Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The first few milliseconds of HTTPS - loadays

Joshua Thijssen
April 05, 2014
1.2k

The first few milliseconds of HTTPS - loadays

Joshua Thijssen

April 05, 2014
Tweet

Transcript

  1. The first 200 milliseconds of HTTPS
    1
    Joshua Thijssen
    jaytaph

    View full-size slide

  2. 2
    Joshua Thijssen
    Freelance consultant, developer and
    trainer @ NoxLogic
    Founder of the Dutch Web Alliance
    Development in PHP, Python, C, Java.
    Lead developer of Saffire.
    Blog: http://adayinthelifeof.nl
    Email: [email protected]
    Twitter: @jaytaph

    View full-size slide

  3. ➡ What’s happening in the first 200+
    milliseconds on a HTTPS connection.
    3

    View full-size slide

  4. ➡ What’s happening in the first 200+
    milliseconds on a HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    3

    View full-size slide

  5. ➡ What’s happening in the first 200+
    milliseconds on a HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    ➡ Give you insights in new and upcoming
    technologies.
    3

    View full-size slide

  6. ➡ What’s happening in the first 200+
    milliseconds on a HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    ➡ Give you insights in new and upcoming
    technologies.
    ➡ Show you things to you (probably) didn’t
    knew.
    3

    View full-size slide

  7. This talk is inspired by
    a blogpost from Jeff Moser
    http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
    Unknown fact!
    4

    View full-size slide

  8. Secure Socket Layer
    (SSL)
    5
    A short and scary history

    View full-size slide

  9. then
    now
    SSL 1.0
    Vaporware
    1994
    6

    View full-size slide

  10. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    SSL 1.0
    Vaporware
    1994
    6

    View full-size slide

  11. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    SSL 1.0
    Vaporware
    1994
    6

    View full-size slide

  12. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    SSL 1.0
    Vaporware
    1994
    6

    View full-size slide

  13. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    SSL 1.0
    Vaporware
    1994
    6

    View full-size slide

  14. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    TLS 1.2
    aug
    2008
    SSL 1.0
    Vaporware
    1994
    6

    View full-size slide

  15. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 TLS 1.0 TLS 1.2
    7
    November 2013

    View full-size slide

  16. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 TLS 1.0 TLS 1.2
    7
    November 2013

    View full-size slide

  17. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 TLS 1.0 TLS 1.2
    7
    23,7%
    99,4% 97,7%
    27,6% 30,2%
    SSL 2.0 TLS 1.0 TLS 1.2
    November 2013 March 2014

    View full-size slide

  18. RFC 5246
    (TLS v1.2)
    8

    View full-size slide

  19. 9
    * We can with openssl

    View full-size slide

  20. ➡ Binary protocol - so no quick
    telnet-to-see-if-it-works*
    9
    * We can with openssl

    View full-size slide

  21. ➡ Binary protocol - so no quick
    telnet-to-see-if-it-works*
    ➡ Different records
    9
    * We can with openssl

    View full-size slide

  22. ➡ Binary protocol - so no quick
    telnet-to-see-if-it-works*
    ➡ Different records
    ➡ Handshake protocol
    9
    * We can with openssl

    View full-size slide

  23. ➡ Binary protocol - so no quick
    telnet-to-see-if-it-works*
    ➡ Different records
    ➡ Handshake protocol
    ➡ Alert protocol
    9
    * We can with openssl

    View full-size slide

  24. ➡ Binary protocol - so no quick
    telnet-to-see-if-it-works*
    ➡ Different records
    ➡ Handshake protocol
    ➡ Alert protocol
    ➡ ChangeCipherSpec protocol
    9
    * We can with openssl

    View full-size slide

  25. ➡ Binary protocol - so no quick
    telnet-to-see-if-it-works*
    ➡ Different records
    ➡ Handshake protocol
    ➡ Alert protocol
    ➡ ChangeCipherSpec protocol
    ➡ Application protocol
    9
    * We can with openssl

    View full-size slide

  26. 10
    https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

    View full-size slide

  27. Attention:
    (live)
    wiresharking
    up ahead
    11

    View full-size slide

  28. Generating
    randomness is HARD
    14

    View full-size slide

  29. entropy
    (uncertainty)
    15

    View full-size slide

  30. TIME is NOT random
    thus not a very good
    entropy source
    16

    View full-size slide

  31. PHP is bad
    when it comes to
    entropy
    17
    Unknown fact!

    View full-size slide

  32. srand(microtime())
    18
    Unknown fact!

    View full-size slide

  33. rand()
    mt_rand()
    uniqid()
    19

    View full-size slide

  34. openssl_pseudo_random_bytes()
    read from /dev/(u)random
    Use a HRNG
    “A million random digits”
    https://github.com/ircmaxell/RandomLib
    20

    View full-size slide

  35. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    22

    View full-size slide

  36. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    23

    View full-size slide

  37. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Used for exchanging
    key information
    23

    View full-size slide

  38. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Used for exchanging
    key information
    Used for authenticating
    key information
    23

    View full-size slide

  39. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Used for exchanging
    key information
    Used for authenticating
    key information
    Actual cipher (and
    length) used for
    communication
    23

    View full-size slide

  40. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Used for exchanging
    key information
    Used for authenticating
    key information
    Actual cipher (and
    length) used for
    communication
    Block cipher mode
    23

    View full-size slide

  41. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Used for exchanging
    key information
    Used for authenticating
    key information
    Used for message
    authenticating
    Actual cipher (and
    length) used for
    communication
    Block cipher mode
    23

    View full-size slide

  42. TLS_RSA_WITH_AES_256_CBC_SHA256
    24

    View full-size slide

  43. TLS_NULL_WITH_NULL_NULL
    25

    View full-size slide

  44. Client gives cipher options,
    Server ultimately decides on cipher!
    26

    View full-size slide

  45. THIS IS WHY YOU SHOULD ALWAYS
    CONFIGURE YOUR CIPHERS
    ON YOUR WEB SERVER!
    27
    Unknown fact!

    View full-size slide

  46. SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
    EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
    EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    Apache
    Nginx
    28
    https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

    View full-size slide

  47. https://www.ssllabs.com/ssltest/
    29

    View full-size slide

  48. 31
    ➡ SNI (Server Name Indication)
    ➡ Extension 0x0000
    ➡ Pretty much every decent browser /
    server.
    ➡ IE6, Win XP, Blackberry, Android 2.x
    ➡ So no worries!

