Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Getting TLS Right

Getting TLS Right

Not all TLS deployments are created equal. Poorly configured TLS can can trick users into thinking their browsing experience is safe, yet leave them vulnerable to devastating man in the middle attacks, surveillance, and identify theft. Not to mention, a janky TLS setup can slow your otherwise performant site to a halt. In my talk, I will provide a primer on how to set up TLS for strong security and excellent performance. Additionally, I will discuss the TLS protocol to better familiarize the audience about the way that certificate and public key cryptography works to provide a secure web experience.

Zack Tollman

May 06, 2015
Tweet

More Decks by Zack Tollman

Other Decks in Technology

Transcript

  1. “Pervasive monitoring is a technical attack that should be mitigated

    in the design of IETF protocols, where possible.” — IETF https://tools.ietf.org/html/rfc7258
  2. “Today we are announcing our intent to phase out non-secure

    HTTP” — Richard Barnes, Firefox Security Lead https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
  3. “misconfiguration errors are undermining the potential security” — Kranch &

    Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf
  4. “industry-wide configuration problem with the deployment of DHE key exchange”

    — Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf
  5. function capital_TLS_dangit( $content ) { return str_replace( array( 'SSL', 'Secure

    Sockets Layer' ), array( 'TLS', 'Transport Layer Security' ), $content ) }
  6. SSL v2 SSL v3 TLS v1 TLS v1.1 TLS v1.2

    1995 1996 1999 2006 2008
  7. Y B B C P B A S L O

    O P C O N F
  8. Key

  9. How do we establish an encryption key for 2 unknown

    parties over an insecure connection?
  10. I failed to update the Lavabit SSL configuration to prefer

    ciphers that provided perfect forward secrecy. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/
  11. ssl_ciphers ECDHE-RSA-AES128-GCM- SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA- AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM- SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128- GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128- SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA- AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA- AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE- RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-

    AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128- SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256- SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256- GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:! aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:! aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3- SHA:!KRB5-DES-CBC3-SHA
  12. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

    style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com
  13. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

    style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com
  14. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

    style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com
  15. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

    style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com
  16. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

    style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com
  17. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

    style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com
  18. Content-Security-Policy-Report- Only: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self'

    https:; style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com; report-uri /beacon.php