Slide 1
Slide 1 text
The first 200 milliseconds of HTTPS
1
Joshua Thijssen
jaytaph
Slide 2
Slide 2 text
2
Joshua Thijssen
Freelance consultant, developer and
trainer @ NoxLogic
Founder of the Dutch Web Alliance
Development in PHP, Python, C, Java.
Lead developer of Saffire.
Blog: http://adayinthelifeof.nl
Email: [email protected]
Twitter: @jaytaph
Slide 3
Slide 3 text
3
Slide 4
Slide 4 text
➡ What’s happening in the first 200+
milliseconds on a HTTPS connection.
3
Slide 5
Slide 5 text
➡ What’s happening in the first 200+
milliseconds on a HTTPS connection.
➡ Give tips and hints on hardening your setup.
3
Slide 6
Slide 6 text
➡ What’s happening in the first 200+
milliseconds on a HTTPS connection.
➡ Give tips and hints on hardening your setup.
➡ Give you insights in new and upcoming
technologies.
3
Slide 7
Slide 7 text
➡ What’s happening in the first 200+
milliseconds on a HTTPS connection.
➡ Give tips and hints on hardening your setup.
➡ Give you insights in new and upcoming
technologies.
➡ Show you things to you (probably) didn’t
knew.
3
Slide 8
Slide 8 text
This talk is inspired by
a blogpost from Jeff Moser
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
Unknown fact!
4
Slide 9
Slide 9 text
Secure Socket Layer
(SSL)
5
A short and scary history
Slide 10
Slide 10 text
then
now
6
Slide 11
Slide 11 text
then
now
SSL 1.0
Vaporware
1994
6
Slide 12
Slide 12 text
then
now
feb
1995
SSL 2.0
Not-so-secure-socket-layer
SSL 1.0
Vaporware
1994
6
Slide 13
Slide 13 text
then
now
feb
1995
SSL 2.0
Not-so-secure-socket-layer
jun
1996
SSL 3.0
Something stable!
SSL 1.0
Vaporware
1994
6
Slide 14
Slide 14 text
then
now
feb
1995
SSL 2.0
Not-so-secure-socket-layer
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
SSL 1.0
Vaporware
1994
6
Slide 15
Slide 15 text
then
now
feb
1995
SSL 2.0
Not-so-secure-socket-layer
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
apr
2006
TLS 1.1
SSL 1.0
Vaporware
1994
6
Slide 16
Slide 16 text
then
now
feb
1995
SSL 2.0
Not-so-secure-socket-layer
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
apr
2006
TLS 1.1
TLS 1.2
aug
2008
SSL 1.0
Vaporware
1994
6
Slide 17
Slide 17 text
https://www.trustworthyinternet.org/ssl-pulse/
25,7%
99,6% 99,3%
18,2% 20,7%
SSL 2.0 TLS 1.0 TLS 1.2
7
November 2013
Slide 18
Slide 18 text
https://www.trustworthyinternet.org/ssl-pulse/
25,7%
99,6% 99,3%
18,2% 20,7%
SSL 2.0 TLS 1.0 TLS 1.2
7
November 2013
Slide 19
Slide 19 text
https://www.trustworthyinternet.org/ssl-pulse/
25,7%
99,6% 99,3%
18,2% 20,7%
SSL 2.0 TLS 1.0 TLS 1.2
7
23,7%
99,4% 97,7%
27,6% 30,2%
SSL 2.0 TLS 1.0 TLS 1.2
November 2013 March 2014
Slide 20
Slide 20 text
RFC 5246
(TLS v1.2)
8
Slide 21
Slide 21 text
9
* We can with openssl
Slide 22
Slide 22 text
➡ Binary protocol - so no quick
telnet-to-see-if-it-works*
9
* We can with openssl
Slide 23
Slide 23 text
➡ Binary protocol - so no quick
telnet-to-see-if-it-works*
➡ Different records
9
* We can with openssl
Slide 24
Slide 24 text
➡ Binary protocol - so no quick
telnet-to-see-if-it-works*
➡ Different records
➡ Handshake protocol
9
* We can with openssl
Slide 25
Slide 25 text
➡ Binary protocol - so no quick
telnet-to-see-if-it-works*
➡ Different records
➡ Handshake protocol
➡ Alert protocol
9
* We can with openssl
Slide 26
Slide 26 text
➡ Binary protocol - so no quick
telnet-to-see-if-it-works*
➡ Different records
➡ Handshake protocol
➡ Alert protocol
➡ ChangeCipherSpec protocol
9
* We can with openssl
Slide 27
Slide 27 text
➡ Binary protocol - so no quick
telnet-to-see-if-it-works*
➡ Different records
➡ Handshake protocol
➡ Alert protocol
➡ ChangeCipherSpec protocol
➡ Application protocol
9
* We can with openssl
Slide 28
Slide 28 text
10
https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg
Slide 29
Slide 29 text
Attention:
(live)
wiresharking
up ahead
11
Slide 30
Slide 30 text
12
Slide 31
Slide 31 text
13
Slide 32
Slide 32 text
Generating
randomness is HARD
14
Slide 33
Slide 33 text
entropy
(uncertainty)
15
Slide 34
Slide 34 text
TIME is NOT random
thus not a very good
entropy source
16
Slide 35
Slide 35 text
PHP is bad
when it comes to
entropy
17
Unknown fact!
