Slide 1

Slide 1 text

A brief introduction to HTTPS
Thierry Sans

Slides 2-6

Slides 2-6 text

Today, we are going to
1. understand HTTP
2. break HTTP
3. secure HTTP with HTTPS
4. go beyond HTTPS

Slide 7

Slide 7 text

1. Understanding HTTP

Slides 8-12

Slides 8-12 text

HTTP - Hypertext Transfer Protocol
Diagram: the web browser sends an HTTP request to the web server, and the web server sends back an HTTP response.

Slides 13-16

Slides 13-16 text

HTTP Authentication
Diagram: the browser sends its credentials (login: [email protected], password: pass4example) and the server answers with a session ID (SID: scACRSm…); the exchanges that follow form a session.

Slide 17

Slide 17 text

The concept of session
The session id (a.k.a. authentication token) is
• unique and unforgeable (usually a long random string)
• sent back and forth between the web browser and the web server in the cookie
• bound to the user’s data on the server
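As an added example (not from the slides), here is a minimal Python session store showing the three properties above in code: a 256-bit random ID drawn from the OS CSPRNG, a Set-Cookie header that carries it, and a server-side lookup that binds it to user data and rejects any ID the server never issued. The HttpOnly and Secure cookie attributes, the end_session logout step and all function names are my additions, not anything the lecture shows.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side table: session id -> user data. Only the id ever leaves the server.
SESSIONS = {}


def create_session(user_email):
    """Mint a session id for a user who has just proven their password.
    secrets.token_urlsafe(32) draws 32 bytes (256 bits) from the OS CSPRNG,
    so the id is practically unique and cannot be guessed by brute force
    (2**256 possibilities, unlike a short password)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"email": user_email}
    return sid


def session_cookie(sid):
    """Build the Set-Cookie value that hands the id to the browser.
    HttpOnly and Secure go beyond the slides: they keep the id away from
    page scripts and off plaintext HTTP connections."""
    cookie = SimpleCookie()
    cookie["SID"] = sid
    cookie["SID"]["path"] = "/"
    cookie["SID"]["httponly"] = True
    cookie["SID"]["secure"] = True
    return cookie.output(header="").strip()


def lookup_session(cookie_header):
    """Return the user data bound to the SID in a Cookie header, or None.
    A presented id the server never issued (a guess or a forgery) has no
    entry in SESSIONS, so it is rejected."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "SID" not in cookie:
        return None
    return SESSIONS.get(cookie["SID"].value)


def end_session(sid):
    """Logout: drop the binding, so the id is worthless even if stolen later."""
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    sid = create_session("alice@example.com")  # constructed user
    print(session_cookie(sid))                 # SID=...; HttpOnly; Path=/; Secure
    print(lookup_session("SID=" + sid))        # {'email': 'alice@example.com'}
    print(lookup_session("SID=" + "A" * 43))   # None: a forged id is bound to nothing
```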

Slide 18

Slide 18 text

2. Breaking HTTP

Slides 19-22

Slides 19-22 text

How to steal user’s credentials
➡ Brute force the user’s password or session ID
➡ Steal the user’s password or session ID

Slides 23-25

Slides 23-25 text

Do you trust the network?
Diagram: an eavesdropper on the network reads the messages exchanged between browser and server ("interesting!").
๏ Threat 1: an attacker can eavesdrop on messages sent back and forth

Slides 26-28

Slides 26-28 text

Do you really trust the network?
Diagram: an attacker on the network answers the browser in place of example.com ("I am example.com!").
๏ Threat 2: an attacker can tamper with messages sent back and forth

Slides 29-33

Slides 29-33 text

Confidentiality and Integrity
๏ Threat 1: an attacker can eavesdrop on messages sent back and forth
Confidentiality: how do we exchange information secretly?
๏ Threat 2: an attacker can tamper with messages sent back and forth
Integrity: how do we exchange information reliably?

Slide 34

Slide 34 text

3. Securing HTTP with HTTPS

Slide 35

Slide 35 text

Generic solution - HTTPS
✓ HTTPS = HTTP + TLS
➡ Transport Layer Security (TLS, previously known as SSL) provides
• confidentiality: end-to-end secure channel
• integrity: authentication handshake
Slides 36-40

Slides 36-40 text

Generating and using (self-signed) certificates
Diagram: the browser asks "who are you?" and the server answers "I am example.com" with a certificate it signed itself.

Slide 41

Slide 41 text

Self-signed certificates are not trusted by your browser

Slides 42-48

Slides 42-48 text

Signed Certificate
Diagram: a Certificate Authority (CA) signs the server's certificate; the browser asks "who are you?" and the server answers "I am example.com" with the CA-signed certificate.

Slide 49

Slide 49 text

Your browser trusts many CAs by default

Slide 50

Slide 50 text

Real attacks

Slide 51

Slide 51 text

4. Beyond HTTPS

Slide 52

Slide 52 text

Why and when to use HTTPS?
HTTPS = HTTP + TLS
➡ TLS provides
• confidentiality: end-to-end secure channel
• integrity: authentication handshake
➡ HTTPS protects any data sent back and forth, including:
• login and password
• session ID
✓ HTTPS everywhere
HTTPS must be used during the entire session
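To make the "entire session" rule concrete, here is an added Python model (not from the slides) of the browser's decision to attach a cookie to a request, run over a constructed session in which one page element is fetched over plain HTTP. The URL list, the cookie records and the function names are constructed for this illustration; the Secure cookie attribute comes from RFC 6265 and is not something the slides mention.

```python
from urllib.parse import urlsplit

# Constructed browsing session: login and account pages over HTTPS, but one
# image fetched over plain HTTP before the user logs out.
SESSION_URLS = [
    "https://example.com/login",
    "https://example.com/account",
    "http://example.com/static/logo.png",
    "https://example.com/logout",
]

# Constructed session cookies. "secure" stands for the Secure attribute of
# RFC 6265, which tells the browser to send the cookie over https only.
WEAK_COOKIE = {"name": "SID", "domain": "example.com", "secure": False}
SAFE_COOKIE = {"name": "SID", "domain": "example.com", "secure": True}


def cookie_sent(cookie, url):
    """Would a browser attach `cookie` to a request for `url`?
    The cookie goes only to its own host, and a Secure cookie only over https."""
    parts = urlsplit(url)
    if parts.hostname != cookie["domain"]:
        return False
    if cookie["secure"] and parts.scheme != "https":
        return False
    return True


def cleartext_leaks(cookie, urls):
    """Requests on which the session id travels in cleartext, i.e. where an
    eavesdropper on the network (Threat 1) can read it."""
    return [u for u in urls if urlsplit(u).scheme == "http" and cookie_sent(cookie, u)]


def broken_requests(cookie, urls):
    """Requests that go out without the session id, so the server treats the
    user as logged out for that request."""
    return [u for u in urls if not cookie_sent(cookie, u)]


if __name__ == "__main__":
    # Without Secure, the single http:// fetch leaks the session id.
    print(cleartext_leaks(WEAK_COOKIE, SESSION_URLS))  # ['http://example.com/static/logo.png']
    # With Secure nothing leaks, but that request loses the session instead.
    print(cleartext_leaks(SAFE_COOKIE, SESSION_URLS))  # []
    print(broken_requests(SAFE_COOKIE, SESSION_URLS))  # ['http://example.com/static/logo.png']
    # Either way the cure is the slides' rule: https for every request of the session.
```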

Slide 53

Slide 53 text

Limitation of HTTPS


Slide 57

Slide 57 text

Beyond this lecture
15-349 Introduction to Computer and Network Security
• symmetric and asymmetric crypto-systems
• the TLS protocol
• network and host-based threats, vulnerabilities, attacks and counter-measures
15-437 Web Application Development
• the HTTP protocol
• how to deploy your web application over HTTPS
• web-based threats, vulnerabilities, attacks and counter-measures