The first 200 milliseconds of HTTPS
Joshua Thijssen
jaytaph
➡ What’s happening in the first 200+ milliseconds of an initial HTTPS connection.
➡ Give tips and hints on hardening your setup.
➡ Give you insights into new and upcoming technologies.
➡ Show you things you (probably) didn’t know.
This talk is inspired by a blog post from Jeff Moser:
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

Unknown fact!
HTTPS == HTTP on top of TLS

Transport Layer Security (TLS)

Secure Socket Layer (SSL)
A short and scary history
Timeline, then → now:
1994: SSL 1.0, vaporware
feb 1995: SSL 2.0, not-so-secure-socket-layer
jun 1996: SSL 3.0, something stable!
jan 1999: TLS 1.0 (SSL 3.1)
apr 2006: TLS 1.1
aug 2008: TLS 1.2
Record Layer header: Type | Version | Length, followed by the protocol payload

➡ Handshake protocol records
  ➡ Setup communication
➡ Change Cipher Spec protocol records
  ➡ Change communication
➡ Alert protocol records
  ➡ Errors
➡ Application Data protocol records
  ➡ Actual data transfers
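A minimal parser for the record-layer header just described, added here as an example (it is not code from the talk or from the author's TLS-decoder project). The content-type and version values are the ones defined in RFC 5246; the sample records, the `build_record` helper and the function names are constructed for this illustration.

```python
import struct
from typing import Iterator, NamedTuple

# ContentType values from RFC 5246 section 6.2.1: the four record protocols of the slide.
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# Record-layer (major, minor) version bytes -> protocol name.
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# RFC 5246 section 6.2.3: a ciphertext fragment may not exceed 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2 ** 14 + 2048


class Record(NamedTuple):
    content_type: str
    version: str
    payload: bytes


def parse_records(buf: bytes) -> Iterator[Record]:
    """Walk a buffer of concatenated TLS records and yield one Record per header.

    Raises ValueError on an unknown content type, an unknown version, an oversized
    length field or a truncated record, so a caller never works on a half-read body.
    """
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", buf[offset:offset + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type %d" % ctype)
        if (major, minor) not in VERSIONS:
            raise ValueError("unknown record version %d.%d" % (major, minor))
        if length > MAX_RECORD_LEN:
            raise ValueError("record length %d exceeds limit" % length)
        body = buf[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        yield Record(CONTENT_TYPES[ctype], VERSIONS[(major, minor)], body)
        offset += 5 + length


def build_record(ctype: int, version: tuple, payload: bytes) -> bytes:
    """Constructed helper: serialise the 5-byte header (Type, Version, Length) + payload."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


def summarize(buf: bytes) -> list:
    """Return [(content_type, version, payload_length), ...] for a buffer."""
    return [(r.content_type, r.version, len(r.payload)) for r in parse_records(buf)]


def is_well_formed(buf: bytes) -> bool:
    """True if every record in the buffer passes the header checks above."""
    try:
        list(parse_records(buf))
        return True
    except ValueError:
        return False


# Constructed sample: a TLS 1.2 handshake record carrying a dummy 9-byte body
# (handshake type 1 = client_hello, 3-byte length, then filler), followed by a
# TLS 1.2 alert record (level 2 = fatal, description 40 = handshake_failure).
SAMPLE = (
    build_record(22, (3, 3), b"\x01\x00\x00\x05hello")
    + build_record(21, (3, 3), bytes([2, 40]))
)

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

Rejecting an oversized length field before reading the body is the check that matters operationally: a length the parser trusts blindly is how record-layer code ends up reading past its buffer.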
TIME is NOT random, thus not a very good entropy source.

PHP is bad when it comes to entropy.

Unknown fact!
➡ openssl_pseudo_random_bytes()
➡ read from /dev/(u)random
➡ Use an HRNG (hardware random number generator)
➡ “A million random digits”
➡ https://github.com/ircmaxell/RandomLib
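To make the "time is not random" point concrete, here is an added example (not code from the talk) contrasting a token seeded from the clock with one drawn from the OS CSPRNG. The `weak_token` generator is a constructed anti-pattern written for this illustration; `secrets` reads from the operating system's randomness source (on Linux, /dev/urandom or getrandom(2)), which is the "read from /dev/(u)random" advice of the slide in Python form.

```python
import math
import random
import secrets
import time


def weak_token(seed_time: int) -> str:
    """Toy session token seeded only from a whole-second timestamp (constructed anti-pattern).

    The 'randomness' is a pure function of the clock: two calls in the same second
    give the same token, and anyone who knows roughly when it was issued can rebuild it.
    """
    rng = random.Random(seed_time)          # deterministic PRNG, seeded by time
    return "%032x" % rng.getrandbits(128)


def strong_token() -> str:
    """Token from the OS CSPRNG: 16 bytes = 128 bits of entropy, hex encoded."""
    return secrets.token_hex(16)


def seed_space_bits(window_seconds: int) -> float:
    """Effective entropy of a time-seeded token when the issue time is known to lie
    in a window of the given size: log2 of the number of possible seeds."""
    return math.log2(window_seconds)


def recover_weak_token(observed: str, t_start: int, t_end: int):
    """Audit helper: show that a time-seeded token is recoverable by walking the seed
    window. Returns the timestamp that reproduces it, or None if none does."""
    for t in range(t_start, t_end + 1):
        if weak_token(t) == observed:
            return t
    return None


if __name__ == "__main__":
    now = int(time.time())
    tok = weak_token(now)
    print("weak token   :", tok, "reproduced from timestamp", recover_weak_token(tok, now - 3600, now))
    print("entropy bits :", round(seed_space_bits(3600), 1), "for a one-hour issue window")
    print("strong token :", strong_token(), "(128 bits)")
```

A one-hour window leaves under 12 bits of uncertainty in the weak token against 128 bits in the strong one, which is the whole difference between "looks random" and "is random".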
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS            protocol prefix
ECDHE          cipher for exchanging key information
ECDSA          cipher for authenticating key information
AES_128_GCM    actual cipher (and key length) used for communication
SHA256         hash algorithm for message authentication

Other examples:
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_NULL_WITH_NULL_NULL

Client gives cipher options, server ultimately decides on cipher!

THIS IS WHY YOU SHOULD ALWAYS CONFIGURE YOUR CIPHERS ON YOUR WEB SERVER!
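An added example (not from the talk) that splits suite names into the four parts the slide annotates, flags the properties a server-side cipher review looks for, and models the "client offers, server decides" rule with a server-ordered preference list. The suite names and constants are standard IANA names; `SERVER_PREFERENCE`, the client offer and all function names are constructed for this illustration.

```python
from typing import NamedTuple


class CipherSuite(NamedTuple):
    name: str
    key_exchange: str      # e.g. ECDHE: how key information is exchanged
    authentication: str    # e.g. ECDSA: how that key information is authenticated
    bulk_cipher: str       # e.g. AES_128_GCM: the cipher (and key length) for the data
    mac_or_prf: str        # e.g. SHA256: the hash for message authentication / PRF
    forward_secrecy: bool  # True only for ephemeral (DHE / ECDHE) exchanges
    encrypted: bool        # False for the NULL bulk cipher


# Bulk cipher tokens that can appear between WITH and the final hash token.
BULK_CIPHERS = {
    "NULL", "RC4_128", "3DES_EDE_CBC", "AES_128_CBC", "AES_256_CBC",
    "AES_128_GCM", "AES_256_GCM", "CHACHA20_POLY1305",
}


def parse_suite(name: str) -> CipherSuite:
    """Split an IANA-style suite name exactly as the slide does for
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS_..._WITH_... suite name: %r" % name)
    kx_part, rest = name[4:].split("_WITH_", 1)
    bulk, hash_alg = rest.rsplit("_", 1)
    if bulk not in BULK_CIPHERS:
        raise ValueError("unrecognised bulk cipher %r in %s" % (bulk, name))
    if "_" in kx_part:
        kx, auth = kx_part.split("_", 1)        # ECDHE_ECDSA, DHE_RSA, DH_anon, ...
    else:
        kx = auth = kx_part                     # plain RSA: one key transports and authenticates
    return CipherSuite(name, kx, auth, bulk, hash_alg,
                       forward_secrecy=kx in ("DHE", "ECDHE"),
                       encrypted=bulk != "NULL")


def weaknesses(suite: CipherSuite) -> list:
    """Points a reviewer would raise before allowing a suite in server configuration."""
    out = []
    if not suite.encrypted:
        out.append("no encryption (NULL bulk cipher)")
    if suite.authentication in ("anon", "NULL"):
        out.append("unauthenticated key exchange")
    if not suite.forward_secrecy:
        out.append("no forward secrecy (static key exchange: a leaked private key exposes recorded sessions)")
    if suite.bulk_cipher == "RC4_128":
        out.append("RC4 (prohibited by RFC 7465)")
    if suite.bulk_cipher.endswith("_CBC"):
        out.append("CBC mode: prefer an AEAD suite such as GCM or CHACHA20_POLY1305")
    if suite.mac_or_prf in ("MD5", "NULL"):
        out.append("weak or absent hash (%s)" % suite.mac_or_prf)
    return out


# Constructed server preference list: what "configure your ciphers" amounts to.
SERVER_PREFERENCE = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]


def server_selects(server_preference: list, client_offer: list) -> str:
    """The client offers, the server decides: with server-order preference the first
    server-preferred suite the client also offers wins, whatever the client's order.
    A suite absent from the server list (here TLS_NULL_WITH_NULL_NULL) can never be chosen."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    raise ValueError("no shared cipher suite")


if __name__ == "__main__":
    for name in ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_256_CBC_SHA256",
                 "TLS_NULL_WITH_NULL_NULL"):
        s = parse_suite(name)
        print(name, "->", s.key_exchange, s.authentication, s.bulk_cipher, s.mac_or_prf,
              "| issues:", weaknesses(s) or "none")
```

The forward-secrecy flag is worth keeping in view: it is the property the deck returns to at the end under (Perfect) Forward Secrecy, and it is decided entirely by the key-exchange token of the suite the server picks.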
Unknown fact!
➡ SNI (Server Name Indication)
➡ Extension 0x0000
➡ Pretty much every decent browser / server.
➡ IE6, Win XP, Blackberry, Android 2.x, Java 1.6.x
➡ So no worries!
What an SSL certificate is NOT:
➡ An SSL certificate (but an X.509 certificate)
➡ Automatically secure
➡ Automatically trustworthy
➡ In any way better than self-signed certificates
➡ Cheap
What an SSL certificate is:
➡ The best way (but not perfect) to prove authenticity
➡ A way to bootstrap encrypted communication
➡ Misleading
➡ (Too) Expensive
➡ X.509 Certificate
  ➡ Owner info (who is this owner)
  ➡ Domain info (for which domain(s) is this certificate valid)
  ➡ Expiry info (from when to when is this certificate valid)
Certificate chain: yourdomain.com ← Intermediate CA ← Root CA

IMPLIED TRU$T

➡ (Root) Certificate Authorities
➡ They are built into your browser / OS and you will automatically trust them.
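An added example (not from the talk) that models the checks implied by the three slides above: domain info against the requested hostname, expiry info against today's date, and a chain from yourdomain.com through the intermediate to a root that is "built into your browser". The certificates are constructed dictionaries standing in for X.509 fields, not parsed certificates, and signature verification is deliberately out of scope; a real validator must do it. All names are made up for this illustration.

```python
from datetime import date

# Constructed toy certificates: the fields the slides name (owner, domain(s), validity)
# plus the issuer link that forms the chain. Not real certificates.
ROOT_CA = {"subject": "Root CA", "issuer": "Root CA", "sans": [],
           "not_before": date(2010, 1, 1), "not_after": date(2030, 1, 1)}
INTERMEDIATE_CA = {"subject": "Intermediate CA", "issuer": "Root CA", "sans": [],
                   "not_before": date(2012, 1, 1), "not_after": date(2025, 1, 1)}
LEAF = {"subject": "yourdomain.com", "issuer": "Intermediate CA",
        "sans": ["yourdomain.com", "*.yourdomain.com"],
        "not_before": date(2013, 12, 1), "not_after": date(2015, 12, 1)}
SELF_SIGNED = {"subject": "yourdomain.com", "issuer": "yourdomain.com",
               "sans": ["yourdomain.com"],
               "not_before": date(2013, 12, 1), "not_after": date(2015, 12, 1)}

# The "implied trust": roots shipped with the browser / OS, trusted automatically.
TRUST_STORE = {ROOT_CA["subject"]: ROOT_CA}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard in the leftmost label only that
    covers exactly one label (*.yourdomain.com matches api.yourdomain.com,
    not yourdomain.com and not deep.api.yourdomain.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".yourdomain.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[:-len(suffix)]
        return label != "" and "." not in label
    return False


def validate(chain: list, hostname: str, today: date, trust_store: dict = TRUST_STORE) -> list:
    """Return a list of problems (empty means acceptable). chain[0] is the leaf,
    each following entry must be the issuer of the previous one, and the last
    entry's issuer must be a root in the trust store."""
    problems = []
    leaf = chain[0]
    if not any(hostname_matches(p, hostname) for p in leaf["sans"]):
        problems.append("hostname %s not covered by %s" % (hostname, leaf["sans"]))
    for cert in chain:
        if not (cert["not_before"] <= today <= cert["not_after"]):
            problems.append("%s not valid on %s" % (cert["subject"], today))
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            problems.append("%s was not issued by %s" % (child["subject"], parent["subject"]))
    if chain[-1]["issuer"] not in trust_store:
        problems.append("chain does not end at a trusted root (issuer %r unknown)" % chain[-1]["issuer"])
    return problems


if __name__ == "__main__":
    today = date(2014, 6, 1)
    print("CA-issued chain :", validate([LEAF, INTERMEDIATE_CA], "yourdomain.com", today) or "ok")
    print("self-signed     :", validate([SELF_SIGNED], "yourdomain.com", today))
    print("after expiry    :", validate([LEAF, INTERMEDIATE_CA], "yourdomain.com", date(2026, 1, 1)))
```

The self-signed case fails only the last check: nothing about the certificate's own fields is worse than the CA-issued one, which is the slide's point that a CA certificate is not "in any way better" cryptographically; what it adds is a path to a root you already (implicitly) trust.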
➡ X.509 certificates are used to authenticate the server.
➡ Servers can ask clients to authenticate themselves as well.
  ➡ APIs
Generating secrets:
pre master secret + server rand + client rand → master secret
master secret + server rand + client rand → key buffer
key buffer → client MAC | client KEY | client IV | server MAC | server KEY | server IV

Try it yourself, PHP style:
https://github.com/jaytaph/TLS-decoder
http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
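The two derivation steps above, carried out with the TLS 1.2 PRF from RFC 5246 (P_SHA256) in Python, as an added example that is not the author's PHP decoder. The label strings, the seed orders (client random first for the master secret, server random first for key expansion) and the split order of the key buffer are the ones RFC 5246 sections 8.1 and 6.3 specify; the pre-master secret and randoms are constructed sample bytes, and the key sizes in the demo are those of the deck's AES_128_GCM suite (no MAC key, 16-byte key, 4-byte implicit IV per RFC 5288).

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 (RFC 5246 section 5): HMAC chained over A(i) until enough output."""
    out = b""
    a = seed                                                        # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """pre master secret + client rand + server rand -> 48-byte master secret."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def derive_keys(master: bytes, client_random: bytes, server_random: bytes,
                mac_len: int, key_len: int, iv_len: int) -> dict:
    """master secret + server rand + client rand -> key buffer, split in the order
    RFC 5246 section 6.3 gives: client MAC, server MAC, client key, server key,
    client IV, server IV (note the slide groups them per side; the buffer does not)."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_mac", mac_len), ("server_mac", mac_len),
              ("client_key", key_len), ("server_key", key_len),
              ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, off = {}, 0
    for name, size in layout:
        keys[name] = block[off:off + size]
        off += size
    return keys


# Constructed sample inputs (not from a real session). With RSA key transport the
# pre-master secret is 48 bytes starting with the client version; with ECDHE it is
# the shared-point x coordinate instead. Randoms are 32 bytes each.
PRE_MASTER = b"\x03\x03" + b"\x11" * 46
CLIENT_RANDOM = b"\xaa" * 32
SERVER_RANDOM = b"\xbb" * 32


def demo() -> dict:
    """Run both steps for the AES_128_GCM sizes and return the key material."""
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    return derive_keys(ms, CLIENT_RANDOM, SERVER_RANDOM, mac_len=0, key_len=16, iv_len=4)


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-10s %s" % (name, value.hex() or "(none)"))
```

Everything after the pre-master secret is deterministic: whoever holds the pre-master (or master) secret and both randoms from the handshake can reproduce every key in the buffer, which is exactly what the SSLKEYLOGFILE trick later in the deck relies on.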
Unknown fact!
Wireshark CAN decrypt your HTTPS traffic

SSLKEYLOGFILE
https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

On a Mac:
launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
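What the browser writes to that file is the NSS key log format: one line per session, `CLIENT_RANDOM <hex client random> <hex master secret>`, which is enough for Wireshark to rerun the key derivation for the matching handshake. An added example (not from the talk or from Wireshark) that parses such a file and looks up the master secret for a captured client random; the sample lines are constructed and contain no real secrets, and the function names are made up for this illustration.

```python
import os

# Constructed sample key log (not real session secrets): a comment line and two
# TLS 1.2 sessions. A browser writes lines like these when SSLKEYLOGFILE is set.
SAMPLE_KEYLOG = """\
# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM {cr1} {ms1}

CLIENT_RANDOM {cr2} {ms2}
""".format(cr1="a1" * 32, ms1="b2" * 48, cr2="c3" * 32, ms2="d4" * 48)


def parse_keylog(text: str) -> dict:
    """Parse '<LABEL> <hex client random> <hex secret>' lines into
    {(label, client_random_bytes): secret_bytes}. Blank lines and '#' comments are
    skipped; a malformed line raises rather than being silently dropped."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("line %d: expected 3 fields, got %d" % (lineno, len(parts)))
        label, client_random_hex, secret_hex = parts
        client_random = bytes.fromhex(client_random_hex)
        secret = bytes.fromhex(secret_hex)
        if len(client_random) != 32:
            raise ValueError("line %d: client random must be 32 bytes" % lineno)
        if label == "CLIENT_RANDOM" and len(secret) != 48:
            raise ValueError("line %d: master secret must be 48 bytes" % lineno)
        table[(label, client_random)] = secret
    return table


def lookup_master_secret(table: dict, client_random: bytes):
    """Master secret for a TLS 1.2 session identified by its ClientHello random,
    or None if the log has no entry for it (session not logged, or a TLS 1.3
    session, which uses per-stage labels instead of CLIENT_RANDOM)."""
    return table.get(("CLIENT_RANDOM", client_random))


def load_keylog_from_env() -> dict:
    """Read the file named by SSLKEYLOGFILE (the variable the slide sets), if present."""
    path = os.environ.get("SSLKEYLOGFILE")
    if not path or not os.path.exists(path):
        return {}
    with open(path) as fh:
        return parse_keylog(fh.read())


if __name__ == "__main__":
    table = parse_keylog(SAMPLE_KEYLOG)
    print("sessions logged:", len(table))
    print("secret for a1..:", lookup_master_secret(table, bytes.fromhex("a1" * 32)).hex())
```

The defensive reading of this feature: a key log file is a plaintext export of every session's master secret, so its presence on a workstation (or a stray SSLKEYLOGFILE variable in a service's environment) deserves the same handling as a private key.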
➡ TLS has overhead in computation and transfers. But definitely worth it.
➡ Google likes it.
➡ Some ciphersuites are better, but slower.
➡ Speed / Security compromise
➡ (try: “openssl speed”)
Are we safe yet?

euh,.. no :/

PRE MASTER SECRET

What if somebody* got hold of the site private key?

(PERFECT) FORWARD SECRECY

Compromising the pre-master secret does not compromise our communication.

PFS: Can’t compromise other keys with a compromised key.
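An added example (not from the talk) that makes the "what if somebody got hold of the site private key" question concrete with toy Diffie-Hellman arithmetic: one exchange where the server's long-term key is the DH exponent (no forward secrecy, standing in for static key exchange such as RSA key transport) and one where a fresh per-session exponent is used and the long-term key only authenticates it. The group, the HMAC-as-signature stand-in and all names are constructed for this illustration and are far too small for real use; the `cryptography`-free arithmetic is only there to make the property visible.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group: a 61-bit Mersenne prime with generator 2 (constructed; far
# too small for real use, it only has to make the arithmetic runnable).
P = 2 ** 61 - 1
G = 2


def derive_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the shared DH value into a session key."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def static_exchange(server_long_term_priv: int, client_eph_priv: int):
    """No forward secrecy: the server's *long-term* private key is the DH exponent.
    Returns (recorded transcript, session key the two sides agree on)."""
    server_pub = pow(G, server_long_term_priv, P)
    client_pub = pow(G, client_eph_priv, P)
    session_key = derive_key(pow(server_pub, client_eph_priv, P))
    transcript = {"server_pub": server_pub, "client_pub": client_pub}
    return transcript, session_key


def ephemeral_exchange(server_long_term_priv: int, server_eph_priv: int, client_eph_priv: int):
    """Forward secrecy: the server draws a fresh exponent per session and uses the
    long-term key only to authenticate it (an HMAC tag stands in for a signature)."""
    server_eph_pub = pow(G, server_eph_priv, P)
    tag = hmac.new(server_long_term_priv.to_bytes(8, "big"),
                   server_eph_pub.to_bytes(8, "big"), hashlib.sha256).hexdigest()
    client_pub = pow(G, client_eph_priv, P)
    session_key = derive_key(pow(server_eph_pub, client_eph_priv, P))
    transcript = {"server_pub": server_eph_pub, "sig": tag, "client_pub": client_pub}
    # server_eph_priv goes out of scope here: nothing persistent retains it.
    return transcript, session_key


def recover_with_leaked_key(transcript: dict, leaked_long_term_priv: int) -> bytes:
    """What a recorded transcript yields to someone who later obtains the site's
    long-term private key: apply it as the exponent to the client's public value.
    This reproduces the static session key and produces garbage for the ephemeral one."""
    return derive_key(pow(transcript["client_pub"], leaked_long_term_priv, P))


if __name__ == "__main__":
    # Constructed fixed exponents so the run is reproducible.
    LONG_TERM, SERVER_EPH, CLIENT_EPH = 123456789012345, 987654321098765, 555555555555555
    t_static, k_static = static_exchange(LONG_TERM, CLIENT_EPH)
    t_eph, k_eph = ephemeral_exchange(LONG_TERM, SERVER_EPH, CLIENT_EPH)
    print("static   : leaked key recovers session?", recover_with_leaked_key(t_static, LONG_TERM) == k_static)
    print("ephemeral: leaked key recovers session?", recover_with_leaked_key(t_eph, LONG_TERM) == k_eph)
```

The second exchange is what an ECDHE or DHE suite buys you: a leaked long-term key lets an attacker impersonate the server from that moment on, which is bad enough, but it does not unlock traffic that was recorded earlier, and each session's key is independent of every other one.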
Find me on twitter: @jaytaph
Find me for development and training: www.noxlogic.nl
Find me on email: [email protected]
Find me for blogs: www.adayinthelifeof.nl