    View full-size slide

  49. What an SSL certificate is NOT:
    34
    ➡ SSL certificate (but a X.509 certificate)
    ➡ Automatically secure
    ➡ Automatically trustworthy
    ➡ In any way better self-signed certificates
    ➡ Cheap

    View full-size slide

  50. What an SSL certificate is:
    35
    ➡ The best way (but not perfect) to prove authenticity
    ➡ A way to bootstrap encrypted communication
    ➡ Misleading
    ➡ (Too) Expensive

    View full-size slide

  51. 37
    ➡ X.509 Certificate

    View full-size slide

  52. 37
    ➡ X.509 Certificate
    ➡ Owner info (who is this owner)

    View full-size slide

  53. 37
    ➡ X.509 Certificate
    ➡ Owner info (who is this owner)
    ➡ Domain info (for which domain(s) is
    this certificate valid)

    View full-size slide

  54. 37
    ➡ X.509 Certificate
    ➡ Owner info (who is this owner)
    ➡ Domain info (for which domain(s) is
    this certificate valid)
    ➡ Expiry info (from when to when is this
    certificate valid)

    View full-size slide

  55. 39
    yourdomain.com

    View full-size slide

  56. 39
    yourdomain.com
    Intermediate
    CA

    View full-size slide

  57. 39
    yourdomain.com
    Intermediate
    CA

    View full-size slide

  58. 39
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View full-size slide

  59. 39
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View full-size slide

  60. 39
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View full-size slide

  61. 40
    IMPLIED TRU$T

    View full-size slide

  62. ➡ (Root) Certificate Authorities
    ➡ They are built into your browser / OS
    and you will automatically trust them.
    41

    View full-size slide

  63. 42
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l

    View full-size slide

  64. 42
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
    174

    View full-size slide

  65. 43
    ➡ X.509 certificates are used to authenticate
    the server.

    View full-size slide

  66. 43
    ➡ X.509 certificates are used to authenticate
    the server.
    ➡ Servers can ask clients to authenticate
    themselves as well.

    View full-size slide

  67. 43
    ➡ X.509 certificates are used to authenticate
    the server.
    ➡ Servers can ask clients to authenticate
    themselves as well.
    ➡ APIs

    View full-size slide

  68. 46
    Generating secrets:

    View full-size slide

  69. 46
    pre master secret server rand
    client rand
    Generating secrets:
    + +

    View full-size slide

  70. 46
    pre master secret server rand
    client rand
    master secret
    Generating secrets:
    + +

    View full-size slide

  71. 46
    pre master secret server rand
    client rand
    master secret
    master secret server rand client rand
    Generating secrets:
    + +
    +
    +

    View full-size slide

  72. 46
    pre master secret server rand
    client rand
    master secret
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +

    View full-size slide

  73. 46
    pre master secret server rand
    client rand
    master secret
    client MAC client KEY client IV server MAC server KEY server IV
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +

    View full-size slide

  74. https://github.com/jaytaph/TLS-decoder
    47
    http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
    Try it yourself, php style:

    View full-size slide

  75. 52
    Wireshark CAN decrypt your HTTPS traffic
    Unknown fact!
    SSLKEYLOGFILE
    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

    View full-size slide

  76. 53
    launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
    on a mac:

    View full-size slide

  77. ➡ TLS has overhead in computation and
    transfers. But definitely worth it.
    ➡ Some ciphersuites are better, but slower
    ➡ Speed / Security compromise
    ➡ (try: “openssl speed”)
    55

    View full-size slide

  78. Are we safe yet?
    56

    View full-size slide

  79. euh,.. no :/
    57

    View full-size slide

  80. 58
    PRE MASTER
    SECRET

    View full-size slide

  81. What if somebody*
    got hold of the site
    private key?
    59

    View full-size slide

  82. 63
    Playing the waiting game...

    View full-size slide

  83. 63
    Playing the waiting game...

    View full-size slide

  84. (PERFECT)
    FORWARDING
    SECRECY
    66

    View full-size slide

  85. Compromising the
    pre-master secret does
    not compromise our
    communication.
    67

    View full-size slide

  86. PFS:
    Can’t compromise
    other keys with a
    compromised key.
    68

    View full-size slide

  87. Unfortunately..
    69

    View full-size slide

  88. 70
    PFS needs server
    AND browser support

    View full-size slide

  89. 71
    http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

    View full-size slide

  90. 72
    http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

    View full-size slide

  91. Update your cipher
    suite list and place
    PFS ciphers at the top
    73

    View full-size slide

  92. But beware:
    heavy computations
    74

    View full-size slide

  93. 75
    SSL Test
    https://www.ssllabs.com/ssltest/

    View full-size slide

  94. -ETOOMUCHINFO
    76

    View full-size slide

  95. 77
    https://www.ssllabs.com/projects/best-practices/index.html

    View full-size slide

  96. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 78

    View full-size slide

  97. 79
    Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl

    View full-size slide