Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hansel & Gretel do TLS - PHPSW 2020

Marcus Bointon
May 13, 2020
Technology
0
41

Hansel & Gretel do TLS - PHPSW 2020

Effective encryption is a vital component of a safe and secure internet, especially since the arrival of HTTP/2. Many sites and mobile apps still don't use TLS to encrypt their traffic, often citing some kind of fear over the complexity of it all, or if they do, they make a mess of it, resulting in a literal false sense of security. The basics of TLS encryption are straightforward, but the practical realities run into a bewildering forest of acronyms. This talk gives you a breadcrumb trail through the backwoods of TLS, OCSP, ECDHE, ALPN, HTTP/2, HSTS, CT, and more, including the latest changes in TLS 1.3.

You'll get an overview of what problems TLS solves, how it works, its component pieces, how they fit together, where vulnerabilities and mitigations apply, and what tools and resources can help you get up to speed, and keep the wicked witch away!

This presentation was given online for PHPSW 2020 on May 13th, 2020.

Marcus Bointon

May 13, 2020
Tweet

More Decks by Marcus Bointon

See All by Marcus Bointon
Hands-on Privacy (IPC Munich 2023)
synchro
0
21
Picking the low hanging-fruit – Easy pentest wins (IPC Munich 2023)
synchro
0
42
It's new, it's shiny, it's... email?
synchro
0
150
Understanding Privacy By Design – ConFoo 2020
synchro
0
200
Hansel & Gretel do TLS - PHPBenelux 2020
synchro
0
190
What's new in TLS 1.3 (ConFoo 2019)
synchro
0
55
Practical privacy - GDPR explained (ConFoo Montreal 2019)
synchro
0
230
Deploying IPv6 (IPC Munich 2018)
synchro
0
140
Crypto for everyone - libsodium in PHP 7.2
synchro
0
310

Other Decks in Technology

See All in Technology
本当のAWS基礎
toru_kubota
0
500
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
0
120
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
330
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
890
Azure犬駆動開発の記録/GlobalAzureFukuoka2024_20240420
nina01
1
210
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
640
Cracking the KubeCon CfP
inductor
2
240
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
150
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
500
アクセス制御にまつわる改善 / Improving access control
itkq
0
530
Databricks における 『MLOps』
databricksjapan
2
170

Featured

See All Featured
YesSQL, Process and Tooling at Scale
rocio
164
13k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
Thoughts on Productivity
jonyablonski
58
3.8k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
Ruby is Unlike a Banana
tanoku
96
10k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
Statistics for Hackers
jakevdp
789
220k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Designing the Hi-DPI Web
ddemaree
276
33k
The Art of Programming - Codeland 2020
erikaheidi
42
12k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Testing 201, or: Great Expectations
jmmastey
28
6.3k

Transcript

  1. by Marcus Bointon Synchromedia Limited Smartmessages.net Radically Open Security

  2. Marcus Bointon - TLS PHPSW 2020 What is TLS? Transport

    Layer Security protocol The new(ish) name for SSL - Since 1999 Versions: SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 A set of standards for security & encryption Can wrap around any higher-level protocol HTTP, SMTP, FTP, IMAP, DNS, etc Popular implementations: OpenSSL, LibreSSL, BoringSSL

  3. Marcus Bointon - TLS PHPSW 2020 Why use TLS? Provides

    confidentiality, authenticity & integrity Better performance with HTTP/2 Google will rank you higher Required for iOS apps Chrome 50 disabled HTTP GeoLocation Keeps the wicked witch out

  4. Marcus Bointon - TLS PHPSW 2020 Toolkit: Hashes, MACs, Ciphers

    & KX Hashes produce a fixed-length digest from data; integrity MD5, SHA1, SHA2 (SHA256, SHA384, SHA512) Message Authentication Code (MAC): data + a key; authenticity HMAC-MD5, HMAC-SHA256, Poly1305 Ciphers; encryption algorithms; confidentiality Integer factoring, elliptic curve ("EC"), symmetric, asymmetric RC4, AES, 3DES, RSA, ChaCha20 Key Exchange RSA, Diffie-Hellman ("DH"), x25519, x448, EC, "Ephemeral", ECDHE

