Upgrade to Pro — share decks privately, control downloads, hide ads and more …

My TLS was broken

Piyush Verma
January 19, 2019
Technology
0
35

My TLS was broken

Piyush Verma

January 19, 2019
Tweet

More Decks by Piyush Verma

See All by Piyush Verma
SLOs that Lie
meson10
0
65
Doing SRE the right way - 2
meson10
0
100
Doing SRE the right way
meson10
0
810
Observability and Control Theory
meson10
1
700
Reliability
meson10
0
67
Reliability of Distributed Systems
meson10
0
110
Technology that builds Organizations
meson10
0
46
Namespace.go
meson10
0
62
Cgroups and Namespaces in Linux
meson10
0
220

Other Decks in Technology

See All in Technology
Predictive back transition Animation on Android 14
line_developers
PRO
1
330
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.7k
Head toward Java 20 and Java 21
line_developers
PRO
0
340
機械学習モデル性能向上への学習データからのアプローチ
okada_fuutass
0
130
MagicPod開発における テスト自動化とCI
nozomiito
0
140
少しずつでも出来るようになりたいもの、なに? / What do you want to be able to do step by step?
banjun
PRO
1
200
プロデュ―サーさん、今日も安全運転でよろしくね☆~OBD2を用いた速度・回転数検知ツールの開発~
hato3isfriend
0
140
WOFFの紹介
mmclsntr
0
120
1人目QA奮闘記-2023年ver-/QA Engineer's Struggle 2023
mii3king
1
650
RedMica 2.3 (2023-05) 新機能ハイライト およびRedmineの2023年5月までの半年間の主要な開発成果
vividtone
0
110
ハンズオンで学ぶ! Instana基礎
daihiraoka
1
140
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k

Featured

See All Featured
Happy Clients
brianwarren
90
6k
Support Driven Design
roundedbygravity
88
9k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6k
What's in a price? How to price your products and services
michaelherold
234
10k
How GitHub Uses GitHub to Build GitHub
holman
466
280k
The World Runs on Bad Software
bkeepers
PRO
59
5.9k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
35
9.7k
Designing Experiences People Love
moore
130
22k
Building Your Own Lightsaber
phodgson
96
5k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.1k
Facilitating Awesome Meetings
lara
35
4.8k

Transcript

  1. My TLS is broken
    and probably yours too.

    View Slide

  2. My TLS was broken
    My TLS is broken
    My TLS was broken
    My TLS is broken
    My TLS was broken
    My TLS will be broken

    View Slide

  3. Part 1: The GreenLock

    View Slide

  4. HTTPS
    func main() {
    http.ListenAndServeTLS(":443",
    "server.crt", "server.key", nil)
    }

    View Slide

  5. Picture or it didn’t happen

    View Slide

  6. HTTPS Server

    View Slide

  7. Part 2: TCP TLS

    View Slide

  8. TCP TLS Server
    func main() {
    cer, err := tls.LoadX509KeyPair("server.crt", "server.key")
    config := &tls.Config{Certificates: []tls.Certificate{cer}}
    ln , err := tls.Listen("tcp", ":443", config)
    conn, err := ln.Accept()
    go handleConnection(conn)
    }

    View Slide

  9. TLS Client
    func main() {
    conf := &tls.Config{//InsecureSkipVerify: true}
    conn, err := tls.Dial("tcp", "ldap.ha.tsengine.io:847", conf)
    n, err := conn.Write([]byte("hello\n"))
    buf := make([]byte, 100)
    n, err = conn.Read(buf)
    log.Println(n, err)
    }

    View Slide

  10. Server Client TCP

    View Slide

  11. Part 3: Opportunistic TLS

    View Slide

  12. func main() {
    listener, _ := net.Listen("tcp", "127.0.0.1:8000")
    conn, err := listener.Accept()
    bytesRead, err := conn.Read(...)
    if string(buffer[0:bytesRead]) == STARTTLS {
    conn := tls.Server(unenc_conn, &config)
    var buffer = make([]byte, 1024)
    conn.Handshake()
    ...
    }
    }
    TLS Client

    View Slide

  13. Part 4

    View Slide

  14. TLS Client Auth Handshake

    View Slide

  15. TLS Exchange

    View Slide

  16. Certificates

    View Slide

  17. [email protected]:~$ openssl x509 -in <(openssl s_client -connect
    wikipedia.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45
    Validity
    Not Before: Dec 21 00:00:00 2017 GMT
    Not After : Jan 24 12:00:00 2019 GMT
    X509v3 CRL Distribution Points:
    Full Name:
    URI:http://crl3.digicert.com/sha2-ha-server-g6.crl
    Full Name:
    URI:http://crl4.digicert.com/sha2-ha-server-g6.crl
    Authority Information Access:
    OCSP - URI:http://ocsp.digicert.com

