$30 off During Our Annual Pro Sale. View Details »

HTTPS is Not Enough

Tim Perry
November 03, 2016
Programming
0
21k

HTTPS is Not Enough

Tim Perry

November 03, 2016
Tweet

More Decks by Tim Perry

See All by Tim Perry
IoT Hackathon
pimterry
0
280
Build Your Own TTN Gateway with Resin.io and RAK Wireless
pimterry
0
20k
The Cambrian Explosion of IoT
pimterry
0
20k
Modern Easy IoT with Docker & Resin.io
pimterry
1
330
Provision, Manage & Monitor Gateways in Production with Resin.io
pimterry
0
18k
Optimizing Docker for IoT with Multi-Stage Builds
pimterry
0
24k
Hardware Hacking for JS Developers
pimterry
1
21k
Promises Are So Passé
pimterry
0
21k
Opening Open Source With DevOps
pimterry
0
24k

Other Decks in Programming

See All in Programming
Java 8 から 21 へのバージョンアップでどう変わる?:実アプリケーションで学ぶ実装のポイント / 20231111 Key Implementation Points from Java 8 to 21
mackey0225
6
530
ゆめみの Flutter エンジニア育成方法
morikann
0
240
B2B SaaSでSpringSecurityによる Roleを用いたユーザー権限設定の 実装について
rakus_dev
1
180
エンジニア秘書が通訳する異文化コミュニケーションのあれこれ / engineer-communication
assu_ming
0
120
DartによるBFF構築・運用 〜 Dart Frog × Melos 〜
yumnumm
1
1.4k
LINEログインのログインフローを理解して使う
minako__ph
0
160
技術書を読む技術(JJUG CCC 2023 Fall)
yonetty
1
270
Open Source - A Journey of Contribution and Collaboration
ivargrimstad
0
600
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
650
フロントエンドエンジニアも知っておきたい HTTP/3 で変わること
yahiru
17
9.6k
kube-proxy入門
bells17
7
900
MTDDC Meetup TOKYO 2023
chinen
1
200

Featured

See All Featured
Being A Developer After 40
akosma
52
580k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.8k
In The Pink: A Labor of Love
frogandcode
135
21k
Music & Morning Musume
bryan
38
5.2k
Debugging Ruby Performance
tmm1
68
11k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
Thoughts on Productivity
jonyablonski
55
3.5k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
13
5.9k
Agile that works and the tools we love
rasmusluckow
323
20k
Code Reviewing Like a Champion
maltzj
511
38k

Transcript

  1. HTTPS
    is
    Not
    Enough
    @pimterry

    View Slide

  2. @pimterry

    View Slide

  3. Don’t try this at home
    @pimterry

    View Slide

  4. Everything is
    Terrible
    @pimterry

    View Slide

  5. Interception
    is pretty hard
    @pimterry

    View Slide

  6. Interception
    is easy
    @pimterry

    View Slide

  7. Open Wifi
    Interception is easy
    @pimterry

    View Slide

  8. ARP Spoofing
    Interception is easy
    @pimterry

    View Slide

  9. Evil Twin Wifi
    Interception is easy
    @pimterry

    View Slide

  10. Interception is easy
    @pimterry

    View Slide

  11. HTTPS will
    Save The Day
    @pimterry

    View Slide

  12. HTTPS is
    Not Enough
    @pimterry

    View Slide

  13. You
    Your
    Bank
    https://example.com
    Secure!
    HTTPS is
    not enough
    @pimterry

    View Slide

  14. You
    Your
    Bank
    Me
    https://example.com
    http://example.com
    Secure!
    Insecure
    HTTPS is
    not enough
    @pimterry

    View Slide

  15. You
    Your
    Bank
    Me
    https://example.com
    https://exomple.com
    Secure!
    Secure!
    (but useless)
    HTTPS is
    not enough
    @pimterry

    View Slide

  16. Pre-HTTPS MitM

    HTTPS MitM
    @pimterry

    View Slide

  17. How do you get to
    HTTPS?
    Pre-HTTPS
    MitM
    @pimterry

    View Slide

  18. Enter a URL
    Securely do
    things
    Pre-HTTPS
    MitM
    @pimterry

    View Slide

  19. Enter
    example.com
    Pre-HTTPS
    MitM
    Load
    http://example.com
    Redirected to
    https://example.com
    Securely do things!
    @pimterry

