Dipping your toes into web security part I: how https helps Florencia Herra Vega CTO, Peerio

Why is the internet so insecure?

Why is the internet so insecure? why is learning about security hard?

Why is the internet so insecure? why is learning about security hard? why does learning about security matter?

What happens when you request a webpage in your browser?

What happens when you request a webpage in your browser?

what assumptions do we make about the cloud?

http://harryblogs.potter-weasley-family.com

What happens when you request a webpage in your browser? 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001

What happens when you request a webpage in your browser? 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001

What happens when you request a webpage in your browser?

What happens when you request a webpage in your browser?

http://harryblogs.potter-weasley-family.com wtf?

104.236.208.232 101.222.28.111 92.32.112.30

Domain Name System browser OS router ISP authoritative nameserver found! ? ? ? ?

DNS hey browser, do you know about harryblogs.potter-weasley-family.com? nope

DNS hey OS, do you know about harryblogs.potter-weasley-family.com? nope

DNS hey router, do you know about harryblogs.potter-weasley-family.com? nope

DNS hey ISP, do you know about harryblogs.potter-weasley-family.com? nope

DNS hey root domain name server, do you know about harryblogs.potter-weasley-family.com? nope… but I know about .com go ask the .com TLD DNS server root

DNS nope… but I know about potter-weasley- family.com: ns1.diagonalhosting.com .com hey .com TLD name server, do you know about harryblogs.potter-weasley-family.com?

DNS WHY YES here is an IP: 159.203.37.70 .com hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? authoritative nameserver

browser OS router ISP find! cache for n seconds! TTL cache for n seconds! cache for n seconds! cache for n seconds! authoritative nameserver

DNS hey ISP, do you know about harryblogs.potter-weasley-family.com? WHY YES here is an IP: 159.203.37.70

all this for an address…

diagonal hosting old pc in luna lovegood’s basement some isp

old pc in luna lovegood’s basement some isp

TCP: SHALL WE DANCE? Hey buddy can I talk to you for a second? SYN Me? You wanna talk to me? SYN/ACK Yes you! ACK

HTTP GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com

HTTP HTTP/1.1 200 OK Harry’s blog This is a v political blog. GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com

larger broomsticks & love potions 4 u one weird trick wow wow Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable. Like this! Tweet this! fave wizardvine clips yay comments muggle studies cancelled!? buy my signed quidditch robes Patreon GitTip Flattr Bitcoin

How can we break this perfectly simple and logical system?

diagonal hosting some isp 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001

A simple prank > vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com

A simple prank > vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com

browser OS router ISP find! cache for n seconds! authoritative nameserver insert a record A simple prank

Some DNS only resolves locally.

insert malicious record browser OS router ISP find! cache for n seconds! cache for n seconds! cache for n seconds! authoritative nameserver cache poisoning

Problems • I can see what you’re saying • I can see your passwords • I can fool you into accessing the wrong website through DNS • I can fool you into accessing the wrong website a bunch of other ways too

Defence against the dark arts

Cleartext I want to volunteer! Here is my personal info

wow math encrypt all the things!

HTTPS wow AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7HafG jXMfDdvm2KRd3qXhxOoeTP9vyddrZ05o4 PkE86q54ySQOJA6UwwHt0NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB

HTTPS not so wow AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7HafGjXMfD dvm2KRd3qXhxOoeTP9vyddrZ05o4PkE86q54yS QOJA6UwwHt0NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/OtxhEHNfhlB

HTTPS not so wow Thanks! meet me at this totally legit location!

HTTPS not so wow I want to volunteer! Here is my personal info

math can do better!

symmetrical encryption let us use this one key for magic math stuff … I will send it to you by carrier pigeon

Asymmetrical encryption from this secret key i shall derive a public key which I shall publish and you will use it for magic math stuff

your public key is unique!

your public key is unique!

your public key is unique! domain: harryblogs.potter-weasley- family.com owner: harry potter

Signed Certificate Diagonal Hosting 1 Diagon Alley SEAL of APPROVAL

Chain of trust domain: diagonalhosting.com owner: diagonal Ltd

Chain of trust GRINGOTTS IDENTITIES 22 goblin lane SEAL of APPROVAL diagonalhosting.com

Chain of trust

Hello, I’d like to talk to Harry’s blog securely Yes this is Harry’s blog, v secure! Hold up, why should I trust that you’re actually Harry? Because Diagon Alley Hosting says so. Hey Diagon Alley Hosting, do you know this guy? Yes, we can vouch for him. But how do I know who you are? Look me up with Gringotts Identities.

Try your DNS tricks now, Voldy! your connection is not private attackers may steal etc

Why should I use HTTPS on my websites? • Protects your users from snooping. • Will raise hell if someone pretends to be you.

Why doesn’t everybody do this? • Money. • Pain. Bureaucracy + encryption = not cute.

Let’s Encrypt! • Certbot — https://certbot.eff.org/ • nginx guide — https://www.digitalocean.com/ community/tutorials/how-to-secure-nginx-with-let-s- encrypt-on-ubuntu-14-04 • apache guide — https://www.digitalocean.com/ community/tutorials/how-to-secure-apache-with-let-s- encrypt-on-ubuntu-14-04

No content

Shared hosting providers that support Let’s Encrypt https://github.com/letsencrypt/letsencrypt/wiki/Web-Hosting- Supporting-LE

What can I do as a user? • HTTPS everywhere browser extension • https://chrome.google.com/webstore/detail/https- everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en • https://addons.mozilla.org/en-US/firefox/addon/https- everywhere/ • Ad and tracker blocking • https://chrome.google.com/webstore/detail/ublock- origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en • https://www.eff.org/privacybadger

What can I do as a developer? • Learn how to be evil! • play with Wireshark https://wireshark.org • Books from NoStarch Press: The Tangled Web, Silence on the Wire, Penetration Testing, etc. • Learn about the security features in the tools and frameworks you use!

More resources • “Server Farm to Table” — http://jenna.is/ server-farm-to-table-annotated.pdf • Computerphile “Man in the Middle attacks” — https://www.youtube.com/watch?v=-enHfpHMBo4 • Computerphile “Public key cryptography” — https://www.youtube.com/watch?v=GSIDS_lvRv4 • “Cat DNS” — https://www.youtube.com/watch? v=qDPhW9P44fI

get in touch! @flohdot