    View Slide

  18. Sharing is not Caring,
    Your parents have been lying.

    View Slide

  19. Part 5: Client Authentication

    View Slide

  20. Client Authentication

    View Slide

  21. Why is Client Auth needed?

    View Slide

  22. But we use API Keys

    View Slide

  23. Client Certificate
    Certificate:
    Issuer: C = IN, ST = MH, L = Pune, OU = TS Sre Certificate
    Authority, CN = TS Sre CA
    Validity
    Not Before: Jan 18 06:53:00 2019 GMT
    Not After : Jan 17 06:53:00 2024 GMT
    Subject: C = IN, ST = MH, L = Pune, OU = TrustingSocial, CN =
    tls_demo_client
    Authority Information Access:
    OCSP - URI:http://ca.ha.tsengine.io:7889
    CA Issuers -
    URI:http://ca.ha.tsengine.io:1500/intermediate/intermediate.crt
    X509v3 CRL Distribution Points:
    Full Name:
    URI:http://ca.ha.tsengine.io:6688/api/v1/cfssl/crl

    View Slide

  24. certificate, err := tls.LoadX509KeyPair(cert, key)
    tlsConfig := &tls.Config{
    ServerName: "my-server",
    ClientAuth: tls.RequireAndVerifyClientCert,
    Certificates: []tls.Certificate{certificate},
    }
    ln, err := tls.Listen("tcp", ":443", config)
    conn, err := ln.Accept()
    go handleConnection(conn)
    Accepting Client Certs

    View Slide

  25. Deprecation of Internal &
    Reserved IP Addresses
    Circa 2012

    View Slide

  26. Part 6: PKI

    View Slide

  27. PKI Infrastructure

    View Slide

  28. certPool := x509.NewCertPool()
    b, err := ioutil.ReadFile(rootPath)
    certPool.AppendCertsFromPEM(bs)
    tlsConfig := &tls.Config{
    ServerName: "my-server",
    ClientAuth: tls.RequireAndVerifyClientCert,
    Certificates: []tls.Certificate{certificate},
    ClientCAs: certPool,
    }
    Accepting Client Certs

    View Slide

  29. certificate, err := tls.LoadX509KeyPair(cert, key)
    certPool := x509.NewCertPool()
    b, err := ioutil.ReadFile(rootPath)
    certPool.AppendCertsFromPEM(bs)
    tlsConfig := &tls.Config{
    Certificates: []tls.Certificate{certificate},
    RootCAs: certPool,
    }
    Accepting Server Certs

    View Slide

  30. Part 7: Take it Back

    View Slide

  31. How do you take-back a Cert?

    View Slide

  32. CRL

    View Slide

  33. [email protected]:~$ openssl x509 -in <(openssl s_client -connect
    wikipedia.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45
    Validity
    Not Before: Dec 21 00:00:00 2017 GMT
    Not After : Jan 24 12:00:00 2019 GMT
    X509v3 CRL Distribution Points:
    Full Name:
    URI:http://crl3.digicert.com/sha2-ha-server-g6.crl
    Authority Information Access:
    OCSP - URI:http://ocsp.digicert.com

    View Slide

  34. CRL

    View Slide

  35. CRL

    View Slide

  36. Problems with CRL

    View Slide

  37. OCSP

    View Slide

  38. [email protected]:~$ openssl x509 -in <(openssl s_client -connect
    wikipedia.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45
    Validity
    Not Before: Dec 21 00:00:00 2017 GMT
    Not After : Jan 24 12:00:00 2019 GMT
    X509v3 CRL Distribution Points:
    Full Name:
    URI:http://crl3.digicert.com/sha2-ha-server-g6.crl
    Authority Information Access:
    OCSP - URI:http://ocsp.digicert.com

    View Slide

  39. OCSP Flow

    View Slide

  40. - Server Down?
    - DDOS CA
    - Privacy Compromise
    OCSP Challenges

    View Slide

  41. Soft Fail

    View Slide

  42. Soft Fail: Firefox

    View Slide

  43. Soft Fail: Chrome

    View Slide

  44. Hard Fail?

    View Slide

  45. What’s the most
    fragile thing in
    the Universe?
    a) Silence
    b) Taylor Swift’s heart.
    c) Neymar’s Shin
    d) Internet Security

    View Slide

  46. Part 7

    View Slide

  47. Why do you revoke keys?

    View Slide

  48. https://github.com/indutny/heartbleed

    View Slide

  49. cert, err := x509.ParseCertificate(cert)
    // ok := callOCSPServer(cert)
    if !ok {
    // Certificate is revoked
    }
    tlsConfig := &tls.Config{
    ServerName: "my-server",
    ClientAuth: tls.RequireAndVerifyClientCert,
    Certificates: []tls.Certificate{certificate},
    ClientCAs: certPool,
    VerifyPeerCertificate: certValidator,
    }
    Accepting Client Certs

    View Slide

  50. Part 8

    View Slide

  51. CAtoolkit
    http:/
    /github.com/tsocial/ca
    toolkit

    View Slide

  52. Maybe, Security is just a
    feeling?

    View Slide

  53. xps:~$ whoami
    Piyush Verma
    Site Reliability Engineering
    Trusting Social
    Twitter: meson10

    View Slide