Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTPS is Coming: Are you Prepared?

Zack Tollman
November 17, 2015

HTTPS is Coming: Are you Prepared?

Google, Firefox, and the IETF are currently engaged in significant initiatives to convert the Web to be secure by default. Page ranking, exciting new browser APIs, and HTTP/2 are all pushing websites to require HTTPS. An HTTPS-only web is imminent. Do you know how to configure HTTPS properly? According to SSL Pulse, 75% of the top 1 million websites that use HTTPS are not actually secure because of misconfiguration. In my talk, I will discuss the key aspects of HTTPS to empower developers to deploy truly secure HTTPS sites.

Zack Tollman

November 17, 2015
Tweet

More Decks by Zack Tollman

Other Decks in Technology

Transcript

  1. HTTPS is
    Coming
    Zack Tollman @tollmanz

    View full-size slide

  2. “Pervasive monitoring is a
    technical attack that
    should be mitigated in the
    design of IETF protocols,
    where possible.”

    — IETF
    https://tools.ietf.org/html/rfc7258

    View full-size slide

  3. “Today we are
    announcing our intent to
    phase out non-secure
    HTTP”

    — Richard Barnes, Firefox Security Lead
    https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

    View full-size slide

  4. HTTP/2 is TLS only in
    Chrome, Firefox, Opera,
    IE/Edge, and Safari
    https://wiki.mozilla.org/Networking/http2

    View full-size slide

  5. Now Later
    Less

    TLS
    More

    TLS

    View full-size slide

  6. TLS knowledge is now
    essential

    View full-size slide

  7. We are bad at TLS

    View full-size slide

  8. 68% of sites are not secure
    https://www.trustworthyinternet.org/ssl-pulse/

    View full-size slide

  9. 95% do not support HSTS
    https://www.trustworthyinternet.org/ssl-pulse/

    View full-size slide

  10. 25% do not support Perfect
    Forward Secrecy
    https://www.trustworthyinternet.org/ssl-pulse/

    View full-size slide

  11. “misconfiguration errors

    are undermining the
    potential security”

    — Kranch & Bonneau (2015)
    http://www.internetsociety.org/sites/default/files/01_4_0.pdf

    View full-size slide

  12. “industry-wide configuration

    problem with the
    deployment of DHE key
    exchange”

    — Huang, Adhikarla, Boneh, & Jackson
    (2014)

    http://www.w2spconf.com/2014/papers/TLS.pdf

    View full-size slide

  13. We don’t seem to
    understand TLS

    View full-size slide

  14. Let’s fix that

    View full-size slide

  15. 1. Understand TLS

    2. Acquire certificate

    3. Configure TLS

    View full-size slide

  16. Quick Note on

    TLS and SSL

    View full-size slide

  17. SSL v2

    SSL v3

    TLS v1

    TLS v1.1

    TLS v1.2
    1995

    1996

    1999

    2006

    2008

    View full-size slide

  18. Encryption
    Integrity
    Authentication
    Key Exchange

    View full-size slide

  19. Authentication

    View full-size slide

  20. Is the server the intended
    server?

    View full-size slide

  21. Chain of “trust”

    View full-size slide

  22. End Certificate

    example.com

    Signing algorithm

    Signature

    Public Key

    Public Exponent

    View full-size slide

  23. End
    Intermediate Certificate

    CA certificate

    Signature

    View full-size slide

  24. End
    Root Certificate

    In browser

    Signature
    Intermediate

    View full-size slide

  25. End
    Intermediate
    Root
    Trusts
    Trusts

    View full-size slide

  26. Is the message received
    the message sent?

    View full-size slide

  27. Data Data
    Hash Encrypt

    View full-size slide

  28. Data Data
    Hash Encrypt
    Encrypt

    View full-size slide

  29. Data Data
    Hash Encrypt
    Encrypt Receiver

    View full-size slide

  30. Receiver has encrypted
    hash and encrypted data

    View full-size slide

  31. E-Hash E-Data

    View full-size slide

  32. E-Hash E-Data
    P-Hash P-Data

    View full-size slide

  33. E-Hash E-Data
    P-Hash P-Data
    Hash

    View full-size slide

  34. Converts plaintext to
    ciphertext

    View full-size slide

  35. c u c j b e y q

    View full-size slide

  36. c u c j b e y q
    p h p w o r l d

    View full-size slide

  37. A B C D E F
    N O P Q R S
    +13

    View full-size slide

  38. Algorithm:

    Letter + 13 = Cipher Letter

    View full-size slide

  39. Substitution Cipher

    Caesar Cipher

    View full-size slide

  40. Secrecy in algorithm is a
    problem

    View full-size slide

  41. Secrecy in key is better

    View full-size slide

  42. Advanced Encryption
    Standard - Rijndael
    http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

    View full-size slide

  43. Many rounds of
    substitution and
    permutations

    View full-size slide

  44. Key Exchange

    View full-size slide

  45. How do we establish an
    encryption key for 2
    unknown parties over an
    insecure connection?

    View full-size slide

  46. http://en.wikipedia.org/wiki/Enigma_machine#/media/File:Kenngruppenheft.jpg
    Ben Slivka

    View full-size slide

  47. Couriers delivered the
    daily keys

    View full-size slide

  48. http://en.wikipedia.org/wiki/Jeff_Bezos#/media/File:Jeff_Bezos%27_iconic_laugh.jpg

    View full-size slide

  49. Doesn’t work for the
    modern web

    View full-size slide

  50. Diffie-Hellman-Merkle
    key exchange

    View full-size slide

  51. Each individual has a key
    by the time the process is
    complete

    View full-size slide

  52. Demo

    p = 23

    g = 5

    View full-size slide

  53. s is a premaster secret
    from which the master
    secret is derived

    View full-size slide

  54. Master secret is the key
    used for encryption

    View full-size slide

  55. Trapdoor functions

    View full-size slide

  56. Easy one way

    View full-size slide

  57. Impossibly difficult the
    other way

    View full-size slide

  58. If a, b, g, or p are
    different, s is different

    View full-size slide

  59. Perfect forward secrecy

    View full-size slide

  60. I failed to update the
    Lavabit SSL configuration
    to prefer ciphers that
    provided perfect forward
    secrecy.

