Save 37% off PRO during our Black Friday Sale! »

HTTPS is Not Enough

8a1aabc40d859fcb786eb4d28b95d299?s=47 Tim Perry
November 03, 2016

HTTPS is Not Enough

8a1aabc40d859fcb786eb4d28b95d299?s=128

Tim Perry

November 03, 2016
Tweet

Transcript

  1. HTTPS is Not Enough @pimterry

  2. @pimterry

  3. Don’t try this at home @pimterry

  4. Everything is Terrible @pimterry

  5. Interception is pretty hard @pimterry

  6. Interception is easy @pimterry

  7. Open Wifi Interception is easy @pimterry

  8. ARP Spoofing Interception is easy @pimterry

  9. Evil Twin Wifi Interception is easy @pimterry

  10. Interception is easy @pimterry

  11. HTTPS will Save The Day @pimterry

  12. HTTPS is Not Enough @pimterry

  13. You Your Bank https://example.com Secure! HTTPS is not enough @pimterry

  14. You Your Bank Me https://example.com http://example.com Secure! Insecure HTTPS is

    not enough @pimterry
  15. You Your Bank Me https://example.com https://exomple.com Secure! Secure! (but useless)

    HTTPS is not enough @pimterry
  16. Pre-HTTPS MitM ≈ HTTPS MitM @pimterry

  17. How do you get to HTTPS? Pre-HTTPS MitM @pimterry

  18. Enter a URL Securely do things Pre-HTTPS MitM @pimterry

  19. Enter example.com Pre-HTTPS MitM Load http://example.com Redirected to https://example.com Securely

    do things! @pimterry
  20. Pre-HTTPS MitM Enter example.com Load http://example.com Hijack request, transparently proxy

    it without the redirect, and do what you like. GAME OVER N O PE @pimterry
  21. Pre-HTTPS MitM Load a page Securely do things Click a

    link @pimterry
  22. Pre-HTTPS MitM Load http://linking-site.com Click link to https://example.com Securely do

    things! @pimterry
  23. Pre-HTTPS MitM Load http://linking-site.com Click link to http://example.com Proxy rewrites

    all links to HTTP Transparently proxy your request GAME OVER N O PE @pimterry
  24. Any insecure step = Easy hijacking @pimterry

  25. Is this really a thing? github.com/resin-io-playground/raspberry-pineapple @pimterry

  26. Any insecure step = Easy hijacking @pimterry

  27. PANIC @pimterry

  28. Don’t trust HTTP-only sites with anything Check the URL and

    certificate, constantly Install HTTPS Everywhere Use a VPN As a user? @pimterry
  29. We need a secure web @pimterry

  30. We need to disable HTTP @pimterry

  31. Disabling HTTP in the browser @pimterry

  32. HTTPS-only Features Disabling HTTP in the browser: @pimterry

  33. Geolocation Service Workers (i.e. offline, notifications, sync) DeviceMotion WebRTC HTTP/2

    HTTPS-Only Features @pimterry
  34. Warnings on HTTP Disabling HTTP in the browser: @pimterry

  35. @pimterry

  36. Disabling HTTP for your site @pimterry

  37. Free certificates Disabling HTTP for your site: @pimterry

  38. @pimterry

  39. Content Security Policy (CSP) Disabling HTTP for your site: @pimterry

  40. Automatically switch URLs to HTTPS Content-Security-Policy: upgrade-insecure-requests @pimterry

  41. Report switched URLs Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp; @pimterry

  42. Report-only, for testing Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp; @pimterry

  43. Free reporting platform: report-uri.com @pimterry

  44. HTTP Strict Transport Security (HSTS) Disabling HTTP for your site:

    @pimterry
  45. HTTP header for your server responses (ineffective basic example) Strict-Transport-Security:

    max-age=3600 @pimterry
  46. Strict-Transport-Security: max-age=31556926 Slightly better example @pimterry

  47. Even better example Strict-Transport-Security: max-age=31556926; includeSubDomains @pimterry

  48. What about the first request? @pimterry

  49. Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Great example Then submit to hstspreload.org

    @pimterry
  50. Needs to be set on root domain (example.com) Required on

    redirect domains too (example.net) Needs easily recognizable domains You’re committing to HTTPS forever Other gotchas @pimterry
  51. We’re saved! @pimterry

  52. Nobody uses it :-( @pimterry

  53. Serve content with HTTPS only Use upgrade-insecure-requests Use HSTS, and

    get preloaded Check other sites (securityheaders.io) and complain! Let’s build a secure web @pimterry
  54. HTTPS is Not Enough @pimterry