Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTPS is Not Enough
Search
Tim Perry
November 03, 2016
Programming
0
26k
HTTPS is Not Enough
Tim Perry
November 03, 2016
Tweet
Share
More Decks by Tim Perry
See All by Tim Perry
IoT Hackathon
pimterry
0
340
Build Your Own TTN Gateway with Resin.io and RAK Wireless
pimterry
0
25k
The Cambrian Explosion of IoT
pimterry
0
24k
Modern Easy IoT with Docker & Resin.io
pimterry
1
380
Provision, Manage & Monitor Gateways in Production with Resin.io
pimterry
0
23k
Optimizing Docker for IoT with Multi-Stage Builds
pimterry
0
29k
Hardware Hacking for JS Developers
pimterry
1
25k
Promises Are So Passé
pimterry
0
26k
Opening Open Source With DevOps
pimterry
0
28k
Other Decks in Programming
See All in Programming
Kiroで始めるAI-DLC
kaonash
2
580
パッケージ設計の黒魔術/Kyoto.go#63
lufia
3
430
Performance for Conversion! 分散トレーシングでボトルネックを 特定せよ
inetand
0
110
Protocol Buffersの型を超えて拡張性を得る / Beyond Protocol Buffers Types Achieving Extensibility
linyows
0
110
はじめてのMaterial3 Expressive
ym223
2
230
AIを活用し、今後に備えるための技術知識 / Basic Knowledge to Utilize AI
kishida
20
5.5k
Updates on MLS on Ruby (and maybe more)
sylph01
1
180
プロパティベーステストによるUIテスト: LLMによるプロパティ定義生成でエッジケースを捉える
tetta_pdnt
0
300
CJK and Unicode From a PHP Committer
youkidearitai
PRO
0
110
プロポーザル駆動学習 / Proposal-Driven Learning
mackey0225
2
1.2k
Amazon RDS 向けに提供されている MCP Server と仕組みを調べてみた/jawsug-okayama-2025-aurora-mcp
takahashiikki
1
110
AIと私たちの学習の変化を考える - Claude Codeの学習モードを例に
azukiazusa1
7
3.3k
Featured
See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
580
KATA
mclloyd
32
14k
Practical Orchestrator
shlominoach
190
11k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
GitHub's CSS Performance
jonrohan
1032
460k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
187
55k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.4k
Navigating Team Friction
lara
189
15k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
Documentation Writing (for coders)
carmenintech
74
5k
Transcript
HTTPS is Not Enough @pimterry
@pimterry
Don’t try this at home @pimterry
Everything is Terrible @pimterry
Interception is pretty hard @pimterry
Interception is easy @pimterry
Open Wifi Interception is easy @pimterry
ARP Spoofing Interception is easy @pimterry
Evil Twin Wifi Interception is easy @pimterry
Interception is easy @pimterry
HTTPS will Save The Day @pimterry
HTTPS is Not Enough @pimterry
You Your Bank https://example.com Secure! HTTPS is not enough @pimterry
You Your Bank Me https://example.com http://example.com Secure! Insecure HTTPS is
not enough @pimterry
You Your Bank Me https://example.com https://exomple.com Secure! Secure! (but useless)
HTTPS is not enough @pimterry
Pre-HTTPS MitM ≈ HTTPS MitM @pimterry
How do you get to HTTPS? Pre-HTTPS MitM @pimterry
Enter a URL Securely do things Pre-HTTPS MitM @pimterry
Enter example.com Pre-HTTPS MitM Load http://example.com Redirected to https://example.com Securely
do things! @pimterry
Pre-HTTPS MitM Enter example.com Load http://example.com Hijack request, transparently proxy
it without the redirect, and do what you like. GAME OVER N O PE @pimterry
Pre-HTTPS MitM Load a page Securely do things Click a
link @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to https://example.com Securely do
things! @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to http://example.com Proxy rewrites
all links to HTTP Transparently proxy your request GAME OVER N O PE @pimterry
Any insecure step = Easy hijacking @pimterry
Is this really a thing? github.com/resin-io-playground/raspberry-pineapple @pimterry
Any insecure step = Easy hijacking @pimterry
PANIC @pimterry
Don’t trust HTTP-only sites with anything Check the URL and
certificate, constantly Install HTTPS Everywhere Use a VPN As a user? @pimterry
We need a secure web @pimterry
We need to disable HTTP @pimterry
Disabling HTTP in the browser @pimterry
HTTPS-only Features Disabling HTTP in the browser: @pimterry
Geolocation Service Workers (i.e. offline, notifications, sync) DeviceMotion WebRTC HTTP/2
HTTPS-Only Features @pimterry
Warnings on HTTP Disabling HTTP in the browser: @pimterry
@pimterry
Disabling HTTP for your site @pimterry
Free certificates Disabling HTTP for your site: @pimterry
@pimterry
Content Security Policy (CSP) Disabling HTTP for your site: @pimterry
Automatically switch URLs to HTTPS Content-Security-Policy: upgrade-insecure-requests @pimterry
Report switched URLs Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Report-only, for testing Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Free reporting platform: report-uri.com @pimterry
HTTP Strict Transport Security (HSTS) Disabling HTTP for your site:
@pimterry
HTTP header for your server responses (ineffective basic example) Strict-Transport-Security:
max-age=3600 @pimterry
Strict-Transport-Security: max-age=31556926 Slightly better example @pimterry
Even better example Strict-Transport-Security: max-age=31556926; includeSubDomains @pimterry
What about the first request? @pimterry
Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Great example Then submit to hstspreload.org
@pimterry
Needs to be set on root domain (example.com) Required on
redirect domains too (example.net) Needs easily recognizable domains You’re committing to HTTPS forever Other gotchas @pimterry
We’re saved! @pimterry
Nobody uses it :-( @pimterry
Serve content with HTTPS only Use upgrade-insecure-requests Use HSTS, and
get preloaded Check other sites (securityheaders.io) and complain! Let’s build a secure web @pimterry
HTTPS is Not Enough @pimterry