HTTPS is Coming: Are You Prepared?

Zack Tollman
November 07, 2015

Google, Firefox, and the IETF are currently engaged in major initiatives to make the web secure by default. Page ranking, new browser APIs, and HTTP/2 are all pushing websites to require HTTPS. An HTTPS-only web is imminent. Unfortunately, according to SSL Pulse, 75% of the top 1 million websites that use HTTPS are not actually secure because of misconfiguration. Do you know how to configure HTTPS properly? In this talk, we will discuss the key aspects of HTTPS so that developers can deploy truly secure HTTPS sites.

Transcript

  1. Today we are announcing our intent to phase out non-secure HTTP — Richard Barnes, Firefox Security Lead https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
  2. Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible https://tools.ietf.org/html/rfc7258
  3. SSL Pulse reviews HTTPS sites in Alexa’s Top 300k sites https://www.trustworthyinternet.org/ssl-pulse/
  4. “misconfiguration errors are undermining the potential security” Kranch & Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf
  5. “industry-wide configuration problem with the deployment of DHE key exchange” Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf
  6. nginx TLS configuration (from https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf):

       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_certificate /path/to/public.crt;
       ssl_certificate_key /path/to/private.key;
       ssl_prefer_server_ciphers on;
       ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384…;
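The slide above lists the directives that decide whether an nginx deployment lands in SSL Pulse's "misconfigured" bucket. As an added example (not part of the deck or of the istlsfastyet.com repository), this script parses those ssl_* directives from a server block and flags the classic mistakes: deprecated protocols, weak cipher suites, client-preferred ordering, and finite-field DHE offered without ssl_dhparam (the problem slide 5 cites). The flagging rules and both sample blocks are constructed for this example.

```python
# Rules for this added example (not from the slides): deprecated protocols,
# cipher-name tokens that mark weak suites, and finite-field DHE without params.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5")

def parse_ssl_directives(conf: str) -> dict:
    """Map each ssl_* directive to its argument list (comments stripped, last one wins)."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line.startswith("ssl_"):
            name, *args = line.split()
            found[name] = args
    return found

def audit_nginx_ssl(conf: str) -> list:
    """Return human-readable findings for one server block; [] means nothing flagged."""
    d = parse_ssl_directives(conf)
    findings = []
    bad_protos = sorted(set(d.get("ssl_protocols", [])) & DEPRECATED_PROTOCOLS)
    if bad_protos:
        findings.append("deprecated protocols enabled: " + ", ".join(bad_protos))
    # Skip '!' entries: they exclude suites rather than offer them.
    suites = [s for s in d.get("ssl_ciphers", [""])[0].split(":") if s and not s.startswith("!")]
    weak = [s for s in suites if any(t in s.upper() for t in WEAK_CIPHER_TOKENS)]
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))
    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on; the client picks the suite")
    if any(s.startswith(("DHE-", "EDH-")) for s in suites) and "ssl_dhparam" not in d:
        findings.append("DHE suites offered without ssl_dhparam (default group may be short)")
    return findings

# Constructed sample inputs: a weak block, and the hardened block from slide 6.
WEAK_CONF = """
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_ciphers DHE-RSA-AES128-SHA:RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256;
"""
HARDENED_CONF = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /path/to/public.crt;  # placeholder path, as on the slide
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384;
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_nginx_ssl(conf) or "no findings")
```

Run against a real server block, the weak sample produces four findings and the slide's hardened block none; the checker is static, so it says nothing about certificate validity or the key sizes actually in use.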
  7. The Code Book (Simon Singh); High Performance Browser Networking, TLS chapter (Ilya Grigorik); Bulletproof SSL and TLS (Ivan Ristic); SSL and TLS: Designing and Building Secure Systems (Eric Rescorla)