HTTPS is Not Enough

Transcript

1. HTTPS is Not Enough @pimterry

2. @pimterry

3. Don’t try this at home @pimterry

4. Everything is Terrible @pimterry

5. Interception is pretty hard @pimterry

6. Interception is easy @pimterry

7. Open Wifi Interception is easy @pimterry

8. ARP Spoofing Interception is easy @pimterry

9. Evil Twin Wifi Interception is easy @pimterry

10. Interception is easy @pimterry

11. HTTPS will Save The Day @pimterry

12. HTTPS is Not Enough @pimterry

13. You Your Bank https://example.com Secure! HTTPS is not enough @pimterry

14. You Your Bank Me https://example.com http://example.com Secure! Insecure HTTPS is

    not enough @pimterry

15. You Your Bank Me https://example.com https://exomple.com Secure! Secure! (but useless)

    HTTPS is not enough @pimterry

16. Pre-HTTPS MitM ≈ HTTPS MitM @pimterry

17. How do you get to HTTPS? Pre-HTTPS MitM @pimterry

18. Enter a URL Securely do things Pre-HTTPS MitM @pimterry

19. Enter example.com Pre-HTTPS MitM Load http://example.com Redirected to https://example.com Securely

    do things! @pimterry

20. Pre-HTTPS MitM Enter example.com Load http://example.com Hijack request, transparently proxy

    it without the redirect, and do what you like. GAME OVER N O PE @pimterry

21. Pre-HTTPS MitM Load a page Securely do things Click a

    link @pimterry

22. Pre-HTTPS MitM Load http://linking-site.com Click link to https://example.com Securely do

    things! @pimterry

23. Pre-HTTPS MitM Load http://linking-site.com Click link to http://example.com Proxy rewrites

    all links to HTTP Transparently proxy your request GAME OVER N O PE @pimterry

24. Any insecure step = Easy hijacking @pimterry

25. Is this really a thing? github.com/resin-io-playground/raspberry-pineapple @pimterry

26. Any insecure step = Easy hijacking @pimterry

27. PANIC @pimterry

28. Don’t trust HTTP-only sites with anything Check the URL and

    certificate, constantly Install HTTPS Everywhere Use a VPN As a user? @pimterry

29. We need a secure web @pimterry

30. We need to disable HTTP @pimterry

31. Disabling HTTP in the browser @pimterry

32. HTTPS-only Features Disabling HTTP in the browser: @pimterry

33. Geolocation Service Workers (i.e. offline, notifications, sync) DeviceMotion WebRTC HTTP/2

    HTTPS-Only Features @pimterry

34. Warnings on HTTP Disabling HTTP in the browser: @pimterry

35. @pimterry

36. Disabling HTTP for your site @pimterry

37. Free certificates Disabling HTTP for your site: @pimterry

38. @pimterry

39. Content Security Policy (CSP) Disabling HTTP for your site: @pimterry

40. Automatically switch URLs to HTTPS Content-Security-Policy: upgrade-insecure-requests @pimterry

41. Report switched URLs Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp; @pimterry

42. Report-only, for testing Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp; @pimterry

43. Free reporting platform: report-uri.com @pimterry

44. HTTP Strict Transport Security (HSTS) Disabling HTTP for your site:

    @pimterry

45. HTTP header for your server responses (ineffective basic example) Strict-Transport-Security:

    max-age=3600 @pimterry

46. Strict-Transport-Security: max-age=31556926 Slightly better example @pimterry

47. Even better example Strict-Transport-Security: max-age=31556926; includeSubDomains @pimterry

48. What about the first request? @pimterry

49. Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Great example Then submit to hstspreload.org

    @pimterry

50. Needs to be set on root domain (example.com) Required on

    redirect domains too (example.net) Needs easily recognizable domains You’re committing to HTTPS forever Other gotchas @pimterry

51. We’re saved! @pimterry

52. Nobody uses it :-( @pimterry

53. Serve content with HTTPS only Use upgrade-insecure-requests Use HSTS, and

    get preloaded Check other sites (securityheaders.io) and complain! Let’s build a secure web @pimterry

54. HTTPS is Not Enough @pimterry