Slide 1

Slide 1 text

THE SORRY STATE OF SSL Hynek Schlawack

Slide 2

Slide 2 text

@hynek https://hynek.me https://github.com/hynek Guten Tag!

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

https://www.variomedia.de

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

ONLY LINK ox.cx/t

Slide 9

Slide 9 text

WTF

Slide 10

Slide 10 text

WTF SSL

Slide 11

Slide 11 text

WTF SSL & TLS

Slide 12

Slide 12 text

TIMELINE

Slide 13

Slide 13 text

TIMELINE 1995: Secure Sockets Layer 2.0, Netscape

Slide 14

Slide 14 text

TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0, still Netscape

Slide 15

Slide 15 text

TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0, still Netscape 1999: Transport Layer Security 1.0, IETF

Slide 16

Slide 16 text

TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0, still Netscape 1999: Transport Layer Security 1.0, IETF 2006: TLS 1.1

Slide 17

Slide 17 text

TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0, still Netscape 1999: Transport Layer Security 1.0, IETF 2006: TLS 1.1 2008: TLS 1.2

Slide 18

Slide 18 text

2013

Slide 19

Slide 19 text

2013 • newfound scrutiny

Slide 20

Slide 20 text

2013 • newfound scrutiny • browsers add TLS 1.2

Slide 21

Slide 21 text

2013 • newfound scrutiny • browsers add TLS 1.2 • just using TLS not enough

Slide 22

Slide 22 text

TLS

Slide 23

Slide 23 text

TLS • identity

Slide 24

Slide 24 text

TLS • identity • confidentiality

Slide 25

Slide 25 text

TLS • identity • confidentiality • integrity

Slide 26

Slide 26 text

TLS HYGIENE

Slide 27

Slide 27 text

SERVERS

Slide 28

Slide 28 text

BE UP-TO-DATE • OpenSSL >= 1.0.1c • Apache >= 2.4.0 • nginx >= 1.0.6 or 1.1.0

Slide 29

Slide 29 text

BE UP-TO-DATE • OpenSSL >= 1.0.1h • Apache >= 2.4.9 • nginx >= 1.4.7

Slide 30

Slide 30 text

CERTIFICATES • identity • validity

Slide 31

Slide 31 text

CERTIFICATES • identity • validity • CA sig

Slide 32

Slide 32 text

CERTIFICATES • identity • validity • CA sig

Slide 33

Slide 33 text

CERTIFICATES • identity • validity • CA sig

Slide 34

Slide 34 text

CERTIFICATES • identity • validity • CA sig

Slide 35

Slide 35 text

CERTIFICATES • identity • validity • CA sig

Slide 36

Slide 36 text

TRUST CHAIN

Slide 37

Slide 37 text

TRUST CHAIN

Slide 38

Slide 38 text

TRUST CHAIN

Slide 39

Slide 39 text

CERTIFICATES • trust chain

Slide 40

Slide 40 text

CERTIFICATES • trust chain • host name/service

Slide 41

Slide 41 text

CERTIFICATES • trust chain • host name/service • already/still valid?

Slide 42

Slide 42 text

DISABLE • SSL 2.0

Slide 43

Slide 43 text

DISABLE • SSL 2.0 • SSL 3.0 (if you can)

Slide 44

Slide 44 text

DISABLE • SSL 2.0 • SSL 3.0 (if you can) • TLS compression

Slide 45

Slide 45 text

CIPHER SUITES

Slide 46

Slide 46 text

CIPHER

Slide 47

Slide 47 text

CIPHER Cipher

Slide 48

Slide 48 text

CIPHER Cipher Plaintext

Slide 49

Slide 49 text

CIPHER Cipher Plaintext

Slide 50

Slide 50 text

CIPHER Cipher Ciphertext Plaintext

Slide 51

Slide 51 text

Ciphertext CIPHER Cipher Plaintext

Slide 52

Slide 52 text

CIPHER: MODE

Slide 53

Slide 53 text

CIPHER: MODE • CBC

Slide 54

Slide 54 text

CIPHER: MODE • CBC • stream ciphers

Slide 55

Slide 55 text

CIPHER: MODE • CBC • stream ciphers • GCM

Slide 56

Slide 56 text

ENCRYPTION: PREFER THIS

Slide 57

Slide 57 text

ENCRYPTION: PREFER THIS AES128-GCM &

Slide 58

Slide 58 text

ENCRYPTION: PREFER THIS AES128-GCM & ChaCha20

Slide 59

Slide 59 text

ENCRYPTION: FALL BACK TO AES128-CBC

Slide 60

Slide 60 text

ENCRYPTION: IF LIFE IS CRUEL TO YOU 3DES-CBC

Slide 61

Slide 61 text

ENCRYPTION: EOL

Slide 62

Slide 62 text

ENCRYPTION: DANGEROUS • EXP-*

Slide 63

Slide 63 text

ENCRYPTION: DANGEROUS • EXP-* • DES

Slide 64

Slide 64 text

ENCRYPTION: DANGEROUS • EXP-* • DES • RC4

Slide 65

Slide 65 text

ENCRYPTION: DANGEROUS • EXP-* • DES • RC4

Slide 66

Slide 66 text

KEY EXCHANGE

Slide 67

Slide 67 text

KEY EXCHANGE

| | fast | PFS |
|---|---|---|
| RSA | ✔️ | ❌ |

Slide 68

Slide 68 text

KEY EXCHANGE

| | fast | PFS |
|---|---|---|
| RSA | ✔️ | ❌ |
| DHE | ❌ | ✔️ |

Slide 69

Slide 69 text

KEY EXCHANGE

| | fast | PFS |
|---|---|---|
| RSA | ✔️ | ❌ |
| DHE | ❌ | ✔️ |
| ECDHE | ✔️ | ✔️ |

Slide 70

Slide 70 text

KEY EXCHANGE

| | fast | PFS |
|---|---|---|
| RSA | ✔️ | ❌ |
| DHE | ❌ | ✔️ |
| ECDHE | ✔️ | ✔️ |

Slide 71

Slide 71 text

INTEGRITY: MACS • Message Authentication Code

Slide 72

Slide 72 text

INTEGRITY: MACS • Message Authentication Code • HMAC

Slide 73

Slide 73 text

INTEGRITY: MACS • Message Authentication Code • HMAC • GCM

Slide 74

Slide 74 text

HAVE THE LAST WORD

Slide 75

Slide 75 text

YOU’RE DONE!

Slide 76

Slide 76 text

YOU’RE DONE! (but test your results!)

Slide 77

Slide 77 text

CERTIFICATE

Slide 78

Slide 78 text

CERTIFICATE

Slide 79

Slide 79 text

CERTIFICATE

Slide 80

Slide 80 text

CERTIFICATE

Slide 81

Slide 81 text

CERTIFICATE

Slide 82

Slide 82 text

CERTIFICATE

Slide 83

Slide 83 text

CERTIFICATE

Slide 84

Slide 84 text

PROTOCOLS

Slide 85

Slide 85 text

PROTOCOLS

Slide 86

Slide 86 text

PROTOCOLS

Slide 87

Slide 87 text

PROTOCOLS

Slide 88

Slide 88 text

CIPHER SUITES

Slide 89

Slide 89 text

CIPHER SUITES

Slide 90

Slide 90 text

CIPHER SUITES

Slide 91

Slide 91 text

CIPHER SUITES

Slide 92

Slide 92 text

CIPHER SUITES

Slide 93

Slide 93 text

CIPHER SUITES

Slide 94

Slide 94 text

CIPHER SUITES

Slide 95

Slide 95 text

CIPHER SUITES

Slide 96

Slide 96 text

CLIENTS

Slide 97

Slide 97 text

YOU HAD ONE JOB!

Slide 98

Slide 98 text

YOU HAD ONE JOB! VERIFY!

Slide 99

Slide 99 text

VERIFY THE CERTIFICATE! • valid?

Slide 100

Slide 100 text

VERIFY THE CERTIFICATE! • valid? • trustworthy chain?

Slide 101

Slide 101 text

VERIFY THE CERTIFICATE! • valid? • trustworthy chain? • correct hostname/service?

Slide 102

Slide 102 text

TRUST CHAIN

Slide 103

Slide 103 text

TRUST CHAIN • VERIFY_PEER

Slide 104

Slide 104 text

TRUST CHAIN • VERIFY_PEER • trust stores OS dependent

Slide 105

Slide 105 text

TRUST CHAIN • VERIFY_PEER • trust stores OS dependent • SSL_CTX_set_default_verify_paths

Slide 106

Slide 106 text

SYSTEM CA • FreeBSD: ca_root_nss

Slide 107

Slide 107 text

SYSTEM CA • FreeBSD: ca_root_nss • Debian/Red Hat: ca-certificates

Slide 108

Slide 108 text

SYSTEM CA • FreeBSD: ca_root_nss • Debian/Red Hat: ca-certificates • OS X: TEA or homebrew

Slide 109

Slide 109 text

SYSTEM CA • FreeBSD: ca_root_nss • Debian/Red Hat: ca-certificates • OS X: TEA or homebrew • Windows: wincertstore

Slide 110

Slide 110 text

SYSTEM CA • FreeBSD: ca_root_nss • Debian/Red Hat: ca-certificates • OS X: TEA or homebrew • Windows: wincertstore • or: Mozilla/certifi

Slide 111

Slide 111 text

HOSTNAME VERIFICATION OpenSSL to developers:

Slide 112

Slide 112 text

HOSTNAME VERIFICATION OpenSSL to developers: LOL

Slide 113

Slide 113 text

DON’T VERIFY TRUST CHAIN I can pretend to be Google with any self-signed certificate.

Slide 114

Slide 114 text

DON’T VERIFY HOSTNAME I can pretend to be Google with any valid certificate.

Slide 115

Slide 115 text

No content

Slide 116

Slide 116 text

SET SOME OPTIONS • acceptable ciphers • disable SSL 2.0

Slide 117

Slide 117 text

THAT’S ALL!
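The client checklist from slides 99 to 116 (verify the chain, verify the hostname, restrict ciphers, disable old protocols), written with the standard library's ssl module as an added example; it is not code from the talk. The cipher string, the weak-suite marker list and the function names are assumptions made for this sketch.

```python
import ssl

# Assumed cipher string (OpenSSL syntax): ECDHE with AES-GCM or ChaCha20 first,
# AES-CBC as fallback; anonymous, NULL, MD5, RC4 and 3DES suites excluded.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES:!aNULL:!eNULL:!MD5:!RC4:!3DES"
# Assumed substrings that mark a suite name as unacceptable (also flags 3DES).
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")


def make_client_context(cafile=None):
    """Client context that checks trust chain, hostname and validity period."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED            # VERIFY_PEER: chain must end in a trusted CA
    ctx.check_hostname = True                      # certificate must match server_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSL 2.0 and SSL 3.0
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS compression
    ctx.set_ciphers(CIPHERS)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # explicit bundle, e.g. certifi's
    else:
        ctx.load_default_certs()                   # OS trust store / OpenSSL default paths
    return ctx


def make_unverified_context():
    """The misconfiguration of slides 113 and 114, kept only to exercise the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("trust chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1:
        findings.append("SSL 3.0 or older allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression allowed")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]
    if weak:
        findings.append("weak cipher suites: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()),
                      ("unverified", make_unverified_context())):
        print(name, audit_client_context(ctx) or "ok")
```

Pass server_hostname to wrap_socket when connecting with the hardened context; without it check_hostname has nothing to compare against and the call is refused.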

Slide 118

Slide 118 text

USERS

Slide 119

Slide 119 text

FUNDAMENTAL MISCONCEPTIONS

Slide 120

Slide 120 text

FUNDAMENTAL MISCONCEPTIONS • no end-to-end security

Slide 121

Slide 121 text

FUNDAMENTAL MISCONCEPTIONS • no end-to-end security • metadata

Slide 122

Slide 122 text

VPN?

Slide 123

Slide 123 text

VPN? • sees all your traffic

Slide 124

Slide 124 text

VPN? • sees all your traffic • same for CDN

Slide 125

Slide 125 text

CERTIFICATE WARNINGS

Slide 126

Slide 126 text

CERTIFICATE WARNINGS

Slide 127

Slide 127 text

ROOT CERTIFICATE POISONING

Slide 128

Slide 128 text

TRUST ISSUES

Slide 129

Slide 129 text

TRUST ISSUES

Slide 130

Slide 130 text

TRUST ISSUES

Slide 131

Slide 131 text

TRUST ISSUES

Slide 132

Slide 132 text

TRUST ISSUES • hacked

Slide 133

Slide 133 text

TRUST ISSUES • hacked • screw up

Slide 134

Slide 134 text

TRUST ISSUES • hacked • screw up • court orders

Slide 135

Slide 135 text

TRUST ISSUES • hacked • screw up • court orders • big corp

Slide 136

Slide 136 text

No content

Slide 137

Slide 137 text

Rule of Thumb: DON’T DO IT YOURSELF IF YOU CAN HELP IT.

Slide 138

Slide 138 text

STANDARD LIBRARY VS. PYOPENSSL

Slide 139

Slide 139 text

STANDARD LIBRARY

Slide 140

Slide 140 text

STANDARD LIBRARY • terrible pre-3.3

Slide 141

Slide 141 text

STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7

Slide 142

Slide 142 text

STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7 • PFS impossible

Slide 143

Slide 143 text

STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7 • PFS impossible • missing options

Slide 144

Slide 144 text

STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7 • PFS impossible • missing options • bound to Python’s OpenSSL

Slide 145

Slide 145 text

HOSTNAME VERIFICATION • 3.2–: from ssl import match_hostname • 2.4–2.7: pip install backports.ssl_match_hostname

Slide 146

Slide 146 text

PYOPENSSL

Slide 147

Slide 147 text

PYOPENSSL • Python 2.6+, 3.2+, and PyPy

Slide 148

Slide 148 text

PYOPENSSL • Python 2.6+, 3.2+, and PyPy • more complete API coverage

Slide 149

Slide 149 text

PYOPENSSL • Python 2.6+, 3.2+, and PyPy • more complete API coverage • PyCA cryptography!

Slide 150

Slide 150 text

CRYPTOGRAPHY.IO

Slide 151

Slide 151 text

CRYPTOGRAPHY.IO • Python crypto w/o footguns

Slide 152

Slide 152 text

CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyCA

Slide 153

Slide 153 text

CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyCA • PyPy ♥ CFFI

Slide 154

Slide 154 text

CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyCA • PyPy ♥ CFFI • gives pyOpenSSL momentum

Slide 155

Slide 155 text

HOSTNAME VERIFICATION service_identity

Slide 156

Slide 156 text

LIBRARIES & FRAMEWORKS

Slide 157

Slide 157 text

SERVERS

| | lib | PFS | good defaults | configurable |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| gunicorn | depends | ❌ | ❌ | ❌ |
| Tornado | stdlib | ❌ | ❌ | ❌ |

Slide 158

Slide 158 text

SERVERS

| | lib | PFS | good defaults | configurable |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| gunicorn | depends | ❌ | ❌ | ❌ |
| Tornado | stdlib | ❌ | ❌ | ❌ |
| Twisted 14.0 | pyOpenSSL | ✔️ | ✔️ | ✔️ |

Slide 159

Slide 159 text

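SERVERS

| | lib | PFS | good defaults | configurable |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| gunicorn | depends | ❌ | ❌ | ❌ |
| Tornado | stdlib | ❌ | ❌ | ❌ |
| Twisted 14.0 | pyOpenSSL | ✔️ | ✔️ | ✔️ |
| uWSGI | own C code | ✔️ | ❌ | ✔️ |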

Slide 160

Slide 160 text

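SERVERS

| | lib | PFS | good defaults | configurable |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| gunicorn | depends | ❌ | ❌ | ❌ |
| Tornado | stdlib | ❌ | ❌ | ❌ |
| Twisted 14.0 | pyOpenSSL | ✔️ | ✔️ | ✔️ |
| uWSGI | own C code | ✔️ | ❌ | ✔️ |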

Slide 161

Slide 161 text

CLIENTS

| | lib | verifies certificates | verifies hostnames | good defaults |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |

Slide 162

Slide 162 text

CLIENTS

| | lib | verifies certificates | verifies hostnames | good defaults |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| Tornado | stdlib | ✔️ | ✔️ | ❌ |

Slide 163

Slide 163 text

CLIENTS

| | lib | verifies certificates | verifies hostnames | good defaults |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| Tornado | stdlib | ✔️ | ✔️ | ❌ |
| Twisted 14.0 | pyOpenSSL | depends | depends | ✔️ |

Slide 164

Slide 164 text

CLIENTS

| | lib | verifies certificates | verifies hostnames | good defaults |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| Tornado | stdlib | ✔️ | ✔️ | ❌ |
| Twisted 14.0 | pyOpenSSL | depends | depends | ✔️ |
| urllib2 | stdlib | ❌ | ❌ | ❌ |

Slide 165

Slide 165 text

CLIENTS

| | lib | verifies certificates | verifies hostnames | good defaults |
|---|---|---|---|---|
| eventlet | hybrid | ❌ | ❌ | ❌ |
| gevent | stdlib | ❌ | ❌ | ❌ |
| Tornado | stdlib | ✔️ | ✔️ | ❌ |
| Twisted 14.0 | pyOpenSSL | depends | depends | ✔️ |
| urllib2 | stdlib | ❌ | ❌ | ❌ |
| urllib3/requests | hybrid | ✔️ | ✔️ | ✔️ |

Slide 166

Slide 166 text

SUMMARY

Slide 167

Slide 167 text

SUMMARY • keep TLS out of Python if you can

Slide 168

Slide 168 text

SUMMARY • keep TLS out of Python if you can • use pyOpenSSL-powered requests for HTTPS

Slide 169

Slide 169 text

SUMMARY • keep TLS out of Python if you can • use pyOpenSSL-powered requests for HTTPS • write servers in Twisted

Slide 170

Slide 170 text

SUMMARY • keep TLS out of Python if you can • use pyOpenSSL-powered requests for HTTPS • write servers in Twisted • use pyOpenSSL

Slide 171

Slide 171 text

SUMMARY • keep TLS out of Python if you can • use pyOpenSSL-powered requests for HTTPS • write servers in Twisted • use pyOpenSSL • use Python 2 stdlib only for clients

Slide 172

Slide 172 text

WHY SORRY?

Slide 173

Slide 173 text

IMPLEMENTATIONS

Slide 174

Slide 174 text

IMPLEMENTATIONS

Slide 175

Slide 175 text

USERS

Slide 176

Slide 176 text

USERS • run outdated software

Slide 177

Slide 177 text

USERS • run outdated software • click certificate warnings away

Slide 178

Slide 178 text

USERS • run outdated software • click certificate warnings away • are at the mercy of 3rd parties

Slide 179

Slide 179 text

SERVERS

Slide 180

Slide 180 text

SERVERS

Slide 181

Slide 181 text

CLIENTS

Slide 182

Slide 182 text

PYTHON Is at the forefront of terrible.

Slide 183

Slide 183 text

HOPE

Slide 184

Slide 184 text

HOPE • people care again

Slide 185

Slide 185 text

HOPE • people care again • stdlib

Slide 186

Slide 186 text

HOPE • people care again • stdlib • PyCA

Slide 187

Slide 187 text

CALLS TO ACTION

Slide 188

Slide 188 text

CALLS TO ACTION

Slide 189

Slide 189 text

CALLS TO ACTION

Slide 190

Slide 190 text

CALLS TO ACTION

Slide 191

Slide 191 text

CALLS TO ACTION

Slide 192

Slide 192 text

ox.cx/t @hynek vrmd.de