  5. Marcus Bointon - TLS PHPSW 2020 New in TLS 1.3

    Removal of all weak and legacy algorithms & extensions Moar encryption Lower handshake overhead All ciphers support forward secrecy Elliptic curve ciphers as standard Downgrade protection

  6. PHPSW 2020 Marcus Bointon - TLS TLS 1.3 Handshake ClientHello

    Cipher Suite List Key Share ServerHello Cipher Suite Key Share Certificate & Signature Server Finished Client Finished HTTP Request HTTP Response 200ms

  7. PHPSW 2020 Marcus Bointon - TLS TLS 1.3 Resumption ClientHello

    Session ticket Key Share HTTP GET ServerHello Key Share Server Finished HTTP Response 0-RTT!

  8. PHPSW 2020 Marcus Bointon - TLS Diffie-Hellman Key Exchange Alice

    Bob Random colour Secret colour + + + + = = = = Secret colour Common secret Exchange intermediate colours

  9. Marcus Bointon - TLS PHPSW 2020 Creating certificates Create a

    public/private key pair At least 2048 bits for RSA, 256 for ECC Create a certificate signing request (CSR) Use SHA-2 signature Sign the CSR to create a public certificate Yourself… By a Certificate Authority (CA)

  10. Marcus Bointon - TLS PHPSW 2020 Intermediate CA certificate Certificate

    chains Browser & OS certificate store Root CA certificate Site certificate Server certificate store Root CA certificate

  11. Marcus Bointon - TLS PHPSW 2020 CRLs, OCSP & Stapling

    How to find out if a cert has been revoked? Browser asks the CA — OCSP Our site becomes dependent on CA's site CA's site becomes a privacy leak risk Get the server to ask the CA in advance Staple the proof of validity to the certificate Can't fake it because it's signed by the CA Browser Server CA Browser Server CA

  12. Marcus Bointon - TLS PHPSW 2020 Use TLS by default,

    keeps things simple Don’t use protocol-relative URLs (//…) Avoid mixed mode: https + http HSTS & CSP can auto-upgrade Create proxies if HTTPS not available Cookies: set httponly, secure, samesite flags Deploying TLS - App concerns

  13. Marcus Bointon - TLS PHPSW 2020 https://mozilla.github.io/server-side-tls/ssl-config-generator/ Redirect to secure

    site Use SNI + SAN to host multiple domains on one IP Create DH params for forward secrecy At least TLSv1.2 — disable old & weak ciphers Enable TLS session caching Staple CA certs for OCSP Deploying TLS - Server config

  14. Marcus Bointon - TLS PHPSW 2020 Deploying TLS - Improving

    security HTTP Strict Transport Security (HSTS) header “We always encrypt” Certificate Authority Authorisation in DNS “Permit only these CAs to issue certs” Content Security Policy (CSP) header “Permit only these sources” Expect-CT header Check that the cert was issued correctly

  15. Marcus Bointon - TLS PHPSW 2020 Testing TLS Click the

    padlock! openssl s_client Qualys SSL Labs: https://www.ssllabs.com/ssltest/ https://hstspreload.appspot.com/ observatory.mozilla.org, testssl.sh, crt.sh, report-uri.com, securityheaders.com, webbkoll.dataskydd.net

  16. PHPSW 2020 Marcus Bointon - TLS TLS overhead - old

    way

  17. PHPSW 2020 Marcus Bointon - TLS TLS overhead - new

    way

  18. Marcus Bointon - TLS PHPSW 2020 TLS Summary It can

    be free It’s fast(er) - use HTTP/2 Use TLS everywhere by default Simple measures maximise security Help Hansel & Gretel make it to your site safely

  19. Marcus Bointon - TLS PHPSW 2020 ...and they all lived

    happily ever after

  20. PHPSW 2020 Marcus Bointon - TLS Thank you Feedback please:

    https://joind.in/talk/7ce30 https://speakerdeck.com/synchro/hansel-and-gretel- do-tls-phpsw-2020 Marcus Bointon, [email protected] @SynchroM & @PrivacySpider Synchro on GitHub & Stack Exchange
  21. None