$30 off During Our Annual Pro Sale. View Details »

The first few milliseconds of HTTPS - nluug

Joshua Thijssen
November 20, 2014
150

The first few milliseconds of HTTPS - nluug

Joshua Thijssen

November 20, 2014
Tweet

Transcript

  1. The first 200 milliseconds of HTTPS
    1
    Joshua Thijssen
    jaytaph

    View Slide

  2. 2

    View Slide

  3. ➡ What’s happening in the first 200+
    milliseconds in a initial HTTPS connection.
    2

    View Slide

  4. ➡ What’s happening in the first 200+
    milliseconds in a initial HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    2

    View Slide

  5. ➡ What’s happening in the first 200+
    milliseconds in a initial HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    ➡ Give you insights in new and upcoming
    technologies.
    2

    View Slide

  6. ➡ What’s happening in the first 200+
    milliseconds in a initial HTTPS connection.
    ➡ Give tips and hints on hardening your setup.
    ➡ Give you insights in new and upcoming
    technologies.
    ➡ Show you things to you (probably) didn’t
    knew.
    2

    View Slide

  7. This talk is inspired by
    a blogpost from Jeff Moser
    http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
    Unknown fact!
    3

    View Slide

  8. HTTPS ==
    HTTP on top of TLS
    4

    View Slide

  9. Transport Layer Security
    (TLS)
    5

    View Slide

  10. Secure Socket Layer
    (SSL)
    6
    A short and scary history

    View Slide

  11. then
    now
    7

    View Slide

  12. then
    now
    SSL 1.0
    Vaporware
    1994
    7

    View Slide

  13. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    SSL 1.0
    Vaporware
    1994
    7

    View Slide

  14. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    SSL 1.0
    Vaporware
    1994
    7

    View Slide

  15. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    SSL 1.0
    Vaporware
    1994
    7

    View Slide

  16. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    SSL 1.0
    Vaporware
    1994
    7

    View Slide

  17. then
    now
    feb
    1995
    SSL 2.0
    Not-so-secure-socket-layer
    jun
    1996
    SSL 3.0
    Something stable!
    jan
    1999
    TLS 1.0
    SSL 3.1
    apr
    2006
    TLS 1.1
    TLS 1.2
    aug
    2008
    SSL 1.0
    Vaporware
    1994
    7

    View Slide

  18. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    8
    November 2013

    View Slide

  19. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    8
    19,4%
    98,0% 99,3%
    42,0% 44,3%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    November 2013
    Oct 2014

    View Slide

  20. https://www.trustworthyinternet.org/ssl-pulse/
    25,7%
    99,6% 99,3%
    18,2% 20,7%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    8
    19,4%
    98,0% 99,3%
    42,0% 44,3%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    November 2013
    Oct 2014
    16,6%
    60,6%
    99,5%
    45,4% 48,1%
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    Nov 2014

    View Slide

  21. RFC 5246
    (TLS v1.2)
    9

    View Slide

  22. 10
    Record Layer

    View Slide

  23. 10
    Record Layer
    Type Version Length

    View Slide

  24. 10
    Record Layer
    Type Version Length
    Protocol

    View Slide

  25. 10
    Record Layer
    Type Version Length
    Protocol
    Protocol
    Protocol

    View Slide

  26. 10
    Record Layer
    Type Version Length
    Protocol
    Protocol
    Protocol
    Record Layer
    Type Version Length
    Protocol

    View Slide

  27. ➡ Handshake protocol records
    ➡ Setup communication
    ➡ Change Cipher Spec protocol records
    ➡ Change communication
    ➡ Alert protocol records
    ➡ Errors
    ➡ Application Data protocol records
    ➡ Actual data transfers
    11

    View Slide

  28. 12
    https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

    View Slide

  29. Attention:
    (live)
    wiresharking
    up ahead
    13

    View Slide

  30. 14

    View Slide

  31. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    15

    View Slide

  32. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    16

    View Slide

  33. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    16

    View Slide

  34. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    16

    View Slide

  35. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    Actual cipher (and
    length) used for
    communication
    16

    View Slide

  36. TLS
    ECDHE_ECDSA
    WITH
    AES_128_GCM
    SHA256
    Cipher for exchanging
    key information
    Cipher for
    authenticating key
    information
    Hash algo for message
    authenticating
    Actual cipher (and
    length) used for
    communication
    16

    View Slide

  37. TLS_RSA_WITH_AES_256_CBC_SHA256
    17

    View Slide

  38. TLS_NULL_WITH_NULL_NULL
    18

    View Slide

  39. Client gives cipher options,
    Server ultimately decides on cipher!
    19

    View Slide

  40. THIS IS WHY YOU SHOULD ALWAYS
    CONFIGURE YOUR CIPHERS
    ON YOUR WEB SERVER!
    20
    Unknown fact!

    View Slide

  41. 21
    https://cipherli.st
    SSLCipherSuite AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3
    SSLCompression off # Requires Apache >= 2.4
    SSLHonorCipherOrder On
    SSLUseStapling on # Requires Apache >= 2.4
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires >= Apache 2.4
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header always set X-Frame-Options DENY
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options DENY;
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    Apache:
    nginx:

    View Slide

  42. https://www.ssllabs.com/ssltest/
    22

    View Slide

  43. 23

    View Slide

  44. 24

    View Slide

  45. 25
    ➡ SNI (Server Name Indication)
    ➡ Extension 0x0000
    ➡ Pretty much every decent browser /
    server.
    ➡ IE6, Win XP, Blackberry, Android 2.x,
    java 1.6.x
    ➡ So no worries!

