HTTPS & TLS in 2016: Security practices from the front lines

Kenn White
October 13, 2016

AppSecUSA Washington, DC
October 13, 2016

Transcript

  1. HTTPS & TLS in 2016
    Security practices from the front lines
    Kenneth White, opencryptoaudit.org/people
    Eric Mill, [email protected]
    AppSecUSA, Washington
    October 13, 2016

  2. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs (201)
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  3. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  4. Confidentiality
    All the network sees are
    the IP address, port, and (with SNI) the domain name.

  5. Modern encryption is authenticated.
    Authentication protects against impersonation.
    Authentication requires tamper-resistance:
    Hashes
    Message Authentication Codes (MACs)
    Nonces
    Authenticity

  8. If you encrypt app data on your network, but
    don’t authenticate it, it’s not your data.
    Unsigned (or signed-then-encrypted) network
    packets allow me to become you.
    Without auth, Admin=0 becomes: Admin=1
    Authenticity
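
The Admin=0 to Admin=1 point above, as an added example (not from the talk): a constructed message is encrypted with a toy SHA-256 counter-mode keystream, standing in for any stream or CTR-mode cipher, and one ciphertext byte is changed without the key. All function names and the sample message are assumptions of this example; the encrypt-then-MAC variant rejects the same change.

```python
import hashlib
import hmac
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode), standing in for AES-CTR
    or ChaCha20 so the example needs only the standard library."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    nonce = os.urandom(16)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Verify the tag in constant time before decrypting anything."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message was modified")
    return keystream_xor(enc_key, nonce, ct)

def flip(ct, offset, old, new):
    """A keyless change in transit: XOR a known byte difference into the
    ciphertext, which changes the same byte of the plaintext."""
    out = bytearray(ct)
    out[offset] ^= old ^ new
    return bytes(out)

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"user=guest;Admin=0"  # constructed sample message
    nonce, ct, tag = seal(enc_key, mac_key, msg)
    forged = flip(ct, len(msg) - 1, ord("0"), ord("1"))
    # Encryption only: the modified ciphertext decrypts without complaint.
    unauthenticated = keystream_xor(enc_key, nonce, forged)
    # Encrypt-then-MAC: the same modification fails verification.
    try:
        open_sealed(enc_key, mac_key, nonce, forged, tag)
        rejected = False
    except ValueError:
        rejected = True
    return unauthenticated, rejected
```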

  11. An example
    Authenticity

  12. Authenticity

  13. Integrity
    Anyone on the network can freely modify
    a website that isn’t using HTTPS.
    Using plain HTTP voids any strong privacy
    or security guarantees a website claims to offer.

  14. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  15. Some history

  16. M-15-13: Require Secure Connections

  17. https.cio.gov

  18. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  19. http://google.com
    hopefully https://google.com
    Without HSTS

  20. definitely https://google.com
    With HSTS

  21. HSTS = no clicking through certificate warnings

  22. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  24. HTTP/2
    From the chair of the HTTP/2 working group:

  25. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  26. Ivan Ristic: SSL Threat Model
    https://blog.ivanristic.com/downloads/SSL_Threat_Model.png

  27. Real-world Apache/Nginx TLS

  28. Real-world Apache/Nginx TLS
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA

  31. Real-world Apache/Nginx TLS
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA
    Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

  32. Real-world Apache/Nginx TLS
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA

  33. CBC is a problem

  35. Real-world Apache/Nginx TLS
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA
    Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

  36. Highly Recommended
    Qualys SSL Labs
    https://www.ssllabs.com/ssltest/
    Bulletproof SSL & TLS
    https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
    Mirage TLS handshake interactive server
    https://tls.openmirage.org/
    Adam Langley: Matching primitive strengths
    https://www.imperialviolet.org/2014/05/25/strengthmatching.html

  37. Highly Recommended
    Mozilla Server-Side TLS/SSL Config Generator
    https://mozilla.github.io/server-side-tls/ssl-config-generator/
    Mozilla Security/Server-Side TLS Wiki
    https://wiki.mozilla.org/Security/Server_Side_TLS
    Scott Helme: Windows TLS config
    https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/
    Scott Helme: Let’s Encrypt ECDSA certificates
    https://scotthelme.co.uk/ecdsa-certificates/

  38. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  39. OpenSSL 1.1 Audit

  40. OpenSSL 1.1 Audit
    Directed by the Open Crypto Audit Project (opencryptoaudit.org)
    Commissioned by Linux Foundation’s Core Infrastructure Initiative (CII)
    Ambitious Scope
    Independent review
    Coordinating closely with OpenSSL core team
    Delayed for v. 1.1 maturity (significant refactor)
    Diverse, complex codebase:
    Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris)
    Intel x86 (incl. AES-NI), ARM6/7, MIPS, PowerPC, Alpha…
    FIPS module

  41. OpenSSL 1.1 Audit
    Major Goals
    –  Thorough public security analysis of the core code in the next major release of OpenSSL
    –  Demonstrate viability of a reusable open source test harness framework
    –  Foster web-scale peer-reviewed public tools & data sets for protocol & negotiation analysis

  42. OpenSSL 1.1 Audit
    Phase 1 Goals
    •  BigNum: multiprecision ints, constant time, blinding
    •  BIO (focus on composition & file functions)
    •  ASN.1 & x509 (cert & key parsing, DER/PEM decoding, structs, subordinate chains)
    •  93M cert corpus, “Frankencert” fuzzing

  43. OpenSSL 1.1 Audit
    Phase 2 Goals
    •  TLS state machine
    •  EVP (PKI constructions, H/MACs, envelopes)
    •  Protocol flows, core engine implementation
    •  Memory management
    •  Crypto core (RSA, SHA-2, DH/ECDH, CBC, GGM…)

  44. OpenSSL 1.1 Audit
    Rough metrics: 412-494K total SLOC
    OpenSSL v. 1.1 Master (2015-03-14)

  45. Landed in 1.1.0 final release
    OpenSSL 1.1 Audit

  46. OpenSSL 1.1 Audit
    Refactored:
    BIO networking library (full support for IPv6)
    EVP
    Bignum
    Core data structures
    Record Layer rewrite
    SSL/TLS state machine
    Version negotiation

  47. OpenSSL 1.1 Audit
    Removed:
    SSLv2
    40- and 56-bit cipher support
    FIPS 140-2 module (but coming soon: https://www.openssl.org/blog/blog/2016/07/20/fips/)
    Kerberos ciphersuite support
    Removed from DEFAULT ciphersuites:
    RC4

  48. OpenSSL 1.1 Audit
    Added:
    AFALG engine (Linux userspace hardware crypto via netlink: https://lwn.net/Articles/410763/)
    Asynchronous crypto operations (libcrypto and libssl)
    CCM (authenticated) block cipher mode
    ChaCha/Poly (see: https://news.ycombinator.com/item?id=10710140)
    HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
    OCB (authenticated) block cipher mode
    Pipelining, Threading API
    Scrypt
    Curve25519: (see: https://www.ietf.org/mail-archive/web/cfrg/current/msg04996.html)

  49. OpenSSL 1.1 Audit
    OCAP final report by the end of this month

  50. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  51. Closing thoughts and Q&A

  52. HTTPS & TLS in 2016
    Security practices from the front lines
    Kenn White, [email protected]
    Eric Mill, [email protected]