HTTPS is Coming: Are You Prepared? (Velocity 2016)

As web developers, we live in interesting times. A major movement toward an HTTPS-only Internet is afoot. Google, Mozilla, and even the Internet Engineering Task Force (IETF) have publicly declared their intent to move toward an HTTPS-only Web. New technologies, such as service workers and HTTP/2, are only supported with an HTTP connection secured via transport layer security (TLS). This transition is a significant win for privacy, security, and encryption, especially given the recent Edward Snowden revelations.

While an HTTPS-only Web is a great goal, there is a major problem that does not get a lot of attention: we are terrible at configuring TLS. Recent academic research suggests that while developers are able to achieve a working TLS connection, they struggle to implement it securely due to misconfiguration errors. Moreover, the two most recent attacks against TLS (FREAK and Logjam) only affected servers that were misconfigured. Unfortunately, one of these attacks was estimated to affect approximately 8% of all websites due to mass misunderstanding and misconfiguration of TLS. SSL Pulse suggests that ~43% of the Alexa-ranked sites they sampled that offer an HTTPS connection are not secure, meaning that they have failed in at least one major area of TLS configuration. An HTTPS-only Web is a powerful thing, but an insecure Web that parades as a secure Web is dangerous.

In the years to come, tweaking and understanding your TLS configuration will be as basic a skill as knowing how to adjust an .htaccess file. While some web developers may work in areas that have dedicated security teams to handle TLS, many do not have such resources. Just as a developer might be responsible for setting up an Nginx server to deploy her code, she might also have to handle the TLS configuration. Without the proper knowledge in this area, the site is at risk of being insecure.

One can find information about a “proper” TLS configuration online, but making sense of that information is maddening. If you’ve not been exposed to this information, I dare you to make sense of such a configuration. Zack Tollman explores the key aspects of HTTPS, unraveling the meaning of the obfuscated notation behind TLS configuration in an effort to empower developers to take control of their HTTPS-only sites. Zack concludes with an interactive demonstration of a Diffie-Hellman key exchange.

Zack Tollman

June 23, 2016

Transcript

  1. HTTPS is Coming: Are You Prepared?
    Zack Tollman @tollmanz

  2. “I’ve got some stuff you might be interested in.”
    http://www.pbs.org/wgbh/frontline/article/how-edward-snowden-leaked-thousands-of-nsa-documents/

  3. “Pervasive monitoring is a technical attack”
    — IETF
    https://tools.ietf.org/html/rfc7258

  4. “Today we are announcing our intent to phase out non-secure HTTP”
    — Richard Barnes, Firefox Security Lead
    https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

  5. HTTP/2 is TLS only in Chrome, Firefox, Opera, IE/Edge, and Safari
    https://wiki.mozilla.org/Networking/http2

  6. “Let’s Encrypt is leaving beta today”
    https://letsencrypt.org/2016/04/12/leaving-beta-new-sponsors.html

  7. Now: Less HTTPS
    Later: More HTTPS

  8. HTTPS knowledge is now essential

  9. We are bad at HTTPS

  10. 43% of sites are not secure
    https://www.trustworthyinternet.org/ssl-pulse/

  11. “industry-wide configuration problem with the deployment of DHE key exchange”
    — Huang, Adhikarla, Boneh, & Jackson (2014)
    http://www.w2spconf.com/2014/papers/TLS.pdf

  12. “misconfiguration errors are undermining the potential security”
    — Kranch & Bonneau (2015)
    http://www.internetsociety.org/sites/default/files/01_4_0.pdf

  13. Why?

  14. Unless you are a cryptographer, this stuff is hard

  15. Copying and pasting is easy

  16. Knowing what you are doing is hard

  17. TLS Basics

  18. Transport Layer Security

  19. SSL v2: 1995
    SSL v3: 1996
    TLS v1: 1999
    TLS v1.1: 2006
    TLS v1.2: 2008

  20. TCP
    Transport Layer Security
    HTTP

  21. Provides authentication, encryption, integrity, and key exchange

  22. Authentication

  23. Is the server the intended server?

  24. Integrity

  25. Is the message sent the message received?

  26. Encryption

  27. Converts plaintext to ciphertext

  28. i r y b p v g l

  29. i r y b p v g l
    v e l o c i t y

  30. A B C D E F
    N O P Q R S
    +13

  31. Letter + 13 = Cipher Letter

  32. Key is 13

  33. Key owners can encrypt and decrypt

  34. Key Exchange

  35. How do we establish an encryption key for 2 unknown parties over an insecure connection?

  36. By Alessandro Nassiri - Museo della Scienza e della Tecnologia "Leonardo da Vinci", CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=47910919

  37. Diffie-Hellman-Merkle key exchange

  38. p = 23
    g = 5
    Demo: https://github.com/tollmanz/diffie-hellman-key-exchange-demo

  39. If anything goes wrong, make a joke about bad wifi

  40. Compromise of any of these compromises the whole system

  41. Cipher Suites

  42. Combination of algorithms for authentication, integrity, encryption, and key exchange

  43. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /path/to/public.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384…;
    ssl_prefer_server_ciphers on;
    https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

  44. ECDHE-RSA-AES128-GCM-SHA256

  45. ECDHE-RSA-AES128-GCM-SHA256
    Key Exchange

  46. ECDHE-RSA-AES128-GCM-SHA256
    Certificate signing algorithm (Authentication)

  47. ECDHE-RSA-AES128-GCM-SHA256
    Cipher (Encryption)

  48. ECDHE-RSA-AES128-GCM-SHA256
    Message authentication code (Integrity)

  49. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  53. What?

  54. Use Mozilla’s guide
    https://wiki.mozilla.org/Security/Server_Side_TLS

  55. The Code Book, Simon Singh
    High Performance Browser Networking (TLS Chapter), Ilya Grigorik
    Bulletproof SSL and TLS, Ivan Ristic
    SSL and TLS: Designing and Building Secure Systems, Eric Rescorla

  56. https://speakerdeck.com/tollmanz/https-is-coming-are-you-prepared-velocity-2016
    @tollmanz
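
The key exchange from slides 35 to 38, worked through with the slide's public values p = 23 and g = 5. This is an added example, not the code from the linked demo repository; the private exponents 6 and 15 are constructed, and the exhaustive search at the end shows why a prime this small is only suitable for teaching.

```javascript
// Added example: Diffie-Hellman with the slide's parameters p = 23, g = 5.
function modPow(base, exponent, modulus) {
  // Square-and-multiply on BigInt, so the same code also works for real-sized primes.
  let result = 1n;
  base %= modulus;
  while (exponent > 0n) {
    if (exponent & 1n) result = (result * base) % modulus;
    base = (base * base) % modulus;
    exponent >>= 1n;
  }
  return result;
}

function exchange(p, g, alicePrivate, bobPrivate) {
  const alicePublic = modPow(g, alicePrivate, p); // sent in the clear
  const bobPublic = modPow(g, bobPrivate, p);     // sent in the clear
  return {
    onTheWire: { p, g, alicePublic, bobPublic },  // all that an eavesdropper sees
    aliceSecret: modPow(bobPublic, alicePrivate, p),
    bobSecret: modPow(alicePublic, bobPrivate, p),
  };
}

function recoverExponent(p, g, publicValue) {
  // Exhaustive search over 1..p-1: feasible only because p is tiny.
  for (let x = 1n; x < p; x++) {
    if (modPow(g, x, p) === publicValue) return x;
  }
  return null;
}

const P = 23n;                        // from slide 38
const G = 5n;                         // from slide 38
const run = exchange(P, G, 6n, 15n);  // 6 and 15 are constructed private values
console.log("on the wire:", run.onTheWire);
console.log("shared secret:", run.aliceSecret, run.bobSecret);
console.log("bits in p:", P.toString(2).length);
console.log("exponent found by search:",
  recoverExponent(P, G, run.onTheWire.alicePublic));
```

Both sides arrive at the same secret without ever sending it, and the security of that secret rests entirely on the size of p.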
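
The naming scheme from slides 44 to 49, as an added example that is not from the talk: it splits OpenSSL-style suite names into the four roles the slides label, and separates concrete suites from keywords and from exclusions that start with "!". The input is an excerpt of the slide 49 string; the function names are hypothetical.

```javascript
// Added example: decode OpenSSL-style cipher suite names.
const KEY_EXCHANGE = new Set(["ECDHE", "DHE"]);
const AUTHENTICATION = new Set(["RSA", "ECDSA", "DSS"]);
const HASHES = new Set(["SHA", "SHA256", "SHA384", "MD5"]);

function decodeSuite(name) {
  const parts = name.split("-");
  // A name without a key-exchange prefix (AES128-SHA) uses static RSA for both roles.
  let keyExchange = "RSA";
  let authentication = "RSA";
  if (KEY_EXCHANGE.has(parts[0]) && AUTHENTICATION.has(parts[1])) {
    [keyExchange, authentication] = parts.splice(0, 2);
  }
  const mac = parts.pop();
  if (!HASHES.has(mac) || parts.length === 0) return null; // keyword, not a suite
  return {
    name, keyExchange, authentication,
    cipher: parts.join("-"),
    // The slides label this field "Message authentication code (Integrity)".
    // In GCM suites the cipher authenticates the data itself and this hash
    // is used by the handshake.
    mac,
    forwardSecrecy: keyExchange !== "RSA", // only ephemeral (EC)DHE provides it
  };
}

function classifyCipherString(cipherString) {
  const result = { suites: [], selectors: [], exclusions: [] };
  for (const entry of cipherString.split(":")) {
    if (entry.startsWith("!")) {
      result.exclusions.push(entry.slice(1));
    } else {
      const suite = decodeSuite(entry);
      if (suite) result.suites.push(suite);
      else result.selectors.push(entry);
    }
  }
  return result;
}

// Excerpt of the ssl_ciphers value shown on slide 49.
const SAMPLE = "ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:" +
  "kEDH+AESGCM:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES:CAMELLIA:" +
  "DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5";

const parsed = classifyCipherString(SAMPLE);
console.table(parsed.suites);
console.log("no forward secrecy:",
  parsed.suites.filter((s) => !s.forwardSecrecy).map((s) => s.name));
```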