Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTPS is Not Enough

Tim Perry
November 03, 2016

HTTPS is Not Enough

Tim Perry

November 03, 2016

More Decks by Tim Perry

Other Decks in Programming


  1. Pre-HTTPS MitM Enter example.com Load http://example.com Hijack request, transparently proxy

    it without the redirect, and do what you like. GAME OVER N O PE @pimterry
  2. Pre-HTTPS MitM Load http://linking-site.com Click link to http://example.com Proxy rewrites

    all links to HTTP Transparently proxy your request GAME OVER N O PE @pimterry
  3. Don’t trust HTTP-only sites with anything Check the URL and

    certificate, constantly Install HTTPS Everywhere Use a VPN As a user? @pimterry
  4. Needs to be set on root domain (example.com) Required on

    redirect domains too (example.net) Needs easily recognizable domains You’re committing to HTTPS forever Other gotchas @pimterry
  5. Serve content with HTTPS only Use upgrade-insecure-requests Use HSTS, and

    get preloaded Check other sites (securityheaders.io) and complain! Let’s build a secure web @pimterry