Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTPS is Not Enough

Tim Perry
November 03, 2016
Programming
0
19k

HTTPS is Not Enough

Tim Perry

November 03, 2016
Tweet

More Decks by Tim Perry

See All by Tim Perry
IoT Hackathon
pimterry
0
270
Build Your Own TTN Gateway with Resin.io and RAK Wireless
pimterry
0
17k
The Cambrian Explosion of IoT
pimterry
0
17k
Modern Easy IoT with Docker & Resin.io
pimterry
1
330
Provision, Manage & Monitor Gateways in Production with Resin.io
pimterry
0
16k
Optimizing Docker for IoT with Multi-Stage Builds
pimterry
0
22k
Hardware Hacking for JS Developers
pimterry
1
18k
Promises Are So Passé
pimterry
0
19k
Opening Open Source With DevOps
pimterry
0
21k

Other Decks in Programming

See All in Programming
トランクベース開発の実現に向けた開発プロセスとCIパイプラインの継続的改善
aanrii
4
810
コルーチンのエラーをテストするためのTips / Tips for testing Kotlin Coroutine errors
tkmnzm
0
150
macのunicode正規化.pdf
mski_iksm
0
2.1k
名付けできない画面を作ってはならない - 名前を付けるとは何か
chatii
0
120
gomicollector ガベコレ自作で辿る自作の森
speed1313
1
470
LayerXにおける機械学習を活用した請求書OCR機能に関する取り組み / deim2023-layerx-ai-ocr
yuya4
7
1.3k
Neovimで好きなプラグイン5選 / my_5_favorite_neovim_plugins
uhooi
0
430
GitHub ActionsとDeployGateで始めるAndroidアプリのCICD
yuhei_fujita
2
160
DevRel/Japan 2023 - 1つの事業部だけで行う DevRel とは
hcrane
0
290
PDF_TDX_2023_Apex__What_s_New_and_What_s_Coming.pdf
fishofprey
3
830
改めて整理するWebアプリのビルド・デプロイの基本【コンテナ編】
os1ma
1
120
社内のメンバーに「関数型プログラミングの学習・教育」についていろいろ聞いてみた
j5ik2o
1
130

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
51
3k
The World Runs on Bad Software
bkeepers
PRO
59
5.8k
What’s in a name? Adding method to the madness
productmarketing
PRO
13
2k
The Language of Interfaces
destraynor
149
21k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Making the Leap to Tech Lead
cromwellryan
117
7.7k
Clear Off the Table
cherdarchuk
79
290k
Building Applications with DynamoDB
mza
86
5k
Git: the NoSQL Database
bkeepers
PRO
419
60k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
The Mythical Team-Month
searls
210
40k
Bootstrapping a Software Product
garrettdimon
299
110k

Transcript

  1. HTTPS
    is
    Not
    Enough
    @pimterry

    View Slide

  2. @pimterry

    View Slide

  3. Don’t try this at home
    @pimterry

    View Slide

  4. Everything is
    Terrible
    @pimterry

    View Slide

  5. Interception
    is pretty hard
    @pimterry

    View Slide

  6. Interception
    is easy
    @pimterry

    View Slide

  7. Open Wifi
    Interception is easy
    @pimterry

    View Slide

  8. ARP Spoofing
    Interception is easy
    @pimterry

    View Slide

  9. Evil Twin Wifi
    Interception is easy
    @pimterry

    View Slide

  10. Interception is easy
    @pimterry

    View Slide

  11. HTTPS will
    Save The Day
    @pimterry

    View Slide

  12. HTTPS is
    Not Enough
    @pimterry

    View Slide

  13. You
    Your
    Bank
    https://example.com
    Secure!
    HTTPS is
    not enough
    @pimterry

    View Slide

  14. You
    Your
    Bank
    Me
    https://example.com
    http://example.com
    Secure!
    Insecure
    HTTPS is
    not enough
    @pimterry

    View Slide

  15. You
    Your
    Bank
    Me
    https://example.com
    https://exomple.com
    Secure!
    Secure!
    (but useless)
    HTTPS is
    not enough
    @pimterry

    View Slide

  16. Pre-HTTPS MitM

    HTTPS MitM
    @pimterry

    View Slide

  17. How do you get to
    HTTPS?
    Pre-HTTPS
    MitM
    @pimterry

    View Slide

  18. Enter a URL
    Securely do
    things
    Pre-HTTPS
    MitM
    @pimterry

    View Slide

  19. Enter
    example.com
    Pre-HTTPS
    MitM
    Load
    http://example.com
    Redirected to
    https://example.com
    Securely do things!
    @pimterry

