A brief introduction to HTTPS

Transcript

1. A brief introduction to HTTPS Thierry Sans

2. Today, we are going to

3. Today, we are going to 1. understand HTTP

4. Today, we are going to 1. understand HTTP 2. break

   HTTP

5. Today, we are going to 1. understand HTTP 2. break

   HTTP 3. secure HTTP with HTTPS

6. Today, we are going to 1. understand HTTP 2. break

   HTTP 3. secure HTTP with HTTPS 4. go beyond HTTPS

7. 1. Understanding HTTP

8. HTTP - Hypertext Transfer Protocol Web Server Web Browser

9. HTTP - Hypertext Transfer Protocol Web Server Web Browser HTTP

   request

10. HTTP - Hypertext Transfer Protocol Web Server Web Browser HTTP

    request HTTP response

11. HTTP - Hypertext Transfer Protocol Web Server Web Browser HTTP

    request HTTP response

12. HTTP - Hypertext Transfer Protocol Web Server Web Browser HTTP

    request HTTP response

13. HTTP Authentication

14. HTTP Authentication login: [email protected]
 password: pass4example

15. HTTP Authentication login: [email protected]
 password: pass4example SID:scACRSm…

16. HTTP Authentication session login: [email protected]
 password: pass4example SID:scACRSm…

17. The concept of session The session id (a.k.a authentication token)

    is • unique and unforgeable (usually a long random string) • sent back and forth between the web browser and the web server in the cookie • bound to user’s data on the server

18. 2. Breaking HTTP

19. How to steal user’s credentials ➡ Brute force the user’s

    password or session ID

20. How to steal user’s credentials ➡ Brute force the user’s

    password or session ID

21. How to steal user’s credentials ➡ Brute force the user’s

    password or session ID

22. How to steal user’s credentials ➡ Brute force the user’s

    password or session ID ➡ Steal the user’s password or session ID

23. Do you trust the network?

24. Do you trust the network? interesting!

25. Do you trust the network? ๏ Threat 1 : an

    attacker can eavesdrop messages sent back and forth interesting!

26. Do you really trust the network? example.com

27. Do you really trust the network? I am example.com! example.com

28. Do you really trust the network? ๏ Threat 2 :

    an attacker can tamper with messages sent back and forth I am example.com! example.com

29. Confidentiality and Integrity

30. Confidentiality and Integrity ๏ Threat 1 : an attacker can

    eavesdrop messages sent back and forth

31. Confidentiality and Integrity ๏ Threat 1 : an attacker can

    eavesdrop messages sent back and forth Confidentiality: how do exchange information secretly?

32. Confidentiality and Integrity ๏ Threat 1 : an attacker can

    eavesdrop messages sent back and forth Confidentiality: how do exchange information secretly? ๏ Threat 2 : an attacker can tamper messages sent back and forth

33. Confidentiality and Integrity ๏ Threat 1 : an attacker can

    eavesdrop messages sent back and forth Confidentiality: how do exchange information secretly? ๏ Threat 2 : an attacker can tamper messages sent back and forth Integrity: How do we exchange information reliably?

34. 3. Securing HTTP with HTTPS

35. Generic solution - HTTPS ✓ HTTPS = HTTP + TLS

    ➡ Transport Layer Security (TLS previously known as SSL) provides • confidentiality: end-to-end secure channel • integrity: authentication handshake


36. Generating and using (self-signed) certificates

37. Generating and using (self-signed) certificates

38. Generating and using (self-signed) certificates who are you?

39. Generating and using (self-signed) certificates who are you? I am

    example.com

40. Generating and using (self-signed) certificates who are you? I am

    example.com

41. Self-signed certificates
 are not trusted by
 your browser

42. Signed Certificate Certificate Authority (CA)

43. Signed Certificate Certificate Authority (CA)

44. Signed Certificate Certificate Authority (CA)

45. Signed Certificate Certificate Authority (CA)

46. Signed Certificate who are you? Certificate Authority (CA)

47. Signed Certificate who are you? Certificate Authority (CA) I am

    example.com

48. Signed Certificate who are you? Certificate Authority (CA) I am

    example.com

49. Your browser trusts many CAs by default

50. Real attacks

51. 4. Beyond HTTPS

52. Why and when using HTTPS? HTTPS = HTTP + TLS

    ➡ TLS provides • confidentiality: end-to-end secure channel • integrity: authentication handshake
 ➡ HTTPS protects any data send back and forth including: • login and password • session ID ✓ HTTPS everywhere 
 HTTPS must be used during the entire session

53. Limitation of HTTPS

54. Limitation of HTTPS

55. Limitation of HTTPS

56. Limitation of HTTPS

57. Beyond this lecture 15-349 Introduction to Computer and Network Security

    • symmetric and asymmetric crypto-systems • the TLS protocol • network and host-based threat, vulnerabilities, attacks 
 and counter-measures 15-437 Web Application Development • the HTTP protocol • how to deploy your web application over HTTPS • web-based threats, vulnerabilities, attacks and counter-measures