Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTPS is Not Enough
Search
Tim Perry
November 03, 2016
Programming
0
25k
HTTPS is Not Enough
Tim Perry
November 03, 2016
Tweet
Share
More Decks by Tim Perry
See All by Tim Perry
IoT Hackathon
pimterry
0
330
Build Your Own TTN Gateway with Resin.io and RAK Wireless
pimterry
0
24k
The Cambrian Explosion of IoT
pimterry
0
24k
Modern Easy IoT with Docker & Resin.io
pimterry
1
370
Provision, Manage & Monitor Gateways in Production with Resin.io
pimterry
0
23k
Optimizing Docker for IoT with Multi-Stage Builds
pimterry
0
29k
Hardware Hacking for JS Developers
pimterry
1
25k
Promises Are So Passé
pimterry
0
26k
Opening Open Source With DevOps
pimterry
0
28k
Other Decks in Programming
See All in Programming
FormFlow - Build Stunning Multistep Forms
yceruto
1
190
Java on Azure で LangGraph!
kohei3110
0
170
プロダクト志向なエンジニアがもう一歩先の価値を目指すために意識したこと
nealle
0
110
『自分のデータだけ見せたい!』を叶える──Laravel × Casbin で複雑権限をスッキリ解きほぐす 25 分
akitotsukahara
1
550
Deep Dive into ~/.claude/projects
hiragram
8
1.5k
関数型まつりレポート for JuliaTokai #22
antimon2
0
150
型付きアクターモデルがもたらす分散シミュレーションの未来
piyo7
0
810
プロダクト志向ってなんなんだろうね
righttouch
PRO
0
160
生成AIコーディングとの向き合い方、AIと共創するという考え方 / How to deal with generative AI coding and the concept of co-creating with AI
seike460
PRO
1
330
すべてのコンテキストを、 ユーザー価値に変える
applism118
2
800
XP, Testing and ninja testing
m_seki
3
190
なぜ「共通化」を考え、失敗を繰り返すのか
rinchoku
1
510
Featured
See All Featured
Bash Introduction
62gerente
614
210k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
48
5.4k
Done Done
chrislema
184
16k
Optimizing for Happiness
mojombo
379
70k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.3k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
For a Future-Friendly Web
brad_frost
179
9.8k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
790
A Modern Web Designer's Workflow
chriscoyier
694
190k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
8
670
Navigating Team Friction
lara
187
15k
Transcript
HTTPS is Not Enough @pimterry
@pimterry
Don’t try this at home @pimterry
Everything is Terrible @pimterry
Interception is pretty hard @pimterry
Interception is easy @pimterry
Open Wifi Interception is easy @pimterry
ARP Spoofing Interception is easy @pimterry
Evil Twin Wifi Interception is easy @pimterry
Interception is easy @pimterry
HTTPS will Save The Day @pimterry
HTTPS is Not Enough @pimterry
You Your Bank https://example.com Secure! HTTPS is not enough @pimterry
You Your Bank Me https://example.com http://example.com Secure! Insecure HTTPS is
not enough @pimterry
You Your Bank Me https://example.com https://exomple.com Secure! Secure! (but useless)
HTTPS is not enough @pimterry
Pre-HTTPS MitM ≈ HTTPS MitM @pimterry
How do you get to HTTPS? Pre-HTTPS MitM @pimterry
Enter a URL Securely do things Pre-HTTPS MitM @pimterry
Enter example.com Pre-HTTPS MitM Load http://example.com Redirected to https://example.com Securely
do things! @pimterry
Pre-HTTPS MitM Enter example.com Load http://example.com Hijack request, transparently proxy
it without the redirect, and do what you like. GAME OVER N O PE @pimterry
Pre-HTTPS MitM Load a page Securely do things Click a
link @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to https://example.com Securely do
things! @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to http://example.com Proxy rewrites
all links to HTTP Transparently proxy your request GAME OVER N O PE @pimterry
Any insecure step = Easy hijacking @pimterry
Is this really a thing? github.com/resin-io-playground/raspberry-pineapple @pimterry
Any insecure step = Easy hijacking @pimterry
PANIC @pimterry
Don’t trust HTTP-only sites with anything Check the URL and
certificate, constantly Install HTTPS Everywhere Use a VPN As a user? @pimterry
We need a secure web @pimterry
We need to disable HTTP @pimterry
Disabling HTTP in the browser @pimterry
HTTPS-only Features Disabling HTTP in the browser: @pimterry
Geolocation Service Workers (i.e. offline, notifications, sync) DeviceMotion WebRTC HTTP/2
HTTPS-Only Features @pimterry
Warnings on HTTP Disabling HTTP in the browser: @pimterry
@pimterry
Disabling HTTP for your site @pimterry
Free certificates Disabling HTTP for your site: @pimterry
@pimterry
Content Security Policy (CSP) Disabling HTTP for your site: @pimterry
Automatically switch URLs to HTTPS Content-Security-Policy: upgrade-insecure-requests @pimterry
Report switched URLs Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Report-only, for testing Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Free reporting platform: report-uri.com @pimterry
HTTP Strict Transport Security (HSTS) Disabling HTTP for your site:
@pimterry
HTTP header for your server responses (ineffective basic example) Strict-Transport-Security:
max-age=3600 @pimterry
Strict-Transport-Security: max-age=31556926 Slightly better example @pimterry
Even better example Strict-Transport-Security: max-age=31556926; includeSubDomains @pimterry
What about the first request? @pimterry
Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Great example Then submit to hstspreload.org
@pimterry
Needs to be set on root domain (example.com) Required on
redirect domains too (example.net) Needs easily recognizable domains You’re committing to HTTPS forever Other gotchas @pimterry
We’re saved! @pimterry
Nobody uses it :-( @pimterry
Serve content with HTTPS only Use upgrade-insecure-requests Use HSTS, and
get preloaded Check other sites (securityheaders.io) and complain! Let’s build a secure web @pimterry
HTTPS is Not Enough @pimterry