    View Slide

  20. Pre-HTTPS
    MitM
    Enter
    example.com
    Load
    http://example.com
    Hijack request, transparently proxy it
    without the redirect, and do what you like.
    GAME OVER
    N
    O
    PE
    @pimterry

    View Slide

  21. Pre-HTTPS
    MitM
    Load a page
    Securely do
    things
    Click a link
    @pimterry

    View Slide

  22. Pre-HTTPS
    MitM
    Load
    http://linking-site.com
    Click link to
    https://example.com
    Securely do things!
    @pimterry

    View Slide

  23. Pre-HTTPS
    MitM
    Load
    http://linking-site.com
    Click link to
    http://example.com
    Proxy rewrites all links to HTTP
    Transparently proxy your request
    GAME OVER
    N
    O
    PE
    @pimterry

    View Slide

  24. Any insecure step
    =
    Easy hijacking
    @pimterry

    View Slide

  25. Is this really
    a thing?
    github.com/resin-io-playground/raspberry-pineapple
    @pimterry

    View Slide

  26. Any insecure step
    =
    Easy hijacking
    @pimterry

    View Slide

  27. PANIC
    @pimterry

    View Slide

  28. Don’t trust HTTP-only sites with anything
    Check the URL and certificate, constantly
    Install HTTPS Everywhere
    Use a VPN
    As a user?
    @pimterry

    View Slide

  29. We need
    a secure web
    @pimterry

    View Slide

  30. We need to
    disable HTTP
    @pimterry

    View Slide

  31. Disabling HTTP
    in the browser
    @pimterry

    View Slide

  32. HTTPS-only Features
    Disabling HTTP in the browser:
    @pimterry

    View Slide

  33. Geolocation
    Service Workers
    (i.e. offline, notifications, sync)
    DeviceMotion
    WebRTC
    HTTP/2
    HTTPS-Only Features
    @pimterry

    View Slide

  34. Warnings on HTTP
    Disabling HTTP in the browser:
    @pimterry

    View Slide

  35. @pimterry

    View Slide

  36. Disabling HTTP
    for your site
    @pimterry

    View Slide

  37. Free certificates
    Disabling HTTP for your site:
    @pimterry

    View Slide

  38. @pimterry

    View Slide

  39. Content Security Policy
    (CSP)
    Disabling HTTP for your site:
    @pimterry

    View Slide

  40. Automatically switch URLs to HTTPS
    Content-Security-Policy:
    upgrade-insecure-requests
    @pimterry

    View Slide

  41. Report switched URLs
    Content-Security-Policy:
    upgrade-insecure-requests;
    report-uri /report-csp;
    @pimterry

    View Slide

  42. Report-only, for testing
    Content-Security-Policy-Report-Only:
    upgrade-insecure-requests;
    report-uri /report-csp;
    @pimterry

    View Slide

  43. Free reporting platform:
    report-uri.com
    @pimterry

    View Slide

  44. HTTP Strict
    Transport Security
    (HSTS)
    Disabling HTTP for your site:
    @pimterry

    View Slide

  45. HTTP header for your server responses
    (ineffective basic example)
    Strict-Transport-Security:
    max-age=3600
    @pimterry

    View Slide

  46. Strict-Transport-Security:
    max-age=31556926
    Slightly better example
    @pimterry

    View Slide

  47. Even better example
    Strict-Transport-Security:
    max-age=31556926;
    includeSubDomains
    @pimterry

    View Slide

  48. What about the
    first request?
    @pimterry

    View Slide

  49. Strict-Transport-Security:
    max-age=31556926;
    includeSubDomains;
    preload
    Great example
    Then submit to hstspreload.org
    @pimterry

    View Slide

  50. Needs to be set on root domain (example.com)
    Required on redirect domains too (example.net)
    Needs easily recognizable domains
    You’re committing to HTTPS forever
    Other gotchas
    @pimterry

    View Slide

  51. We’re
    saved!
    @pimterry

    View Slide

  52. Nobody uses it
    :-(
    @pimterry

    View Slide

  53. Serve content with HTTPS only
    Use upgrade-insecure-requests
    Use HSTS, and get preloaded
    Check other sites (securityheaders.io) and complain!
    Let’s build a secure web
    @pimterry

    View Slide

  54. HTTPS
    is
    Not
    Enough
    @pimterry

    View Slide