HTTPS is Coming: Are you Prepared?

Google, Firefox, and the IETF are currently engaged in significant initiatives to convert the Web to be secure by default. Page ranking, exciting new browser APIs, and HTTP/2 are all pushing websites to require HTTPS. An HTTPS-only web is imminent. Do you know how to configure HTTPS properly? According to SSL Pulse, 75% of the top 1 million websites that use HTTPS are not actually secure because of misconfiguration. In my talk, I will discuss the key aspects of HTTPS to empower developers to deploy truly secure HTTPS sites.

Zack Tollman

November 17, 2015

Transcript

  1. HTTPS is Coming Zack Tollman @tollmanz

  2. None
  3. “Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.” — IETF https://tools.ietf.org/html/rfc7258

  4. “Today we are announcing our intent to phase out non-secure HTTP” — Richard Barnes, Firefox Security Lead https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

  5. HTTP/2 is TLS only in Chrome, Firefox, Opera, IE/Edge, and Safari https://wiki.mozilla.org/Networking/http2

  6. Now Later Less TLS More TLS

  7. TLS knowledge is now essential

  8. We are bad at TLS

  9. 68% of sites are not secure https://www.trustworthyinternet.org/ssl-pulse/

  10. 95% do not support HSTS https://www.trustworthyinternet.org/ssl-pulse/

  11. 25% do not support Perfect Forward Secrecy https://www.trustworthyinternet.org/ssl-pulse/

  12. “misconfiguration errors are undermining the potential security” — Kranch & Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf

  13. “industry-wide configuration problem with the deployment of DHE key exchange” — Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf

  14. We don’t seem to understand TLS

  15. Let’s fix that

  16. 1. Understand TLS 2. Acquire certificate 3. Configure TLS

  17. Quick Note on TLS and SSL

  18. SSL v2 (1995), SSL v3 (1996), TLS v1 (1999), TLS v1.1 (2006), TLS v1.2 (2008)

  19. Encryption Integrity Authentication Key Exchange

  20. Authentication

  21. Is the server the intended server?

  22. Chain of “trust”

  23. End Certificate example.com Signing algorithm Signature Public Key Public Exponent

  24. End Intermediate Certificate CA certificate Signature

  25. End Root Certificate In browser Signature Intermediate

  26. End Intermediate Root Trusts Trusts

  27. Integrity

  28. Is the message received the message sent?

  29. Data Data

  30. Data Data Hash Encrypt

  31. Data Data Hash Encrypt Encrypt

  32. Data Data Hash Encrypt Encrypt Receiver

  33. Receiver has encrypted hash and encrypted data

  34. E-Hash E-Data

  35. E-Hash E-Data P-Hash P-Data

  36. E-Hash E-Data P-Hash P-Data Hash

  37. Hash Hash =

  38. Encryption

  39. Converts plaintext to ciphertext

  40. c u c j b e y q

  41. c u c j b e y q -> p h p w o r l d

  42. A B C D E F -> N O P Q R S (+13)

  43. Algorithm: Letter + 13 = Cipher Letter

  44. Substitution Cipher Caesar Cipher

  45. Key

  46. Key 13

  47. Weak cipher

  48. Secrecy in algorithm is a problem

  49. Secrecy in key is better

  50. Advanced Encryption Standard - Rijndael http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

  51. Many rounds of substitution and permutations

  52. Key Exchange

  53. How do we establish an encryption key for 2 unknown parties over an insecure connection?

  54. http://en.wikipedia.org/wiki/Enigma_machine#/media/File:Kenngruppenheft.jpg Ben Slivka

  55. Couriers delivered the daily keys

  56. http://en.wikipedia.org/wiki/Jeff_Bezos#/media/File:Jeff_Bezos%27_iconic_laugh.jpg

  57. Doesn’t work for the modern web

  58. Diffie-Hellman-Merkle key exchange

  59. Each individual has a key by the time the process is complete

  60. Demo p = 23 g = 5

  61. s is a premaster secret from which the master secret is derived

  62. Master secret is the key used for encryption

  63. Trapdoor functions

  64. Easy one way

  65. Impossibly difficult the other way

  66. If a, b, g, or p are different, s is different

  67. Perfect forward secrecy

  68. Lavabit

  69. I failed to update the Lavabit SSL configuration to prefer ciphers that provided perfect forward secrecy. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-cryptographers-criticism/

  70. Cipher Suites

  71. Combination of algorithms for authentication, integrity, encryption, and key exchange

  72. ECDHE-RSA-AES128-GCM-SHA256

  73. ECDHE-RSA-AES128-GCM-SHA256 Key Exchange

  74. ECDHE-RSA-AES128-GCM-SHA256 Certificate signing algorithm (Authentication)

  75. ECDHE-RSA-AES128-GCM-SHA256 Cipher (Encryption)

  76. ECDHE-RSA-AES128-GCM-SHA256 Message authentication code (Integrity)

  77–79. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  80. None
  81. None
  82. TLS Handshake

  83. Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data

  84. 1. Client hello (Client -> Server): cipher suites, TLS version, random bytes

  85. 2. Server hello (Server -> Client): cipher suite choice, TLS version choice

  86. 3. Certificate (Server -> Client): certificate chain sent; cert signature matches auth algorithm

  87. 4. Server Key Exchange (Server -> Client): info for key exchange

  88. 5. Server Hello Done (Server -> Client): server has sent all info

  89. 6. Client Key Exchange (Client -> Server): info for key exchange

  90. 7. Change Cipher Spec (Client -> Server): enough info for encryption; switch to encryption

  91. 8. Finished (Client -> Server): signals that handshake is done

  92. 9. Change Cipher Spec (Server -> Client)

  93. 10. Finished (Server -> Client)

  94. TLS Handshake demo with Wireshark

  95. HTTP Strict Transport Security

  96. SSL Stripping http://www.thoughtcrime.org/software/sslstrip/

  97. What if HTTP variant was never accessed?

  98. HSTS blocks browser from HTTP version of site

  99. Set HSTS only after mixed content issues are resolved

  100. add_header Strict-Transport-Security 'max-age=31536000';

  101. add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

  102. Mixed Content

  103. HTTP assets in HTTPS page is an attack vector

  104. Content Security Policy

  105–110. Content-Security-Policy: default-src 'self' https:; font-src https://fonts.gstatic.com; img-src 'self' https:; style-src 'self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

  111. Content-Security-Policy-Report-Only: default-src 'self' https:; font-src https://fonts.gstatic.com; img-src 'self' https:; style-src 'self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com; report-uri /beacon.php

  112. upgrade-insecure-requests coming soon http://www.w3.org/TR/upgrade-insecure-requests/

  113. Automated Certificate Management Environment (ACME)

  114. Let’s Encrypt

  115. TLS Configuration Needs Maintenance

  116. A theoretical weakness became practical. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-cryptographers-criticism/

  117. I missed that development. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-cryptographers-criticism/
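
The key exchange demo from slides 58 to 66 (p = 23, g = 5), worked through in Python as an added example that is not part of the original talk. The private values a = 6 and b = 15 are constructed sample inputs, and the function names are this example's own.

```python
import secrets

# Demo parameters from the slides; real deployments use 2048-bit or larger groups.
P, G = 23, 5

def public_value(private, p=P, g=G):
    """Easy direction of the trapdoor: g^private mod p."""
    return pow(g, private, p)

def exchange(a, b, p=P, g=G):
    """Run both sides of the exchange; return (A, B, client_s, server_s)."""
    A = public_value(a, p, g)      # client sends A in the clear
    B = public_value(b, p, g)      # server sends B in the clear
    # Each side combines the peer's public value with its own private value.
    return A, B, pow(B, a, p), pow(A, b, p)

def recover_private(public, p=P, g=G):
    """Hard direction (discrete log) by exhaustive search.
    Finishes instantly here only because p = 23 leaves 22 candidate exponents."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None

def ephemeral_exchange(p=P, g=G):
    """Fresh private values per session, as in DHE/ECDHE suites, so one
    session's secret says nothing about another's (forward secrecy)."""
    a = secrets.randbelow(p - 2) + 1   # 1 .. p-2
    b = secrets.randbelow(p - 2) + 1
    return exchange(a, b, p, g)

if __name__ == "__main__":
    # a=6 and b=15 are constructed sample values, not from the slides.
    A, B, s_client, s_server = exchange(6, 15)
    print(f"A={A} B={B} client s={s_client} server s={s_server}")
    print("private value recovered from A:", recover_private(A))
```

With a group this small the search in `recover_private` succeeds immediately, which is why the size of p decides whether the "other way" is actually infeasible.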
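
The cipher suite anatomy from slides 70 to 76, applied to a cipher list to check whether it prefers forward secrecy, the setting the Lavabit quote on slide 69 is about. This is an added example, not code from the talk; `PAGE_LIST` is a shortened subset of the list on slides 77 to 79, and all function names are this example's own.

```python
from typing import NamedTuple

# Subset of the cipher list shown on the slides, in the same order.
PAGE_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA:AES:CAMELLIA:"
    "DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5"
)

class Suite(NamedTuple):
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    mac: str  # for GCM suites integrity comes from the AEAD mode; this hash feeds the PRF

    @property
    def forward_secret(self) -> bool:
        # Only ephemeral (EC)DH key exchange gives forward secrecy.
        return self.key_exchange in ("ECDHE", "DHE")

def parse_suite(name: str) -> Suite:
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        # OpenSSL names omit the prefix for RSA key exchange with RSA authentication.
        kx, auth, rest = "RSA", "RSA", parts
    return Suite(name, kx, auth, "-".join(rest[:-1]), rest[-1])

def explicit_suites(cipher_string: str) -> list:
    suites = []
    for token in cipher_string.split(":"):
        # Skip exclusions (!x) and selector keywords (kEDH+AESGCM, AES, CAMELLIA).
        if token.startswith("!") or "+" in token or "-" not in token:
            continue
        suites.append(parse_suite(token))
    return suites

def non_forward_secret(cipher_string: str) -> list:
    return [s.name for s in explicit_suites(cipher_string) if not s.forward_secret]

def prefers_forward_secrecy(cipher_string: str) -> bool:
    flags = [s.forward_secret for s in explicit_suites(cipher_string)]
    # True when no forward-secret suite is listed after a non-forward-secret one.
    return flags == sorted(flags, reverse=True)
```

The order only takes effect when the server enforces its own preference (in nginx, `ssl_prefer_server_ciphers on;`); otherwise the client's order decides.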