Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Getting TLS Right

Zack Tollman
March 14, 2015
Technology
0
300

Getting TLS Right

Not all TLS deployments are created equal. Poorly configured TLS can can trick users into thinking their browsing experience is safe, yet leave them vulnerable to devastating man in the middle attacks, surveillance, and identity theft. Not to mention, a janky TLS setup can slow your otherwise performant site to a halt. In my talk, I will provide a primer on how to set up TLS for strong security and excellent performance. Additionally, I will discuss the TLS protocol to better familiarize the audience about the way that certificate and public key cryptography works to provide a secure web experience.

Zack Tollman

March 14, 2015
Tweet

More Decks by Zack Tollman

See All by Zack Tollman
Defining Fast: The Hardest Problem in Performance Engineering
tollmanz
0
64
Defining Fast: The Hardest Problem in Performance Engineering
tollmanz
0
92
ReWIRED: Moving WIRED.com from WordPress to Node
tollmanz
0
160
Put an "S" on it: Moving a Large Publishing Site to HTTPS
tollmanz
1
95
Building Custom User Experiences from the Edge
tollmanz
0
84
HTTPS Migrations: The Hard Parts
tollmanz
0
170
HTTPS is Coming: Are You Prepared? (Velocity 2016)
tollmanz
0
160
Understanding HTTPS and TLS
tollmanz
0
170
HTTPS Is Coming - WP SFO
tollmanz
0
85

Other Decks in Technology

See All in Technology
Building smarter apps with machine learning, from magic to reality
picardparis
4
3.6k
Mutating Meetup with GraphQL
adavis
1
340
「挑戦しなければ障害は生まれない」 社内ポストモーテム共有会について
sheep_san_white
0
380
YouTubeへのライブ配信機能をリリースするまで
yurihondo
0
830
できる!アクセシビリティ向上/droidkaigi2023-day2
nikkei_engineer_recruiting
0
1.4k
Jetpack Glanceではじめる Material 3のColor
mochico
1
600
DMMプラットフォームに ゼロベースでSLO導入している取り組み 適切なSLI模索の軌跡
junjunjunk
7
860
20230829_ccoe_seminar_session_3
hiashisan
0
160
The Evolution of GraphQL Code Generation
n1ru4l
0
270
土壌と植物で奏でるアート~農業における新たなパラダイム~
shinrinakamura
0
160
Setting up Monitoring for Kubernetes
prathamesh
0
160
Material 3 やめました / Good-bye M3 design system
yanzm
3
2.4k

Featured

See All Featured
Raft: Consensus for Rubyists
vanstee
130
5.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
Building an army of robots
kneath
300
41k
Atom: Resistance is Futile
akmur
257
24k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.3k
Support Driven Design
roundedbygravity
91
9.2k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
VelocityConf: Rendering Performance Case Studies
addyosmani
318
23k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
30k
Making the Leap to Tech Lead
cromwellryan
119
8.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
20k

Transcript

  1. Getting TLS Right
    @tollmanz
    Zack Tollman

    View Slide

  2. TLS is hot right now

    View Slide

  3. We implement TLS
    poorly

    View Slide

  4. SSL Pulse
    Reviews SSL/TLS sites in Alexa’s
    Top 300k sites
    https://www.trustworthyinternet.org/ssl-pulse/

    View Slide

  5. 474 are vulnerable to
    heartbleed

    View Slide

  6. 21.0% use
    weak ciphers

    View Slide

  7. 47.3% support
    SSLv3

    View Slide

  8. 38.3% do no support
    Forward Secrecy

    View Slide

  9. 97.3% do not use
    HSTS

    View Slide

  10. 83.6% are
    insecure

    View Slide

  11. “misconfiguration errors
    are undermining the potential
    security”
    Kranch & Bonneau (2015)
    http://www.internetsociety.org/sites/default/files/01_4_0.pdf

    View Slide

  12. “developers who should be in the
    best position to understand these
    new tools”
    Kranch & Bonneau (2015)
    http://www.internetsociety.org/sites/default/files/01_4_0.pdf

    View Slide

  13. “industry-wide configuration
    problem with the deployment
    of DHE key exchange"
    Huang, Adhikarla, Boneh, & Jackson (2014)
    http://www.w2spconf.com/2014/papers/TLS.pdf

    View Slide

  14. Why?

    View Slide

  15. Why?

    View Slide

  16. Why?

    View Slide

  17. Unless you are a cryptographer,
    this stuff is hard

    View Slide

  18. Copying and pasting is easy

    View Slide

  19. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /path/to/public.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-
    SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-
    RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-
    GCM-SHA384…;
    https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

    View Slide

  20. Knowing what you are
    doing is hard

    View Slide

  21. TLS Basics

    View Slide

  22. Transport Layer Security

    View Slide

  23. SSLv2
    SSLv3
    TLSv1.0
    TLSv1.1
    TLSv1.2

    View Slide

  24. SSLv2 1995
    SSLv3 1996
    TLSv1.0 1999
    TLSv1.1 2006
    TLSv1.2 2008

    View Slide

  25. SSLv2 1995 PHP Tools
    SSLv3 1996 PHP/FI (2.0)
    TLSv1.0 1999 PHP 3.0
    TLSv1.1 2006 PHP 5.2
    TLSv1.2 2008 PHP 5.2.8

