Getting TLS Right

Not all TLS deployments are created equal. Poorly configured TLS can trick users into thinking their browsing experience is safe, yet leave them vulnerable to devastating man-in-the-middle attacks, surveillance, and identity theft. Not to mention, a janky TLS setup can slow your otherwise performant site to a halt. In my talk, I will provide a primer on how to set up TLS for strong security and excellent performance. Additionally, I will discuss the TLS protocol to better familiarize the audience with the way that certificate and public key cryptography works to provide a secure web experience.

Zack Tollman

March 14, 2015

Transcript

  1. Getting TLS Right
    @tollmanz
    Zack Tollman

  2. TLS is hot right now

  3. We implement TLS
    poorly

  4. SSL Pulse
    Reviews SSL/TLS sites in Alexa’s
    Top 300k sites
    https://www.trustworthyinternet.org/ssl-pulse/

  5. 474 are vulnerable to
    Heartbleed

  6. 21.0% use
    weak ciphers

  7. 47.3% support
    SSLv3

  8. 38.3% do not support
    Forward Secrecy

  9. 97.3% do not use
    HSTS

  10. 83.6% are
    insecure

  11. “misconfiguration errors
    are undermining the potential
    security”
    Kranch & Bonneau (2015)
    http://www.internetsociety.org/sites/default/files/01_4_0.pdf

  12. “developers who should be in the
    best position to understand these
    new tools”
    Kranch & Bonneau (2015)
    http://www.internetsociety.org/sites/default/files/01_4_0.pdf

  13. “industry-wide configuration
    problem with the deployment
    of DHE key exchange”
    Huang, Adhikarla, Boneh, & Jackson (2014)
    http://www.w2spconf.com/2014/papers/TLS.pdf

  14. Why?

  17. Unless you are a cryptographer,
    this stuff is hard

  18. Copying and pasting is easy

  19. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /path/to/public.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384…;
    https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

  20. Knowing what you are
    doing is hard

  21. TLS Basics

  22. Transport Layer Security

  23. SSLv2
    SSLv3
    TLSv1.0
    TLSv1.1
    TLSv1.2

  24. SSLv2 1995
    SSLv3 1996
    TLSv1.0 1999
    TLSv1.1 2006
    TLSv1.2 2008

  25. SSLv2 1995 PHP Tools
    SSLv3 1996 PHP/FI (2.0)
    TLSv1.0 1999 PHP 3.0
    TLSv1.1 2006 PHP 5.2
    TLSv1.2 2008 PHP 5.2.8

  26. SSLv2 1995 MITM
    SSLv3 1996 POODLE
    TLSv1.0 1999 BEAST
    TLSv1.1 2006
    TLSv1.2 2008

  27. Provides authentication,
    encryption, integrity, and
    key exchange

  28. Authentication

  29. Encryption

  30. Integrity

  31. Key exchange

  32. Compromise of any of these
    compromises the whole system

  33. Cipher Suites

  34. Combination of algorithms for
    authentication, encryption,
    integrity and key exchange

  35. ECDHE-RSA-AES128-GCM-SHA256

  36. ECDHE-RSA-AES128-GCM-SHA256
    Key Exchange

  37. ECDHE-RSA-AES128-GCM-SHA256
    Certificate signing algorithm
    (authentication)

  38. ECDHE-RSA-AES128-GCM-SHA256
    Cipher (Encryption)

  39. ECDHE-RSA-AES128-GCM-SHA256
    Message authentication code
    (integrity)

  40. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  43. TLS Handshake

  44. Client presents supported
    cipher suites

  45. Server chooses suite to use

  46. Certificate sent to client

  47. Verified with signing algorithm to
    authenticate the certificate

  48. ECDHE-RSA-AES128-GCM-SHA256

  49. RSA is the most widely supported
    signing mechanism

  50. Recommendation
    RSA for Certificate
    Authentication
    but ECDSA will be the new hotness

  51. Key exchange

  52. Negotiate the key for
    encryption and decryption

  53. ECDHE-RSA-AES128-GCM-SHA256

  54. Preferring Ephemeral Diffie
    Hellman algorithms gives you
    Perfect Forward Secrecy

  55. Guarantees a different key
    for each connection

  56. RSA uses the
    same key
    for each connection

  57. Recommendation
    ECDHE for Key Exchange

  58. Server is verified and
    keys are negotiated

  59. Key is used by encryption
    algorithm

  60. ECDHE-RSA-AES128-GCM-SHA256

  61. Advanced Encryption Standard
    (AES) is the only real option

  62. Other ciphers have known
    weaknesses

  63. Can choose between 128 and 256
    bit encryption

  64. Recommendation
    AES-128-GCM for encryption
    but watch for ChaCha20

  65. Encrypted messages are signed to
    guarantee integrity

  66. SHA-256 and SHA-384 are the
    two practical options

  67. Recommendation
    SHA-256 for MAC
    but watch for Poly1305

  68. So…huh?

  69. Use Mozilla’s guide
    https://wiki.mozilla.org/Security/Server_Side_TLS

  70. HTTP Strict Transport Security

  71. SSL Stripping
    http://www.thoughtcrime.org/software/sslstrip/

  72. What if HTTP variant
    was never accessed?

  73. HSTS blocks browser from
    HTTP version of site

  74. Recommendation
    Set HSTS headers

  75. Set HSTS only after mixed
    content issues are resolved

  76. Content Security Policy

  77. Mixed content warnings
    are bad

  78. Whitelist assets loaded
    on your site

  79. Whitelist only HTTPS assets

  80. Use report-only variant

  81. Current recommendation
    Use CSP headers

  82. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://fonts.gstatic.com;
    img-src 'self' https:;
    style-src 'self' https: https://fonts.googleapis.com;
    script-src 'self' https: https://ssl.google-analytics.com

  88. Content-Security-Policy-Report-Only:
    default-src 'self' https:;
    font-src https://fonts.gstatic.com;
    img-src 'self' https:;
    style-src 'self' https: https://fonts.googleapis.com;
    script-src 'self' https: https://ssl.google-analytics.com;
    report-uri /beacon.php

  89. HTTPS Mixed Content Detector
    Plugin for WordPress

  90. Do your homework

  91. Make good decisions

  92. Maintain your TLS config
    like you maintain your code

  93. The Code Book
    Simon Singh
    High Performance Browser Networking (TLS Chapter)
    Ilya Grigorik
    Bulletproof SSL and TLS
    Ivan Ristic
    SSL and TLS: Designing and Building Secure Systems
    Eric Rescorla

  94. @tollmanz
    tollmanz.com/mwphp15
    Zack Tollman
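
The cipher suite breakdown on slides 35 to 39 and the recommendations on slides 50, 57, 64 and 67, as an added Python example that is not part of the talk: it splits OpenSSL-style suite names into the four roles and lists where each suite departs from those recommendations. The function names are hypothetical, the parser covers only the name shapes that appear on slide 40, and ECDSA is treated as acceptable alongside RSA.

```python
# Added example (not from the talk): decompose OpenSSL-style TLS 1.2 suite names.
KEY_EXCHANGES = ("ECDHE", "DHE")          # ephemeral Diffie-Hellman variants
AUTHS = ("RSA", "ECDSA", "DSS")
HASHES = ("SHA256", "SHA384", "SHA", "MD5")

# Shortened excerpt of the slide-40 cipher string, selectors included.
SAMPLE = ("ECDHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-ECDSA-AES256-SHA384:"
          "DHE-DSS-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4")


def parse_suite(name):
    """Split one suite name into the four roles labelled on slides 36-39."""
    parts = name.split("-")
    # No key-exchange prefix (e.g. AES128-SHA) means static RSA key exchange,
    # where the certificate's RSA key also authenticates the server.
    kx = parts.pop(0) if parts[0] in KEY_EXCHANGES else "RSA"
    auth = parts.pop(0) if parts and parts[0] in AUTHS else "RSA"
    mac = parts.pop() if parts and parts[-1] in HASHES else None
    # In GCM suites the trailing hash is the handshake PRF hash; record
    # integrity comes from GCM itself. The slides label it as the MAC.
    return {"kx": kx, "auth": auth, "cipher": "-".join(parts), "mac": mac}


def deviations(name):
    """List where a suite departs from the talk's recommendations."""
    s, out = parse_suite(name), []
    if s["kx"] != "ECDHE":
        fs = "forward secrecy kept" if s["kx"] == "DHE" else "no forward secrecy"
        out.append(f"key exchange {s['kx']} ({fs})")
    if s["auth"] not in ("RSA", "ECDSA"):
        out.append(f"authentication {s['auth']}")
    if s["cipher"] != "AES128-GCM":
        out.append(f"cipher {s['cipher']}")
    if s["mac"] != "SHA256":
        out.append(f"hash {s['mac']}")
    return out


def audit(cipher_string):
    """Map each concrete suite in an OpenSSL cipher string to its deviations."""
    # Selectors and exclusions (kEDH+AESGCM, AES, !aNULL) are not suite names.
    return {item: deviations(item) for item in cipher_string.split(":")
            if not item.startswith("!") and "+" not in item and "-" in item}


if __name__ == "__main__":
    for suite, notes in audit(SAMPLE).items():
        print(f"{suite:28} {'; '.join(notes) or 'matches recommendations'}")
```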
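
A header check for slides 73 to 88 (HSTS, HTTPS-only CSP sources, and the report-only variant), as an added Python example that is not part of the talk. The function names and the `WEAK` headers are constructed for illustration, the HSTS `max-age` value is an assumption because the slides do not give one, and header names are assumed to arrive in their canonical spelling.

```python
# Added example (not from the talk): check response headers against slides 73-88.
SLIDE_88 = {  # slide-88 policy; the HSTS value is constructed for this example
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy-Report-Only":
        "default-src 'self' https:; font-src https://fonts.gstatic.com; "
        "img-src 'self' https:; style-src 'self' https: "
        "https://fonts.googleapis.com; script-src 'self' https: "
        "https://ssl.google-analytics.com; report-uri /beacon.php",
}
WEAK = {"Content-Security-Policy-Report-Only":  # constructed weak headers
        "default-src 'self' https:; img-src *; script-src http://cdn.example.com"}


def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def hsts_max_age(value):
    """Return max-age in seconds, or None when absent or malformed."""
    for part in (value or "").split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().strip('"').isdigit():
            return int(arg.strip().strip('"'))
    return None


def audit(headers):
    """List shortfalls: no HSTS, '*' or http: sources, report-only with no sink."""
    findings = []
    if not hsts_max_age(headers.get("Strict-Transport-Security")):
        findings.append("HSTS missing or max-age=0")
    for name in ("Content-Security-Policy", "Content-Security-Policy-Report-Only"):
        policy = parse_csp(headers.get(name, ""))
        for directive, sources in policy.items():
            for src in sources:
                plain_http = src == "*" or src.lower().startswith("http:")
                if directive.endswith("-src") and plain_http:
                    findings.append(f"{name}: {directive} allows {src}")
        if policy and name.endswith("Report-Only") and "report-uri" not in policy:
            findings.append(f"{name}: no report-uri, violations go unreported")
    return findings
```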