Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTPS is Not Enough
Search
Tim Perry
November 03, 2016
Programming
0
23k
HTTPS is Not Enough
Tim Perry
November 03, 2016
Tweet
Share
More Decks by Tim Perry
See All by Tim Perry
IoT Hackathon
pimterry
0
300
Build Your Own TTN Gateway with Resin.io and RAK Wireless
pimterry
0
22k
The Cambrian Explosion of IoT
pimterry
0
21k
Modern Easy IoT with Docker & Resin.io
pimterry
1
340
Provision, Manage & Monitor Gateways in Production with Resin.io
pimterry
0
20k
Optimizing Docker for IoT with Multi-Stage Builds
pimterry
0
26k
Hardware Hacking for JS Developers
pimterry
1
22k
Promises Are So Passé
pimterry
0
23k
Opening Open Source With DevOps
pimterry
0
25k
Other Decks in Programming
See All in Programming
TiDB Serverless ~理想のServerless DBを考える~
soso_15315
1
160
日付と正規化
megmogmog1965
0
140
3 Effective Rules for Success with Signals in Angular
manfredsteyer
PRO
0
120
Ruby メモリ管理 プログラミング
megmogmog1965
0
130
継続的な活動で築く地方エンジニアの道
myamashii
2
350
Clean Architecture by TypeScript & NestJS
ryounasso
0
150
ぼっちを避けて楽しむためのアノテコノテ / Various Tips and Tricks to Avoid Loneliness and Have Fun
nrslib
3
1.7k
社内 LT 会を発足し、アウトプット文化を醸成させるために考えたこと・やったこと / Starting internal LT meetings and fostering an output culture
mackey0225
3
120
企業向け生成AIアプリの 開発から得られた知見
takaakikakei
0
310
CSC307 Lecture 10
javiergs
PRO
0
310
Introduction of Happy Eyeballs Version 2 (RFC8305) to the Socket library
coe401_
1
220
AHC035解説
terryu16
0
710
Featured
See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
Rebuilding a faster, lazier Slack
samanthasiow
78
8.5k
Into the Great Unknown - MozCon
thekraken
20
1.3k
The Brand Is Dead. Long Live the Brand.
mthomps
52
36k
Stop Working from a Prison Cell
hatefulcrawdad
266
20k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
20
7.2k
4 Signs Your Business is Dying
shpigford
178
21k
The MySQL Ecosystem @ GitHub 2015
samlambert
248
12k
Building a Modern Day E-commerce SEO Strategy
aleyda
25
6.7k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
19k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
149
45k
Principles of Awesome APIs and How to Build Them.
keavy
124
16k
Transcript
HTTPS is Not Enough @pimterry
@pimterry
Don’t try this at home @pimterry
Everything is Terrible @pimterry
Interception is pretty hard @pimterry
Interception is easy @pimterry
Open Wifi Interception is easy @pimterry
ARP Spoofing Interception is easy @pimterry
Evil Twin Wifi Interception is easy @pimterry
Interception is easy @pimterry
HTTPS will Save The Day @pimterry
HTTPS is Not Enough @pimterry
You Your Bank https://example.com Secure! HTTPS is not enough @pimterry
You Your Bank Me https://example.com http://example.com Secure! Insecure HTTPS is
not enough @pimterry
You Your Bank Me https://example.com https://exomple.com Secure! Secure! (but useless)
HTTPS is not enough @pimterry
Pre-HTTPS MitM ≈ HTTPS MitM @pimterry
How do you get to HTTPS? Pre-HTTPS MitM @pimterry
Enter a URL Securely do things Pre-HTTPS MitM @pimterry
Enter example.com Pre-HTTPS MitM Load http://example.com Redirected to https://example.com Securely
do things! @pimterry
Pre-HTTPS MitM Enter example.com Load http://example.com Hijack request, transparently proxy
it without the redirect, and do what you like. GAME OVER N O PE @pimterry
Pre-HTTPS MitM Load a page Securely do things Click a
link @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to https://example.com Securely do
things! @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to http://example.com Proxy rewrites
all links to HTTP Transparently proxy your request GAME OVER N O PE @pimterry
Any insecure step = Easy hijacking @pimterry
Is this really a thing? github.com/resin-io-playground/raspberry-pineapple @pimterry
Any insecure step = Easy hijacking @pimterry
PANIC @pimterry
Don’t trust HTTP-only sites with anything Check the URL and
certificate, constantly Install HTTPS Everywhere Use a VPN As a user? @pimterry
We need a secure web @pimterry
We need to disable HTTP @pimterry
Disabling HTTP in the browser @pimterry
HTTPS-only Features Disabling HTTP in the browser: @pimterry
Geolocation Service Workers (i.e. offline, notifications, sync) DeviceMotion WebRTC HTTP/2
HTTPS-Only Features @pimterry
Warnings on HTTP Disabling HTTP in the browser: @pimterry
@pimterry
Disabling HTTP for your site @pimterry
Free certificates Disabling HTTP for your site: @pimterry
@pimterry
Content Security Policy (CSP) Disabling HTTP for your site: @pimterry
Automatically switch URLs to HTTPS Content-Security-Policy: upgrade-insecure-requests @pimterry
Report switched URLs Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Report-only, for testing Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Free reporting platform: report-uri.com @pimterry
HTTP Strict Transport Security (HSTS) Disabling HTTP for your site:
@pimterry
HTTP header for your server responses (ineffective basic example) Strict-Transport-Security:
max-age=3600 @pimterry
Strict-Transport-Security: max-age=31556926 Slightly better example @pimterry
Even better example Strict-Transport-Security: max-age=31556926; includeSubDomains @pimterry
What about the first request? @pimterry
Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Great example Then submit to hstspreload.org
@pimterry
Needs to be set on root domain (example.com) Required on
redirect domains too (example.net) Needs easily recognizable domains You’re committing to HTTPS forever Other gotchas @pimterry
We’re saved! @pimterry
Nobody uses it :-( @pimterry
Serve content with HTTPS only Use upgrade-insecure-requests Use HSTS, and
get preloaded Check other sites (securityheaders.io) and complain! Let’s build a secure web @pimterry
HTTPS is Not Enough @pimterry