    — Ladar Levison
    http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-
    cryptographers-criticism/

    View full-size slide

  61. Cipher Suites

    View full-size slide

  62. Combination of
    algorithms for
    authentication, integrity,
    encryption, and key
    exchange

    View full-size slide

  63. ECDHE-RSA-AES128-GCM-SHA256

    View full-size slide

  64. ECDHE-RSA-AES128-GCM-SHA256
    Key Exchange

    View full-size slide

  65. ECDHE-RSA-AES128-GCM-SHA256
    Certificate signing
    algorithm
    (Authentication)

    View full-size slide

  66. ECDHE-RSA-AES128-GCM-SHA256
    Cipher (Encryption)

    View full-size slide

  67. ECDHE-RSA-AES128-GCM-SHA256
    Message authentication
    code (Integrity)

    View full-size slide

  68. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-
    GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
    ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-
    SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH
    +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-
    AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-
    AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
    AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-
    AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-
    SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-
    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-
    SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-
    SHA256:AES256-SHA256:AES128-SHA:AES256-
    SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
    EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-
    CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-
    SHA

    View full-size slide

  69. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-
    GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
    ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-
    SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH
    +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-
    AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-
    AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
    AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-
    AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-
    SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-
    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-
    SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-
    SHA256:AES256-SHA256:AES128-SHA:AES256-
    SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
    EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-
    CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-
    SHA

    View full-size slide

  70. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-
    GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
    ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-
    SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH
    +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-
    AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-
    AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
    AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-
    AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-
    SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-
    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-
    SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-
    SHA256:AES256-SHA256:AES128-SHA:AES256-
    SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
    EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-
    CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-
    SHA

    View full-size slide

  71. TLS Handshake

    View full-size slide

  72. Client Server
    ClientHello ServerHello

    Certificate

    ServerHelloDone
    ClientKeyExchange

    ChangeCipherSpec

    Finished
    ChangeCipherSpec

    Finished
    Application Data

    View full-size slide

  73. 1. Client hello

    Cipher suites

    TLS version

    Random bytes
    Client -> Server

    View full-size slide

  74. 2. Server hello

    Cipher suite choice

    TLS version choice
    Server -> Client

    View full-size slide

  75. 3. Certificate

    Certificate chain sent

    Cert signature matches

    auth algorithm
    Server -> Client

    View full-size slide

  76. 4. Server Key Exchange

    Info for key exchange
    Server -> Client

    View full-size slide

  77. 5. Server Hello Done

    Server has sent all info
    Server -> Client

    View full-size slide

  78. 6. Client Key Exchange

    Info for key exchange
    Client -> Server

    View full-size slide

  79. 7. Change Cipher Spec

    Enough info for

    encryption

    Switch to encryption
    Client -> Server

    View full-size slide

  80. 8. Finished

    Signals that

    handshake is done
    Client -> Server

    View full-size slide

  81. 9. Change Cipher Spec
    Server -> Client

    View full-size slide

  82. 10. Finished
    Server -> Client

    View full-size slide

  83. TLS Handshake demo

    with Wireshark

    View full-size slide

  84. HTTP Strict
    Transport Security

    View full-size slide

  85. SSL Stripping
    http://www.thoughtcrime.org/software/sslstrip/

    View full-size slide

  86. What if HTTP variant

    was never accessed?

    View full-size slide

  87. HSTS blocks browser from

    HTTP version of site

    View full-size slide

  88. Set HSTS only after mixed
    content issues are resolved

    View full-size slide

  89. add_header Strict-Transport-
    Security 'max-age=31536000';

    View full-size slide

  90. add_header Strict-Transport-
    Security 'max-age=31536000;
    includeSubDomains';

    View full-size slide

  91. Mixed Content

    View full-size slide

  92. HTTP assets in HTTPS page
    is an attack vector

    View full-size slide

  93. Content Security Policy

    View full-size slide

  94. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View full-size slide

  95. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View full-size slide

  96. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View full-size slide

  97. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View full-size slide

  98. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View full-size slide

  99. Content-Security-Policy:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com

    View full-size slide

  100. Content-Security-Policy-Report-
    Only:
    default-src 'self' https:;
    font-src https://
    fonts.gstatic.com;
    img-src 'self' https:;
    style-src ‘self' https:
    https://fonts.googleapis.com;
    script-src 'self' https:
    https://ssl.google-analytics.com;
    report-uri /beacon.php

    View full-size slide

  101. upgrade-insecure-requests
    coming soon
    http://www.w3.org/TR/upgrade-insecure-requests/

    View full-size slide

  102. Automated
    Certificate
    Management
    Environment

    (ACME)

    View full-size slide

  103. Let’s Encrypt

    View full-size slide

  104. TLS Configuration
    Needs Maintenance

    View full-size slide

  105. A theoretical weakness
    became practical.

    — Ladar Levison
    http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-
    cryptographers-criticism/

    View full-size slide

  106. I missed that
    development.

    — Ladar Levison
    http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to-
    cryptographers-criticism/

    View full-size slide