My TLS was broken

Transcript

1. My TLS is broken and probably yours too.

2. My TLS was broken My TLS is broken My TLS

   was broken My TLS is broken My TLS was broken My TLS will be broken

3. Part 1: The GreenLock

4. HTTPS func main() { http.ListenAndServeTLS(":443", "server.crt", "server.key", nil) }

5. Picture or it didn’t happen

6. HTTPS Server

7. Part 2: TCP TLS

8. TCP TLS Server func main() { cer, err := tls.LoadX509KeyPair("server.crt",

   "server.key") config := &tls.Config{Certificates: []tls.Certificate{cer}} ln , err := tls.Listen("tcp", ":443", config) conn, err := ln.Accept() go handleConnection(conn) }

9. TLS Client func main() { conf := &tls.Config{//InsecureSkipVerify: true} conn,

   err := tls.Dial("tcp", "ldap.ha.tsengine.io:847", conf) n, err := conn.Write([]byte("hello\n")) buf := make([]byte, 100) n, err = conn.Read(buf) log.Println(n, err) }

10. Server Client TCP

11. Part 3: Opportunistic TLS

12. func main() { listener, _ := net.Listen("tcp", "127.0.0.1:8000") conn, err

    := listener.Accept() bytesRead, err := conn.Read(...) if string(buffer[0:bytesRead]) == STARTTLS { conn := tls.Server(unenc_conn, &config) var buffer = make([]byte, 1024) conn.Handshake() ... } } TLS Client

13. Part 4

14. TLS Client Auth Handshake

15. TLS Exchange

16. Certificates

17. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Full Name: URI:http://crl4.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com

18. Sharing is not Caring, Your parents have been lying.

19. Part 5: Client Authentication

20. Client Authentication

21. Why is Client Auth needed?

22. But we use API Keys

23. Client Certificate Certificate: Issuer: C = IN, ST = MH,

    L = Pune, OU = TS Sre Certificate Authority, CN = TS Sre CA Validity Not Before: Jan 18 06:53:00 2019 GMT Not After : Jan 17 06:53:00 2024 GMT Subject: C = IN, ST = MH, L = Pune, OU = TrustingSocial, CN = tls_demo_client Authority Information Access: OCSP - URI:http://ca.ha.tsengine.io:7889 CA Issuers - URI:http://ca.ha.tsengine.io:1500/intermediate/intermediate.crt X509v3 CRL Distribution Points: Full Name: URI:http://ca.ha.tsengine.io:6688/api/v1/cfssl/crl

24. certificate, err := tls.LoadX509KeyPair(cert, key) tlsConfig := &tls.Config{ ServerName: "my-server",

    ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, } ln, err := tls.Listen("tcp", ":443", config) conn, err := ln.Accept() go handleConnection(conn) Accepting Client Certs

25. Deprecation of Internal & Reserved IP Addresses Circa 2012

26. Part 6: PKI

27. PKI Infrastructure

28. certPool := x509.NewCertPool() b, err := ioutil.ReadFile(rootPath) certPool.AppendCertsFromPEM(bs) tlsConfig :=

    &tls.Config{ ServerName: "my-server", ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, ClientCAs: certPool, } Accepting Client Certs

29. certificate, err := tls.LoadX509KeyPair(cert, key) certPool := x509.NewCertPool() b, err

    := ioutil.ReadFile(rootPath) certPool.AppendCertsFromPEM(bs) tlsConfig := &tls.Config{ Certificates: []tls.Certificate{certificate}, RootCAs: certPool, } Accepting Server Certs

30. Part 7: Take it Back

31. How do you take-back a Cert?

32. CRL

33. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com

34. CRL

35. CRL

36. Problems with CRL

37. OCSP

38. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com

39. OCSP Flow

40. - Server Down? - DDOS CA - Privacy Compromise OCSP

    Challenges

41. Soft Fail

42. Soft Fail: Firefox

43. Soft Fail: Chrome

44. Hard Fail?

45. What’s the most fragile thing in the Universe? a) Silence

    b) Taylor Swift’s heart. c) Neymar’s Shin d) Internet Security

46. Part 7

47. Why do you revoke keys?

48. https://github.com/indutny/heartbleed

49. cert, err := x509.ParseCertificate(cert) // ok := callOCSPServer(cert) if !ok

    { // Certificate is revoked } tlsConfig := &tls.Config{ ServerName: "my-server", ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, ClientCAs: certPool, VerifyPeerCertificate: certValidator, } Accepting Client Certs

50. Part 8

51. CAtoolkit http:/ /github.com/tsocial/ca toolkit

52. Maybe, Security is just a feeling?

53. xps:~$ whoami Piyush Verma Site Reliability Engineering Trusting Social Twitter:

    meson10