Slide 1

Slide 1 text

The first 200 milliseconds of HTTPS 1 Joshua Thijssen jaytaph

Slide 2

Slide 2 text

2

Slide 3

Slide 3 text

➡ What’s happening in the first 200+ milliseconds in a initial HTTPS connection. 2

Slide 4

Slide 4 text

➡ What’s happening in the first 200+ milliseconds in a initial HTTPS connection. ➡ Give tips and hints on hardening your setup. 2

Slide 5

Slide 5 text

➡ What’s happening in the first 200+ milliseconds in a initial HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights in new and upcoming technologies. 2

Slide 6

Slide 6 text

➡ What’s happening in the first 200+ milliseconds in a initial HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights in new and upcoming technologies. ➡ Show you things to you (probably) didn’t knew. 2

Slide 7

Slide 7 text

This talk is inspired by a blogpost from Jeff Moser http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html Unknown fact! 3

Slide 8

Slide 8 text

HTTPS == HTTP on top of TLS 4

Slide 9

Slide 9 text

Transport Layer Security (TLS) 5

Slide 10

Slide 10 text

Secure Socket Layer (SSL) 6 A short and scary history

Slide 11

Slide 11 text

then now 7

Slide 12

Slide 12 text

then now SSL 1.0 Vaporware 1994 7

Slide 13

Slide 13 text

then now feb 1995 SSL 2.0 Not-so-secure-socket-layer SSL 1.0 Vaporware 1994 7

Slide 14

Slide 14 text

then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL 3.0 Something stable! SSL 1.0 Vaporware 1994 7

Slide 15

Slide 15 text

then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL 3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 SSL 1.0 Vaporware 1994 7

Slide 16

Slide 16 text

then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL 3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 apr 2006 TLS 1.1 SSL 1.0 Vaporware 1994 7

Slide 17

Slide 17 text

then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL 3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 apr 2006 TLS 1.1 TLS 1.2 aug 2008 SSL 1.0 Vaporware 1994 7

Slide 18

Slide 18 text

https://www.trustworthyinternet.org/ssl-pulse/ 25,7% 99,6% 99,3% 18,2% 20,7% SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 8 November 2013

Slide 19

Slide 19 text

https://www.trustworthyinternet.org/ssl-pulse/ 25,7% 99,6% 99,3% 18,2% 20,7% SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 8 20,5% 98,5% 99,3% 38,4% 40,8% SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 November 2013 Aug 2014

Slide 20

Slide 20 text

RFC 5246 (TLS v1.2) 9

Slide 21

Slide 21 text

10 Record Layer

Slide 22

Slide 22 text

10 Record Layer Type Version Length

Slide 23

Slide 23 text

10 Record Layer Type Version Length Protocol

Slide 24

Slide 24 text

10 Record Layer Type Version Length Protocol Protocol Protocol

Slide 25

Slide 25 text

10 Record Layer Type Version Length Protocol Protocol Protocol Record Layer Type Version Length Protocol

Slide 26

Slide 26 text

➡ Handshake protocol records ➡ Setup communication ➡ Change Cipher Spec protocol records ➡ Change communication ➡ Alert protocol records ➡ Errors ➡ Application Data protocol records ➡ Actual data transfers 11

Slide 27

Slide 27 text

12 https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

Slide 28

Slide 28 text

Attention: (live) wiresharking up ahead 13

Slide 29

Slide 29 text

14

Slide 30

Slide 30 text

15

Slide 31

Slide 31 text

Generating randomness is HARD 16

Slide 32

Slide 32 text

entropy (uncertainty) 17

Slide 33

Slide 33 text

TIME is NOT random thus not a very good entropy source 18

Slide 34

Slide 34 text

PHP is bad when it comes to entropy 19 Unknown fact!