    View Slide

  46. 26

    View Slide

  47. What an SSL certificate is NOT:
    27
    ➡ SSL certificate (but a X.509 certificate)
    ➡ Automatically secure
    ➡ Automatically trustworthy
    ➡ In any way better self-signed certificates
    ➡ Cheap

    View Slide

  48. What an SSL certificate is:
    28
    ➡ The best way (but not perfect) to prove authenticity
    ➡ A way to bootstrap encrypted communication
    ➡ Misleading
    ➡ (Too) Expensive

    View Slide

  49. 29

    View Slide

  50. 29
    ➡ X.509 Certificate

    View Slide

  51. 29
    ➡ X.509 Certificate
    ➡ Owner info (who is this owner)

    View Slide

  52. 29
    ➡ X.509 Certificate
    ➡ Owner info (who is this owner)
    ➡ Domain info (for which domain(s) is
    this certificate valid)

    View Slide

  53. 29
    ➡ X.509 Certificate
    ➡ Owner info (who is this owner)
    ➡ Domain info (for which domain(s) is
    this certificate valid)
    ➡ Expiry info (from when to when is this
    certificate valid)

    View Slide

  54. 30
    yourdomain.com

    View Slide

  55. 30
    yourdomain.com
    Intermediate
    CA

    View Slide

  56. 30
    yourdomain.com
    Intermediate
    CA

    View Slide

  57. 30
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View Slide

  58. 30
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View Slide

  59. 30
    yourdomain.com
    Root
    CA
    Intermediate
    CA

    View Slide

  60. 31
    IMPLIED TRU$T

    View Slide

  61. ➡ (Root) Certificate Authorities
    ➡ They are built into your browser / OS
    and you will automatically trust them.
    32

    View Slide

  62. 33
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l

    View Slide

  63. 33
    wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
    182
    And rising...

    View Slide

  64. 34

    View Slide

  65. 34
    ➡ X.509 certificates are used to authenticate
    the server.

    View Slide

  66. 34
    ➡ X.509 certificates are used to authenticate
    the server.
    ➡ Servers can ask clients to authenticate
    themselves as well.

    View Slide

  67. 34
    ➡ X.509 certificates are used to authenticate
    the server.
    ➡ Servers can ask clients to authenticate
    themselves as well.
    ➡ APIs

    View Slide

  68. 35

    View Slide

  69. 36
    Generating secrets:

    View Slide

  70. 36
    pre master secret server rand
    client rand
    Generating secrets:
    + +

    View Slide

  71. 36
    pre master secret server rand
    client rand
    master secret
    Generating secrets:
    + +

    View Slide

  72. 36
    pre master secret server rand
    client rand
    master secret
    master secret server rand client rand
    Generating secrets:
    + +
    +
    +

    View Slide

  73. 36
    pre master secret server rand
    client rand
    master secret
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +

    View Slide

  74. 36
    pre master secret server rand
    client rand
    master secret
    client MAC client KEY client IV server MAC server KEY server IV
    master secret server rand client rand
    key buffer
    Generating secrets:
    + +
    +
    +

    View Slide

  75. https://github.com/jaytaph/TLS-decoder
    37
    http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
    Try it yourself, php style:

    View Slide

  76. 38

    View Slide

  77. 39

    View Slide

  78. 40

    View Slide

  79. 41
    Wireshark CAN decrypt your HTTPS traffic
    Unknown fact!
    SSLKEYLOGFILE
    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

    View Slide

  80. 42
    launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
    on a mac:

    View Slide

  81. ➡ TLS has overhead in computation and
    transfers. But definitely worth it.
    ➡ Google likes it.
    ➡ Some ciphersuites are better, but slower.
    ➡ Speed / Security compromise
    ➡ (try: “openssl speed”)
    43

    View Slide

  82. Are we safe yet?
    44

    View Slide

  83. euh,.. no :/
    45

    View Slide

  84. 46
    PRE MASTER
    SECRET

    View Slide

  85. What if somebody*
    got hold of the site
    private key?
    47

    View Slide

  86. 48

    View Slide

  87. 49

    View Slide

  88. 50

    View Slide

  89. 51

    View Slide

  90. (PERFECT)
    FORWARDING
    SECRECY
    52

    View Slide

  91. Compromising the
    pre-master secret does
    not compromise our
    communication.
    53

    View Slide

  92. PFS:
    Can’t compromise
    other keys with a
    compromised key.
    54

    View Slide

  93. Unfortunately..
    55

    View Slide

  94. 56
    PFS needs server
    AND browser support

    View Slide

  95. 57
    http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

    View Slide

  96. 58
    http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

    View Slide

  97. Update your cipher
    suite list and place
    PFS ciphers at the top
    59

    View Slide

  98. But beware:
    heavy computations
    60

    View Slide

  99. 61
    SSL Test
    https://www.ssllabs.com/ssltest/

    View Slide

  100. -ETOOMUCHINFO
    62

    View Slide

  101. 63
    https://www.ssllabs.com/projects/best-practices/index.html

    View Slide

  102. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 64

    View Slide

  103. 65
    Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl

    View Slide