Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The first few milliseconds of HTTPS

Joshua Thijssen
July 01, 2017
140

The first few milliseconds of HTTPS

Joshua Thijssen

July 01, 2017
Tweet

Transcript

  1. The first few milliseconds of HTTPS
    1
    Joshua Thijssen
    JayTaph

    View Slide

  2. 2

    View Slide

  3. ➡ What’s happening in the first 200+
    milliseconds in a initial HTTPS connection.
    2

    View Slide

  4. ➡ What’s happening in the first 200+
    milliseconds in a initial HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    2

    View Slide

  5. ➡ What’s happening in the first 200+
    milliseconds in a initial HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    ➡ Give you insights in new and upcoming
    technologies.
    2

    View Slide

  6. ➡ What’s happening in the first 200+
    milliseconds in a initial HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    ➡ Give you insights in new and upcoming
    technologies.
    ➡ Show you things to you (probably) didn’t knew.
    2

    View Slide

  7. HTTPS ==
    HTTP on top of TLS
    3

    View Slide

  8. Transport Layer Security
    (TLS)
    4

    View Slide

  9. Secure Socket Layer
    (SSL)
    5
    A short and scary history

    View Slide

  10. then
    now
    6

    View Slide

  11. then
    now
    SSL 1.0
    Vaporware
    1994
    6

    View Slide

  12. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    SSL 1.0
    Vaporware
    1994
    6

    View Slide

  13. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    SSL 1.0
    Vaporware
    1994
    6

    View Slide

  14. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    SSL 1.0
    Vaporware
    1994
    6

    View Slide

  15. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    SSL 1.0
    Vaporware
    1994
    6

    View Slide

  16. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    TLS 1.2
    aug
    2008
    SSL 1.0
    Vaporware
    1994
    6

    View Slide

  17. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    7
    November 2013

    View Slide

  18. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    7
    November 2013
    4,5%
    15,6%
    93,9%
    83,6% 86,8%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    June 2017

    View Slide

  19. 8

    View Slide

  20. RFC 5246
    (TLS v1.2)
    9

    View Slide

  21. ➡ Authenticate and exchange information.
    ➡ Exchange a key (through a public key
    system).
    ➡ Create "tunnel" with symmetric encryption
    (both sides use the same exchanged key).
    10

    View Slide

  22. 11
    https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

    View Slide

  23. Attention:
    (live)
    wiresharking
    up ahead
    12

    View Slide

  24. 13

    View Slide

  25. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    14

    View Slide

  26. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    15

    View Slide

  27. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    15

    View Slide

  28. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    15

    View Slide

  29. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    Actual cipher (and
    length) used for
    communication
    15

    View Slide

  30. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    Hash algo for message
    authenticating
    Actual cipher (and
    length) used for
    communication
    15

    View Slide

  31. TLS_RSA_WITH_AES_256_CBC_SHA256
    16

    View Slide

  32. TLS_NULL_WITH_NULL_NULL
    17

    View Slide

  33. Client gives cipher options,
    Server ultimately decides on cipher!
    18

    View Slide

  34. THIS IS WHY YOU SHOULD ALWAYS
    CONFIGURE YOUR CIPHERS
    ON YOUR WEB SERVER!
    19
    Unknown fact!

    View Slide

  35. 20
    https://cipherli.st
    Gives you strong cipher configuration
    webservers (apache,nginx etc)
    and other software.

    View Slide

  36. https://www.ssllabs.com/ssltest/
    21

    View Slide

  37. 22

    View Slide

  38. 23
    ➡ SNI (Server Name Indication)
    ➡ Extension 0x0000
    ➡ Pretty much every decent browser / server / os
    ➡ Except:
    IE6, Win XP, Blackberry, Android 2.x, java 1.6.x

    View Slide

  39. 24

    View Slide

  40. What an SSL certificate is NOT:
    25
    ➡ SSL certificate (but a X.509 certificate)
    ➡ Automatically secure
    ➡ Automatically trustworthy
    ➡ In any way better self-signed certificates
    ➡ Cheap

    View Slide

  41. What an SSL certificate is:
    26
    ➡ The best way (but not perfect) to prove authenticity
    ➡ A way to bootstrap encrypted communication
    ➡ Misleading
    ➡ (Too) Expensive

