The first few milliseconds of HTTPS - nluug

The first 200 milliseconds of HTTPS
1
Joshua Thijssen
jaytaph

View Slide

2

View Slide

➡ What’s happening in the first 200+
milliseconds in a initial HTTPS connection.
2

View Slide

➡ Give tips and hints on hardening your setup.
2

View Slide

➡ Give you insights in new and upcoming
technologies.
2

View Slide

➡ Give you insights in new and upcoming
technologies.
➡ Show you things to you (probably) didn’t
knew.
2

View Slide

This talk is inspired by
a blogpost from Jeff Moser
http://www.moserware.com/2009/06/ﬁrst-few-milliseconds-of-https.html
Unknown fact!
3

View Slide

HTTPS ==
HTTP on top of TLS
4

View Slide

Transport Layer Security
(TLS)
5

View Slide

Secure Socket Layer
(SSL)
6
A short and scary history

View Slide

then
now
7

View Slide

then
now
SSL 1.0
Vaporware
1994
7

View Slide

then
now
feb
1995
SSL 2.0
Not-so-secure-socket-layer
SSL 1.0
Vaporware
1994
7

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
SSL 1.0
Vaporware
1994
7

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
SSL 1.0
Vaporware
1994
7

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
apr
2006
TLS 1.1
SSL 1.0
Vaporware
1994
7

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
apr
2006
TLS 1.1
TLS 1.2
aug
2008
SSL 1.0
Vaporware
1994
7

View Slide

https://www.trustworthyinternet.org/ssl-pulse/
25,7%
99,6% 99,3%
18,2% 20,7%
SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
8
November 2013

View Slide

25,7%
99,6% 99,3%
18,2% 20,7%
8
19,4%
98,0% 99,3%
42,0% 44,3%
November 2013
Oct 2014

View Slide

25,7%
99,6% 99,3%
18,2% 20,7%
8
19,4%
98,0% 99,3%
42,0% 44,3%
November 2013
Oct 2014
16,6%
60,6%
99,5%
45,4% 48,1%
Nov 2014

View Slide

RFC 5246
(TLS v1.2)
9

View Slide

10
Record Layer

View Slide

10
Record Layer
Type Version Length

View Slide

10
Record Layer
Type Version Length
Protocol

View Slide

10
Record Layer
Type Version Length
Protocol
Protocol
Protocol

View Slide

10
Record Layer
Type Version Length
Protocol
Protocol
Protocol
Record Layer
Type Version Length
Protocol

View Slide

➡ Handshake protocol records
➡ Setup communication
➡ Change Cipher Spec protocol records
➡ Change communication
➡ Alert protocol records
➡ Errors
➡ Application Data protocol records
➡ Actual data transfers
11

View Slide

12
https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

View Slide

Attention:
(live)
wiresharking
up ahead
13

View Slide

14

View Slide

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
15

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
16

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Cipher for exchanging
key information
16

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
key information
Cipher for
authenticating key
information
16

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
key information
Cipher for
authenticating key
information
Actual cipher (and
length) used for
communication
16

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
key information
Cipher for
authenticating key
information
Hash algo for message
authenticating
Actual cipher (and
length) used for
communication
16

View Slide

TLS_RSA_WITH_AES_256_CBC_SHA256
17

View Slide

TLS_NULL_WITH_NULL_NULL
18

View Slide

Client gives cipher options,
Server ultimately decides on cipher!
19

View Slide

THIS IS WHY YOU SHOULD ALWAYS
CONFIGURE YOUR CIPHERS
ON YOUR WEB SERVER!
20
Unknown fact!

View Slide

21
https://cipherli.st
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off # Requires Apache >= 2.4
SSLHonorCipherOrder On
SSLUseStapling on # Requires Apache >= 2.4
SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires >= Apache 2.4
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY
ssl_ciphers 'AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
Apache:
nginx:

View Slide

https://www.ssllabs.com/ssltest/
22

View Slide

23

View Slide

24

View Slide

25
➡ SNI (Server Name Indication)
➡ Extension 0x0000
➡ Pretty much every decent browser /
server.
➡ IE6, Win XP, Blackberry, Android 2.x,
java 1.6.x
➡ So no worries!