Slide 36
Slide 36 text
srand(microtime())
18
Unknown fact!
Slide 37
Slide 37 text
rand()
mt_rand()
uniqid()
19
Slide 38
Slide 38 text
openssl_pseudo_random_bytes()
read from /dev/(u)random
Use a HRNG
“A million random digits”
https://github.com/ircmaxell/RandomLib
20
Slide 39
Slide 39 text
21
Slide 40
Slide 40 text
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
22
Slide 41
Slide 41 text
TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
23
Slide 42
Slide 42 text
TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
23
Slide 43
Slide 43 text
TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
Used for authenticating
key information
23
Slide 44
Slide 44 text
TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
Used for authenticating
key information
Actual cipher (and
length) used for
communication
23
Slide 45
Slide 45 text
TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
Used for authenticating
key information
Actual cipher (and
length) used for
communication
Block cipher mode
23
Slide 46
Slide 46 text
TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Used for exchanging
key information
Used for authenticating
key information
Used for message
authenticating
Actual cipher (and
length) used for
communication
Block cipher mode
23
Slide 47
Slide 47 text
TLS_RSA_WITH_AES_256_CBC_SHA256
24
Slide 48
Slide 48 text
TLS_NULL_WITH_NULL_NULL
25
Slide 49
Slide 49 text
Client gives cipher options,
Server ultimately decides on cipher!
26
Slide 50
Slide 50 text
THIS IS WHY YOU SHOULD ALWAYS
CONFIGURE YOUR CIPHERS
ON YOUR WEB SERVER!
27
Unknown fact!
Slide 51
Slide 51 text
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
Apache
Nginx
28
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
Slide 52
Slide 52 text
https://www.ssllabs.com/ssltest/
29
Slide 53
Slide 53 text
30
Slide 54
Slide 54 text
31
➡ SNI (Server Name Indication)
➡ Extension 0x0000
➡ Pretty much every decent browser /
server.
➡ IE6, Win XP, Blackberry, Android 2.x
➡ So no worries!
Slide 55
Slide 55 text
32
Slide 56
Slide 56 text
33
Slide 57
Slide 57 text
What an SSL certificate is NOT:
34
➡ SSL certificate (but a X.509 certificate)
➡ Automatically secure
➡ Automatically trustworthy
➡ In any way better self-signed certificates
➡ Cheap
Slide 58
Slide 58 text
What an SSL certificate is:
35
➡ The best way (but not perfect) to prove authenticity
➡ A way to bootstrap encrypted communication
➡ Misleading
➡ (Too) Expensive
Slide 59
Slide 59 text
36
Slide 60
Slide 60 text
37
Slide 61
Slide 61 text
37
➡ X.509 Certificate
Slide 62
Slide 62 text
37
➡ X.509 Certificate
➡ Owner info (who is this owner)
Slide 63
Slide 63 text
37
➡ X.509 Certificate
➡ Owner info (who is this owner)
➡ Domain info (for which domain(s) is
this certificate valid)
Slide 64
Slide 64 text
37
➡ X.509 Certificate
➡ Owner info (who is this owner)
➡ Domain info (for which domain(s) is
this certificate valid)
➡ Expiry info (from when to when is this
certificate valid)
Slide 65
Slide 65 text
38
Slide 66
Slide 66 text
39
yourdomain.com
Slide 67
Slide 67 text
39
yourdomain.com
Intermediate
CA
Slide 68
Slide 68 text
39
yourdomain.com
Intermediate
CA
Slide 69
Slide 69 text
39
yourdomain.com
Root
CA
Intermediate
CA
Slide 70
Slide 70 text
39
yourdomain.com
Root
CA
Intermediate
CA
Slide 71
Slide 71 text
39
yourdomain.com
Root
CA
Intermediate
CA
Slide 72
Slide 72 text
40
IMPLIED TRU$T
Slide 73
Slide 73 text
➡ (Root) Certificate Authorities
➡ They are built into your browser / OS
and you will automatically trust them.
