Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The first few milliseconds of HTTPS - loadays

Joshua Thijssen
April 05, 2014
4
1.3k

The first few milliseconds of HTTPS - loadays

Joshua Thijssen

April 05, 2014
Tweet

More Decks by Joshua Thijssen

See All by Joshua Thijssen
RAFT: A story on how clusters of computers keep your data in sync
jaytaph
0
36
The first few milliseconds of HTTPS
jaytaph
0
200
Paradoxes and theorems every developer should know
jaytaph
0
250
Paradoxes and theorems every developer should know
jaytaph
0
590
The first few milliseconds of HTTPS - PHPNW16
jaytaph
1
200
compiler_-_php010.pdf
jaytaph
0
91
Paradoxes and theorems every developer should know
jaytaph
0
210
Introduction into interpreters, compilers and JIT
jaytaph
1
260
Paradoxes and theorems every developer should know
jaytaph
1
860

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
KATA
mclloyd
29
14k
Designing Experiences People Love
moore
140
23k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
Into the Great Unknown - MozCon
thekraken
35
1.7k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.5k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
660
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.3k
What's in a price? How to price your products and services
michaelherold
244
12k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.5k
The Cost Of JavaScript in 2023
addyosmani
47
7.5k
Side Projects
sachag
452
42k

Transcript

  1. The first 200 milliseconds of HTTPS 1 Joshua Thijssen jaytaph

  2. 2 Joshua Thijssen Freelance consultant, developer and trainer @ NoxLogic

    Founder of the Dutch Web Alliance Development in PHP, Python, C, Java. Lead developer of Saffire. Blog: http://adayinthelifeof.nl Email: jthijssen@noxlogic.nl Twitter: @jaytaph

  3. 3

  4. ➡ What’s happening in the first 200+ milliseconds on a

    HTTPS connection. 3

  5. ➡ What’s happening in the first 200+ milliseconds on a

    HTTPS connection. ➡ Give tips and hints on hardening your setup. 3

  6. ➡ What’s happening in the first 200+ milliseconds on a

    HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights in new and upcoming technologies. 3

  7. ➡ What’s happening in the first 200+ milliseconds on a

    HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights in new and upcoming technologies. ➡ Show you things to you (probably) didn’t knew. 3

  8. This talk is inspired by a blogpost from Jeff Moser

    http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html Unknown fact! 4

  9. Secure Socket Layer (SSL) 5 A short and scary history

  10. then now 6

  11. then now SSL 1.0 Vaporware 1994 6

  12. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer SSL 1.0 Vaporware

    1994 6

  13. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! SSL 1.0 Vaporware 1994 6

  14. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 SSL 1.0 Vaporware 1994 6

  15. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 apr 2006 TLS 1.1 SSL 1.0 Vaporware 1994 6

  16. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 apr 2006 TLS 1.1 TLS 1.2 aug 2008 SSL 1.0 Vaporware 1994 6

  17. https://www.trustworthyinternet.org/ssl-pulse/ 25,7% 99,6% 99,3% 18,2% 20,7% SSL 2.0 TLS 1.0

    TLS 1.2 7 November 2013

  18. https://www.trustworthyinternet.org/ssl-pulse/ 25,7% 99,6% 99,3% 18,2% 20,7% SSL 2.0 TLS 1.0

    TLS 1.2 7 November 2013

  19. https://www.trustworthyinternet.org/ssl-pulse/ 25,7% 99,6% 99,3% 18,2% 20,7% SSL 2.0 TLS 1.0

    TLS 1.2 7 23,7% 99,4% 97,7% 27,6% 30,2% SSL 2.0 TLS 1.0 TLS 1.2 November 2013 March 2014

  20. RFC 5246 (TLS v1.2) 8

  21. 9 * We can with openssl

  22. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* 9 *

    We can with openssl

  23. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* ➡ Different

    records 9 * We can with openssl

  24. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* ➡ Different

    records ➡ Handshake protocol 9 * We can with openssl

  25. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* ➡ Different

    records ➡ Handshake protocol ➡ Alert protocol 9 * We can with openssl

  26. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* ➡ Different

    records ➡ Handshake protocol ➡ Alert protocol ➡ ChangeCipherSpec protocol 9 * We can with openssl

  27. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* ➡ Different

    records ➡ Handshake protocol ➡ Alert protocol ➡ ChangeCipherSpec protocol ➡ Application protocol 9 * We can with openssl

  28. 10 https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

  29. Attention: (live) wiresharking up ahead 11

  30. 12

  31. 13

  32. Generating randomness is HARD 14

  33. entropy (uncertainty) 15

  34. TIME is NOT random thus not a very good entropy

    source 16

  35. PHP is bad when it comes to entropy 17 Unknown

    fact!

  36. srand(microtime()) 18 Unknown fact!

