wiresharking up ahead 13

  29. 14

  30. 15

  31. Generating randomness is HARD 16

  32. entropy (uncertainty) 17

  33. TIME is NOT random thus not a very good entropy

    source 18

  34. PHP is bad when it comes to entropy 19 Unknown

    fact!

  35. 20

  36. openssl_pseudo_random_bytes() 20

  37. openssl_pseudo_random_bytes() read from /dev/(u)random 20

  38. openssl_pseudo_random_bytes() read from /dev/(u)random Use a HRNG 20

  39. openssl_pseudo_random_bytes() read from /dev/(u)random Use a HRNG “A million random

    digits” 20

  40. openssl_pseudo_random_bytes() read from /dev/(u)random Use a HRNG “A million random

    digits” https://github.com/ircmaxell/RandomLib 20

  41. 21

  42. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 22

  43. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 23

  44. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Cipher for exchanging key information

    23

  45. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Cipher for exchanging key information

    Cipher for authenticating key information 23

  46. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Cipher for exchanging key information

    Cipher for authenticating key information Actual cipher (and length) used for communication 23

  47. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Cipher for exchanging key information

    Cipher for authenticating key information Hash algo for message authenticating Actual cipher (and length) used for communication 23

  48. TLS_RSA_WITH_AES_256_CBC_SHA256 24

  49. TLS_NULL_WITH_NULL_NULL 25

  50. Client gives cipher options, Server ultimately decides on cipher! 26

  51. THIS IS WHY YOU SHOULD ALWAYS CONFIGURE YOUR CIPHERS ON

    YOUR WEB SERVER! 27 Unknown fact!

  52. 28 https://cipherli.st SSLCipherSuite AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLCompression off

    # Requires Apache >= 2.4 SSLHonorCipherOrder On SSLUseStapling on # Requires Apache >= 2.4 SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires >= Apache 2.4 Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" Header always set X-Frame-Options DENY ssl_ciphers 'AES256+EECDH:AES256+EDH'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; add_header X-Frame-Options DENY; ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver $DNS-IP-1 $DNS-IP-2 valid=300s; resolver_timeout 5s; Apache: nginx:

  53. https://www.ssllabs.com/ssltest/ 29

  54. 30

  55. 31

  56. 32 https://www.overheid.nl/

  57. 33

  58. 34

  59. 35

  60. 36

  61. 37 ➡ SNI (Server Name Indication) ➡ Extension 0x0000 ➡

    Pretty much every decent browser / server. ➡ IE6, Win XP, Blackberry, Android 2.x, java 1.6.x ➡ So no worries!

  62. 38

  63. 39

  64. What an SSL certificate is NOT: 40 ➡ SSL certificate

    (but a X.509 certificate) ➡ Automatically secure ➡ Automatically trustworthy ➡ In any way better self-signed certificates ➡ Cheap

  65. What an SSL certificate is: 41 ➡ The best way

    (but not perfect) to prove authenticity ➡ A way to bootstrap encrypted communication ➡ Misleading ➡ (Too) Expensive

  66. 42

  67. 42 ➡ X.509 Certificate

  68. 42 ➡ X.509 Certificate ➡ Owner info (who is this

    owner)

  69. 42 ➡ X.509 Certificate ➡ Owner info (who is this

    owner) ➡ Domain info (for which domain(s) is this certificate valid)

  70. 42 ➡ X.509 Certificate ➡ Owner info (who is this

    owner) ➡ Domain info (for which domain(s) is this certificate valid) ➡ Expiry info (from when to when is this certificate valid)

  71. 43 yourdomain.com

  72. 43 yourdomain.com Intermediate CA

  73. 43 yourdomain.com Intermediate CA

  74. 43 yourdomain.com Root CA Intermediate CA

  75. 43 yourdomain.com Root CA Intermediate CA

  76. 43 yourdomain.com Root CA Intermediate CA

  77. 44 IMPLIED TRU$T

  78. ➡ (Root) Certificate Authorities ➡ They are built into your

    browser / OS and you will automatically trust them. 45

  79. 46 wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer |

    sort | uniq | wc -l

  80. 46 wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer |

    sort | uniq | wc -l 181 And rising...

  81. 47

  82. 47 ➡ X.509 certificates are used to authenticate the server.

  83. 47 ➡ X.509 certificates are used to authenticate the server.

    ➡ Servers can ask clients to authenticate themselves as well.

  84. 47 ➡ X.509 certificates are used to authenticate the server.

    ➡ Servers can ask clients to authenticate themselves as well. ➡ APIs

  85. 48

  86. 49

  87. 50 Generating secrets:

  88. 50 pre master secret server rand client rand Generating secrets:

    + +

  89. 50 pre master secret server rand client rand master secret

    Generating secrets: + +

  90. 50 pre master secret server rand client rand master secret

    master secret server rand client rand Generating secrets: + + + +

  91. 50 pre master secret server rand client rand master secret

    master secret server rand client rand key buffer Generating secrets: + + + +

  92. 50 pre master secret server rand client rand master secret

    client MAC client KEY client IV server MAC server KEY server IV master secret server rand client rand key buffer Generating secrets: + + + +

  93. https://github.com/jaytaph/TLS-decoder 51 http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/ Try it yourself, php style:

  94. 52

  95. 53

  96. 54

  97. 55

  98. 56 Wireshark CAN decrypt your HTTPS traffic Unknown fact! SSLKEYLOGFILE

    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

  99. 57 launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret on a mac:

  100. 58

  101. ➡ TLS has overhead in computation and transfers. But definitely

    worth it. ➡ Google likes it. ➡ Some ciphersuites are better, but slower. ➡ Speed / Security compromise ➡ (try: “openssl speed”) 59

  102. Are we safe yet? 60

  103. euh,.. no :/ 61

  104. 62 PRE MASTER SECRET

  105. What if somebody* got hold of the site private key?

    63

  106. 64

  107. 65

  108. 66

  109. 67

  110. (PERFECT) FORWARDING SECRECY 68

  111. Compromising the pre-master secret does not compromise our communication. 69

  112. PFS: Can’t compromise other keys with a compromised key. 70

  113. Unfortunately.. 71

  114. 72 PFS needs server AND browser support

  115. 73 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  116. 74 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  117. Update your cipher suite list and place PFS ciphers at

    the top 75

  118. But beware: heavy computations 76

  119. 77 SSL Test https://www.ssllabs.com/ssltest/

  120. -ETOOMUCHINFO 78

  121. 79 https://www.ssllabs.com/projects/best-practices/index.html

  122. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 80

  123. 81 Find me on twitter: @jaytaph Find me for development

    and training: www.noxlogic.nl Find me on email: [email protected] Find me for blogs: www.adayinthelifeof.nl