    View Slide

  20. Pre-HTTPS
    MitM
    Enter
    example.com
    Load
    http://example.com
    Hijack request, transparently proxy it
    without the redirect, and do what you like.
    GAME OVER
    N
    O
    PE
    @pimterry

    View Slide

  21. Pre-HTTPS
    MitM
    Load a page
    Securely do
    things
    Click a link
    @pimterry

    View Slide

  22. Pre-HTTPS
    MitM
    Load
    http://linking-site.com
    Click link to
    https://example.com
    Securely do things!
    @pimterry

    View Slide

  23. Pre-HTTPS
    MitM
    Load
    http://linking-site.com
    Click link to
    http://example.com
    Proxy rewrites all links to HTTP
    Transparently proxy your request
    GAME OVER
    N
    O
    PE
    @pimterry

    View Slide

  24. Any insecure step
    =
    Easy hijacking
    @pimterry

    View Slide

  25. Is this really
    a thing?
    github.com/resin-io-playground/raspberry-pineapple
    @pimterry

    View Slide

  26. Any insecure step
    =
    Easy hijacking
    @pimterry

    View Slide

  27. PANIC
    @pimterry

    View Slide

  28. Don’t trust HTTP-only sites with anything
    Check the URL and certificate, constantly
    Install HTTPS Everywhere
    Use a VPN
    As a user?
    @pimterry

    View Slide

  29. We need
    a secure web
    @pimterry

    View Slide

  30. We need to
    disable HTTP
    @pimterry

    View Slide

  31. Disabling HTTP
    in the browser
    @pimterry

    View Slide

  32. HTTPS-only Features
    Disabling HTTP in the browser:
    @pimterry

    View Slide

  33. Geolocation
    Service Workers
    (i.e. offline, notifications, sync)
    DeviceMotion
    WebRTC
    HTTP/2
    HTTPS-Only Features
    @pimterry

    View Slide

  34. Warnings on HTTP
    Disabling HTTP in the browser:
    @pimterry

    View Slide

  35. @pimterry

    View Slide

  36. Disabling HTTP
    for your site
    @pimterry

    View Slide

  37. Free certificates
    Disabling HTTP for your site:
    @pimterry

    View Slide

  38. @pimterry

    View Slide

  39. Content Security Policy
    (CSP)
    Disabling HTTP for your site:
    @pimterry

    View Slide

  40. Automatically switch URLs to HTTPS
    Content-Security-Policy:
    upgrade-insecure-requests
    @pimterry

    View Slide

  41. Report switched URLs
    Content-Security-Policy:
    upgrade-insecure-requests;
    report-uri /report-csp;
    @pimterry

    View Slide

  42. Report-only, for testing
    Content-Security-Policy-Report-Only:
    upgrade-insecure-requests;
    report-uri /report-csp;
    @pimterry

    View Slide

  43. Free reporting platform:
    report-uri.com
    @pimterry

    View Slide

  44. HTTP Strict
    Transport Security
    (HSTS)
    Disabling HTTP for your site:
    @pimterry

    View Slide

  45. HTTP header for your server responses
    (ineffective basic example)
    Strict-Transport-Security:
    max-age=3600
    @pimterry

    View Slide

  46. Strict-Transport-Security:
    max-age=31556926
    Slightly better example
    @pimterry

    View Slide

  47. Even better example
    Strict-Transport-Security:
    max-age=31556926;
    includeSubDomains
    @pimterry

    View Slide

  48. What about the
    first request?
    @pimterry

    View Slide

  49. Strict-Transport-Security:
    max-age=31556926;
    includeSubDomains;
    preload
    Great example
    Then submit to hstspreload.org
    @pimterry

    View Slide

  50. Needs to be set on root domain (example.com)
    Required on redirect domains too (example.net)
    Needs easily recognizable domains
    You’re committing to HTTPS forever
    Other gotchas
    @pimterry

    View Slide

  51. We’re
    saved!
    @pimterry

    View Slide

  52. Nobody uses it
    :-(
    @pimterry

    View Slide

  53. Serve content with HTTPS only
    Use upgrade-insecure-requests
    Use HSTS, and get preloaded
    Check other sites (securityheaders.io) and complain!
    Let’s build a secure web
    @pimterry

    View Slide

  54. HTTPS
    is
    Not
    Enough
    @pimterry

    View Slide