The first few milliseconds of HTTPS

Transcript

1. The first few milliseconds of HTTPS
   1
   Joshua Thijssen
   JayTaph
   

   View Slide

2. 2
   

   View Slide

3. ➡ What’s happening in the first 200+
   milliseconds in a initial HTTPS connection.
   2
   

   View Slide

4. ➡ What’s happening in the first 200+
   milliseconds in a initial HTTPS connection.
   ➡ Give tips and hints on hardening your setup.
   2
   

   View Slide

5. ➡ What’s happening in the first 200+
   milliseconds in a initial HTTPS connection.
   ➡ Give tips and hints on hardening your setup.
   ➡ Give you insights in new and upcoming
   technologies.
   2
   

   View Slide

6. ➡ What’s happening in the first 200+
   milliseconds in a initial HTTPS connection.
   ➡ Give tips and hints on hardening your setup.
   ➡ Give you insights in new and upcoming
   technologies.
   ➡ Show you things to you (probably) didn’t knew.
   2
   

   View Slide

7. HTTPS ==
   HTTP on top of TLS
   3
   

   View Slide

8. Transport Layer Security
   (TLS)
   4
   

   View Slide

9. Secure Socket Layer
   (SSL)
   5
   A short and scary history
   

   View Slide

10. then
    now
    6
    

    View Slide

11. then
    now
    SSL 1.0
    Vaporware
    1994
    6
    

    View Slide

12. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    SSL 1.0
    Vaporware
    1994
    6
    

    View Slide

13. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    SSL 1.0
    Vaporware
    1994
    6
    

    View Slide

14. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    SSL 1.0
    Vaporware
    1994
    6
    

    View Slide

15. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    SSL 1.0
    Vaporware
    1994
    6
    

    View Slide

16. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    TLS 1.2
    aug
    2008
    SSL 1.0
    Vaporware
    1994
    6
    

    View Slide

17. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    7
    November 2013
    

    View Slide

18. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    7
    November 2013
    4,5%
    15,6%
    93,9%
    83,6% 86,8%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    June 2017
    

    View Slide

19. 8
    

    View Slide

20. RFC 5246
    (TLS v1.2)
    9
    

    View Slide

21. ➡ Authenticate and exchange information.
    ➡ Exchange a key (through a public key
    system).
    ➡ Create "tunnel" with symmetric encryption
    (both sides use the same exchanged key).
    10
    

    View Slide

22. 11
    https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg
    

    View Slide

23. Attention:
    (live)
    wiresharking
    up ahead
    12
    

    View Slide

24. 13
    

    View Slide

25. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    14
    

    View Slide

26. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    15
    

    View Slide

27. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    15
    

    View Slide

28. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    15
    

    View Slide

29. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    Actual cipher (and
    length) used for
    communication
    15
    

    View Slide

30. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    Hash algo for message
    authenticating
    Actual cipher (and
    length) used for
    communication
    15
    

    View Slide

31. TLS_RSA_WITH_AES_256_CBC_SHA256
    16
    

    View Slide

32. TLS_NULL_WITH_NULL_NULL
    17
    

    View Slide

33. Client gives cipher options,
    Server ultimately decides on cipher!
    18
    

    View Slide

34. THIS IS WHY YOU SHOULD ALWAYS
    CONFIGURE YOUR CIPHERS
    ON YOUR WEB SERVER!
    19
    Unknown fact!
    

    View Slide

35. 20
    https://cipherli.st
    Gives you strong cipher configuration
    webservers (apache,nginx etc)
    and other software.
    

    View Slide

36. https://www.ssllabs.com/ssltest/
    21
    

    View Slide

37. 22
    

    View Slide

38. 23
    ➡ SNI (Server Name Indication)
    ➡ Extension 0x0000
    ➡ Pretty much every decent browser / server / os
    ➡ Except:
    IE6, Win XP, Blackberry, Android 2.x, java 1.6.x
    

    View Slide

39. 24
    

    View Slide

40. What an SSL certificate is NOT:
    25
    ➡ SSL certificate (but a X.509 certificate)
    ➡ Automatically secure
    ➡ Automatically trustworthy
    ➡ In any way better self-signed certificates
    ➡ Cheap
    

    View Slide

41. What an SSL certificate is:
    26
    ➡ The best way (but not perfect) to prove authenticity
    ➡ A way to bootstrap encrypted communication
    ➡ Misleading
    ➡ (Too) Expensive
    

