Slide 1

©2017 AKAMAI | FASTER FORWARD™ ৗ࣌SSLԽͷམͱ݀͠ Hideki Okamoto, Akamai Technologies, November 10, 2017

Slide 2

The opinions expressed in this slide are my own and do not express the positions, strategies or opinions of

Slide 3

SSL/TLSԽΛऔΓר͘ݱঢ়
Photo by Chris Yang

Slide 4

Chart: HTTPSܦ༝ͰಡΈࠐ·Εͨϖʔδͷׂ߹ (%), i.e. the share of pages loaded over HTTPS, for US, France and Japan in 2015, 2016 and 2017 (Oct); the values shown are 26, 33, 56, 40, 52, 70, 51, 57 and 74.
Source: HTTPS encryption on the web, https://transparencyreport.google.com/https/overview


Slide 6

Not Secure ~ since January 2017 ~
Google Chrome͔ΒϩάΠϯ৘ใೖྗϑΥʔϜ͕SSLԽ͞Ε͍ͯͳ͍ͱܯࠂදࣔ


Slide 8

Not Secure ~ since October 2017 ~
Google Chrome͔ΒSSLԽ͞Ε͍ͯͳ͍શͯͷೖྗϑΥʔϜʹܯࠂදࣔ

Slide 9

Key Reinstallation Attacks (KRACK) ʹΑͬͯ Wi-Fi ͸ΑΓةݥʹͳͬͨͷ͔
KRACK Attacks: Breaking WPA2 https://www.krackattacks.com/

Slide 10

ͳ͓ɺެऺແઢLANͷ৔߹͸Ոఉ಺ແઢLANͱ͸ҟͳΓɺෆಛఆଟ਺ͷར༻ऀ͕઀ଓ͢Δ؀ڥͰ͋ΔͨΊɺAP઀ଓʹඞཁͱͳΔSSIDͱ҉߸ԽΩʔΛෆಛఆଟ਺ͷར༻ऀͰڞ༗͢Δέʔε΋͋Δɻͦͷ৔߹ɺࣗ෼Ҏ֎ͷར༻ऀ΋ಉҰͷ҉߸ԽΩʔͷ৘ใΛ஌͍ͬͯΔ͜ͱʹͳΓɺCCMPΛ࠾༻ͨ͠҉߸Խ௨৴Ͱ͋ͬͯ΋ղಡ͢Δ͜ͱ͕ՄೳͰ͋Δ
https://www.ipa.go.jp/files/000051453.pdf
ެऺແઢLANΛར༻͢Δࡍɺࣗ෼Ҏ֎ͷར༻ऀͱಉҰͷ҉߸ԽΩʔΛڞ༗͢ΔAPͰ͸ɺ௨৴͕҉߸Խ͞Ε͍ͯΔ৔߹Ͱ΋౪ௌ͞ΕΔةݥੑ͕͋Δ͜ͱΛೝࣝͯ͠ཉ͍͠
ಠཱߦ੓๏ਓ৘ใॲཧਪਐػߏʰެऺແઢLANར༻ʹ܎ΔڴҖͱରࡦʱ

Slide 11

Q: ͳͥSSLԽ͕ඞཁͳͷ͔ A: ౪ௌɾվ᜵ɾͳΓ͢·͔͠Β ϢʔβʔΛอޢ͢ΔͨΊ
Q: ͳͥʮৗ࣌ʯSSLԽͳͷ͔ A: ࣮ࡍͷͱ͜Ζ कΔ΂͖ϖʔδɺकΒͳͯ͘΋Α͍ϖʔδͷ۠ผ͸ࠔ೉

Slide 12

ϩʔυόϥϯαʔ͸SSLͷίωΫγϣϯ૿ʹ଱͑ΒΕΔͩΖ͏͔ SSLূ໌ॻͷ४උΛͲͷΑ͏ʹਐΊΕ͹ྑ͍ͩΖ͏͔ ͋ΔΠϯϑϥ୲౰ΑΓ
ݱߦͷΞϓϦέʔγϣϯ͸SSLԽͯ͠΋ਖ਼͘͠ಈͩ͘Ζ͏͔ WebσβΠφʔʹͲ͏͍͏͓ئ͍Λ͢Ε͹ྑ͍ͩΖ͏͔ ͋ΔΞϓϦέʔγϣϯ୲౰ΑΓ
ૣ͘SSLԽ͠ͳ͍ͱݕࡧΤϯδϯͷϥϯΩϯά͕Լ͕ΔͷͰ͸ͳ͍͔ SSLԽ͢ΔͱιʔγϟϧϘλϯʹӨڹ͕ग़Δͱฉ͍͕ͨʜ ͋ΔϚʔέςΟϯά୲౰ΑΓ
WebαΠτͰͷ৘ใ࿙Ӯ΍վ᜵ͳͲͷηΩϡϦςΟϦεΫΛ௿ݮ͍ͤͨ͞ ͕ͩϏδωεʹѱӨڹ͸༩͑ΒΕͳ͍ɻ҆શʹSSLԽ͍ͨ͠ ܦӦਞΑΓ
Photo by Johny Goerend

Slide 13

SSLԽͷམͱ݀͠
Photo by Ian Espinosa

Slide 14

མͱ݀͠ ϩʔυόϥϯα΍Webαʔό͕SSLऴ୺ͷෛՙʹ଱͑ΒΕͳ͍
“On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that.” - Adam Langley, Google
զʑͷຊ൪؀ڥʹ͋ΔϑϩϯτΤϯυϚγϯ্ʹ͓͍ͯɺSSL/TLSͷॲཧʹ͔͔Δෛՙ͸ɺCPU࢖༻཰ʹͯ͠ະຬɺίωΫγϣϯ͋ͨΓͷϝϞϦ࢖༻཰ʹͯ͠KBະຬɺωοτϫʔΫͷΦʔόʔϔουʹͯ͠ະຬͰ͋Δɻଟ͘ͷਓʑ͕SSL/TLS͸ଟ͘ͷCPU࣌ؒΛফඅ͢Δͱ৴͍ͯ͡Δ͕ɺզʑ͸લड़ͷ਺ࣈʹΑͬͯ͜ͷ͍͕ٙ੖ΕΔ͜ͱΛئ͍ͬͯΔ

Slide 15

མͱ݀͠ ϩʔυόϥϯα΍Webαʔό͕SSLऴ୺ͷෛՙʹ଱͑ΒΕͳ͍
TLS Benchmarks – HiveMQ https://www.hivemq.com/tls-benchmarks
҉߸༻ͷ໋ྩηοτ͕CPUʹ࣮૷͞Εͨ͜ͱͰCPUෛՙ͸ܰ͘ͳ͕ͬͨɺͦΕͰ΋ͳ͓SSL/TLSͷωΰγΤʔγϣϯ͸ॏ͍

Slide 16

མͱ݀͠ ϩʔυόϥϯα΍Webαʔό͕SSLऴ୺ͷෛՙʹ଱͑ΒΕͳ͍
ղܾํ๏
• AkamaiԽͯ͠Persistent ConnectionͰSSL/TLSηογϣϯΛू໿͢Δ Ωϟογϡػೳ΋ซ༻͢Δͱ͞Βʹྑ͍
• ECDSAূ໌ॻ
• TLS Session Resumption (Session ID / Session Tickets)
ΤοδαʔόʔͰSSL/TLSΛλʔϛωʔτ͢ΔͱύϑΥʔϚϯε΋޲্͢Δ
https://blogs.akamai.com/2013/10/why-early-termination-is-not-a-bad-thing.html
https://hpbn.co/transport-layer-security-tls/

Slide 17

མͱ݀͠ Mixed Contents
What Is Mixed Content? https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content

Slide 18

མͱ݀͠ Mixed Contents
Active Mixed Content
• HTTPSͰ഑৴͞Ε͍ͯΔHTMLʹຒΊࠐ·ΕͨJavaScript, CSS΍ɺXMLHttpRequestʹΑΔϦΫΤετ͕HTTPͷͱ͖ʹൃੜ
• Webϒϥ΢βʹΑΓϒϩοΫ͞ΕΔ
Passive Mixed Content
• HTTPSͰ഑৴͞Ε͍ͯΔHTMLʹຒΊࠐ·Εͨը૾ɺಈըʹΑΔϦΫΤετ͕HTTPͷͱ͖ʹൃੜ
• ϒϩοΫ͸͞Εͳ͍͕ϖʔδࣗମ͸Not SecureͱΈͳ͞ΕΔ ೥࣌఺

Slide 19

མͱ݀͠ Mixed Contents
Mixed Contents௵͠͸ৗ࣌SSLԽʹ͓͍ͯ΋ͬͱ΋ࠔ೉ͳ࡞ۀͰ͋Δ
ڐ༰ਫ४ͷ߹ҙ / Content Security PolicyʹΑΔݕ஌ / ੾Γ໭͠खॱͷࡦఆ
Mixed ContentsΛࣄલʹ௵͢ͷ͸ݱ࣮తʹ͔ͳΓ೉͍͠

Slide 20

མͱ݀͠ Mixed Contents
SSLԽͷਐΊํͷྫ
1. ෳ਺αΠτʹ·͕ͨͬͯը૾΍APIΤϯυϙΠϯτͳͲͷϦιʔεΛڞ༗͍ͯ͠Δ৔߹͸ɺαΠτؒͷґଘؔ܎Λચ͍ग़ͯ͠HTTPSʹରԠͤ͞Δॱ൪ΛܾΊΔ
2. αʔόʔଆͰHTTPS௨৴͕Ͱ͖ΔΑ͏ʹ͢Δ ϖʔδ่ΕΛى͍ͯ͜͠ΔαΠτΛ֎෦ʹݟͤͳ͍ͨΊʹɺ͜ͷ࣌఺ͰHTMLʹରͯ͠֎෦͔ΒHTTPSͰϦΫΤετ͕དྷͯ΋HTTPʹϦμΠϨΫτ͢ΔઃఆΛೖΕΔͱͳ͓ྑ͍
3. HTMLɺJavaScriptɺCSSɺΞϓϦέʔγϣϯίʔυͷதͰ httpͱϋʔυίʔυ͞Ε͍ͯΔͱ͜ΖΛݟ͚ͭͯద੾ʹॻ͖׵͑Δ ػցతʹ httpsʹஔ׵͢Δͱةݥͳ͜ͱ͕͋ΔͷͰ஫ҙ
4. ಺෦Ϣʔβʔ͚ͩʹHTMLΛHTTPS௨৴ͰݟͤΔΑ͏ʹͯ͠ಈ࡞֬ೝΛ͢Δɻ Webϒϥ΢βʔͷ։ൃऀίϯιʔϧ΍Content Security Policy Report-OnlyΛ׆༻ͯ͠Mixed ContentΛચ͍ग़͢
5. ҰൠϢʔβʔʹHTTPSܦ༝ͰHTMLΛݟͤΔΑ͏ʹ͢Δ
6. HTTP→HTTPS΁ͷϦμΠϨΫτΛೖΕΔ
7. ҰఆͷܦաظؒΛ͓͍ͯHTTP Strict Transport Securityͷ༗ޮԽɾCookieͷsecureଐੑ༗ޮԽ

Slide 21

མͱ݀͠ Mixed Contents
ղܾํ๏
Content Security Policy (CSP) https://developer.mozilla.org/ja/docs/Web/Security/CSP Ͱಈతʹϖʔδ಺ͷ httpΛ httpsʹஔ׵Ͱ͖ͳ͍ͷͰ͔͢
• Content Security Policyҧ൓ϨϙʔτػೳΛ࢖͏ Ϣʔβʔͷ Webϒϥ΢βʔͰMixed Content͕ൃੜ͢Δͱࢦఆͨ͠ΤϯυϙΠϯτʹใࠂͤ͞Δ
• ใࠂ؅ཧπʔϧͱͯ͠ report-uri.io ͕༗໊

Slide 22

མͱ݀͠ Cross-Origin Resource Sharing (CORS)
Page origin: http://www.example.com/
API origin: https://api.example.com/
Request: https://api.example.com/article/1234
Response header: Access-Control-Allow-Origin: http://www.example.com
Result: It Works!
Ϩεϙϯεͷ Access-Control-Allow-Origin ϔμʔͱΞΫηεݩυϝΠϯ͕ εΩʔϜ http/https ΛؚΊͯ Ұக͍ͯ͠Δ
Cross-Origin Resource Sharing (CORS) https://developer.mozilla.org/ja/docs/Web/HTTP/HTTP_access_control

Slide 23

མͱ݀͠ Cross-Origin Resource Sharing (CORS)
Page origin: https://www.example.com/
API origin: https://api.example.com/
Request: https://api.example.com/article/1234
Response header: Access-Control-Allow-Origin: http://www.example.com
Result: XMLHttpRequest cannot load https://api.example.com/article/1234. Origin https://www.example.com is not allowed by Access-Control-Allow-Origin.

Slide 24

མͱ݀͠ Cross-Origin Resource Sharing (CORS)
ղܾํ๏
• ϦΫΤετͷOriginϔμʔΛݟͯద੾ͳυϝΠϯ͔Βདྷ͍ͯͨΒɺͦͷ஋Λಈతʹ Access-Control-Allow-Origin ʹ͚ͭΔ
• ্هॲཧΛApache΍nginxͳͲͰ࣮૷͢Δ
• Access-Control-Allow-Origin: * Λ࢖͏ ඇਪ঑
Access-Control-Allow-Origin Multiple Origin Domains? https://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
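The allowlist-based reflection recommended on this slide, as an added example that is not part of the deck: the request's Origin header is echoed into Access-Control-Allow-Origin only when it matches an allowlisted origin exactly, including the scheme, so that the http:// to https:// migration shown on the two previous slides keeps working without resorting to `*`. The function names and the allowlist are assumptions for the example.

```python
"""Allowlist-based CORS origin reflection (added example, not from the deck)."""
from urllib.parse import urlsplit

# Constructed allowlist for the migration window: both schemes of the page
# origin are listed so that pages served over http:// and https:// keep
# working; the http:// entry is removed once the HTTP -> HTTPS redirect is in.
ALLOWED_ORIGINS = frozenset({
    "http://www.example.com",
    "https://www.example.com",
})


def normalize_origin(origin):
    """Return the origin as scheme://host[:port] (lowercase, default port
    dropped), or None if it is not a well-formed http(s) origin."""
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path not in ("", "/"):
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname if port in (None, default) else f"{parts.hostname}:{port}"
    return f"{parts.scheme}://{host}"


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS):
    """Compute the CORS response headers for one request.

    The Origin header value is reflected only when it matches an allowlisted
    origin exactly (scheme, host and port), which is what the slide recommends
    instead of Access-Control-Allow-Origin: *.  An absent or unlisted Origin
    yields no CORS headers, so the browser blocks the cross-origin read.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in allowed:
        return {}
    # Vary: Origin keeps shared caches from serving one origin's header to another.
    return {"Access-Control-Allow-Origin": canonical, "Vary": "Origin"}
```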

Slide 25

མͱ݀͠ େྔͷTLDΛؚΉSSLূ໌ॻͷऔಘ
www.example.com www.example.co.jp www.example.de www.example.co.uk www.example.fr www.example.de www.example.ar www.example.ru www.example.th www.example.br
ೝূہͷυϝΠϯ֬ೝ͕େม
Photo by Andrew Butler

Slide 26

མͱ݀͠ େྔͷTLDΛؚΉূ໌ॻͷऔಘ
ରࡦ
• Ұ෦ͷTLD͸ߋ৽͕೉͔ͬͨ͠ΓɺೝূہʹΑΔwhois৘ใͷ֬ೝʹ͕͔͔࣌ؒͬͨΓ͢ΔͷͰɺεέδϡʔϧΛܾΊΔࡍʹSSLূ໌ॻͷऔಘʹ͔͔Δ࣌ؒΛे෼ʹݟੵ΋Δ
• whoisʹొ࿥͞ΕͨϝʔϧΞυϨε͕༗ޮ͔Ͳ͏͔ࣄલʹ֬ೝ͢Δ

Slide 27

ͦΕҎ֎ͷ஫ҙ͢΂͖఺ ߟྀ఺ɾରࡦ
[ ] ΍ͰϦμΠϨΫτ͢ΔͱPOSTϦΫΤετ͕GETϦΫΤετʹͳΔ
[ ] URLͷεΩʔϜ͕มΘΔͱγΣΞϘλϯͷΧ΢ϯτ਺͕ফ͑Δ
[ ] Cipher SuiteΛద੾ʹબ୒͠ͳ͍ͱݹ͍WindowsɺAndroid͔ΒΞΫηεͰ͖ͳ͘ͳΔ
[ ] HTTPS→HTTPαΠτʹભҠ͢ΔͱભҠઌͰReferer͕औΕͳ͍
[ ] HTTP/HTTPSࠞࡏ؀ڥͰlocalStorageͷऔΓѻ͍
[ ] Cookieʹsecureଐੑͱ HSTSΛ༗ޮԽ͢ΔλΠϛϯά
[ ] http://kiririmode.hatenablog.jp/entry/…/p…
[ ] https://www.ark-web.jp/blog/archives/…/https_facebook_like.html
[ ] https://www.ssllabs.com/ssltest/clients.html
[ ] https://tools.ietf.org/html/rfc…#section-…
[ ] http://postd.cc/web-storage-the-lesser-evil-for-session-tokens/
[ ] https://inside.pixiv.blog/catatsuy/…

Slide 28

໊ࢗ ϙελʔ౳ͷൢചଅਐࢿྉ ϝʔϧͷॺ໊ཝ