41
Slide 74
Slide 74 text
42
wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
Slide 75
Slide 75 text
42
wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
174
Slide 76
Slide 76 text
43
Slide 77
Slide 77 text
43
➡ X.509 certificates are used to authenticate
the server.
Slide 78
Slide 78 text
43
➡ X.509 certificates are used to authenticate
the server.
➡ Servers can ask clients to authenticate
themselves as well.
Slide 79
Slide 79 text
43
➡ X.509 certificates are used to authenticate
the server.
➡ Servers can ask clients to authenticate
themselves as well.
➡ APIs
Slide 80
Slide 80 text
44
Slide 81
Slide 81 text
45
Slide 82
Slide 82 text
46
Generating secrets:
Slide 83
Slide 83 text
46
pre master secret server rand
client rand
Generating secrets:
+ +
Slide 84
Slide 84 text
46
pre master secret server rand
client rand
master secret
Generating secrets:
+ +
Slide 85
Slide 85 text
46
pre master secret server rand
client rand
master secret
master secret server rand client rand
Generating secrets:
+ +
+
+
Slide 86
Slide 86 text
46
pre master secret server rand
client rand
master secret
master secret server rand client rand
key buffer
Generating secrets:
+ +
+
+
Slide 87
Slide 87 text
46
pre master secret server rand
client rand
master secret
client MAC client KEY client IV server MAC server KEY server IV
master secret server rand client rand
key buffer
Generating secrets:
+ +
+
+
Slide 88
Slide 88 text
https://github.com/jaytaph/TLS-decoder
47
http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
Try it yourself, php style:
Slide 89
Slide 89 text
48
Slide 90
Slide 90 text
49
Slide 91
Slide 91 text
50
Slide 92
Slide 92 text
51
Slide 93
Slide 93 text
52
Wireshark CAN decrypt your HTTPS traffic
Unknown fact!
SSLKEYLOGFILE
https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415
Slide 94
Slide 94 text
53
launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
on a mac:
Slide 95
Slide 95 text
54
Slide 96
Slide 96 text
➡ TLS has overhead in computation and
transfers. But definitely worth it.
➡ Some ciphersuites are better, but slower
➡ Speed / Security compromise
➡ (try: “openssl speed”)
55
Slide 97
Slide 97 text
Are we safe yet?
56
Slide 98
Slide 98 text
euh,.. no :/
57
Slide 99
Slide 99 text
58
PRE MASTER
SECRET
Slide 100
Slide 100 text
What if somebody*
got hold of the site
private key?
59
Slide 101
Slide 101 text
60
Slide 102
Slide 102 text
61
Slide 103
Slide 103 text
62
Slide 104
Slide 104 text
63
Playing the waiting game...
Slide 105
Slide 105 text
63
Playing the waiting game...
Slide 106
Slide 106 text
64
Slide 107
Slide 107 text
65
Slide 108
Slide 108 text
(PERFECT)
FORWARDING
SECRECY
66
Slide 109
Slide 109 text
Compromising the
pre-master secret does
not compromise our
communication.
67
Slide 110
Slide 110 text
PFS:
Can’t compromise
other keys with a
compromised key.
68
Slide 111
Slide 111 text
Unfortunately..
69
Slide 112
Slide 112 text
70
PFS needs server
AND browser support
Slide 113
Slide 113 text
71
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
Slide 114
Slide 114 text
72
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
Slide 115
Slide 115 text
Update your cipher
suite list and place
PFS ciphers at the top
73
Slide 116
Slide 116 text
But beware:
heavy computations
74
Slide 117
Slide 117 text
75
SSL Test
https://www.ssllabs.com/ssltest/
Slide 118
Slide 118 text
-ETOOMUCHINFO
76
Slide 119
Slide 119 text
77
https://www.ssllabs.com/projects/best-practices/index.html
Slide 120
Slide 120 text
http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 78
Slide 121
Slide 121 text
79
Find me on twitter: @jaytaph
Find me for development and training: www.noxlogic.nl
Find me on email: [email protected]
Find me for blogs: www.adayinthelifeof.nl
Slide 122
Slide 122 text
80