HTTPS is Not Enough

Tim Perry
November 03, 2016

Transcript

  1. HTTPS is Not Enough
    @pimterry

  2. (image-only slide)

  3. Don’t try this at home

  4. Everything is Terrible

  5. Interception is pretty hard

  6. Interception is easy

  7. Interception is easy: Open Wifi

  8. Interception is easy: ARP Spoofing

  9. Interception is easy: Evil Twin Wifi

  10. Interception is easy

  11. HTTPS will Save The Day

  12. HTTPS is Not Enough

  13. HTTPS is not enough:
    You -> https://example.com (Secure!) -> Your Bank

  14. HTTPS is not enough:
    You -> http://example.com (Insecure) -> Me -> https://example.com (Secure!) -> Your Bank

  15. HTTPS is not enough:
    You -> https://exomple.com (Secure! but useless) -> Me -> https://example.com (Secure!) -> Your Bank

  16. Pre-HTTPS MitM / HTTPS MitM

  17. Pre-HTTPS MitM: How do you get to HTTPS?

  18. Pre-HTTPS MitM: Enter a URL -> Securely do things

  19. Pre-HTTPS MitM:
    Enter example.com -> Load http://example.com -> Redirected to https://example.com -> Securely do things!

  20. Pre-HTTPS MitM:
    Enter example.com -> Load http://example.com -> Hijack request, transparently proxy it without the redirect, and do what you like.
    NOPE. GAME OVER

  21. Pre-HTTPS MitM: Load a page -> Click a link -> Securely do things

  22. Pre-HTTPS MitM:
    Load http://linking-site.com -> Click link to https://example.com -> Securely do things!

  23. Pre-HTTPS MitM:
    Load http://linking-site.com -> Click link to http://example.com
    Proxy rewrites all links to HTTP; transparently proxy your request.
    NOPE. GAME OVER

  24. Any insecure step = Easy hijacking

  25. Is this really a thing?
    github.com/resin-io-playground/raspberry-pineapple

  26. Any insecure step = Easy hijacking

  27. PANIC

  28. As a user?
    Don’t trust HTTP-only sites with anything
    Check the URL and certificate, constantly
    Install HTTPS Everywhere
    Use a VPN

  29. We need a secure web

  30. We need to disable HTTP

  31. Disabling HTTP in the browser

  32. Disabling HTTP in the browser: HTTPS-only Features

  33. HTTPS-Only Features
    Geolocation
    Service Workers (i.e. offline, notifications, sync)
    DeviceMotion
    WebRTC
    HTTP/2

  34. Disabling HTTP in the browser: Warnings on HTTP

  35. (image-only slide)

  36. Disabling HTTP for your site

  37. Disabling HTTP for your site: Free certificates

  38. (image-only slide)

  39. Disabling HTTP for your site: Content Security Policy (CSP)

  40. Automatically switch URLs to HTTPS
    Content-Security-Policy: upgrade-insecure-requests

  41. Report switched URLs
    Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp;

  42. Report-only, for testing
    Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp;

  43. Free reporting platform: report-uri.com

  44. Disabling HTTP for your site: HTTP Strict Transport Security (HSTS)

  45. HTTP header for your server responses (ineffective basic example)
    Strict-Transport-Security: max-age=3600

  46. Slightly better example
    Strict-Transport-Security: max-age=31556926

  47. Even better example
    Strict-Transport-Security: max-age=31556926; includeSubDomains

  48. What about the first request?

  49. Great example
    Strict-Transport-Security: max-age=31556926; includeSubDomains; preload
    Then submit to hstspreload.org

  50. Other gotchas
    Needs to be set on root domain (example.com)
    Required on redirect domains too (example.net)
    Needs easily recognizable domains
    You’re committing to HTTPS forever

  51. We’re saved!

  52. Nobody uses it :-(

  53. Let’s build a secure web
    Serve content with HTTPS only
    Use upgrade-insecure-requests
    Use HSTS, and get preloaded
    Check other sites (securityheaders.io) and complain!
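
As an added example (not code from the deck), the checklist above turned into a small Python audit of one response's headers: it grades Strict-Transport-Security along the same ladder as the HSTS slides (ineffective, slightly better, even better, preloadable) and flags a missing upgrade-insecure-requests directive. The one-year threshold is the minimum max-age hstspreload.org publishes; the sample headers are constructed, and the check covers only the header values, not the redirect and root-domain rules the preload list also applies.

```python
# Added example, not from the deck: audit one response against the slides'
# checklist (HTTPS only, upgrade-insecure-requests, preload-ready HSTS).
ONE_YEAR = 31536000  # hstspreload.org minimum max-age, in seconds

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive, so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def rate_hsts(value):
    """Grade an HSTS header using the deck's own ladder of examples."""
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return "missing"           # no usable max-age: browsers ignore it
    if int(d["max-age"]) < ONE_YEAR:
        return "ineffective"       # e.g. max-age=3600: forgotten in an hour
    if "includesubdomains" not in d:
        return "slightly better"   # subdomains can still be served over HTTP
    if "preload" not in d:
        return "even better"       # the very first request is still plain HTTP
    return "preloadable"           # header meets the preload list's rules

def audit(headers, final_scheme):
    """Return findings for one response; headers keyed by lower-case name."""
    findings = []
    if final_scheme != "https":
        findings.append("content not served over HTTPS")
    if "upgrade-insecure-requests" not in headers.get("content-security-policy", ""):
        findings.append("no upgrade-insecure-requests directive")
    hsts = headers.get("strict-transport-security")
    grade = "missing" if hsts is None else rate_hsts(hsts)
    if grade != "preloadable":
        findings.append("HSTS is " + grade + ", not preload-ready")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = {"content-security-policy": "upgrade-insecure-requests; report-uri /report-csp",
        "strict-transport-security": "max-age=31556926; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=3600"}

if __name__ == "__main__":
    print(audit(GOOD, "https"))  # []
    print(audit(WEAK, "http"))
```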

  54. HTTPS is Not Enough