Slide 1

ROME 18-19 MARCH 2016
Let's Go HTTPS
Simone Carletti

Slide 2

HTTPS

Slide 3

HTTPS
I. About HTTPS
II. Obtaining an SSL certificate
III. Deploying an SSL certificate
IV. Serving HTTPS

Slide 4

Simone Carletti, @weppos

Slide 6

I. About HTTPS

Slide 7

What is HTTPS?

Slide 8

HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer.
https://en.wikipedia.org/wiki/HTTPS

Slide 9

What is HTTPS? HTTPS is a secure HTTP connection.

Slide 10

HTTPS is HTTP over an encrypted connection secured by TLS (previously SSL).

Slide 11

HTTPS is how websites securely exchange information.

Slide 12

Secure connection
Encryption: the process of encoding messages or information in such a way that only authorized parties can read it.
Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be.
TLS also provides a third property, integrity: a record modified in transit fails its MAC check and the connection is torn down.

Slide 13

KEEP CALM AND HTTP IS NOT ENCRYPTED

Slide 14

Diagram: HTTP Request / HTTP Response, both sent in the clear.

Slide 15

Diagram: HTTPS Request vs HTTP Request.

Slides 16-19

Authentication (diagram, built up over four slides)

Slide 21

SSL Certificate

Slide 22

Why HTTPS?

Slide 23

Why HTTPS?
- Security
- Ranking factor
- HTTP/2
- HTML5 features
- Chrome geolocation
- Firefox login forms + HTTPS

Slide 24

Security
- Data integrity
- Users' sensitive information
- Unencrypted traffic can be:
  - sniffed
  - modified (e.g. advertisement or script injection)

Slide 25

Ranking factor
https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

Slide 26

HTTP/2
Browsers implement HTTP/2 only over TLS, so HTTPS is a precondition for using it.
https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

Slide 27

HTML5 powerful features
Browser vendors restrict "powerful" features to secure origins:
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

Slide 28

Chrome geolocation (the Geolocation API is limited to secure origins)
https://codereview.chromium.org/1530403002/

Slide 29

Firefox login forms + HTTPS (Firefox marks non-HTTPS pages containing a login form as insecure)
https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/

Slide 30

SSL Certificate
A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer.

Slide 31

X.509 SSL Certificate
- Version
- Serial Number
- Issuer
- Validity
- Subject
- Public Key
- Extensions

Slide 32

Certificate types
- Single-name certificate: example.com
- Wildcard certificate: *.example.com (matches exactly one label: www.example.com, but neither example.com nor a.b.example.com)
- SAN certificate: example.com, www.example.com, foobar.com, …

Slide 33

Symmetric vs asymmetric encryption (diagram)
- Symmetric: John and Jane share one secret key, used both to encrypt and to decrypt.
- Asymmetric: John encrypts with Jane's public key; only Jane's private key can decrypt.

Slide 34

Symmetric encryption
"hello world!" → "puggy eyxgr!" → "hello world!"
John encrypts; John sends to Jane; Jane receives from John; Jane decrypts.
Shared key (letter substitution): a→b, b→w, c→n, d→r, e→u, f→o, g→v, h→p, i→s, j→z, k→k, l→g, m→m, n→h, o→y, p→c, q→j, r→x, s→d, t→t, u→f, v→i, w→e, x→l, y→a, z→q
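The two models from slides 33 and 34 side by side, as an added example that is not part of the original deck: the slide's substitution table is used as the shared secret of a symmetric cipher, and a textbook RSA key pair (assumed toy primes 61 and 53, far too small to be secure) stands in for the asymmetric case. The names John and Jane follow the slides; everything else is assumed.

```python
# Added example, not from the slides. The substitution table is the key
# shown on slide 34; the RSA parameters are a toy choice for illustration.
# Neither scheme is secure: the point is which key each party needs.

# Shared secret key from the slide: every lowercase letter maps to another.
SLIDE_KEY = dict([
    ("a", "b"), ("b", "w"), ("c", "n"), ("d", "r"), ("e", "u"), ("f", "o"),
    ("g", "v"), ("h", "p"), ("i", "s"), ("j", "z"), ("k", "k"), ("l", "g"),
    ("m", "m"), ("n", "h"), ("o", "y"), ("p", "c"), ("q", "j"), ("r", "x"),
    ("s", "d"), ("t", "t"), ("u", "f"), ("v", "i"), ("w", "e"), ("x", "l"),
    ("y", "a"), ("z", "q"),
])


def symmetric_encrypt(plaintext, key):
    """John encrypts with the shared key; characters outside a-z pass through."""
    return "".join(key.get(c, c) for c in plaintext)


def symmetric_decrypt(ciphertext, key):
    """Jane decrypts with the *same* key, applied in reverse."""
    inverse = {v: k for k, v in key.items()}
    return "".join(inverse.get(c, c) for c in ciphertext)


def toy_rsa_keypair(p=61, q=53, e=17):
    """Textbook RSA with assumed tiny primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def asymmetric_encrypt(message, key):
    """Encrypt byte by byte with one half of the pair (public to encrypt
    for the owner, private to produce something the public key verifies)."""
    n, exponent = key
    return [pow(b, exponent, n) for b in message]


def asymmetric_decrypt(blocks, key):
    """Decrypt with the other half of the pair."""
    n, exponent = key
    return bytes(pow(c, exponent, n) for c in blocks)


if __name__ == "__main__":
    print(symmetric_encrypt("hello world!", SLIDE_KEY))   # slide's ciphertext
    public_key, private_key = toy_rsa_keypair()
    sealed = asymmetric_encrypt(b"hello world!", public_key)   # John, with Jane's public key
    print(asymmetric_decrypt(sealed, private_key))             # Jane, with her private key
```

With the symmetric scheme Jane can only decrypt because she already holds the same table John used, which is the key-distribution problem TLS solves with the asymmetric step of the handshake: the public half is in the certificate, the private half never leaves the server.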

Slide 35

How does HTTPS work?

Slide 36

It's not a one-click setup :( yet

Slides 37-46

Handshake (DISCLAIMER: this schema is simplified on purpose; the slides build it up one message at a time)
1. SYN
2. SYN ACK (TCP connection setup; the slide omits the final ACK)
3. ClientHello: Client Random, Cipher suites (the list the client supports)
4. ServerHello, Certificate, ServerKeyExchange, ServerHelloDone: Server Random, the Cipher suite the server selected, Certificates (server certificate plus intermediates), Session ID, Server key exchange data
5. ClientKeyExchange: Client key exchange data
   SYMMETRIC KEY IS GENERATED, independently on both sides, from the two randoms and the key exchange data
6. ChangeCipherSpec, Finished (client): client switches to encryption; Finished carries a MAC of the whole handshake
7. ChangeCipherSpec, Finished (server): server switches to encryption; MAC of the handshake
8. Application data, encrypted, in both directions
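The exchange on slides 37-46, as an added example that is not part of the original deck: both parties are simulated in one process so the message flow and the "MAC of handshake" step can be watched. Assumptions: a toy Diffie-Hellman group (the Mersenne prime 2^127-1, far too small for real use) plays the key exchange, HMAC-SHA256 stands in for the TLS PRF, the certificate is a placeholder that is not verified, and the cipher suite lists are made up. Nothing here is wire-compatible with TLS.

```python
# Added example, not from the slides: a simplified TLS 1.2-style handshake
# with client and server in one process. Toy DH group, HMAC-SHA256 instead
# of the TLS PRF, placeholder certificate. Shows the flow, not real TLS.
import hashlib
import hmac
import os

DH_P = 2**127 - 1   # toy prime; real TLS uses >= 2048-bit groups or ECDHE
DH_G = 5

# Assumed cipher suite preferences of each side, most preferred first.
CLIENT_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]
SERVER_SUITES = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]


def choose_suite(client_offer, server_supported):
    """Server picks the first suite in its own order that the client offered
    (the behaviour nginx has with ssl_prefer_server_ciphers on)."""
    for suite in server_supported:
        if suite in client_offer:
            return suite
    raise ValueError("handshake_failure: no cipher suite in common")


def derive_master_secret(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: mixes the shared secret with both randoms."""
    label = b"master secret" + client_random + server_random
    return hmac.new(premaster, label, hashlib.sha256).digest()


def finished_mac(master, transcript):
    """'MAC of handshake': a MAC over every message this side has seen."""
    transcript_hash = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(master, transcript_hash, hashlib.sha256).digest()


def run_handshake(tampered_offer=None):
    """Run client and server side by side. Returns (suite, client_ok, server_ok);
    the booleans say whether each side accepted the peer's Finished message.
    tampered_offer, if given, replaces the client's cipher-suite list on the
    wire, modelling an on-path attacker trying to force a weaker suite."""
    seen_by_client, seen_by_server = [], []   # each side keeps its own transcript

    # 1. ClientHello: client random + offered cipher suites
    client_random = os.urandom(32)
    seen_by_client.append(client_random + ",".join(CLIENT_SUITES).encode())
    offer_on_wire = tampered_offer if tampered_offer is not None else CLIENT_SUITES
    seen_by_server.append(client_random + ",".join(offer_on_wire).encode())

    # 2. ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
    server_random = os.urandom(32)
    suite = choose_suite(offer_on_wire, SERVER_SUITES)
    session_id = os.urandom(16)
    server_priv = int.from_bytes(os.urandom(16), "big")
    server_pub = pow(DH_G, server_priv, DH_P)          # server key exchange data
    certificate = b"placeholder certificate for www.example.com"
    server_flight = (server_random + suite.encode() + certificate
                     + session_id + server_pub.to_bytes(16, "big"))
    seen_by_server.append(server_flight)
    seen_by_client.append(server_flight)

    # 3. ClientKeyExchange: client key exchange data
    client_priv = int.from_bytes(os.urandom(16), "big")
    client_pub = pow(DH_G, client_priv, DH_P)
    client_flight = client_pub.to_bytes(16, "big")
    seen_by_client.append(client_flight)
    seen_by_server.append(client_flight)

    # SYMMETRIC KEY IS GENERATED, on each side independently
    premaster_client = pow(server_pub, client_priv, DH_P).to_bytes(16, "big")
    premaster_server = pow(client_pub, server_priv, DH_P).to_bytes(16, "big")
    master_client = derive_master_secret(premaster_client, client_random, server_random)
    master_server = derive_master_secret(premaster_server, client_random, server_random)

    # 4. ChangeCipherSpec + Finished from the client; the server verifies it
    client_finished = finished_mac(master_client, seen_by_client)
    server_ok = hmac.compare_digest(client_finished, finished_mac(master_server, seen_by_server))

    # 5. ChangeCipherSpec + Finished from the server; the client verifies it
    server_finished = finished_mac(master_server, seen_by_server)
    client_ok = hmac.compare_digest(server_finished, finished_mac(master_client, seen_by_client))

    return suite, client_ok, server_ok


if __name__ == "__main__":
    print(run_handshake())
    print(run_handshake(tampered_offer=["TLS_RSA_WITH_AES_128_CBC_SHA"]))
```

An attacker who strips the AES-GCM suites from the ClientHello does make the server pick TLS_RSA_WITH_AES_128_CBC_SHA, but both Finished checks then fail because the two transcripts no longer agree; that is what the MAC of the handshake is for.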

Slide 47

Cipher suites
A cipher suite is a selection of cryptographic primitives and other parameters that defines exactly how security will be implemented. (Bulletproof SSL and TLS)

Slide 48

Cryptographic primitives
At the lowest level, cryptography relies on various cryptographic primitives. Each primitive is designed with a particular useful functionality in mind. The primitives alone are not very useful, but we can combine them into schemes and protocols to provide robust security. For example, we might use one primitive for hashing, one for encryption and another for integrity checking.

Slide 49

II. Obtaining an SSL certificate

Slide 50

Self-signed vs trusted
Trusted (CA-issued):
- Provides encryption
- Provides authentication
- Issued and signed by a publicly trusted Certification Authority
- Suitable for production environments as well as for testing
- Generally not free (Let's Encrypt, on slide 96, issues free DV certificates)
Self-signed:
- Provides encryption
- Doesn't provide authentication: nobody independent vouches for the identity, so browsers warn
- Generally used for testing
- Free

Slide 51

Certificate Authority
A Certificate Authority (CA) is a trusted entity that issues digital certificates.

Slide 52

Chain of trust
- Browsers and operating systems include a list of trusted certificates
- These certificates are called root certificates, and they generally belong to trusted parties, such as certificate authorities

Slide 53

Chain of trust
- When a certificate authority issues a certificate, they sign the certificate with the key of their root certificate

Slide 54

Chain of trust
- Truthfully, in most cases certification authorities use sub-certificates to sign your certificate
- These certificates are called intermediate certificates, and they are signed with a root certificate (the root key can then stay offline; only the intermediate signs day to day)

Slide 55

Chain of trust
- When the browser connects to a site via HTTPS, the browser reads the site certificate
- The certificate doesn't match a trusted root certificate (it is not in the trust store and was not signed directly by a root)

Slide 56

Chain of trust
- The browser looks for the certificate that was used to sign the current certificate, normally in the chain the server sent (some browsers also fetch it from the issuer URL embedded in the certificate)
- The certificate doesn't match a trusted root certificate

Slide 57

Chain of trust
- The browser looks for the certificate that was used to sign the current certificate
- The certificate matches a root certificate
- The original certificate is trusted :)
- The entire certificate chain is trusted

Slide 58

Chain of trust
- The browser looks for the certificate that was used to sign the current certificate
- The certificate doesn't match a root certificate, and there are no more certificates
- The original certificate is untrusted :(
- The entire certificate chain is untrusted
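The walk described on slides 52-58, as an added example that is not part of the original deck: a site certificate is followed issuer by issuer until either a root in the trust store signs the current certificate (trusted) or the supplied certificates run out (untrusted). Assumptions: certificates are plain dictionaries, signatures are textbook RSA over a SHA-256 digest reduced mod n with tiny precomputed keys, and the names (Toy Root CA, Toy Intermediate CA, www.example.com) are made up. Real X.509 validation also checks key usage, name constraints, revocation and more.

```python
# Added example, not from the slides: chain walking on toy certificates.
# Toy RSA keys (n, e, d), precomputed from tiny primes; insecure by design.
import hashlib
from datetime import date

ROOT_KEY = (3233, 17, 2753)          # p=61,  q=53
INTERMEDIATE_KEY = (10403, 7, 8743)  # p=101, q=103
LEAF_KEY = (8633, 5, 5069)           # p=89,  q=97
TALK_DATE = date(2016, 3, 18)        # "today" for the worked checks
AFTER_EXPIRY = date(2018, 1, 1)


def _tbs(cert):
    """The 'to be signed' bytes: every field except the signature."""
    n, e = cert["public_key"]
    return "|".join([cert["subject"], cert["issuer"], str(n), str(e),
                     cert["not_before"].isoformat(),
                     cert["not_after"].isoformat()]).encode()


def _digest(tbs, n):
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n


def toy_sign(tbs, signer_key):
    n, _e, d = signer_key
    return pow(_digest(tbs, n), d, n)


def toy_verify(tbs, signature, signer_public):
    n, e = signer_public
    return pow(signature, e, n) == _digest(tbs, n)


def make_cert(subject, issuer, key, signer_key, not_before, not_after):
    cert = {"subject": subject, "issuer": issuer, "public_key": key[:2],
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = toy_sign(_tbs(cert), signer_key)
    return cert


# Root (self-signed), intermediate signed by the root, leaf by the intermediate.
ROOT_CERT = make_cert("Toy Root CA", "Toy Root CA", ROOT_KEY, ROOT_KEY,
                      date(2010, 1, 1), date(2030, 1, 1))
INTERMEDIATE_CERT = make_cert("Toy Intermediate CA", "Toy Root CA",
                              INTERMEDIATE_KEY, ROOT_KEY,
                              date(2015, 1, 1), date(2025, 1, 1))
LEAF_CERT = make_cert("www.example.com", "Toy Intermediate CA",
                      LEAF_KEY, INTERMEDIATE_KEY,
                      date(2016, 1, 1), date(2017, 1, 1))


def verify_chain(leaf, intermediates, trust_store, today):
    """Walk from the site certificate towards a trusted root.
    Returns (trusted, reason)."""
    cert, pool = leaf, list(intermediates)
    while True:
        if not (cert["not_before"] <= today <= cert["not_after"]):
            return False, f"{cert['subject']} is outside its validity period"
        # Does the issuer name match a root certificate in the trust store?
        root = next((c for c in trust_store if c["subject"] == cert["issuer"]), None)
        if root is not None:
            if toy_verify(_tbs(cert), cert["signature"], root["public_key"]):
                return True, f"chain ends at trusted root {root['subject']}"
            return False, f"signature on {cert['subject']} does not verify under {root['subject']}"
        # Otherwise look for the issuing certificate among those supplied.
        parent = next((c for c in pool if c["subject"] == cert["issuer"]), None)
        if parent is None:
            return False, f"no certificate for issuer {cert['issuer']} and no more certificates"
        if not toy_verify(_tbs(cert), cert["signature"], parent["public_key"]):
            return False, f"signature on {cert['subject']} does not verify under {parent['subject']}"
        pool.remove(parent)      # use each certificate at most once: no loops
        cert = parent


if __name__ == "__main__":
    print(verify_chain(LEAF_CERT, [INTERMEDIATE_CERT], [ROOT_CERT], TALK_DATE))
    print(verify_chain(LEAF_CERT, [], [ROOT_CERT], TALK_DATE))   # intermediate missing
    print(verify_chain(LEAF_CERT, [INTERMEDIATE_CERT], [], TALK_DATE))   # root not trusted
```

The second and third calls are the two ways slide 58 happens in practice: a server that forgets to send its intermediate, and a root that the client's trust store does not contain. Both fail with the same user-visible outcome even though only one is the site operator's fault.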


Slide 60

Create a certificate
1. Generate a private/public key pair:
$ openssl genrsa -des3 -out private.key 2048
...
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
(-des3 encrypts the key file with a passphrase. A server that must restart unattended usually needs an unencrypted key: drop -des3 and protect the file with permissions instead.)

Slide 61

Create a certificate
1. Generate a private/public key pair
2. Generate a Certificate Signing Request (CSR):
$ openssl req -nodes -new -key private.key -out server.csr
...
Country Name (2 letter code) [AU]:US
Common Name (eg, YOUR name) []:www.example.com
...
(The Common Name is the hostname. Current browsers match the hostname against the subjectAltName extension rather than the CN, so make sure every name you need ends up in the SAN list of the issued certificate.)

Slide 62

Create a certificate
1. Generate a private/public key pair
2. Generate a Certificate Signing Request (CSR)
3. For a self-signed certificate, sign the CSR with your own key:
$ openssl x509 -req -days 365 -in server.csr -signkey private.key -out certificate.pem
https://devcenter.heroku.com/articles/ssl-certificate-self

Slide 63

Request a trusted certificate
1. Generate a private/public key pair
2. Generate a Certificate Signing Request (CSR)
3. Request the certificate (*)
(*) Request generally means purchase. You can purchase an SSL certificate either from a CA or from a reseller. Some providers offer visual tools that help you with the request process (e.g. by generating the CSR).

Slide 64

Request a trusted certificate
3. Request the certificate:
- Select the certificate type
- Submit the CSR
- Validate the request
- Obtain the certificate

Slide 65

Certificate types (by validation level)
- DV (Domain Validated): asserts control of a domain
- OV (Organization Validated): asserts control of a domain as well as basic organizational vetting
- EV (Extended Validation): asserts control of a domain as well as extended organizational vetting

Slide 66

Now you should have:
1. A CSR file
2. A certificate file
3. A private key file
4. (optionally) A list of intermediate certificate files
Example of a PEM-encoded certificate (the slide shows the AddTrust External CA Root, a root certificate that expired on 30 May 2020):
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----

Slide 67

III. Deploying an SSL certificate

Slide 68

To deploy HTTPS you need to:
- Install the certificate on the server, along with the private key and the intermediate certificate chain.
- Configure HTTPS: protocol versions, cipher suites and cipher settings.

Slide 69

History of secure protocols
- SSL 1: never released
- SSL 2 (1995): a number of security flaws
- SSL 3 (1996): broken, vulnerable to the POODLE attack
- TLS 1.0 (1999)
- TLS 1.1 (2006)
- TLS 1.2 (2008)
- TLS 1.3 (2018, after this talk)

Slides 70-73

Example nginx config (the same block appears on four slides, each highlighting one section)

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # ssl certificate config
    ssl_certificate /path/to/certificate_and_intermediates;
    ssl_certificate_key /path/to/private_key;

    # ssl session config
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # protocol and cipher config
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;
}

Notes:
- The ssl_certificate file must contain the server certificate first, followed by the intermediates in order; a wrong order or a missing intermediate is the usual cause of the "untrusted chain" outcome from slide 58.
- ssl_session_tickets off avoids a long-lived ticket key that would undermine forward secrecy.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 was the 2016 "intermediate" profile. TLS 1.0 and 1.1 were deprecated by RFC 8996 in 2021; a current deployment should allow only TLSv1.2 and TLSv1.3.

Slide 74

https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://cipherli.st/

Slide 75

Heroku
$ heroku addons:create ssl:endpoint
Adding ssl:endpoint on example... done, v1 ($20/mo)
$ heroku certs:add server.crt server.key
Adding SSL Endpoint to example... done
example now served by example-2121.herokussl.com.
Certificate details:
Expires At: 2012-10-31 21:53:18 GMT
Issuer: C=US; ST=CA; L=SF; O=Heroku; CN=www.example.com
Starts At: 2011-11-01 21:53:18 GMT
https://devcenter.heroku.com/articles/ssl-endpoint
https://devcenter.heroku.com/articles/ssl-certificate-dnsimple

Slides 76-78

Caddy server (screenshots)
https://caddyserver.com/

Slide 79

https://www.ssllabs.com/ssltest/

Slide 80

Lifecycle of a certificate
Requested → Issued → Expired / Revoked / Rekeyed

Slide 81

IV. Serving HTTPS

Slides 82-83

Cookie security
$ curl -I https://dnsimple.com
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 15 Mar 2016 15:52:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
ETag: W/"f2d21600cdff911b9ee6a44dabcda234"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5
X-Runtime: 0.016254
Strict-Transport-Security: max-age=31536000

The Set-Cookie line carries the two flags that matter: Secure (the browser never sends the cookie over plain HTTP) and HttpOnly (the cookie is not readable from JavaScript).

Slides 84-88

Mixed content security error (browser screenshots: an HTTPS page loading sub-resources over plain HTTP)

Slide 89

Chrome security debugger (screenshot)

Slide 90

HSTS Header
(same curl -I https://dnsimple.com response as slide 82; the relevant line is the last one)
Strict-Transport-Security: max-age=31536000

Slides 91-92

HSTS Header
The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead. When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Caveats: the header is only honoured when it arrives over HTTPS; includeSubDomains applies the policy to every subdomain, so any HTTP-only subdomain becomes unreachable; preload asks browsers to ship the domain hard-coded as HTTPS-only, which is slow to undo.

Slide 93

HSTS Header
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
https://hstspreload.appspot.com/
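The checks for the cookie flags (slide 82) and the HSTS header (slides 90-93), as an added example that is not part of the original deck: it parses a curl -I style response, reports cookies set without Secure or HttpOnly, reports what keeps the HSTS policy short of the preload requirements, and models the browser-side behaviour the slide describes (record the policy on an HTTPS response, upgrade plain-HTTP loads while it is valid, forget it when max-age elapses). The first response below is copied from the slide; the second is a constructed weak configuration for contrast; the one-year threshold is the minimum the preload list accepts.

```python
# Added example, not from the slides. SAMPLE_RESPONSE copies the slide's
# curl -I output (trimmed); WEAK_RESPONSE is a constructed bad configuration.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Date: Tue, 15 Mar 2016 15:52:08 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
Strict-Transport-Security: max-age=31536000
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: _session=abc123; path=/
Set-Cookie: prefs=dark; path=/; Secure
"""

ONE_YEAR = 31536000   # minimum max-age accepted by the HSTS preload list


def parse_headers(raw):
    """Raw response (status line first) -> [(lower-cased name, value)];
    repeated headers such as Set-Cookie are all kept."""
    headers = []
    for line in raw.splitlines()[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_cookies(headers):
    """Flag every cookie set without Secure or HttpOnly."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
    return findings


def parse_hsts(value):
    """Directives of a Strict-Transport-Security value; max-age is mandatory."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            policy["max_age"] = int(val.strip().strip('"'))
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age is required (RFC 6797)")
    return policy


def audit_hsts(headers):
    """Report what keeps the policy short of the preload requirements."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(values[0])
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append("HSTS max-age is below one year")
    if not policy["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains")
    if not policy["preload"]:
        findings.append("HSTS lacks preload")
    return findings


class HstsStore:
    """Browser-side model: remember the policy, upgrade while valid, then
    forget. Times are integer seconds so the expiry logic is easy to test."""

    def __init__(self):
        self.entries = {}   # host -> (expires_at, include_subdomains)

    def observe(self, host, headers, now, over_https=True):
        if not over_https:
            return            # the header is ignored on plain-HTTP responses
        for name, value in headers:
            if name == "strict-transport-security":
                policy = parse_hsts(value)
                if policy["max_age"] == 0:
                    self.entries.pop(host, None)   # max-age=0 clears the policy
                else:
                    self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue      # expired: the next HTTP load proceeds as normal
            if i == 0 or include_subdomains:
                return True
        return False
```

Run against the slide's response the cookie audit is clean and the HSTS audit reports only the missing includeSubDomains and preload directives; the store shows why the first one matters, since a policy recorded for dnsimple.com does nothing for blog.dnsimple.com until includeSubDomains is sent.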

Slide 94

Public Key Pinning
https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]
Public-Key-Pins: max-age=5184000; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg="
Caveat: a pin for a key you lose locks every returning visitor out until max-age expires, and Chrome and Firefox have since removed HPKP support entirely; do not deploy it on new sites.

Slide 95

SecurityHeaders.io

Slide 96

Let's Encrypt

Slide 97

Bulletproof SSL and TLS
http://bit.ly/codemotion2016-sslbook
⋆ ⋆ ⋆ ⋆ ⋆

Slide 98

Simone Carletti
https://simonecarletti.com
@weppos
Thanks!