HTTPS & TLS in 2016: Security practices from the front lines

Kenn White
October 13, 2016

AppSecUSA Washington, DC
October 13, 2016

Transcript

  1. HTTPS & TLS in 2016
    Security practices from the front lines
    Kenneth White, opencryptoaudit.org/people
    Eric Mill, [email protected]
    AppSecUSA, Washington
    October 13, 2016

  2. Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs (201)
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A

  4. Confidentiality
    All the network sees are
    the IP address, port, and (with SNI) the domain name.

  5. Modern encryption is authenticated.
    Authentication protects against impersonation.
    Authentication requires tamper-resistance:
    Hashes
    Message Authentication Codes (MACs)
    Nonces
    Authenticity

  8. If you encrypt app data on your network, but
    don’t authenticate it, it’s not your data.
    Unsigned (or signed-then-encrypted) network
    packets allow me to become you.
    Without auth, Admin=0 becomes: Admin=1
    Authenticity
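
The Admin=0 to Admin=1 flip above, worked through as an added example (not from the original deck): a constructed toy keystream cipher stands in for any unauthenticated stream or CTR-mode encryption, and an encrypt-then-MAC wrapper shows the same tampering being rejected. The function names, keys and message are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); constructed for illustration only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream. No integrity protection."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Check the tag in constant time before decrypting; None means rejected."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(enc_key, nonce, ct)

def flip_admin(ct: bytes, offset: int) -> bytes:
    """What anyone on the path can do without a key: XOR one ciphertext byte
    with ord('0') ^ ord('1'), so a '0' at that offset decrypts as '1'."""
    tampered = bytearray(ct)
    tampered[offset] ^= ord("0") ^ ord("1")
    return bytes(tampered)

# Constructed sample values (assumptions, not from the talk).
ENC_KEY, MAC_KEY, NONCE = b"k" * 32, b"m" * 32, b"n" * 12
MESSAGE = b"User=alice;Admin=0"

if __name__ == "__main__":
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    forged = flip_admin(ct, len(MESSAGE) - 1)
    print("encryption only: ", xor_crypt(ENC_KEY, NONCE, forged))
    print("encrypt-then-MAC:", open_sealed(ENC_KEY, MAC_KEY, NONCE, forged, tag))
```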

  11. An example
    Authenticity

  12. Authenticity

  17. Integrity
    Anyone on the network can freely modify
    a website that isn’t using HTTPS.
    Using plain HTTP voids any strong privacy
    or security guarantees a website claims to offer.

  19. Some history

  29. M-15-13: Require Secure Connections

  30. https.cio.gov

  33. http://google.com
    hopefully https://google.com
    Without HSTS

  34. definitely https://google.com
    With HSTS

  35. HSTS = no clicking through certificate warnings

  49. HTTP/2
    From the chair of the HTTP/2 working group:

  55. Ivan Ristic: SSL Threat Model
    https://blog.ivanristic.com/downloads/SSL_Threat_Model.png

  56. Real-world Apache/Nginx TLS

  57. Real-world Apache/Nginx TLS
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA

  60. Real-world Apache/Nginx TLS
    Also:
    HSTS (strict transport security), HPKP (pinning),
    CT (cert transparency), SNI (virtual hosts)

  62. CBC is a problem

  65. TL;DR

  66. Highly Recommended
    Qualys SSL Labs
    https://www.ssllabs.com/ssltest/
    Bulletproof SSL & TLS
    https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
    Mirage TLS handshake interactive server
    https://tls.openmirage.org/
    Adam Langley: Matching primitive strengths
    https://www.imperialviolet.org/2014/05/25/strengthmatching.html

  67. Highly Recommended
    Mozilla Server-Side TLS/SSL Config Generator
    https://mozilla.github.io/server-side-tls/ssl-config-generator/
    Mozilla Security/Server-Side TLS Wiki
    https://wiki.mozilla.org/Security/Server_Side_TLS
    Scott Helme: Windows TLS config
    https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/
    Scott Helme: Let’s Encrypt ECDSA certificates
    https://scotthelme.co.uk/ecdsa-certificates/

  69. OpenSSL 1.1 Audit

  70. OpenSSL 1.1 Audit
    Directed by the Open Crypto Audit Project (opencryptoaudit.org)
    Commissioned by Linux Foundation’s Core Infrastructure Initiative (CII)
    Ambitious Scope
    Independent review
    Coordinating closely with OpenSSL core team
    Delayed for v. 1.1 maturity (significant refactor)
    Diverse, complex codebase:
    Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris)
    Intel x86 (incl. AES-NI), ARM6/7, MIPS, PowerPC, Alpha…
    FIPS module

  71. OpenSSL 1.1 Audit
    Major Goals
    –  Thorough public security analysis of the core code in the next
    major release of OpenSSL
    –  Demonstrate viability of a reusable open source test harness
    framework
    –  Foster web-scale peer-reviewed public tools & data sets for
    protocol & negotiation analysis

  72. OpenSSL 1.1 Audit
    Phase 1 Goals
    •  BigNum: multiprecision ints, constant time, blinding
    •  BIO (focus on composition & file functions)
    •  ASN.1 & x509 (cert & key parsing, DER/PEM
    decoding, structs, subordinate chains)
    •  93M cert corpus, “Frankencert” fuzzing

  73. OpenSSL 1.1 Audit
    Phase 2 Goals
    •  TLS state machine
    •  EVP (PKI constructions, H/MACs, envelopes)
    •  Protocol flows, core engine implementation
    •  Memory management
    •  Crypto core (RSA, SHA-2, DH/ECDH, CBC,
    GCM…)

  74. OpenSSL 1.1 Audit
    Rough metrics: 412-494K total SLOC
    OpenSSL v. 1.1 Master (2015-03-14)

  75. Landed in 1.1.0 final release
    OpenSSL 1.1 Audit

  76. OpenSSL 1.1 Audit
    Refactored:
    BIO networking library (full support for IPv6)
    EVP
    Bignum
    Core data structures
    Record Layer rewrite
    SSL/TLS state machine
    Version negotiation

  77. OpenSSL 1.1 Audit
    Removed:
    SSLv2
    40- and 56-bit cipher support
    FIPS 140-2 module (but coming soon:
    https://www.openssl.org/blog/blog/2016/07/20/fips/)
    Kerberos ciphersuite support
    Removed from DEFAULT ciphersuites:
    RC4

  78. OpenSSL 1.1 Audit
    Added:
    AFALG engine (Linux userspace hardware crypto via netlink:
    https://lwn.net/Articles/410763/)
    Asynchronous crypto operations (libcrypto and libssl)
    CCM (authenticated) block cipher mode
    ChaCha/Poly (see: https://news.ycombinator.com/item?id=10710140)
    HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
    OCB (authenticated) block cipher mode
    Pipelining, Threading API
    Scrypt
    Curve25519: (see: https://www.ietf.org/mail-archive/web/cfrg/current/msg04996.html)

  79. OpenSSL 1.1 Audit
    OCAP final report by the end of this month

  81. Closing thoughts and Q&A

  82. HTTPS & TLS in 2016
    Security practices from the front lines
    Kenn White, [email protected]
    Eric Mill, [email protected]