  37. rand() mt_rand() uniqid() 19

  38. openssl_pseudo_random_bytes() read from /dev/(u)random Use a HRNG “A million random

    digits” https://github.com/ircmaxell/RandomLib 20

  39. 21

  40. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 22

  41. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 23

  42. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    23

  43. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    Used for authenticating key information 23

  44. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    Used for authenticating key information Actual cipher (and length) used for communication 23

  45. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    Used for authenticating key information Actual cipher (and length) used for communication Block cipher mode 23

  46. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    Used for authenticating key information Used for message authenticating Actual cipher (and length) used for communication Block cipher mode 23

  47. TLS_RSA_WITH_AES_256_CBC_SHA256 24

  48. TLS_NULL_WITH_NULL_NULL 25

  49. Client gives cipher options, Server ultimately decides on cipher! 26

  50. THIS IS WHY YOU SHOULD ALWAYS CONFIGURE YOUR CIPHERS ON

    YOUR WEB SERVER! 27 Unknown fact!

  51. SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384

    \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; Apache Nginx 28 https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

  52. https://www.ssllabs.com/ssltest/ 29

  53. 30

  54. 31 ➡ SNI (Server Name Indication) ➡ Extension 0x0000 ➡

    Pretty much every decent browser / server. ➡ IE6, Win XP, Blackberry, Android 2.x ➡ So no worries!

  55. 32

  56. 33

  57. What an SSL certificate is NOT: 34 ➡ SSL certificate

    (but a X.509 certificate) ➡ Automatically secure ➡ Automatically trustworthy ➡ In any way better self-signed certificates ➡ Cheap

  58. What an SSL certificate is: 35 ➡ The best way

    (but not perfect) to prove authenticity ➡ A way to bootstrap encrypted communication ➡ Misleading ➡ (Too) Expensive

  59. 36

  60. 37

  61. 37 ➡ X.509 Certificate

  62. 37 ➡ X.509 Certificate ➡ Owner info (who is this

    owner)

  63. 37 ➡ X.509 Certificate ➡ Owner info (who is this

    owner) ➡ Domain info (for which domain(s) is this certificate valid)

  64. 37 ➡ X.509 Certificate ➡ Owner info (who is this

    owner) ➡ Domain info (for which domain(s) is this certificate valid) ➡ Expiry info (from when to when is this certificate valid)

  65. 38

  66. 39 yourdomain.com

  67. 39 yourdomain.com Intermediate CA

  68. 39 yourdomain.com Intermediate CA

  69. 39 yourdomain.com Root CA Intermediate CA

  70. 39 yourdomain.com Root CA Intermediate CA

  71. 39 yourdomain.com Root CA Intermediate CA

  72. 40 IMPLIED TRU$T

  73. ➡ (Root) Certificate Authorities ➡ They are built into your

    browser / OS and you will automatically trust them. 41

  74. 42 wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer |

    sort | uniq | wc -l

  75. 42 wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer |

    sort | uniq | wc -l 174

  76. 43

  77. 43 ➡ X.509 certificates are used to authenticate the server.

  78. 43 ➡ X.509 certificates are used to authenticate the server.

    ➡ Servers can ask clients to authenticate themselves as well.

  79. 43 ➡ X.509 certificates are used to authenticate the server.

    ➡ Servers can ask clients to authenticate themselves as well. ➡ APIs

  80. 44

  81. 45

  82. 46 Generating secrets:

  83. 46 pre master secret server rand client rand Generating secrets:

    + +

  84. 46 pre master secret server rand client rand master secret

    Generating secrets: + +

  85. 46 pre master secret server rand client rand master secret

    master secret server rand client rand Generating secrets: + + + +

  86. 46 pre master secret server rand client rand master secret

    master secret server rand client rand key buffer Generating secrets: + + + +

  87. 46 pre master secret server rand client rand master secret

    client MAC client KEY client IV server MAC server KEY server IV master secret server rand client rand key buffer Generating secrets: + + + +

  88. https://github.com/jaytaph/TLS-decoder 47 http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/ Try it yourself, php style:

  89. 48

  90. 49

  91. 50

  92. 51

  93. 52 Wireshark CAN decrypt your HTTPS traffic Unknown fact! SSLKEYLOGFILE

    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

  94. 53 launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret on a mac:

  95. 54

  96. ➡ TLS has overhead in computation and transfers. But definitely

    worth it. ➡ Some ciphersuites are better, but slower ➡ Speed / Security compromise ➡ (try: “openssl speed”) 55

  97. Are we safe yet? 56

  98. euh,.. no :/ 57

  99. 58 PRE MASTER SECRET

  100. What if somebody* got hold of the site private key?

    59

  101. 60

  102. 61

  103. 62

  104. 63 Playing the waiting game...

  105. 63 Playing the waiting game...

  106. 64

  107. 65

  108. (PERFECT) FORWARDING SECRECY 66

  109. Compromising the pre-master secret does not compromise our communication. 67

  110. PFS: Can’t compromise other keys with a compromised key. 68

  111. Unfortunately.. 69

  112. 70 PFS needs server AND browser support

  113. 71 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  114. 72 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  115. Update your cipher suite list and place PFS ciphers at

    the top 73

  116. But beware: heavy computations 74

  117. 75 SSL Test https://www.ssllabs.com/ssltest/

  118. -ETOOMUCHINFO 76

  119. 77 https://www.ssllabs.com/projects/best-practices/index.html

  120. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 78

  121. 79 Find me on twitter: @jaytaph Find me for development

    and training: www.noxlogic.nl Find me on email: jthijssen@noxlogic.nl Find me for blogs: www.adayinthelifeof.nl

  122. 80