Let's go HTTPS (Codemotion Rome 2016)

Simone Carletti

March 18, 2016

Transcript

  1. ROME 18-19 MARCH 2016
    Let's Go HTTPS
    Simone Carletti

  2. HTTPS
    I About HTTPS
    II Obtaining an SSL certificate
    III Deploying an SSL certificate
    IV Serving HTTPS

  3. Simone Carletti
    @weppos

  4. About HTTPS (Part I)

  5. What is HTTPS?

  6. HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is a protocol for
    secure communication over a computer network which is widely used on the Internet.
    HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a
    connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer.
    https://en.wikipedia.org/wiki/HTTPS

  7. What is HTTPS?
    HTTPS is a secure HTTP connection.

  8. HTTPS is HTTP over an encrypted connection secured by TLS (previously SSL).

  9. HTTPS is how websites securely exchange information.

  10. Secure Connection
    Encryption
    The process of encoding messages or information in such a way that only authorized
    parties can read it.
    Authentication
    The process of determining whether someone or something is, in fact, who or what it
    is declared to be.

  11. KEEP CALM AND HTTP IS NOT ENCRYPTED

  12. HTTP Request / HTTP Response

  13. HTTPS Request / HTTP Request

  14. Authentication

  15. Authentication

  16. Authentication

  17. Authentication

  18. SSL Certificate

  19. Why HTTPS?

  20. Why HTTPS?
    • Security
    • Ranking factor
    • HTTP/2
    • HTML 5 features
    • Chrome Geolocation
    • Firefox form + HTTPS

  21. Security
    • Data integrity
    • User sensitive information
    • Unencrypted traffic can be:
      • sniffed
      • modified (e.g. advertisement or script injection)

  22. Ranking factor
    https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  23. HTTP/2
    https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  24. HTML 5 powerful features
    https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
    https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

  25. Chrome Geolocation
    https://codereview.chromium.org/1530403002/

  26. Firefox form + HTTPS
    https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/

  27. SSL Certificate
    A certificate is a digital document that contains a public key, some information
    about the entity associated with it, and a digital signature from the certificate issuer.

  28. x.509 SSL Certificate
    • Version
    • Serial Number
    • Issuer
    • Validity
    • Subject
    • Public Key
    • Extensions

  29. Certificate Types
    • Single-name certificate: example.com
    • Wildcard-name certificate: *.example.com
    • SAN certificate: example.com, www.example.com, foobar.com, …

  30. Symmetric vs Asymmetric encryption
    Diagram (symmetric): John and Jane hold the same shared secret key; John encrypts
    with it and Jane decrypts with it.
    Diagram (asymmetric): John encrypts with Jane's public key; only Jane's private key
    can decrypt.

  31. Symmetric encryption
    "hello world!" → "puggy eyxgr!"
    Shared key (substitution table, plain → cipher):
    [["a", "b"], ["b", "w"], ["c", "n"], ["d", "r"], ["e", "u"], ["f", "o"],
     ["g", "v"], ["h", "p"], ["i", "s"], ["j", "z"], ["k", "k"], ["l", "g"],
     ["m", "m"], ["n", "h"], ["o", "y"], ["p", "c"], ["q", "j"], ["r", "x"],
     ["s", "d"], ["t", "t"], ["u", "f"], ["v", "i"], ["w", "e"], ["x", "l"],
     ["y", "a"], ["z", "q"]]
    John encrypts → John sends to Jane → Jane receives from John → Jane decrypts
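
The substitution table on slide 31 carried out in code, as an added example that is not part of the deck: the same 26-pair table is the shared key for John's encryption and, read backwards, for Jane's decryption, which is what makes the scheme symmetric. The `encrypt` and `decrypt` functions and the key sanity check are assumptions of this example.

```python
"""Shared-key substitution cipher from slide 31 (added example, not from the deck).

A monoalphabetic substitution is broken by frequency analysis in minutes, which
is why TLS negotiates a real cipher such as AES instead; the point here is only
that one key, held by both parties, serves for both directions.
"""

# The mapping table from the slide (plain letter -> cipher letter).
KEY_TABLE = [
    ("a", "b"), ("b", "w"), ("c", "n"), ("d", "r"), ("e", "u"), ("f", "o"),
    ("g", "v"), ("h", "p"), ("i", "s"), ("j", "z"), ("k", "k"), ("l", "g"),
    ("m", "m"), ("n", "h"), ("o", "y"), ("p", "c"), ("q", "j"), ("r", "x"),
    ("s", "d"), ("t", "t"), ("u", "f"), ("v", "i"), ("w", "e"), ("x", "l"),
    ("y", "a"), ("z", "q"),
]


def check_key(table):
    """A substitution key is only usable if it is a permutation of the alphabet:
    otherwise two plaintext letters would collide and decryption would be ambiguous."""
    plains = sorted(p for p, _ in table)
    ciphers = sorted(c for _, c in table)
    if plains != ciphers or len(set(ciphers)) != 26:
        raise ValueError("key table is not a permutation of a-z")
    return True


check_key(KEY_TABLE)

ENCRYPT_MAP = dict(KEY_TABLE)
# The same key, inverted, is the decryption key (symmetric encryption).
DECRYPT_MAP = {cipher: plain for plain, cipher in KEY_TABLE}


def _substitute(text, mapping):
    # Characters outside the key (space, punctuation) pass through unchanged,
    # which leaks word boundaries: another weakness of this toy scheme.
    return "".join(mapping.get(ch, ch) for ch in text)


def encrypt(plaintext):
    """John encrypts with the shared table."""
    return _substitute(plaintext.lower(), ENCRYPT_MAP)


def decrypt(ciphertext):
    """Jane decrypts with the inverse of the same table."""
    return _substitute(ciphertext, DECRYPT_MAP)


if __name__ == "__main__":
    sent = encrypt("hello world!")
    print("John sends:   ", sent)          # puggy eyxgr!
    print("Jane recovers:", decrypt(sent))
```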

  32. How does HTTPS work?

  33. It's not a one-click setup :(
    yet

  34. Handshake
    DISCLAIMER: This schema is simplified on purpose.

  35. Handshake
    Client → Server: SYN

  36. Handshake
    Server → Client: SYN ACK

  37. Handshake
    Client → Server: ClientHello
      • Client Random
      • Cipher suites

  38. Handshake
    Server → Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
      • Server Random
      • Cipher suite
      • Certificates
      • Session ID
      • Server key exchange data

  39. Handshake
    Client → Server: ClientKeyExchange
      • Client key exchange data

  40. Handshake
    SYMMETRIC KEY IS GENERATED

  41. Handshake
    Client → Server: ChangeCipherSpec, Finished
      • Client switches to encryption
      • MAC of handshake

  42. Handshake
    Server → Client: ChangeCipherSpec, Finished
      • Server switches to encryption
      • MAC of handshake

  43. Handshake (complete sequence)
    • Client → Server: SYN
    • Server → Client: SYN ACK
    • Client → Server: ClientHello (Client Random, Cipher suites)
    • Server → Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
      (Server Random, Cipher suite, Certificates, Session ID, Server key exchange data)
    • Client → Server: ClientKeyExchange (Client key exchange data)
    • SYMMETRIC KEY IS GENERATED
    • Client → Server: ChangeCipherSpec, Finished (Client switches to encryption, MAC of handshake)
    • Server → Client: ChangeCipherSpec, Finished (Server switches to encryption, MAC of handshake)
    • Application data, in both directions
    DISCLAIMER: This schema is simplified on purpose.
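
The exchange drawn on slides 34 to 43, modelled end to end as an added example that is not code from the deck. The `Peer` class, the toy Diffie-Hellman group, the HMAC-based `prf` and `protect` helpers and the cipher-suite names are all assumptions of this example, chosen so that it runs on the Python standard library. It shows why the Finished message carries a MAC of the whole handshake: if a message is altered in transit, both sides still derive the same key, but neither Finished verifies and the handshake has to be abandoned.

```python
"""Toy model of the TLS handshake on slides 34-43 (added example, not from the deck).

Finite-field Diffie-Hellman with deliberately tiny parameters and HMAC-SHA256
standing in for the TLS PRF.  Real TLS also signs the ServerKeyExchange with the
private key of the server certificate; the standard library has no RSA, so that
step is marked by a comment rather than implemented.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1        # toy DH prime: far too small for real use
G = 5
OFFERED_SUITES = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256"]


def prf(secret, label, seed):
    """Stand-in for the TLS PRF: HMAC-SHA256(secret, label || seed)."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


class Peer:
    def __init__(self):
        self.random = secrets.token_bytes(32)          # Client Random / Server Random
        self.exponent = secrets.randbelow(P - 2) + 1   # private DH exponent
        self.kx = pow(G, self.exponent, P)             # "key exchange data" sent to the other side
        self.transcript = b""                          # every handshake message this peer saw
        self.master = None

    def saw(self, message):
        self.transcript += message

    def derive_master(self, client_random, server_random, peer_kx):
        # SYMMETRIC KEY IS GENERATED: identical inputs on both sides give an identical key
        premaster = pow(peer_kx, self.exponent, P).to_bytes(16, "big")
        self.master = prf(premaster, b"master secret", client_random + server_random)

    def finished(self, label):
        # "MAC of handshake": keyed with the new key, over everything this peer saw
        return prf(self.master, label, hashlib.sha256(self.transcript).digest())


def protect(master, seq, data):
    """Toy record protection for application data: XOR with an HMAC-derived keystream.
    No integrity tag, so this illustrates 'both sides now use the symmetric key', not AES-GCM."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += prf(master, b"record", seq.to_bytes(8, "big") + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def handshake(tamper_suite=False):
    """Run the exchange and report what each side concluded.  tamper_suite=True models a
    ServerHello altered in transit (the client sees a different cipher suite than the
    server sent): keys still match, but the Finished MACs disagree."""
    client, server = Peer(), Peer()

    client_hello = client.random + ",".join(OFFERED_SUITES).encode()     # ClientHello
    client.saw(client_hello)
    server.saw(client_hello)

    chosen = OFFERED_SUITES[0]                                           # server picks a suite
    server_kx = server.kx.to_bytes(16, "big")
    server_hello = server.random + chosen.encode() + server_kx           # ServerHello + ServerKeyExchange
    # (real TLS: server_kx is signed with the private key matching the Certificate)
    server.saw(server_hello)
    client.saw(server.random + OFFERED_SUITES[1].encode() + server_kx if tamper_suite else server_hello)

    client_kx = client.kx.to_bytes(16, "big")                            # ClientKeyExchange
    client.saw(client_kx)
    server.saw(client_kx)

    client.derive_master(client.random, server.random, server.kx)
    server.derive_master(client.random, server.random, client.kx)

    # ChangeCipherSpec, Finished in each direction; the receiver recomputes the MAC
    client_fin = client.finished(b"client finished")
    server_accepts = hmac.compare_digest(client_fin, server.finished(b"client finished"))
    server_fin = server.finished(b"server finished")
    client_accepts = hmac.compare_digest(server_fin, client.finished(b"server finished"))

    # Application data: sealed by the client with its key, opened by the server with its own
    request = b"GET / HTTP/1.1"
    opened = protect(server.master, 1, protect(client.master, 1, request))
    return {
        "cipher_suite": chosen,
        "keys_match": client.master == server.master,
        "server_accepts": server_accepts,
        "client_accepts": client_accepts,
        "established": server_accepts and client_accepts,
        "application_data_ok": opened == request,
    }


if __name__ == "__main__":
    print(handshake())
    print(handshake(tamper_suite=True))
```

In real TLS the ServerKeyExchange is signed with the private key that belongs to the server certificate; that signature is what turns key agreement into authentication of the server, and it is the one part this toy leaves as a comment.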

  44. Cipher Suites
    A cipher suite is a selection of cryptographic primitives and other parameters that
    defines exactly how security will be implemented.
    (Bulletproof SSL and TLS)

  45. Cryptographic primitives
    At the lowest level, cryptography relies on various cryptographic primitives. Each
    primitive is designed with a particular useful functionality in mind.
    The primitives alone are not very useful, but we can combine them into schemes and
    protocols to provide robust security.
    For example, we might use one primitive for hashing, one for encryption and another
    for integrity checking.

  46. Obtaining an SSL certificate (Part II)

  47. Self-signed vs trusted
    Trusted certificate:
    • Provides encryption
    • Provides authentication
    • Issued and signed by a publicly trusted Certification Authority
    • Suitable for production environments as well as for testing
    • Generally not free
    Self-signed certificate:
    • Provides encryption
    • Doesn't provide authentication
    • Self-signed
    • Generally used for testing
    • Free

  48. Certificate Authority
    A Certificate Authority (CA) is a trusted, private entity that issues digital certificates.

  49. Chain of trust
    • Browsers and operating systems include a list of trusted certificates
    • These certificates are called root certificates, and they generally belong to trusted
      parties, such as certificate authorities

  50. Chain of trust
    • When a certificate authority issues a certificate, they sign the certificate with
      their root certificate

  51. Chain of trust
    • Truthfully, in most cases certification authorities use sub-certificates to sign your
      certificate
    • These certificates are called intermediate certificates, and they are signed with a
      root certificate

  52. Chain of trust
    • When the browser connects to a site via HTTPS, the browser reads the site certificate
    • The certificate doesn't match a trusted root certificate

  53. Chain of trust
    • The browser attempts to download the certificate that was used to sign the current
      certificate
    • The certificate doesn't match a trusted root certificate

  54. Chain of trust
    • The browser attempts to download the certificate that was used to sign the current
      certificate
    • The certificate matches a root certificate
    • The original certificate is trusted :)
    • The entire certificate chain is trusted

  55. Chain of trust
    • The browser attempts to download the certificate that was used to sign the current
      certificate
    • The certificate doesn't match a root certificate, and there are no more certificates
    • The original certificate is untrusted :(
    • The entire certificate chain is untrusted
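
The walk from site certificate to trusted root on slides 52 to 55, as an added example that is not code from the deck. The toy RSA keys, the CA names, the dict-based certificates and the trust store are all constructed for this example; the signatures are textbook RSA over a SHA-256 digest with small fixed primes, enough to show that each certificate is checked with its issuer's public key and that the walk ends either at a root in the trust store or with "no more certificates". It also covers a failure the deployment section of the deck warns about: a perfectly good certificate is still untrusted when the server does not send the intermediate.

```python
"""Toy chain-of-trust walk from slides 49-55 (added example, not from the deck).
Textbook RSA with Mersenne-prime moduli: illustration only, never real key sizes."""
import hashlib

E = 65537
TOY_PRIMES = {                                     # constructed key material per entity
    "Example Root CA": (2**89 - 1, 2**107 - 1),
    "Example Intermediate CA": (2**61 - 1, 2**127 - 1),
    "www.example.com": (2**31 - 1, 2**61 - 1),
    "Acme Private CA": (2**31 - 1, 2**89 - 1),     # a CA that is in nobody's trust store
}


def toy_keypair(name):
    p, q = TOY_PRIMES[name]
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))              # private exponent (Python 3.8+)
    return {"n": n, "e": E}, d


def tbs(cert):
    """The 'to be signed' part: subject, issuer and the subject's public key."""
    return f"{cert['subject']}|{cert['issuer']}|{cert['public_key']['n']}".encode()


def digest(cert, n):
    return int.from_bytes(hashlib.sha256(tbs(cert)).digest(), "big") % n


def issue(subject, subject_pub, issuer_name, issuer_priv, issuer_pub):
    """The issuer signs the subject's certificate with the issuer's private key (slide 50)."""
    cert = {"subject": subject, "issuer": issuer_name, "public_key": subject_pub}
    cert["signature"] = pow(digest(cert, issuer_pub["n"]), issuer_priv, issuer_pub["n"])
    return cert


def verify(cert, issuer_pub):
    """What the browser does at each hop: check the signature with the issuer's public key."""
    n = issuer_pub["n"]
    return pow(cert["signature"], issuer_pub["e"], n) == digest(cert, n)


def validate_chain(site_cert, served_certs, trust_store):
    """Walk from the site certificate towards a trusted root (slides 52-55).
    Returns (trusted, hops) where each hop is (subject, issuer, kind, signature_ok)."""
    hops, cert, visited = [], site_cert, set()
    while True:
        issuer = cert["issuer"]
        if issuer in trust_store:                            # matches a trusted root certificate
            ok = verify(cert, trust_store[issuer])
            hops.append((cert["subject"], issuer, "root", ok))
            return ok, hops
        parent = served_certs.get(issuer)                    # "download" the signing certificate
        if parent is None or issuer in visited:              # no more certificates: untrusted
            hops.append((cert["subject"], issuer, "missing", False))
            return False, hops
        ok = verify(cert, parent["public_key"])
        hops.append((cert["subject"], issuer, "intermediate", ok))
        if not ok:
            return False, hops
        visited.add(issuer)
        cert = parent


# Constructed PKI: root -> intermediate -> site, plus a site signed by an unrelated private CA.
root_pub, root_priv = toy_keypair("Example Root CA")
inter_pub, inter_priv = toy_keypair("Example Intermediate CA")
site_pub, _ = toy_keypair("www.example.com")
acme_pub, acme_priv = toy_keypair("Acme Private CA")

ROOT = issue("Example Root CA", root_pub, "Example Root CA", root_priv, root_pub)   # self-signed
INTERMEDIATE = issue("Example Intermediate CA", inter_pub, "Example Root CA", root_priv, root_pub)
SITE = issue("www.example.com", site_pub, "Example Intermediate CA", inter_priv, inter_pub)
SITE_ACME = issue("www.example.com", site_pub, "Acme Private CA", acme_priv, acme_pub)

TRUST_STORE = {"Example Root CA": root_pub}       # the browser ships root certificates only (slide 49)


def demo():
    """Three outcomes: full chain, intermediate not served, signed by an unknown CA."""
    full, _ = validate_chain(SITE, {"Example Intermediate CA": INTERMEDIATE}, TRUST_STORE)
    no_intermediate, _ = validate_chain(SITE, {}, TRUST_STORE)
    unknown_ca, _ = validate_chain(SITE_ACME, {}, TRUST_STORE)
    return full, no_intermediate, unknown_ca


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```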

  56. Create a Certificate
    Step 1: Generate a private/public key pair
    $ openssl genrsa -des3 -out private.key 2048
    ...
    Enter pass phrase for private.key:
    Verifying - Enter pass phrase for private.key:

  57. Create a Certificate
    Step 1: Generate a private/public key pair
    Step 2: Generate a Certificate Signing Request (CSR)
    $ openssl req -nodes -new -key private.key -out server.csr
    ...
    Country Name (2 letter code) [AU]:US
    Common Name (eg, YOUR name) []:www.example.com
    ...

  58. Create a Certificate
    Step 1: Generate a private/public key pair
    Step 2: Generate a Certificate Signing Request (CSR)
    Step 3 (for a self-signed certificate): Sign the certificate
    $ openssl x509 -req -days 365 -in server.csr -signkey private.key -out certificate.pem
    https://devcenter.heroku.com/articles/ssl-certificate-self

  59. Request a trusted Certificate
    Step 1: Generate a private/public key pair
    Step 2: Generate a Certificate Signing Request (CSR)
    Step 3 (for a trusted certificate): Request the certificate (*)
    (*) Request generally means purchase. You can purchase an SSL certificate either from a
    CA, or a reseller. Some providers offer visual tools that help you with the request
    process (e.g. by generating the CSR).

  60. Request a trusted Certificate
    Step 1: Generate a private/public key pair
    Step 2: Generate a Certificate Signing Request (CSR)
    Step 3 (for a trusted certificate): Request the certificate (*)
    (*)
    • Select the certificate type
    • Submit the CSR
    • Validate the request
    • Obtain the certificate

  61. Certificate Types
    • (DV) Domain Validated: asserts control of a domain
    • (OV) Organization Validated: asserts control of a domain as well as basic organizational vetting
    • (EV) Extended Validation: asserts control of a domain as well as extended organizational vetting

  62. Now you should have
    1. A CSR file
    2. A certificate file
    3. A private key file
    4. (optionally) A list of intermediate certificate files
    -----BEGIN CERTIFICATE-----
    MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
    MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
    IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
    MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
    FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
    bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
    dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
    H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
    uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
    mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
    a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
    E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
    WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
    VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
    Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
    cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
    IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
    AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
    YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
    6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
    Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
    c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
    mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
    -----END CERTIFICATE-----
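
The x.509 fields listed on slide 28, read out of the certificate printed on slide 62 with a minimal DER walker, as an added example that is not code from the deck. The `read_tlv`, `children`, `decode_oid`, `parse_name` and `parse_certificate` helpers are assumptions of this example and cover only what a TBSCertificate needs; anything beyond illustration belongs to a real X.509 library. The validity check ties in with the "Expired" state of the certificate lifecycle later in the deck.

```python
"""Read the x.509 fields from slide 28 out of the PEM on slide 62 (added example,
not from the deck): a minimal DER walker for single-byte tags and short/long lengths."""
import base64
import datetime

# The certificate printed on slide 62, copied verbatim (AddTrust External CA Root).
PEM = """-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----"""

ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed element (SEQUENCE, SET, [n]) into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                        # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_name(value):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }  ->  'C=SE, O=..., CN=...'"""
    parts = []
    for _, rdn in children(value):
        for _, attr in children(rdn):
            (_, oid), (_, val) = children(attr)
            parts.append(f"{ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))}={val.decode('latin-1')}")
    return ", ".join(parts)


def parse_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"    # UTCTime vs GeneralizedTime
    return datetime.datetime.strptime(raw.decode(), fmt)


def parse_certificate(pem):
    _, cert, _ = read_tlv(pem_to_der(pem), 0)                    # Certificate ::= SEQUENCE
    (_, tbs), (_, sig_alg), _ = children(cert)                   # tbsCertificate, signatureAlgorithm, signature
    fields, version = children(tbs), 1
    if fields[0][0] == 0xA0:                                     # [0] EXPLICIT version (absent in v1)
        version, fields = children(fields[0][1])[0][1][0] + 1, fields[1:]
    (_, serial), _, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity))
    exts = [v for t, v in fields[6:] if t == 0xA3]               # [3] extensions
    issuer_name, subject_name = parse_name(issuer), parse_name(subject)
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return {
        "version": version,
        "serial": int.from_bytes(serial, "big", signed=True),
        "signature_algorithm": decode_oid(children(sig_alg)[0][1]),
        "issuer": issuer_name,
        "validity": (not_before.isoformat(), not_after.isoformat()),
        "subject": subject_name,
        "public_key_bytes": len(spki),
        "extensions": len(children(children(exts[0])[0][1])) if exts else 0,
        "self_signed": issuer_name == subject_name,
        "expired": now > not_after,
    }


if __name__ == "__main__":
    for key, value in parse_certificate(PEM).items():
        print(f"{key:>20}: {value}")
```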

  63. Deploying an SSL certificate (Part III)

  64. To deploy HTTPS you need to:
    Install the certificate on the server, along with the private key and the intermediate
    certificate chain.
    Configure HTTPS: configure the protocol version, cipher suite and cipher settings.

  65. History of secure protocols
    SSL 1    Never released
    SSL 2    1996    A number of security flaws
    SSL 3    1995    Broken. Vulnerable to POODLE attack
    TLS 1.0  1999
    TLS 1.1  2006
    TLS 1.2  2008

  66. Example config
    server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;

      # ssl certificate config
      ssl_certificate /path/to/certificate_and_intermediates;
      ssl_certificate_key /path/to/private_key;

      # ssl session config
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      ssl_session_tickets off;

      # protocol and cipher config
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
      ssl_prefer_server_ciphers on;
    }

  67. Example config

  68. Example config

  69. Example config

  70. https://mozilla.github.io/server-side-tls/ssl-config-generator/
    https://cipherli.st/

  71. Heroku
    $ heroku addons:create ssl:endpoint
    Adding ssl:endpoint on example... done, v1 ($20/mo)
    $ heroku certs:add server.crt server.key
    Adding SSL Endpoint to example... done
    example now served by example-2121.herokussl.com.
    Certificate details:
    Expires At: 2012-10-31 21:53:18 GMT
    Issuer: C=US; ST=CA; L=SF; O=Heroku; CN=www.example.com
    Starts At: 2011-11-01 21:53:18 GMT
    https://devcenter.heroku.com/articles/ssl-endpoint
    https://devcenter.heroku.com/articles/ssl-certificate-dnsimple

  72. Caddy server
    https://caddyserver.com/

  73. Caddy server

  74. Caddy server

  75. https://www.ssllabs.com/ssltest/

  76. Lifecycle of a Certificate
    • Requested
    • Issued
    • Expired
    • Revoked
    • Rekeyed

  77. Serving HTTPS (Part IV)

  78. Cookie security
    $ curl -I https://dnsimple.com
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 15 Mar 2016 15:52:08 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    ETag: W/"f2d21600cdff911b9ee6a44dabcda234"
    Cache-Control: max-age=0, private, must-revalidate
    Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
    X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5
    X-Runtime: 0.016254
    Strict-Transport-Security: max-age=31536000

  79. Cookie security
    Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure

  80. Mixed Content security error

  81. Mixed Content security error

  82. Mixed Content security error

  83. Mixed Content security error

  84. Mixed Content security error

  85. Chrome security debugger

  86. HSTS Header
    Strict-Transport-Security: max-age=31536000

  87. HSTS Header
    The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security
    header, the browser records this information, so that future attempts to load the site
    using HTTP will automatically use HTTPS instead.
    When the expiration time specified by the Strict-Transport-Security header elapses, the
    next attempt to load the site via HTTP will proceed as normal instead of automatically
    using HTTPS.
    Strict-Transport-Security: max-age=31536000
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  88. HSTS Header

  89. HSTS Header
    Strict-Transport-Security: max-age=31536000
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
    https://hstspreload.appspot.com/
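
A check over the response headers from slides 78 and 86 to 89, as an added example that is not code from the deck: it parses the Set-Cookie attributes and the Strict-Transport-Security directives and reports what is missing. `audit_response`, the constructed `WEAK_RESPONSE` and the one-year threshold (the max-age used on the slides) are assumptions of this example; `SAMPLE_RESPONSE` is the `curl -I https://dnsimple.com` output from slide 78, embedded so the check runs offline.

```python
"""Cookie-flag and HSTS audit of an HTTPS response (added example, not from the deck)."""

ONE_YEAR = 31536000   # the max-age used on slides 86-89

# The response shown on slide 78 (prompt line removed).
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 15 Mar 2016 15:52:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
ETag: W/"f2d21600cdff911b9ee6a44dabcda234"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5
X-Runtime: 0.016254
Strict-Transport-Security: max-age=31536000
"""

# Constructed counter-example: a site that moved to HTTPS but kept its old cookie setup.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Set-Cookie: _session=0123456789abcdef; path=/
"""


def parse_headers(raw):
    """Split a raw response into (status line, [(name, value), ...]); repeated headers are kept."""
    status, *lines = raw.strip().splitlines()
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_cookie(set_cookie):
    """Findings for one Set-Cookie value: the two flags highlighted on slide 79."""
    name_value, *attrs = (p.strip() for p in set_cookie.split(";"))
    name = name_value.split("=", 1)[0]
    flags = {a.split("=", 1)[0].lower() for a in attrs}
    findings = []
    if "secure" not in flags:
        findings.append(f"cookie {name}: no Secure flag, so it is also sent over plain HTTP")
    if "httponly" not in flags:
        findings.append(f"cookie {name}: no HttpOnly flag, so page scripts can read it")
    return findings


def parse_hsts(value):
    """'max-age=31536000; includeSubDomains; preload' -> {'max-age': 31536000, ...}"""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = int(val) if val.isdigit() else True
    return directives


def audit_response(raw):
    status, headers = parse_headers(raw)
    findings, hsts = [], None
    for name, value in headers:
        if name == "set-cookie":
            findings += audit_cookie(value)
        elif name == "strict-transport-security":
            hsts = parse_hsts(value)
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers will keep trying HTTP first")
        preload_ready = False
    else:
        max_age = hsts.get("max-age", 0)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is shorter than one year")
        preload_ready = (max_age >= ONE_YEAR and hsts.get("includesubdomains") is True
                         and hsts.get("preload") is True)
        if not preload_ready:
            findings.append("HSTS is set but not in the preload-list form (includeSubDomains; preload)")
    return {"status": status, "hsts": hsts, "preload_ready": preload_ready, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_response(raw))
```

The preload-list form (max-age of at least a year, includeSubDomains and preload) is the third header shown on slide 89; includeSubDomains forces every subdomain onto HTTPS for the whole max-age, so check that all of them actually serve HTTPS before sending it.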

  90. Public Key Pinning
    https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
    Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]
    Public-Key-Pins: max-age=5184000;
      pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
      pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
      pin-sha256="JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg="

  91. SecurityHeaders.io

  92. Let's Encrypt

  93. Bulletproof SSL and TLS
    http://bit.ly/codemotion2016-sslbook
    ⋆ ⋆ ⋆ ⋆ ⋆

  94. Simone Carletti
    https://simonecarletti.com
    @weppos
    Thanks!