Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTPS is Not Enough
Search
Tim Perry
November 03, 2016
Programming
0
26k
HTTPS is Not Enough
Tim Perry
November 03, 2016
Tweet
Share
More Decks by Tim Perry
See All by Tim Perry
IoT Hackathon
pimterry
0
340
Build Your Own TTN Gateway with Resin.io and RAK Wireless
pimterry
0
25k
The Cambrian Explosion of IoT
pimterry
0
24k
Modern Easy IoT with Docker & Resin.io
pimterry
1
380
Provision, Manage & Monitor Gateways in Production with Resin.io
pimterry
0
23k
Optimizing Docker for IoT with Multi-Stage Builds
pimterry
0
29k
Hardware Hacking for JS Developers
pimterry
1
25k
Promises Are So Passé
pimterry
0
26k
Opening Open Source With DevOps
pimterry
0
28k
Other Decks in Programming
See All in Programming
Android 16 × Jetpack Composeで縦書きテキストエディタを作ろう / Vertical Text Editor with Compose on Android 16
cc4966
0
170
時間軸から考えるTerraformを使う理由と留意点
fufuhu
15
4.6k
Rancher と Terraform
fufuhu
2
240
実用的なGOCACHEPROG実装をするために / golang.tokyo #40
mazrean
1
250
How Android Uses Data Structures Behind The Scenes
l2hyunwoo
0
390
さようなら Date。 ようこそTemporal! 3年間先行利用して得られた知見の共有
8beeeaaat
3
1.4k
Swift Updates - Learn Languages 2025
koher
2
470
AI Coding Agentのセキュリティリスク:PRの自己承認とメルカリの対策
s3h
0
200
Design Foundational Data Engineering Observability
sucitw
3
190
testingを眺める
matumoto
1
140
🔨 小さなビルドシステムを作る
momeemt
3
670
「手軽で便利」に潜む罠。 Popover API を WCAG 2.2の視点で安全に使うには
taitotnk
0
830
Featured
See All Featured
Balancing Empowerment & Direction
lara
3
620
Docker and Python
trallard
45
3.6k
Visualization
eitanlees
148
16k
What's in a price? How to price your products and services
michaelherold
246
12k
The Power of CSS Pseudo Elements
geoffreycrofte
77
6k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Scaling GitHub
holman
463
140k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
Speed Design
sergeychernyshev
32
1.1k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
810
Thoughts on Productivity
jonyablonski
70
4.8k
Rails Girls Zürich Keynote
gr2m
95
14k
Transcript
HTTPS is Not Enough @pimterry
@pimterry
Don’t try this at home @pimterry
Everything is Terrible @pimterry
Interception is pretty hard @pimterry
Interception is easy @pimterry
Open Wifi Interception is easy @pimterry
ARP Spoofing Interception is easy @pimterry
Evil Twin Wifi Interception is easy @pimterry
Interception is easy @pimterry
HTTPS will Save The Day @pimterry
HTTPS is Not Enough @pimterry
You Your Bank https://example.com Secure! HTTPS is not enough @pimterry
You Your Bank Me https://example.com http://example.com Secure! Insecure HTTPS is
not enough @pimterry
You Your Bank Me https://example.com https://exomple.com Secure! Secure! (but useless)
HTTPS is not enough @pimterry
Pre-HTTPS MitM ≈ HTTPS MitM @pimterry
How do you get to HTTPS? Pre-HTTPS MitM @pimterry
Enter a URL Securely do things Pre-HTTPS MitM @pimterry
Enter example.com Pre-HTTPS MitM Load http://example.com Redirected to https://example.com Securely
do things! @pimterry
Pre-HTTPS MitM Enter example.com Load http://example.com Hijack request, transparently proxy
it without the redirect, and do what you like. GAME OVER N O PE @pimterry
Pre-HTTPS MitM Load a page Securely do things Click a
link @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to https://example.com Securely do
things! @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to http://example.com Proxy rewrites
all links to HTTP Transparently proxy your request GAME OVER N O PE @pimterry
Any insecure step = Easy hijacking @pimterry
Is this really a thing? github.com/resin-io-playground/raspberry-pineapple @pimterry
Any insecure step = Easy hijacking @pimterry
PANIC @pimterry
Don’t trust HTTP-only sites with anything Check the URL and
certificate, constantly Install HTTPS Everywhere Use a VPN As a user? @pimterry
We need a secure web @pimterry
We need to disable HTTP @pimterry
Disabling HTTP in the browser @pimterry
HTTPS-only Features Disabling HTTP in the browser: @pimterry
Geolocation Service Workers (i.e. offline, notifications, sync) DeviceMotion WebRTC HTTP/2
HTTPS-Only Features @pimterry
Warnings on HTTP Disabling HTTP in the browser: @pimterry
@pimterry
Disabling HTTP for your site @pimterry
Free certificates Disabling HTTP for your site: @pimterry
@pimterry
Content Security Policy (CSP) Disabling HTTP for your site: @pimterry
Automatically switch URLs to HTTPS Content-Security-Policy: upgrade-insecure-requests @pimterry
Report switched URLs Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Report-only, for testing Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Free reporting platform: report-uri.com @pimterry
HTTP Strict Transport Security (HSTS) Disabling HTTP for your site:
@pimterry
HTTP header for your server responses (ineffective basic example) Strict-Transport-Security:
max-age=3600 @pimterry
Strict-Transport-Security: max-age=31556926 Slightly better example @pimterry
Even better example Strict-Transport-Security: max-age=31556926; includeSubDomains @pimterry
What about the first request? @pimterry
Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Great example Then submit to hstspreload.org
@pimterry
Needs to be set on root domain (example.com) Required on
redirect domains too (example.net) Needs easily recognizable domains You’re committing to HTTPS forever Other gotchas @pimterry
We’re saved! @pimterry
Nobody uses it :-( @pimterry
Serve content with HTTPS only Use upgrade-insecure-requests Use HSTS, and
get preloaded Check other sites (securityheaders.io) and complain! Let’s build a secure web @pimterry
HTTPS is Not Enough @pimterry