HTTPS & TLS in 2016: Security practices from the front lines

AppSecUSA Washington, DC
October 13, 2016

Kenneth White

Transcript

  1. HTTPS & TLS in 2016: Security practices from the front lines
    Kenneth White, opencryptoaudit.org/people
    Eric Mill, eric@konklone.com
    AppSecUSA, Washington October 13, 2016
  2. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs (201)
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A
  4. Confidentiality
    All the network sees are the IP address, port, and (with SNI) the domain name.
  5. Authenticity
    Modern encryption is authenticated.
    Authentication protects against impersonation.
    Authentication requires tamper-resistance: Hashes, Message Authentication Codes (MACs), Nonces
  8. Authenticity
    If you encrypt app data on your network, but don’t authenticate it, it’s not your data.
    Unsigned (or signed-then-encrypted) network packets allow me to become you.
    Without auth, Admin=0 becomes: Admin=1
  11. An example Authenticity

  12. Authenticity

  17. Integrity
    Anyone on the network can freely modify a website that isn’t using HTTPS.
    Using plain HTTP voids any strong privacy or security guarantees a website claims to offer.
  19. Some history

  29. M-15-13: Require Secure Connections

  30. https.cio.gov

  33. http://google.com hopefully https://google.com Without HSTS

  34. definitely https://google.com With HSTS

  35. HSTS = no clicking through certificate warnings

  49. HTTP/2 From the chair of the HTTP/2 working group:

  55. Ivan Ristic: SSL Threat Model https://blog.ivanristic.com/downloads/SSL_Threat_Model.png

  56. Real-world Apache/Nginx TLS

  57. Real-world Apache/Nginx TLS
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA
  60. Real-world Apache/Nginx TLS
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA
    Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  62. CBC is a problem

  65. TL;DR

  66. Highly Recommended
    Qualys SSL Labs: https://www.ssllabs.com/ssltest/
    Bulletproof SSL & TLS: https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
    Mirage TLS handshake interactive server: https://tls.openmirage.org/
    Adam Langley: Matching primitive strengths: https://www.imperialviolet.org/2014/05/25/strengthmatching.html
  67. Highly Recommended
    Mozilla Server-Side TLS/SSL Config Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/
    Mozilla Security/Server-Side TLS Wiki: https://wiki.mozilla.org/Security/Server_Side_TLS
    Scott Helme: Windows TLS config: https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/
    Scott Helme: Let’s Encrypt ECDSA certificates: https://scotthelme.co.uk/ecdsa-certificates/
  69. OpenSSL 1.1 Audit

  70. OpenSSL 1.1 Audit
    Directed by the Open Crypto Audit Project (opencryptoaudit.org)
    Commissioned by Linux Foundation’s Core Infrastructure Initiative (CII)
    Ambitious Scope
    Independent review
    Coordinating closely with OpenSSL core team
    Delayed for v. 1.1 maturity (significant refactor)
    Diverse, complex codebase:
    Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris)
    Intel x86 (incl. AES-NI), ARM6/7, MIPS, PowerPC, Alpha…
    FIPS module
  71. OpenSSL 1.1 Audit: Major Goals
    –  Thorough public security analysis of the core code in the next major release of OpenSSL
    –  Demonstrate viability of a reusable open source test harness framework
    –  Foster web-scale peer-reviewed public tools & data sets for protocol & negotiation analysis
  72. OpenSSL 1.1 Audit: Phase 1 Goals
    •  BigNum: multiprecision ints, constant time, blinding
    •  BIO (focus on composition & file functions)
    •  ASN.1 & x509 (cert & key parsing, DER/PEM decoding, structs, subordinate chains)
    •  93M cert corpus, “Frankencert” fuzzing
  73. OpenSSL 1.1 Audit: Phase 2 Goals
    •  TLS state machine
    •  EVP (PKI constructions, H/MACs, envelopes)
    •  Protocol flows, core engine implementation
    •  Memory management
    •  Crypto core (RSA, SHA-2, DH/ECDH, CBC, GGM…)
  74. OpenSSL 1.1 Audit
    Rough metrics: 412-494K total SLOC
    OpenSSL v. 1.1 Master (2015-03-14)
  75. Landed in 1.1.0 final release OpenSSL 1.1 Audit

  76. OpenSSL 1.1 Audit: Refactored
    BIO networking library (full support for IPv6)
    EVP
    Bignum
    Core data structures
    Record Layer rewrite
    SSL/TLS state machine
    Version negotiation
  77. OpenSSL 1.1 Audit: Removed
    SSLv2
    40- and 56-bit cipher support
    FIPS 140-2 module (but coming soon: https://www.openssl.org/blog/blog/2016/07/20/fips/)
    Kerberos ciphersuite support
    Removed from DEFAULT ciphersuites: RC4
  78. OpenSSL 1.1 Audit: Added
    AFALG engine (Linux userspace hardware crypto via netlink: https://lwn.net/Articles/410763/)
    Asynchronous crypto operations (libcrypto and libssl)
    CCM (authenticated) block cipher mode
    ChaCha/Poly (see: https://news.ycombinator.com/item?id=10710140)
    HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
    OCB (authenticated) block cipher mode
    Pipelining, Threading API
    Scrypt
    Curve25519: (see: https://www.ietf.org/mail-archive/web/cfrg/current/msg04996.html)
  79. OpenSSL 1.1 Audit
    OCAP final report by the end of this month
  81. Closing thoughts and Q&A

  82. HTTPS & TLS in 2016: Security practices from the front lines
    Kenn White, admin@opencryptoaudit.org
    Eric Mill, eric@konklone.com
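
Slide 8's point that encrypted but unauthenticated data can be changed in transit (Admin=0 becoming Admin=1), shown as an added example that is not part of the original slides. The SHA-256 counter-mode keystream is a toy stand-in for any unauthenticated stream or CTR mode, and all function names and the sample message are constructed for this illustration; the corrected form is encrypt-then-MAC with HMAC-SHA-256.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode), standing in for any
    # unauthenticated stream/CTR cipher. Illustration only.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypts or decrypts: XOR with the same keystream inverts itself.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag

def open_sealed(enc_key, mac_key, nonce, ct, tag) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message was modified")
    return xor_stream(enc_key, nonce, ct)

def flip_last_byte(ct: bytes, old: bytes, new: bytes) -> bytes:
    # Malleability: XORing the difference of two known plaintext bytes
    # into the ciphertext changes the plaintext, with no key needed.
    return ct[:-1] + bytes([ct[-1] ^ old[0] ^ new[0]])

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"User=guest;Admin=0"  # constructed sample message
    ct, tag = seal(enc_key, mac_key, nonce, msg)
    tampered = flip_last_byte(ct, b"0", b"1")
    unauthenticated = xor_stream(enc_key, nonce, tampered)  # no tag check
    try:
        open_sealed(enc_key, mac_key, nonce, tampered, tag)
        rejected = False
    except ValueError:
        rejected = True
    return unauthenticated, rejected

if __name__ == "__main__":
    print(demo())
```

In practice an AEAD construction such as AES-GCM or ChaCha20-Poly1305 (both listed on slide 57) provides the same check in a single primitive.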