Slide 35

Slide 35 text

20

Slide 36

Slide 36 text

openssl_pseudo_random_bytes() 20

Slide 37

Slide 37 text

openssl_pseudo_random_bytes() read from /dev/(u)random 20

Slide 38

Slide 38 text

openssl_pseudo_random_bytes() read from /dev/(u)random Use a HRNG 20

Slide 39

Slide 39 text

openssl_pseudo_random_bytes() read from /dev/(u)random Use a HRNG “A million random digits” 20

Slide 40

Slide 40 text

openssl_pseudo_random_bytes() read from /dev/(u)random Use a HRNG “A million random digits” https://github.com/ircmaxell/RandomLib 20

Slide 41

Slide 41 text

21

Slide 42

Slide 42 text

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 22

Slide 43

Slide 43 text

TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 23

Slide 44

Slide 44 text

TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Cipher for exchanging key information 23

Slide 45

Slide 45 text

TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Cipher for exchanging key information Cipher for authenticating key information 23

Slide 46

Slide 46 text

TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Cipher for exchanging key information Cipher for authenticating key information Actual cipher (and length) used for communication 23

Slide 47

Slide 47 text

TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Cipher for exchanging key information Cipher for authenticating key information Hash algo for message authenticating Actual cipher (and length) used for communication 23

Slide 48

Slide 48 text

TLS_RSA_WITH_AES_256_CBC_SHA256 24

Slide 49

Slide 49 text

TLS_NULL_WITH_NULL_NULL 25

Slide 50

Slide 50 text

Client gives cipher options, Server ultimately decides on cipher! 26

Slide 51

Slide 51 text

THIS IS WHY YOU SHOULD ALWAYS CONFIGURE YOUR CIPHERS ON YOUR WEB SERVER! 27 Unknown fact!

Slide 52

Slide 52 text

28 https://cipherli.st SSLCipherSuite AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLCompression off # Requires Apache >= 2.4 SSLHonorCipherOrder On SSLUseStapling on # Requires Apache >= 2.4 SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires >= Apache 2.4 Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" Header always set X-Frame-Options DENY ssl_ciphers 'AES256+EECDH:AES256+EDH'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; add_header X-Frame-Options DENY; ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver $DNS-IP-1 $DNS-IP-2 valid=300s; resolver_timeout 5s; Apache: nginx:

Slide 53

Slide 53 text

https://www.ssllabs.com/ssltest/ 29

Slide 54

Slide 54 text

30

Slide 55

Slide 55 text

31

Slide 56

Slide 56 text

32 https://www.overheid.nl/

Slide 57

Slide 57 text

33

Slide 58

Slide 58 text

34

Slide 59

Slide 59 text

35

Slide 60

Slide 60 text

36

Slide 61

Slide 61 text

37 ➡ SNI (Server Name Indication) ➡ Extension 0x0000 ➡ Pretty much every decent browser / server. ➡ IE6, Win XP, Blackberry, Android 2.x, java 1.6.x ➡ So no worries!

Slide 62

Slide 62 text

38

Slide 63

Slide 63 text

39

Slide 64

Slide 64 text

What an SSL certificate is NOT: 40 ➡ SSL certificate (but a X.509 certificate) ➡ Automatically secure ➡ Automatically trustworthy ➡ In any way better self-signed certificates ➡ Cheap

Slide 65

Slide 65 text

What an SSL certificate is: 41 ➡ The best way (but not perfect) to prove authenticity ➡ A way to bootstrap encrypted communication ➡ Misleading ➡ (Too) Expensive

Slide 66

Slide 66 text

42

Slide 67

Slide 67 text

42 ➡ X.509 Certificate

Slide 68

Slide 68 text

42 ➡ X.509 Certificate ➡ Owner info (who is this owner)

Slide 69

Slide 69 text

42 ➡ X.509 Certificate ➡ Owner info (who is this owner) ➡ Domain info (for which domain(s) is this certificate valid)

Slide 70

Slide 70 text

42 ➡ X.509 Certificate ➡ Owner info (who is this owner) ➡ Domain info (for which domain(s) is this certificate valid) ➡ Expiry info (from when to when is this certificate valid)

Slide 71

Slide 71 text

43 yourdomain.com

Slide 72

Slide 72 text

43 yourdomain.com Intermediate CA

Slide 73

Slide 73 text

43 yourdomain.com Intermediate CA

Slide 74

Slide 74 text

43 yourdomain.com Root CA Intermediate CA

Slide 75

Slide 75 text

43 yourdomain.com Root CA Intermediate CA

Slide 76

Slide 76 text

43 yourdomain.com Root CA Intermediate CA

Slide 77

Slide 77 text

44 IMPLIED TRU$T

Slide 78

Slide 78 text

➡ (Root) Certificate Authorities ➡ They are built into your browser / OS and you will automatically trust them. 45

Slide 79

Slide 79 text

46 wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l

Slide 80

Slide 80 text

46 wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l 181 And rising...

