Getting TLS Right

Not all TLS deployments are created equal. Poorly configured TLS can trick users into thinking their browsing experience is safe, yet leave them vulnerable to devastating man-in-the-middle attacks, surveillance, and identity theft. Not to mention, a janky TLS setup can slow your otherwise performant site to a halt. In my talk, I will provide a primer on how to set up TLS for strong security and excellent performance. Additionally, I will discuss the TLS protocol to better familiarize the audience with the way that certificate and public key cryptography work to provide a secure web experience.

Zack Tollman

March 14, 2015

Transcript

  1. Getting TLS Right
    @tollmanz
    Zack Tollman

  2. TLS is hot right now

  3. We implement TLS
    poorly

  4. SSL Pulse
    Reviews SSL/TLS sites in Alexa’s
    Top 300k sites
    https://www.trustworthyinternet.org/ssl-pulse/

  5. 474 are vulnerable to
    Heartbleed

  6. 21.0% use
    weak ciphers

  7. 47.3% support
    SSLv3

  8. 38.3% do not support
    Forward Secrecy

  9. 97.3% do not use
    HSTS

  10. 83.6% are
    insecure

  11. “misconfiguration errors
    are undermining the potential
    security”
    Kranch & Bonneau (2015)
    http://www.internetsociety.org/sites/default/files/01_4_0.pdf

  12. “developers who should be in the
    best position to understand these
    new tools”
    Kranch & Bonneau (2015)
    http://www.internetsociety.org/sites/default/files/01_4_0.pdf

  13. “industry-wide configuration
    problem with the deployment
    of DHE key exchange”
    Huang, Adhikarla, Boneh, & Jackson (2014)
    http://www.w2spconf.com/2014/papers/TLS.pdf

  14. Unless you are a cryptographer,
    this stuff is hard

  15. Copying and pasting is easy

  16. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /path/to/public.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384…;
    https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

  17. Knowing what you are
    doing is hard

  18. Transport Layer Security

  19. SSLv2
    SSLv3
    TLSv1.0
    TLSv1.1
    TLSv1.2

  20. SSLv2 1995
    SSLv3 1996
    TLSv1.0 1999
    TLSv1.1 2006
    TLSv1.2 2008

  21. SSLv2 1995 PHP Tools
    SSLv3 1996 PHP/FI (2.0)
    TLSv1.0 1999 PHP 3.0
    TLSv1.1 2006 PHP 5.2
    TLSv1.2 2008 PHP 5.2.8

  22. SSLv2 1995 MITM
    SSLv3 1996 POODLE
    TLSv1.0 1999 BEAST
    TLSv1.1 2006
    TLSv1.2 2008

  23. Provides authentication,
    encryption, integrity, and
    key exchange

  24. Authentication

  25. Key exchange

  26. Compromise of any of these
    compromises the whole system

  27. Cipher Suites

  28. Combination of algorithms for
    authentication, encryption,
    integrity and key exchange

  29. ECDHE-RSA-AES128-GCM-SHA256

  30. ECDHE-RSA-AES128-GCM-SHA256
    Key Exchange

  31. ECDHE-RSA-AES128-GCM-SHA256
    Certificate signing algorithm
    (authentication)

  32. ECDHE-RSA-AES128-GCM-SHA256
    Cipher (Encryption)

  33. ECDHE-RSA-AES128-GCM-SHA256
    Message authentication code
    (integrity)

  34. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  35. TLS Handshake

  36. Client presents supported
    cipher suites

  37. Server chooses suite to use

  38. Certificate sent to client

  39. Verified with signing algorithm to
    authenticate the certificate

  40. ECDHE-RSA-AES128-GCM-SHA256

  41. RSA is the most widely supported
    signing mechanism

  42. Recommendation
    RSA for Certificate
    Authentication
    but ECDSA will be the new hotness

  43. Key exchange

  44. Negotiate the key for
    encryption and decryption

  45. ECDHE-RSA-AES128-GCM-SHA256

  46. Preferring Ephemeral Diffie-Hellman
    algorithms gives you
    Perfect Forward Secrecy

  47. Guarantees a different key
    for each connection

  48. RSA uses the
    same key
    for each connection

  49. Recommendation
    ECDHE for Key Exchange

  50. Server is verified and
    keys are negotiated

  51. Key is used by encryption
    algorithm

  52. ECDHE-RSA-AES128-GCM-SHA256

  53. Advanced Encryption Standard
    (AES) is the only real option

  54. Other ciphers have known
    weaknesses

  55. Can choose between 128 and 256
    bit encryption

  56. Recommendation
    AES-128-GCM for encryption
    but watch for ChaCha20

  57. Encrypted messages are signed to
    guarantee integrity

  58. SHA-256 and SHA-384 are the
    two practical options

  59. Recommendation
    SHA-256 for MAC
    but watch for Poly1305

  60. Use Mozilla’s guide
    https://wiki.mozilla.org/Security/Server_Side_TLS

  61. HTTP Strict Transport Security

  62. SSL Stripping
    http://www.thoughtcrime.org/software/sslstrip/

  63. What if HTTP variant
    was never accessed?

  64. HSTS blocks browser from
    HTTP version of site

  65. Recommendation
    Set HSTS headers

  66. Set HSTS only after mixed
    content issues are resolved

  67. Content Security Policy

  68. Mixed content warnings
    are bad

  69. Whitelist assets loaded
    on your site

  70. Whitelist only HTTPS assets

  71. Use report-only variant

  72. Current recommendation
    Use CSP headers

  73. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://fonts.gstatic.com;
    img-src 'self' https:;
    style-src 'self' https: https://fonts.googleapis.com;
    script-src 'self' https: https://ssl.google-analytics.com

  79. Content-Security-Policy-Report-Only:
    default-src 'self' https:;
    font-src https://fonts.gstatic.com;
    img-src 'self' https:;
    style-src 'self' https: https://fonts.googleapis.com;
    script-src 'self' https: https://ssl.google-analytics.com;
    report-uri /beacon.php

  80. HTTPS Mixed Content Detector
    Plugin for WordPress

  81. Do your homework

  82. Make good decisions

  83. Maintain your TLS config
    like you maintain your code

  84. The Code Book, Simon Singh
    High Performance Browser Networking (TLS Chapter), Ilya Grigorik
    Bulletproof SSL and TLS, Ivan Ristic
    SSL and TLS: Designing and Building Secure Systems, Eric Rescorla

  85. @tollmanz
    tollmanz.com/mwphp15
    Zack Tollman
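
The cipher-suite breakdown on slides 28 to 33 and the forward-secrecy point on slides 46 to 48, as an added example that is not part of the original deck: a parser for the OpenSSL-style names used on the slides, applied to entries from the slide 34 string. It covers only the name shapes that appear in the deck; the function names are chosen here.

```python
# Added example, not from the deck: split OpenSSL-style suite names into their roles.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}        # EDH is OpenSSL's older spelling of DHE
AUTH = {"RSA", "ECDSA", "DSS"}
HASHES = {"SHA", "SHA256", "SHA384", "MD5"}
CIPHER_FIRST = {"AES128", "AES256", "DES", "RC4"}  # first token of a cipher name

def parse_suite(name):
    """Return the roles in a name such as 'ECDHE-RSA-AES128-GCM-SHA256'."""
    parts = name.split("-")
    if parts[0] in EPHEMERAL_KX and len(parts) > 1 and parts[1] in AUTH:
        kx, auth, rest = parts[0], parts[1], parts[2:]
    elif parts[0] in CIPHER_FIRST:
        # No prefix: the name implies RSA for both key exchange and authentication.
        kx, auth, rest = "RSA", "RSA", parts
    else:
        raise ValueError(f"name shape not covered by this example: {name}")
    if len(rest) < 2 or rest[-1] not in HASHES:
        raise ValueError(f"no cipher/hash pair in: {name}")
    cipher = "-".join(rest[:-1])
    return {
        "kx": kx, "auth": auth, "cipher": cipher,
        # In GCM suites the AEAD tag protects records; this hash feeds the TLS 1.2 PRF.
        "hash": rest[-1],
        "forward_secret": kx in EPHEMERAL_KX,
        "aead": cipher.endswith("GCM"),
    }

def without_forward_secrecy(cipher_string):
    """Explicit suites in an ssl_ciphers string whose key exchange is not ephemeral."""
    found = []
    for item in cipher_string.split(":"):
        if item.startswith("!") or "-" not in item:
            continue  # exclusions and keyword selectors (AES, CAMELLIA, kEDH+AESGCM)
        if not parse_suite(item)["forward_secret"]:
            found.append(item)
    return found

# Selected entries from the cipher string on slide 34.
SLIDE_34_ENTRIES = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA:"
    "AES128-GCM-SHA256:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!RC4"
)

if __name__ == "__main__":
    print(parse_suite("ECDHE-RSA-AES128-GCM-SHA256"))
    print(without_forward_secrecy(SLIDE_34_ENTRIES))
```

The suites it reports are the RSA key-exchange fallbacks at the tail of the list, which is why the order of the string and `ssl_prefer_server_ciphers on` matter.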

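
The HSTS and CSP recommendations on slides 61 to 79, as an added example that is not part of the original deck: a check of response headers for a usable HSTS value, CSP sources that are not restricted to HTTPS, and a report-only policy with no report-uri. The `Strict-Transport-Security` header name and `max-age` directive come from RFC 6797 rather than the slides; the function names and the weak sample are constructed here.

```python
# Added example, not from the deck. Header names are matched case-insensitively.
CSP = "content-security-policy"

def parse_csp(value):
    """Map each directive to its sources; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def plain_http_sources(policy):
    """(directive, source) pairs that do not restrict loads to HTTPS."""
    return [(d, s) for d, srcs in policy.items() if d != "report-uri"
            for s in srcs if s == "*" or s.lower().startswith("http:")]

def hsts_max_age(value):
    """max-age in seconds from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def audit(headers):
    """Findings for a dict of response headers; an empty list means none."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not hsts_max_age(h.get("strict-transport-security", "")):
        findings.append("HSTS missing or max-age is 0")
    for name in [n for n in (CSP, CSP + "-report-only") if n in h]:
        policy = parse_csp(h[name])
        findings += [f"{name}: {d} allows {s}" for d, s in plain_http_sources(policy)]
        if name.endswith("report-only") and "report-uri" not in policy:
            findings.append(f"{name}: no report-uri, violations go unreported")
    return findings

# Policy from slide 79; the HSTS value (one year) is a constructed sample.
SLIDE_79 = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy-Report-Only": "default-src 'self' https:; "
        "font-src https://fonts.gstatic.com; img-src 'self' https:; "
        "style-src 'self' https: https://fonts.googleapis.com; script-src 'self' "
        "https: https://ssl.google-analytics.com; report-uri /beacon.php",
}
# Constructed counter-example: no HSTS, an HTTP image host and a wildcard.
WEAK = {"Content-Security-Policy": "default-src 'self' https:; img-src http://img.example.test *"}
```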