    View Slide

  42. Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    0c:00:93:10:d2:06:db:e3:37:55:35:80:11:8d:dc:87
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
    Validity
    Not Before: Apr 8 00:00:00 2014 GMT
    Not After : Apr 12 12:00:00 2016 GMT
    Subject: ... C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:b1:d4:dc:3c:af:fd:f3:4e:ed:c1:67:ad:e6:cb:
    22:e8:b7:e2:ab:28:f2:f7:dc:62:70:08:d1:0c:af:
    .......
    67:8d
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:github.com, DNS:www.github.com
    X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
    CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
    6f:e7:6d:cb:82:f3:ef:90:87:09:d7:0f:15:22:2c:8c:fe:d3:
    ab:1c:8a:96:db:5d:12:5d:d1:78:c0:31:b0:ff:45:c8:89:f7:
    08:98:52:17:1f:4c:4b:20:64:6a:6d:db:50:d7:10:be:7e:ab:
    ......
    ee:b7:33:69
    27

    View Slide

  43. 28
    yourdomain.com

    View Slide

  44. 28
    yourdomain.com
    Intermediate
    CA

    View Slide

  45. 28
    yourdomain.com
    Intermediate
    CA

    View Slide

  46. 28
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View Slide

  47. 28
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View Slide

  48. 28
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View Slide

  49. 29
    IMPLIED TRU$T

    View Slide

  50. ➡ (Root) Certificate Authorities
    ➡ They are built into your browser / OS
    and you will automatically trust them.
    30

    View Slide

  51. 31
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l

    View Slide

  52. 31
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
    181
    And rising...

    View Slide

  53. 32

    View Slide

  54. 32
    ➡ X.509 certificates are used to authenticate
    the server.

    View Slide

  55. 32
    ➡ X.509 certificates are used to authenticate
    the server.
    ➡ Servers can ask clients to authenticate
    themselves as well.

    View Slide

  56. 32
    ➡ X.509 certificates are used to authenticate
    the server.
    ➡ Servers can ask clients to authenticate
    themselves as well.
    ➡ APIs

    View Slide

  57. Sending over
    our initial secret data
    33

    View Slide

  58. ➡ Client generates random key (pre-shared key).
    ➡ Client encrypts key with public key from
    server SSL certificate.
    ➡ Client sends encrypted key to server.
    ➡ Server decrypts key with private key.
    34
    RSA

    View Slide

  59. ➡ Server generates key pair
    ➡ Server sends public key to client, with
    signature to prove authenticity (pub key
    from SSL certificate)
    ➡ Client generates key pair
    ➡ Client sends public key to server
    ➡ Both server and client calculate "secret".
    35
    (Elliptic curve) Diffie-Hellman (ephemeral)

    View Slide

  60. 36

    View Slide

  61. 37
    Generating secrets:

    View Slide

  62. 37
    pre master secret
    Generating secrets:

    View Slide

  63. 37
    pre master secret server rand
    client rand
    Generating secrets:
    + +

    View Slide

  64. 37
    pre master secret server rand
    client rand
    master secret
    Generating secrets:
    + +

    View Slide

  65. 37
    pre master secret server rand
    client rand
    master secret
    master secret server rand client rand
    Generating secrets:
    + +
    +
    +

    View Slide

  66. 37
    pre master secret server rand
    client rand
    master secret
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +

    View Slide

  67. 37
    pre master secret server rand
    client rand
    master secret
    client MAC client KEY client IV server MAC server KEY server IV
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +

    View Slide

  68. https://github.com/jaytaph/TLS-decoder
    38
    http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
    Try it yourself, php style:

    View Slide

  69. 39

    View Slide

  70. 40

    View Slide

  71. 41

    View Slide

  72. 42
    Wireshark CAN decrypt your HTTPS traffic
    Unknown fact!
    SSLKEYLOGFILE
    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

    View Slide

  73. 43
    launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
    on a mac:

    View Slide

  74. -ETOOMUCHINFO
    44

    View Slide

  75. ➡ TLS has overhead in computation and
    transfers. But definitely worth it.
    ➡ Google likes it.
    ➡ Some cipher suites are better, but slower.
    ➡ Speed / Security compromise
    ➡ (try: “openssl speed”)
    45

    View Slide

  76. https://tools.ietf.org/html/rfc7457
    46
    Summarizing Known Attacks on Transport Layer Security (TLS)
    and Datagram TLS (DTLS)

    View Slide

  77. TLS 1.3
    47

    View Slide

  78. 48
    ➡ Still in draft
    ➡ 1-RTT (initial 0-RTT) for handshakes
    ➡ Dropped insecure features

    View Slide

  79. 49
    https://www.ssllabs.com/projects/best-practices/index.html

    View Slide

  80. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 50

    View Slide

  81. 51
    Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl

    View Slide