View Slide

26

View Slide

What an SSL certificate is NOT:
27
➡ SSL certificate (but a X.509 certificate)
➡ Automatically secure
➡ Automatically trustworthy
➡ In any way better self-signed certificates
➡ Cheap

View Slide

What an SSL certificate is:
28
➡ The best way (but not perfect) to prove authenticity
➡ A way to bootstrap encrypted communication
➡ Misleading
➡ (Too) Expensive

View Slide

29

View Slide

29
➡ X.509 Certificate

View Slide

29
➡ Owner info (who is this owner)

View Slide

29
➡ Domain info (for which domain(s) is
this certificate valid)

View Slide

29
➡ Domain info (for which domain(s) is
this certificate valid)
➡ Expiry info (from when to when is this
certificate valid)

View Slide

30
yourdomain.com

View Slide

30
yourdomain.com
Intermediate
CA

View Slide

30
yourdomain.com
Root
CA
Intermediate
CA

View Slide

31
IMPLIED TRU$T

View Slide

➡ (Root) Certificate Authorities
➡ They are built into your browser / OS
and you will automatically trust them.
32

View Slide

33
wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l

View Slide

33
wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
182
And rising...

View Slide

34

View Slide

34
➡ X.509 certificates are used to authenticate
the server.

View Slide

34
the server.
➡ Servers can ask clients to authenticate
themselves as well.

View Slide

34
the server.
➡ Servers can ask clients to authenticate
themselves as well.
➡ APIs

View Slide

35

View Slide

36
Generating secrets:

View Slide

36
pre master secret server rand
client rand
Generating secrets:
+ +

View Slide

36
client rand
master secret
Generating secrets:
+ +

View Slide

36
client rand
master secret
master secret server rand client rand
Generating secrets:
+ +
+
+

View Slide

36
client rand
master secret
key buffer
Generating secrets:
+ +
+
+

View Slide

36
client rand
master secret
client MAC client KEY client IV server MAC server KEY server IV
key buffer
Generating secrets:
+ +
+
+

View Slide

https://github.com/jaytaph/TLS-decoder
37
http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
Try it yourself, php style:

View Slide

38

View Slide

39

View Slide

40

View Slide

41
Wireshark CAN decrypt your HTTPS trafﬁc
Unknown fact!
SSLKEYLOGFILE
https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

View Slide

42
launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
on a mac:

View Slide

➡ TLS has overhead in computation and
transfers. But definitely worth it.
➡ Google likes it.
➡ Some ciphersuites are better, but slower.
➡ Speed / Security compromise
➡ (try: “openssl speed”)
43

View Slide

Are we safe yet?
44

View Slide

euh,.. no :/
45

View Slide

46
PRE MASTER
SECRET

View Slide

What if somebody*
got hold of the site
private key?
47

View Slide

48

View Slide

49

View Slide

50

View Slide

51

View Slide

(PERFECT)
FORWARDING
SECRECY
52

View Slide

Compromising the
pre-master secret does
not compromise our
communication.
53

View Slide

PFS:
Can’t compromise
other keys with a
compromised key.
54

View Slide

Unfortunately..
55

View Slide

56
PFS needs server
AND browser support

View Slide

57
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

View Slide

58
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

View Slide

Update your cipher
suite list and place
PFS ciphers at the top
59

View Slide

But beware:
heavy computations
60

View Slide

61
SSL Test
https://www.ssllabs.com/ssltest/

View Slide

-ETOOMUCHINFO
62

View Slide

63
https://www.ssllabs.com/projects/best-practices/index.html

View Slide

http://farm1.static.ﬂickr.com/73/163450213_18478d3aa6_d.jpg 64

View Slide

65
Find me on twitter: @jaytaph
Find me for development and training: www.noxlogic.nl
Find me on email: [email protected]
Find me for blogs: www.adayinthelifeof.nl

View Slide

The first few milliseconds of HTTPS - nluug

The first few milliseconds of HTTPS - nluug

Joshua Thijssen

More Decks by Joshua Thijssen

Featured

Transcript