Getting TLS Right

Not all TLS deployments are created equal. Poorly configured TLS can trick users into thinking their browsing experience is safe, yet leave them vulnerable to devastating man-in-the-middle attacks, surveillance, and identity theft. Not to mention, a janky TLS setup can slow your otherwise performant site to a halt. In my talk, I will provide a primer on how to set up TLS for strong security and excellent performance. Additionally, I will discuss the TLS protocol to better familiarize the audience with the way that certificates and public key cryptography work to provide a secure web experience.

Zack Tollman

May 06, 2015
Transcript

  1. Getting TLS Right Zack Tollman @tollmanz

  2. None
  3. “Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.” — IETF https://tools.ietf.org/html/rfc7258

  4. “Today we are announcing our intent to phase out non-secure HTTP” — Richard Barnes, Firefox Security Lead https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

  5. HTTP/2 is TLS only in Chrome and Firefox https://wiki.mozilla.org/Networking/http2

  6. Now Later Less TLS More TLS

  7. TLS knowledge is now essential

  8. We are bad at TLS

  9. 78% of sites are not secure https://www.trustworthyinternet.org/ssl-pulse/

  10. 432 heartbleed vulnerabilities (0.3%) https://www.trustworthyinternet.org/ssl-pulse/

  11. 97% do not support HSTS https://www.trustworthyinternet.org/ssl-pulse/

  12. 37% do not support Perfect Forward Secrecy https://www.trustworthyinternet.org/ssl-pulse/

  13. “misconfiguration errors are undermining the potential security” — Kranch & Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf

  14. “industry-wide configuration problem with the deployment of DHE key exchange” — Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf

  15. We don’t seem to understand TLS

  16. Let’s fix that

  17. Quick Note on TLS and SSL

  18. function capital_TLS_dangit( $content ) { return str_replace( array( 'SSL', 'Secure Sockets Layer' ), array( 'TLS', 'Transport Layer Security' ), $content ); }

  19. SSL v2 (1995), SSL v3 (1996), TLS v1 (1999), TLS v1.1 (2006), TLS v1.2 (2008)

  20. Encryption Integrity Authentication Key Exchange

  21. Authentication

  22. Is the server the intended server?

  23. Chain of trust

  24. End Certificate *.wordpress.com Signing algorithm Signature Public Key Public Exponent

  25. End Intermediate Certificate CA certificate Signature

  26. End Root Certificate In browser Signature Intermediate

  27. End Intermediate Root Trusts Trusts

  28. Integrity

  29. Is the message received the message sent?

  30. Data Data

  31. Data Data Hash Encrypt

  32. Data Data Hash Encrypt Encrypt

  33. Data Data Hash Encrypt Encrypt Receiver

  34. Receiver has encrypted hash and encrypted data

  35. E-Hash E-Data

  36. E-Hash E-Data P-Hash P-Data

  37. E-Hash E-Data P-Hash P-Data Hash

  38. Hash Hash =

  39. Encryption

  40. Converts plaintext to ciphertext

  41. Y B B C P B A S

  42. Y B B C P B A S / L O O P C O N F

  43. A B C D E F -> N O P Q R S (+13)

  44. Algorithm: Letter + 13 = Cipher Letter

  45. Substitution Cipher Caesar Cipher

  46. Key

  47. Key 13

  48. Weak cipher

  49. Secrecy in algorithm is a problem

  50. Secrecy in key is better

  51. Advanced Encryption Standard - Rijndael http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

  52. Many rounds of substitution and permutations

  53. Key Exchange

  54. How do we establish an encryption key for 2 unknown parties over an insecure connection?

  55. http://en.wikipedia.org/wiki/Enigma_machine#/media/File:Kenngruppenheft.jpg Ben Slivka

  56. Couriers delivered the daily keys

  57. http://en.wikipedia.org/wiki/Jeff_Bezos#/media/File:Jeff_Bezos%27_iconic_laugh.jpg

  58. Doesn’t work for the modern web

  59. Diffie-Hellman-Merkle key exchange

  60. Each individual has a key by the time the process is complete

  61. Demo

  62. s is a premaster secret from which the master secret is derived

  63. Master secret is the key used for encryption

  64. Trapdoor functions

  65. Easy one way

  66. Impossibly difficult the other way

  67. If a, b, g, or p are different, s is different

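
The a, b, g, p exchange from the demo, worked through in Python as an added example (not code from the talk). The p = 23 and p = 2**127 - 1 parameters are constructed toy values, and master_secret is a SHA-256 stand-in for the TLS PRF, not the real derivation:

```python
"""Diffie-Hellman key exchange as in the talk's a, b, g, p demo.

Added example, not the talk's own code. Parameters are constructed toys: TLS uses
standardized groups of 2048+ bits (or elliptic curves for ECDHE), never p = 23.
"""
import hashlib
import secrets

def public_value(private, g, p):
    """The easy direction of the trapdoor: g^private mod p, safe to send in the clear."""
    return pow(g, private, p)

def shared_secret(a, b, g, p):
    """Alice holds a, Bob holds b; only g, p, A and B cross the wire.
    Both end with the same premaster secret s because (g^b)^a == (g^a)^b (mod p)."""
    A, B = public_value(a, g, p), public_value(b, g, p)
    s_alice = pow(B, a, p)    # Alice combines Bob's public value with her private a
    s_bob = pow(A, b, p)      # Bob combines Alice's public value with his private b
    assert s_alice == s_bob
    return s_alice

def master_secret(s, client_random, server_random):
    """Derive a fixed-size key from s. A stand-in for the TLS PRF, not the real one."""
    s_bytes = s.to_bytes((s.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"master secret" + s_bytes + client_random + server_random).digest()

def recover_private(A, g, p):
    """The hard direction: brute-force the exponent. Feasible for p = 23, hopeless at
    real group sizes, which is what protects the exchange from an eavesdropper."""
    for x in range(1, p):
        if pow(g, x, p) == A:
            return x
    return None

def random_exchange(p=2**127 - 1, g=3):
    """Fresh private exponents per run (toy prime 2**127 - 1; constructed, not a TLS group).
    Fresh exponents per connection are what give DHE/ECDHE forward secrecy."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    return shared_secret(a, b, g, p)

if __name__ == "__main__":
    s = shared_secret(6, 15, g=5, p=23)            # textbook-sized numbers
    print("premaster secret s =", s)               # 2
    print("different a gives s =", shared_secret(7, 15, 5, 23))
    print("eavesdropper recovers a =", recover_private(public_value(6, 5, 23), 5, 23))
    print("master secret:", master_secret(s, b"client-random", b"server-random").hex())
```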
  68. Perfect forward secrecy

  69. Lavabit

  70. I failed to update the Lavabit SSL configuration to prefer ciphers that provided perfect forward secrecy. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-cryptographers-criticism/

  71. Cipher Suites

  72. Combination of algorithms for authentication, integrity, encryption, and key exchange

  73. ECDHE-RSA-AES128-GCM-SHA256

  74. ECDHE-RSA-AES128-GCM-SHA256 Key Exchange

  75. ECDHE-RSA-AES128-GCM-SHA256 Certificate signing algorithm (Authentication)

  76. ECDHE-RSA-AES128-GCM-SHA256 Cipher (Encryption)

  77. ECDHE-RSA-AES128-GCM-SHA256 Message authentication code (Integrity)

  78. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

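
An added example (not from the talk) that takes a cipher suite apart into the four roles shown on slides 74-77 and audits an ssl_ciphers string for the forward-secrecy ordering the Lavabit slides warn about. The naming rules and the shortened cipher list are assumptions stated in the code:

```python
"""Decompose OpenSSL cipher-suite names as slides 73-77 do, then audit an ssl_ciphers
string for suites without forward secrecy (the Lavabit lesson). Added example, not from
the talk; assumed OpenSSL naming rules: a missing key-exchange prefix means RSA, and a
GCM suite's trailing hash is its PRF, not a separate MAC.
"""
KEY_EXCHANGE = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "KRB5", "PSK", "SRP"}
AUTH = {"RSA", "ECDSA", "DSS", "anon"}
MACS = {"SHA", "SHA256", "SHA384", "MD5"}
PFS_KX = {"ECDHE", "DHE", "EDH"}   # ephemeral exchanges: fresh key per connection

def parse_suite(name):
    """'ECDHE-RSA-AES128-GCM-SHA256' -> kx ECDHE, auth RSA, enc AES128-GCM, mac SHA256."""
    parts = name.split("-")
    kx = parts.pop(0) if parts[0] in KEY_EXCHANGE else "RSA"
    auth = parts.pop(0) if parts[0] in AUTH else kx    # 'AES128-SHA' is RSA/RSA
    mac = parts.pop() if parts[-1] in MACS else None
    return {"kx": kx, "auth": auth, "enc": "-".join(parts), "mac": mac}

def is_suite(token):
    """Explicit names contain '-'; '!X' excludes, 'AES' and 'kEDH+AESGCM' are aliases."""
    return "-" in token and not token.startswith("!") and "+" not in token

def audit_cipher_string(cipher_string):
    """Return (explicit suites lacking PFS, exclusions, alias keywords). Aliases
    expand inside OpenSSL, so what they match depends on the installed build."""
    no_pfs, excluded, aliases = [], [], []
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            excluded.append(token[1:])
        elif not is_suite(token):
            aliases.append(token)
        elif parse_suite(token)["kx"] not in PFS_KX:
            no_pfs.append(token)
    return no_pfs, excluded, aliases

def pfs_preferred(cipher_string):
    """True when every PFS suite precedes every non-PFS one, so a server with
    ssl_prefer_server_ciphers on picks forward secrecy whenever the client can."""
    flags = [parse_suite(t)["kx"] in PFS_KX for t in cipher_string.split(":") if is_suite(t)]
    return flags == sorted(flags, reverse=True)

# Constructed subset of the ssl_ciphers list shown on the slides.
SLIDE_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
                 "DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA:"
                 "AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
                 "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA")

if __name__ == "__main__":
    print(parse_suite("ECDHE-RSA-AES128-GCM-SHA256"))
    print(audit_cipher_string(SLIDE_CIPHERS))
    print("forward secrecy preferred:", pfs_preferred(SLIDE_CIPHERS))
```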
  81. None
  82. None
  83. TLS Handshake

  84. Client / Server: ClientHello, ServerHello, Certificate, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished, Application Data

  85. 1. Client Hello: cipher suites, TLS version, random bytes. Client -> Server

  86. 2. Server Hello: cipher suite choice, TLS version choice. Server -> Client

  87. 3. Certificate: certificate chain sent; cert signature matches auth algorithm. Server -> Client

  88. 4. Server Key Exchange: info for key exchange. Server -> Client

  89. 5. Server Hello Done: server has sent all info. Server -> Client

  90. 6. Client Key Exchange: info for key exchange. Client -> Server

  91. 7. Change Cipher Spec: enough info for encryption; switch to encryption. Client -> Server

  92. 8. Finished Signals that handshake is done Client -> Server

  93. 9. Change Cipher Spec Server -> Client

  94. 10. Finished Server -> Client

  95. TLS Handshake demo with Wireshark

  96. Configure TLS with Nginx

  97. All configuration in server block

  98. ssl on;

  99. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  100. ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

  101. ssl_prefer_server_ciphers on;

  102. ssl_certificate /path/to/certificate.crt; ssl_certificate_key /path/to/private-key.key;

  103. istlsfastyet.com https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

  104. HTTP Strict Transport Security

  105. SSL Stripping http://www.thoughtcrime.org/software/sslstrip/

  106. What if HTTP variant was never accessed?

  107. HSTS blocks browser from HTTP version of site

  108. Set HSTS only after mixed content issues are resolved

  109. add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

  110. Mixed Content

  111. HTTP assets in HTTPS page is an attack vector

  112. Content Security Policy

  113. Content-Security-Policy: default-src 'self' https:; font-src https://fonts.gstatic.com; img-src 'self' https:; style-src 'self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

  119. Content-Security-Policy-Report-Only: default-src 'self' https:; font-src https://fonts.gstatic.com; img-src 'self' https:; style-src 'self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com; report-uri /beacon.php

  120. upgrade-insecure-requests coming soon http://www.w3.org/TR/upgrade-insecure-requests/
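
An added example (not from the talk) that evaluates the slide's Content-Security-Policy header against a constructed page origin and asset list, showing which mixed-content loads it blocks and how unset directives fall back to default-src. It handles only the source forms that header uses:

```python
"""Check which asset loads the slide's Content-Security-Policy would block.

Added example, not the talk's code. Implements only the CSP source forms the slide
header uses ('self', scheme-source like https:, scheme://host); no paths or wildcards.
"""
from urllib.parse import urlsplit

SLIDE_CSP = ("default-src 'self' https:; font-src https://fonts.gstatic.com; "
             "img-src 'self' https:; style-src 'self' https: https://fonts.googleapis.com; "
             "script-src 'self' https: https://ssl.google-analytics.com")

def parse_csp(header):
    """'dir src src; dir src' -> {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """One source expression against one absolute URL, given the page's own origin."""
    u = urlsplit(url)
    if source == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)   # http://host != https://host
    if source.endswith(":") and "/" not in source:            # scheme-source, e.g. https:
        return u.scheme == source[:-1]
    s = urlsplit(source)                                        # host-source with scheme
    return (u.scheme, u.netloc) == (s.scheme, s.netloc)

def allowed(policy, directive, url, page_origin):
    """A fetch directive that is not set falls back to default-src."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(src, url, page_origin) for src in sources)

def blocked_loads(header, page_origin, loads):
    policy = parse_csp(header)
    return [(d, u) for d, u in loads if not allowed(policy, d, u, page_origin)]

# Constructed page origin and asset loads, mixing http:// and https:// sources.
PAGE = "https://example.com"
LOADS = [("script-src", "https://ssl.google-analytics.com/ga.js"),
         ("script-src", "http://cdn.example.net/jquery.js"),
         ("img-src", "http://example.com/logo.png"),
         ("font-src", "https://fonts.gstatic.com/s/roboto.woff2"),
         ("connect-src", "https://api.example.com/v1")]

if __name__ == "__main__":
    for directive, url in blocked_loads(SLIDE_CSP, PAGE, LOADS):
        print("blocked:", directive, url)
```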

  121. TLS Configuration Needs Maintenance

  122. A theoretical weakness became practical. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-cryptographers-criticism/

  123. I missed that development. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-cryptographers-criticism/

  124. tollmanz.com/loopconf-2015 @tollmanz