
The first few milliseconds of HTTPS - loadays

Joshua Thijssen
April 05, 2014

Transcript

  1. The first 200 milliseconds of HTTPS. Joshua Thijssen (@jaytaph)

  2. Joshua Thijssen: freelance consultant, developer and trainer @ NoxLogic. Founder of the Dutch Web Alliance. Development in PHP, Python, C, Java. Lead developer of Saffire.
     Blog: http://adayinthelifeof.nl, Email: jthijssen@noxlogic.nl, Twitter: @jaytaph

  4-7. ➡ What’s happening in the first 200+ milliseconds of an HTTPS connection.
     ➡ Give tips and hints on hardening your setup.
     ➡ Give you insights into new and upcoming technologies.
     ➡ Show you things you (probably) didn’t know.
  8. This talk is inspired by a blog post from Jeff Moser: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html (Unknown fact!)
  9. Secure Sockets Layer (SSL): a short and scary history

  10-16. SSL/TLS versions, then and now:
     ➡ 1994: SSL 1.0, vaporware
     ➡ Feb 1995: SSL 2.0, not-so-secure-socket-layer
     ➡ Jun 1996: SSL 3.0, something stable!
     ➡ Jan 1999: TLS 1.0 (SSL 3.1)
     ➡ Apr 2006: TLS 1.1
     ➡ Aug 2008: TLS 1.2
  17-19. SSL Pulse (https://www.trustworthyinternet.org/ssl-pulse/), protocol support among the surveyed sites:
     November 2013: SSL 2.0 25,7%, SSL 3.0 99,6%, TLS 1.0 99,3%, TLS 1.1 18,2%, TLS 1.2 20,7%
     March 2014:    SSL 2.0 23,7%, SSL 3.0 99,4%, TLS 1.0 97,7%, TLS 1.1 27,6%, TLS 1.2 30,2%
     (Only the SSL 2.0, TLS 1.0 and TLS 1.2 labels survived extraction; the SSL 3.0 and TLS 1.1 columns are assumed from the SSL Pulse chart layout.)
  20. RFC 5246 (TLS v1.2)

  21-27. ➡ Binary protocol, so no quick telnet-to-see-if-it-works* (* we can with openssl)
     ➡ Different records:
        ➡ Handshake protocol
        ➡ Alert protocol
        ➡ ChangeCipherSpec protocol
        ➡ Application protocol
  28. https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg
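An added example (not from the talk) that walks the record layer the slides describe: it splits off one record by its 5-byte header, maps the content type to the handshake, alert, ChangeCipherSpec and application protocols, and then reads the cipher suites a ClientHello offers. The sample record is constructed inline, not taken from a capture.

```python
import struct

# Record-layer content types (RFC 5246 6.2.1): the "different records" from the slides.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def parse_record(data: bytes) -> dict:
    """Split off one TLS record: type (1 byte), version (2), length (2), then the body."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if len(data) < 5 + length:
        raise ValueError("truncated record body")
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor),
            "body": data[5:5 + length], "rest": data[5 + length:]}

def parse_client_hello(body: bytes) -> dict:
    """Walk a Handshake body carrying a ClientHello and return what the client offers."""
    if len(body) < 4 or body[0] != 1:  # HandshakeType client_hello = 1
        raise ValueError("not a ClientHello")
    hlen = int.from_bytes(body[1:4], "big")  # 3-byte handshake length
    hello = body[4:4 + hlen]
    if len(hello) != hlen:
        raise ValueError("truncated handshake message")
    version, client_random = (hello[0], hello[1]), hello[2:34]
    pos = 34
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + comp_len])
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}

# Constructed ClientHello offering three suites named on the slides (IANA values):
# 0xC02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0x003D TLS_RSA_WITH_AES_256_CBC_SHA256,
# 0x0000 TLS_NULL_WITH_NULL_NULL. The 32-byte random is a placeholder of zeros.
_hello = (b"\x03\x03" + bytes(32) + b"\x00"           # version 3.3 (TLS 1.2), random, empty session id
          + b"\x00\x06" + b"\xc0\x2b\x00\x3d\x00\x00"  # cipher_suites length + list
          + b"\x01\x00")                               # one compression method: null
_handshake = b"\x01" + len(_hello).to_bytes(3, "big") + _hello
SAMPLE_RECORD = b"\x16\x03\x01" + len(_handshake).to_bytes(2, "big") + _handshake

if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["type"], rec["version"])
    print(parse_client_hello(rec["body"]))
```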

  29. Attention: (live) wiresharking up ahead


  32. Generating randomness is HARD

  33. Entropy (uncertainty)

  34. TIME is NOT random, thus not a very good entropy source
  35. PHP is bad when it comes to entropy (Unknown fact!)
  36. srand(microtime()) (Unknown fact!)

  37. rand(), mt_rand(), uniqid()

  38. openssl_pseudo_random_bytes(); read from /dev/(u)random; use a HRNG; “A million random digits”; https://github.com/ircmaxell/RandomLib

  40. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  41-46. TLS | ECDHE_ECDSA | WITH | AES_128_GCM | SHA256
     ➡ ECDHE: used for exchanging key information
     ➡ ECDSA: used for authenticating key information
     ➡ AES_128: actual cipher (and key length) used for communication
     ➡ GCM: block cipher mode
     ➡ SHA256: used for message authentication
  47. TLS_RSA_WITH_AES_256_CBC_SHA256

  48. TLS_NULL_WITH_NULL_NULL

  49. The client gives cipher options, the server ultimately decides on the cipher!

  50. THIS IS WHY YOU SHOULD ALWAYS CONFIGURE YOUR CIPHERS ON YOUR WEB SERVER! (Unknown fact!)
  51. Apache:
     SSLProtocol all -SSLv2 -SSLv3
     SSLHonorCipherOrder on
     SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
       EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
       EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
     Nginx:
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;
     ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
     Source: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
  52. https://www.ssllabs.com/ssltest/


  54. ➡ SNI (Server Name Indication)
     ➡ Extension 0x0000
     ➡ Pretty much every decent browser / server.
     ➡ IE6, Win XP, Blackberry, Android 2.x
     ➡ So no worries!

  57. What an SSL certificate is NOT:
     ➡ An SSL certificate (it is an X.509 certificate)
     ➡ Automatically secure
     ➡ Automatically trustworthy
     ➡ In any way better than a self-signed certificate
     ➡ Cheap
  58. What an SSL certificate is:
     ➡ The best way (but not perfect) to prove authenticity
     ➡ A way to bootstrap encrypted communication
     ➡ Misleading
     ➡ (Too) Expensive

  61-64. ➡ X.509 certificate
     ➡ Owner info (who is the owner)
     ➡ Domain info (for which domain(s) is this certificate valid)
     ➡ Expiry info (from when to when is this certificate valid)

  66-71. Certificate chain: yourdomain.com → Intermediate CA → Root CA

  72. IMPLIED TRU$T

  73. ➡ (Root) Certificate Authorities
     ➡ They are built into your browser / OS and you automatically trust them.
  74-75. Counting the distinct issuers in Mozilla's built-in NSS trust store:
     wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
     174

  77-79. ➡ X.509 certificates are used to authenticate the server.
     ➡ Servers can ask clients to authenticate themselves as well.
     ➡ APIs

  82-87. Generating secrets:
     pre master secret + server rand + client rand → master secret
     master secret + server rand + client rand → key buffer
     key buffer → client MAC, client KEY, client IV, server MAC, server KEY, server IV
  88. Try it yourself, PHP style: https://github.com/jaytaph/TLS-decoder, http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
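The secret derivation from slides 82-87 carried out in code, as an added example in Python (it is not the talk's PHP decoder): the RFC 5246 PRF turns the pre-master secret and the two Hello randoms into the 48-byte master secret, and the same PRF expands that into the key buffer, which is sliced into the per-direction MAC keys, keys and IVs. All input values are constructed placeholders.

```python
import hmac
import hashlib

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC-SHA256 chained over the A(i) values."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for the SHA-256 suites: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 8.1: 48-byte master secret; the seed is client random then server random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """RFC 5246 6.3: expand the master secret into the key buffer and slice it.
    Note the seed order flips here: server random first, then client random."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_mac", mac_len), ("server_mac", mac_len),
              ("client_key", key_len), ("server_key", key_len),
              ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

# Constructed sample values, not from a real capture: a 48-byte pre-master secret
# and the two 32-byte randoms from ClientHello and ServerHello.
PRE_MASTER = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
# Key sizes for TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5288): no MAC key,
# 16-byte AES key, 4-byte fixed IV (the rest of the nonce travels with each record).
AES128_GCM = dict(mac_len=0, key_len=16, iv_len=4)
# ...and for TLS_RSA_WITH_AES_256_CBC_SHA256: 32-byte MAC key, 32-byte key, 16-byte IV.
AES256_CBC_SHA256 = dict(mac_len=32, key_len=32, iv_len=16)

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    for suite, sizes in (("AES_128_GCM", AES128_GCM), ("AES_256_CBC_SHA256", AES256_CBC_SHA256)):
        for name, value in key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, **sizes).items():
            print(f"{suite:19} {name:11} {value.hex()}")
```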


  93. Wireshark CAN decrypt your HTTPS traffic (Unknown fact!): SSLKEYLOGFILE, https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415
  94. On a Mac: launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret


  96. ➡ TLS has overhead in computation and transfers. But definitely worth it.
     ➡ Some cipher suites are better, but slower
     ➡ Speed / security compromise
     ➡ (try: “openssl speed”)
  97. Are we safe yet?

  98. euh,.. no :/

  99. PRE MASTER SECRET

  100. What if somebody* got hold of the site private key?

  104-105. Playing the waiting game...


  108. (PERFECT) FORWARD SECRECY

  109. Compromising the pre-master secret does not compromise our communication.

  110. PFS: can’t compromise other keys with a compromised key.

  111. Unfortunately...

  112. PFS needs server AND browser support

  113-114. http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  115. Update your cipher suite list and place PFS ciphers at the top
  116. But beware: heavy computations

  117. SSL Test: https://www.ssllabs.com/ssltest/

  118. -ETOOMUCHINFO

  119. https://www.ssllabs.com/projects/best-practices/index.html

  120. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg

  121. Find me on Twitter: @jaytaph. Find me for development and training: www.noxlogic.nl. Find me on email: jthijssen@noxlogic.nl. Find me for blogs: www.adayinthelifeof.nl