    View Slide

  26. SSLv2 1995 MITM
    SSLv3 1996 POODLE
    TLSv1.0 1999 BEAST
    TLSv1.1 2006
    TLSv1.2 2008

    View Slide

  27. Provides authentication,
    encryption, integrity, and
    key exchange

    View Slide

  28. Authentication

    View Slide

  29. Encryption

    View Slide

  30. Integrity

    View Slide

  31. Key exchange

    View Slide

  32. Compromise of any of these,
    compromises the whole system

    View Slide

  33. Cipher Suites

    View Slide

  34. Combination of algorithms for
    authentication, encryption,
    integrity and key exchange

    View Slide

  35. ECDHE-RSA-AES128-GCM-SHA256

    View Slide

  36. ECDHE-RSA-AES128-GCM-SHA256
    Key Exchange

    View Slide

  37. ECDHE-RSA-AES128-GCM-SHA256
    Certificate signing algorithm
    (authentication)

    View Slide

  38. ECDHE-RSA-AES128-GCM-SHA256
    Cipher (Encryption)

    View Slide

  39. ECDHE-RSA-AES128-GCM-SHA256
    Message authentication code
    (integrity)

    View Slide

  40. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-
    GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
    ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-
    SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH
    +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-
    AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-
    AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
    AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-
    AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-
    SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-
    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-
    SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-
    SHA256:AES256-SHA256:AES128-SHA:AES256-
    SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
    EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-
    CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-
    SHA

    View Slide

  41. View Slide

  42. View Slide

  43. TLS Handshake

    View Slide

  44. Client presents supported
    cipher suites

    View Slide

  45. Server chooses suite to use

    View Slide

  46. Certificate sent to client

    View Slide

  47. Verified with signing algorithm to
    authenticate the certificate

    View Slide

  48. ECDHE-RSA-AES128-GCM-SHA256

    View Slide

  49. RSA is the most widely supported
    signing mechanism

    View Slide

  50. Recommendation
    RSA for Certificate
    Authentication
    but ECDSA will be the new hotness

    View Slide

  51. Key exchange

    View Slide

  52. Negotiate the key for
    encryption and decryption

    View Slide

  53. ECDHE-RSA-AES128-GCM-SHA256

    View Slide

  54. Preferring Ephemeral Diffie
    Hellman algorithms give you
    Perfect Forward Secrecy

    View Slide

  55. Guarantees a different key
    for each connection

    View Slide

  56. RSA uses the
    same key
    for each connection

    View Slide

  57. Recommendation
    ECDHE for Key Exchange

    View Slide

  58. Server is verified and
    keys are negotiated

    View Slide

  59. Key is used by encryption
    algorithm

    View Slide

  60. ECDHE-RSA-AES128-GCM-SHA256

    View Slide

  61. Advanced Encryption Standard
    (AES) is the only real option

    View Slide

  62. Other ciphers have known
    weaknesses

    View Slide

  63. Can choose between 128 and 256
    bit encryption

    View Slide

  64. Recommendation
    AES-128-GCM for encryption
    but watch for ChaCha20

    View Slide

  65. Encrypted messages are signed to
    guarantee integrity

    View Slide

  66. SHA-256 and SHA-384 are the
    two practical options

    View Slide

  67. Recommendation
    SHA-256 for MAC
    but watch for Poly1305

    View Slide

  68. So…huh?

    View Slide

  69. Use Mozilla’s guide
    https://wiki.mozilla.org/Security/
    Server_Side_TLS

    View Slide

  70. HTTP Strict Transport Security

    View Slide

  71. SSL Stripping
    http://www.thoughtcrime.org/software/sslstrip/

    View Slide

  72. What if HTTP variant
    was never accessed?

    View Slide

  73. HSTS blocks browser from
    HTTP version of site

    View Slide

  74. Recommendation
    Set HSTS headers

    View Slide

  75. Set HSTS only after mixed
    content issues are resolved

    View Slide

  76. Content Security Policy

    View Slide

  77. Mixed content warnings
    are bad

    View Slide

  78. Whitelist assets loaded
    on your site

    View Slide

  79. Whitelist only HTTPS assets

    View Slide

  80. Use report-only variant

    View Slide

  81. Current recommendation
    Use CSP headers

    View Slide

  82. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View Slide

  83. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View Slide

  84. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View Slide

  85. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View Slide

  86. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View Slide

  87. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View Slide

  88. Content-Security-Policy-Report-
    Only:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com;
    report-uri /beacon.php

    View Slide

  89. HTTPS Mixed Content Detector
    Plugin for WordPress

    View Slide

  90. Do your homework

    View Slide

  91. Make good decisions

    View Slide

  92. Maintain your TLS config
    like you maintain your code

    View Slide

  93. The Code Book
    Simon Singh
    High Performance Browser Networking (TLS Chapter)
    Ilya Grigorik
    Bulletproof SSL and TLS
    Ivan Ristic
    SSL and TLS: Designing and Building Secure Systems
    Eric Rescorla

    View Slide

  94. @tollmanz
    tollmanz.com/mwphp15
    Zack Tollman

    View Slide