Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTPS is Not Enough
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Tim Perry
November 03, 2016
Programming
27k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
HTTPS is Not Enough
Tim Perry
November 03, 2016
More Decks by Tim Perry
See All by Tim Perry
Unlocking the Apps
pimterry
0
630
IoT Hackathon
pimterry
0
370
Build Your Own TTN Gateway with Resin.io and RAK Wireless
pimterry
0
26k
The Cambrian Explosion of IoT
pimterry
0
26k
Modern Easy IoT with Docker & Resin.io
pimterry
1
410
Provision, Manage & Monitor Gateways in Production with Resin.io
pimterry
0
25k
Optimizing Docker for IoT with Multi-Stage Builds
pimterry
0
31k
Hardware Hacking for JS Developers
pimterry
1
27k
Promises Are So Passé
pimterry
0
28k
Other Decks in Programming
See All in Programming
才能?センス?知らん、 続けたもん勝ちだ。-- 結婚・出産・癌を越えてなお、私がプロダクトを創り続ける理由
16bitidol
2
810
キャリア迷子上等 ─ "ない道"は自分で作ればいい
16bitidol
3
2.8k
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
580
AIを活用したE2Eテスト実装効率化のあゆみ / ebisu-mobile-14-kotetu
kotetuco
0
160
共通化で考えるべきは、実装より公開する型だった
codeegg
0
160
AI駆動開発を妨げる技術的負債の解消アプローチ / ai-refactoring-approach
minodriven
17
8.8k
トークンをケチるな、設計しろ:GitHub Copilotを賢く使うコンテキスト戦略
ochtum
0
300
はてなアカウント基盤 State of the Union
cockscomb
1
1.3k
1B+ /day規模のログを管理する技術
broadleaf
0
130
SLOをサービス品質の共通言語にするために 取り組んできたこと
wakana0222
0
420
スマートグラスで並列バイブコーディング
hyshu
0
280
分散システム、なんですぐ死んでしまうん?耐障害性を高めたいあなたのためのレジリエンスパターン入門
mshibuya
7
5.2k
Featured
See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
10k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
180
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
550
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.8k
Paper Plane
katiecoart
PRO
1
52k
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
290
Building Applications with DynamoDB
mza
96
7.1k
The #1 spot is gone: here's how to win anyway
tamaranovitovic
3
1.1k
Between Models and Reality
mayunak
4
370
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Transcript
HTTPS is Not Enough @pimterry
@pimterry
Don’t try this at home @pimterry
Everything is Terrible @pimterry
Interception is pretty hard @pimterry
Interception is easy @pimterry
Open Wifi Interception is easy @pimterry
ARP Spoofing Interception is easy @pimterry
Evil Twin Wifi Interception is easy @pimterry
Interception is easy @pimterry
HTTPS will Save The Day @pimterry
HTTPS is Not Enough @pimterry
You Your Bank https://example.com Secure! HTTPS is not enough @pimterry
You Your Bank Me https://example.com http://example.com Secure! Insecure HTTPS is
not enough @pimterry
You Your Bank Me https://example.com https://exomple.com Secure! Secure! (but useless)
HTTPS is not enough @pimterry
Pre-HTTPS MitM ≈ HTTPS MitM @pimterry
How do you get to HTTPS? Pre-HTTPS MitM @pimterry
Enter a URL Securely do things Pre-HTTPS MitM @pimterry
Enter example.com Pre-HTTPS MitM Load http://example.com Redirected to https://example.com Securely
do things! @pimterry
Pre-HTTPS MitM Enter example.com Load http://example.com Hijack request, transparently proxy
it without the redirect, and do what you like. GAME OVER N O PE @pimterry
Pre-HTTPS MitM Load a page Securely do things Click a
link @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to https://example.com Securely do
things! @pimterry
Pre-HTTPS MitM Load http://linking-site.com Click link to http://example.com Proxy rewrites
all links to HTTP Transparently proxy your request GAME OVER N O PE @pimterry
Any insecure step = Easy hijacking @pimterry
Is this really a thing? github.com/resin-io-playground/raspberry-pineapple @pimterry
Any insecure step = Easy hijacking @pimterry
PANIC @pimterry
Don’t trust HTTP-only sites with anything Check the URL and
certificate, constantly Install HTTPS Everywhere Use a VPN As a user? @pimterry
We need a secure web @pimterry
We need to disable HTTP @pimterry
Disabling HTTP in the browser @pimterry
HTTPS-only Features Disabling HTTP in the browser: @pimterry
Geolocation Service Workers (i.e. offline, notifications, sync) DeviceMotion WebRTC HTTP/2
HTTPS-Only Features @pimterry
Warnings on HTTP Disabling HTTP in the browser: @pimterry
@pimterry
Disabling HTTP for your site @pimterry
Free certificates Disabling HTTP for your site: @pimterry
@pimterry
Content Security Policy (CSP) Disabling HTTP for your site: @pimterry
Automatically switch URLs to HTTPS Content-Security-Policy: upgrade-insecure-requests @pimterry
Report switched URLs Content-Security-Policy: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Report-only, for testing Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-uri /report-csp; @pimterry
Free reporting platform: report-uri.com @pimterry
HTTP Strict Transport Security (HSTS) Disabling HTTP for your site:
@pimterry
HTTP header for your server responses (ineffective basic example) Strict-Transport-Security:
max-age=3600 @pimterry
Strict-Transport-Security: max-age=31556926 Slightly better example @pimterry
Even better example Strict-Transport-Security: max-age=31556926; includeSubDomains @pimterry
What about the first request? @pimterry
Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Great example Then submit to hstspreload.org
@pimterry
Needs to be set on root domain (example.com) Required on
redirect domains too (example.net) Needs easily recognizable domains You’re committing to HTTPS forever Other gotchas @pimterry
We’re saved! @pimterry
Nobody uses it :-( @pimterry
Serve content with HTTPS only Use upgrade-insecure-requests Use HSTS, and
get preloaded Check other sites (securityheaders.io) and complain! Let’s build a secure web @pimterry
HTTPS is Not Enough @pimterry