Slide 81

Slide 81 text

47

Slide 82

Slide 82 text

47 ➡ X.509 certificates are used to authenticate the server.

Slide 83

Slide 83 text

47 ➡ X.509 certificates are used to authenticate the server. ➡ Servers can ask clients to authenticate themselves as well.

Slide 84

Slide 84 text

47 ➡ X.509 certificates are used to authenticate the server. ➡ Servers can ask clients to authenticate themselves as well. ➡ APIs

Slide 85

Slide 85 text

48

Slide 86

Slide 86 text

49

Slide 87

Slide 87 text

50 Generating secrets:

Slide 88

Slide 88 text

50 pre master secret server rand client rand Generating secrets: + +

Slide 89

Slide 89 text

50 pre master secret server rand client rand master secret Generating secrets: + +

Slide 90

Slide 90 text

50 pre master secret server rand client rand master secret master secret server rand client rand Generating secrets: + + + +

Slide 91

Slide 91 text

50 pre master secret server rand client rand master secret master secret server rand client rand key buffer Generating secrets: + + + +

Slide 92

Slide 92 text

50 pre master secret server rand client rand master secret client MAC client KEY client IV server MAC server KEY server IV master secret server rand client rand key buffer Generating secrets: + + + +

Slide 93

Slide 93 text

https://github.com/jaytaph/TLS-decoder 51 http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/ Try it yourself, php style:

Slide 94

Slide 94 text

52

Slide 95

Slide 95 text

53

Slide 96

Slide 96 text

54

Slide 97

Slide 97 text

55

Slide 98

Slide 98 text

56 Wireshark CAN decrypt your HTTPS traffic Unknown fact! SSLKEYLOGFILE https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

Slide 99

Slide 99 text

57 launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret on a mac:

Slide 100

Slide 100 text

58

Slide 101

Slide 101 text

➡ TLS has overhead in computation and transfers. But definitely worth it. ➡ Google likes it. ➡ Some ciphersuites are better, but slower. ➡ Speed / Security compromise ➡ (try: “openssl speed”) 59

Slide 102

Slide 102 text

Are we safe yet? 60

Slide 103

Slide 103 text

euh,.. no :/ 61

Slide 104

Slide 104 text

62 PRE MASTER SECRET

Slide 105

Slide 105 text

What if somebody* got hold of the site private key? 63

Slide 106

Slide 106 text

64

Slide 107

Slide 107 text

65

Slide 108

Slide 108 text

66

Slide 109

Slide 109 text

67

Slide 110

Slide 110 text

(PERFECT) FORWARDING SECRECY 68

Slide 111

Slide 111 text

Compromising the pre-master secret does not compromise our communication. 69

Slide 112

Slide 112 text

PFS: Can’t compromise other keys with a compromised key. 70

Slide 113

Slide 113 text

Unfortunately.. 71

Slide 114

Slide 114 text

72 PFS needs server AND browser support

Slide 115

Slide 115 text

73 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

Slide 116

Slide 116 text

74 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

Slide 117

Slide 117 text

Update your cipher suite list and place PFS ciphers at the top 75

Slide 118

Slide 118 text

But beware: heavy computations 76

Slide 119

Slide 119 text

77 SSL Test https://www.ssllabs.com/ssltest/

Slide 120

Slide 120 text

-ETOOMUCHINFO 78

Slide 121

Slide 121 text

79 https://www.ssllabs.com/projects/best-practices/index.html

Slide 122

Slide 122 text

http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 80

Slide 123

Slide 123 text

81 Find me on twitter: @jaytaph Find me for development and training: www.noxlogic.nl Find me on email: [email protected] Find me for blogs: www.adayinthelifeof.nl