    View Slide

42. Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    0c:00:93:10:d2:06:db:e3:37:55:35:80:11:8d:dc:87
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
    Validity
    Not Before: Apr 8 00:00:00 2014 GMT
    Not After : Apr 12 12:00:00 2016 GMT
    Subject: ... C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:b1:d4:dc:3c:af:fd:f3:4e:ed:c1:67:ad:e6:cb:
    22:e8:b7:e2:ab:28:f2:f7:dc:62:70:08:d1:0c:af:
    .......
    67:8d
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:github.com, DNS:www.github.com
    X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
    CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
    6f:e7:6d:cb:82:f3:ef:90:87:09:d7:0f:15:22:2c:8c:fe:d3:
    ab:1c:8a:96:db:5d:12:5d:d1:78:c0:31:b0:ff:45:c8:89:f7:
    08:98:52:17:1f:4c:4b:20:64:6a:6d:db:50:d7:10:be:7e:ab:
    ......
    ee:b7:33:69
    27
    

    View Slide

43. 28
    yourdomain.com
    

    View Slide

44. 28
    yourdomain.com
    Intermediate
    CA
    

    View Slide

45. 28
    yourdomain.com
    Intermediate
    CA
    

    View Slide

46. 28
    yourdomain.com
    Root
    CA
    Intermediate
    CA
    

    View Slide

47. 28
    yourdomain.com
    Root
    CA
    Intermediate
    CA
    

    View Slide

48. 28
    yourdomain.com
    Root
    CA
    Intermediate
    CA
    

    View Slide

49. 29
    IMPLIED TRU$T
    

    View Slide

50. ➡ (Root) Certificate Authorities
    ➡ They are built into your browser / OS
    and you will automatically trust them.
    30
    

    View Slide

51. 31
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
    

    View Slide

52. 31
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
    181
    And rising...
    

    View Slide

53. 32
    

    View Slide

54. 32
    ➡ X.509 certificates are used to authenticate
    the server.
    

    View Slide

55. 32
    ➡ X.509 certificates are used to authenticate
    the server.
    ➡ Servers can ask clients to authenticate
    themselves as well.
    

    View Slide

56. 32
    ➡ X.509 certificates are used to authenticate
    the server.
    ➡ Servers can ask clients to authenticate
    themselves as well.
    ➡ APIs
    

    View Slide

57. Sending over
    our initial secret data
    33
    

    View Slide

58. ➡ Client generates random key (pre-shared key).
    ➡ Client encrypts key with public key from
    server SSL certificate.
    ➡ Client sends encrypted key to server.
    ➡ Server decrypts key with private key.
    34
    RSA
    

    View Slide

59. ➡ Server generates key pair
    ➡ Server sends public key to client, with
    signature to prove authenticity (pub key
    from SSL certificate)
    ➡ Client generates key pair
    ➡ Client sends public key to server
    ➡ Both server and client calculate "secret".
    35
    (Elliptic curve) Diffie-Hellman (ephemeral)
    

    View Slide

60. 36
    

    View Slide

61. 37
    Generating secrets:
    

    View Slide

62. 37
    pre master secret
    Generating secrets:
    

    View Slide

63. 37
    pre master secret server rand
    client rand
    Generating secrets:
    + +
    

    View Slide

64. 37
    pre master secret server rand
    client rand
    master secret
    Generating secrets:
    + +
    

    View Slide

65. 37
    pre master secret server rand
    client rand
    master secret
    master secret server rand client rand
    Generating secrets:
    + +
    +
    +
    

    View Slide

66. 37
    pre master secret server rand
    client rand
    master secret
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +
    

    View Slide

67. 37
    pre master secret server rand
    client rand
    master secret
    client MAC client KEY client IV server MAC server KEY server IV
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +
    

    View Slide

68. https://github.com/jaytaph/TLS-decoder
    38
    http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
    Try it yourself, php style:
    

    View Slide

69. 39
    

    View Slide

70. 40
    

    View Slide

71. 41
    

    View Slide

72. 42
    Wireshark CAN decrypt your HTTPS traffic
    Unknown fact!
    SSLKEYLOGFILE
    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415
    

    View Slide

73. 43
    launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
    on a mac:
    

    View Slide

74. -ETOOMUCHINFO
    44
    

    View Slide

75. ➡ TLS has overhead in computation and
    transfers. But definitely worth it.
    ➡ Google likes it.
    ➡ Some cipher suites are better, but slower.
    ➡ Speed / Security compromise
    ➡ (try: “openssl speed”)
    45
    

    View Slide

76. https://tools.ietf.org/html/rfc7457
    46
    Summarizing Known Attacks on Transport Layer Security (TLS)
    and Datagram TLS (DTLS)
    

    View Slide

77. TLS 1.3
    47
    

    View Slide

78. 48
    ➡ Still in draft
    ➡ 1-RTT (initial 0-RTT) for handshakes
    ➡ Dropped insecure features
    

    View Slide

79. 49
    https://www.ssllabs.com/projects/best-practices/index.html
    

    View Slide

80. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 50
    

    View Slide

81. 51
    Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl
    

    View Slide