Let's go HTTPS (Codemotion Rome 2016)

Simone Carletti

March 18, 2016
Transcript

  1. ROME 18-19 MARCH 2016
    Let's Go HTTPS
    Simone Carletti

  2. HTTPS

  3. HTTPS
    I About HTTPS
    II Obtaining an SSL certificate
    III Deploying an SSL certificate
    IV Serving HTTPS

  4. Simone Carletti
    @weppos
  6. I About HTTPS

  7. What is HTTPS?

  8. HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is a protocol for
    secure communication over a computer network which is widely used on the Internet.
    HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a
    connection encrypted by Transport Layer Security or its predecessor, Secure Sockets
    Layer.
    https://en.wikipedia.org/wiki/HTTPS

  9. What is HTTPS?
    HTTPS is a secure HTTP connection.

  10. HTTPS is HTTP over an encrypted connection secured by TLS (previously SSL).

  11. HTTPS is how websites securely exchange information.

  12. Secure Connection
    Encryption
    The process of encoding messages or information in such a way that only authorized
    parties can read it.
    Authentication
    The process of determining whether someone or something is, in fact, who or what it
    is declared to be.

  13. KEEP CALM AND HTTP IS NOT ENCRYPTED

  14. (figure) HTTP Request, HTTP Response

  15. (figure) HTTPS Request, HTTP Request

  16. Authentication

  21. SSL Certificate

  22. Why HTTPS?

  23. Why HTTPS?
    • Security
    • Ranking factor
    • HTTP/2
    • HTML 5 features
    • Chrome Geo location
    • Firefox form + HTTPS

  24. Security
    • Data integrity
    • User sensitive information
    • Unencrypted traffic can be:
      • sniffed
      • modified (e.g. advertisement or script injection)

  25. Ranking factor
    https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  26. HTTP/2
    https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  27. HTML 5 powerful features
    https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
    https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

  28. Chrome Geo location
    https://codereview.chromium.org/1530403002/

  29. Firefox form + HTTPS
    https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/

  30. SSL Certificate
    A certificate is a digital document that contains a public key, some information about
    the entity associated with it, and a digital signature from the certificate issuer.

  31. x.509 SSL Certificate
    1. Version
    2. Serial Number
    3. Issuer
    4. Validity
    5. Subject
    6. Public Key
    7. Extensions

  32. Certificate Types
    • Single-name certificate: example.com
    • Wildcard-name certificate: *.example.com
    • SAN certificate: example.com, www.example.com, foobar.com, …

  33. Symmetric vs Asymmetric encryption
    (figure, labels only) Symmetric: John and Jane, one shared secret key used to both
    encrypt and decrypt. Asymmetric: John and Jane, Jane public key used to encrypt, Jane
    private key used to decrypt.

  34. Symmetric encryption
    John encrypts "hello world!" to "puggy eyxgr!" and sends it to Jane; Jane receives
    "puggy eyxgr!" from John and decrypts it back to "hello world!". The shared key is the
    letter substitution table:
    [["a", "b"], ["b", "w"], ["c", "n"], ["d", "r"], ["e", "u"], ["f", "o"], ["g", "v"],
     ["h", "p"], ["i", "s"], ["j", "z"], ["k", "k"], ["l", "g"], ["m", "m"], ["n", "h"],
     ["o", "y"], ["p", "c"], ["q", "j"], ["r", "x"], ["s", "d"], ["t", "t"], ["u", "f"],
     ["v", "i"], ["w", "e"], ["x", "l"], ["y", "a"], ["z", "q"]]
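The substitution cipher of slide 34 as an added shell example (not part of the deck): the 26-row table is collapsed into one tr(1) key string, the same key string serves both directions, and a check confirms the key is a permutation of the alphabet, without which some ciphertext letters could not be decrypted unambiguously. The `KEY` string, the `sub_encrypt`, `sub_decrypt` and `key_is_permutation` names and the sample text are this example's own.

```shell
#!/bin/sh
# Added example (not from the deck): the slide-34 substitution table as a
# shared secret key. Position i of KEY is the ciphertext letter for the i-th
# letter of the alphabet, so "a" -> "b", "b" -> "w", ..., "z" -> "q".
ALPHABET='abcdefghijklmnopqrstuvwxyz'
KEY='bwnruovpszkgmhycjxdtfielaq'        # constructed from the slide's table

# Encrypt: map plaintext letters through the key; other characters pass through.
sub_encrypt() {                         # $1 = key, $2 = plaintext
  printf '%s' "$2" | tr "$ALPHABET" "$1"
}

# Decrypt: the same table read backwards. Both parties need the identical key
# (symmetric), and anyone who obtains it can read every message.
sub_decrypt() {                         # $1 = key, $2 = ciphertext
  printf '%s' "$2" | tr "$1" "$ALPHABET"
}

# A key is usable only if it is a permutation of the alphabet: each letter
# appears exactly once, so every ciphertext letter maps back to one plaintext
# letter. Prints "yes" or "no".
key_is_permutation() {                  # $1 = key
  sorted=$(printf '%s' "$1" | fold -w 1 | sort | tr -d '\n')
  [ "$sorted" = "$ALPHABET" ] && echo yes || echo no
}

# John encrypts and sends; Jane receives and decrypts (slide 34).
if [ "$(key_is_permutation "$KEY")" = yes ]; then
  c=$(sub_encrypt "$KEY" 'hello world!')
  echo "John sends: $c"                                # puggy eyxgr!
  echo "Jane reads: $(sub_decrypt "$KEY" "$c")"       # hello world!
fi
```

The `tr` key is exactly the second column of the slide's table read top to bottom; swapping the two arguments of `tr` turns encryption into decryption, which is the whole point of the "shared secret key" label on slide 33.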

  35. How does HTTPS work?

  36. It's not a one-click setup :( yet

  37. Handshake
    DISCLAIMER: This schema is simplified on purpose.
    (slides 38-46 reveal the exchange below one message at a time)
    Client -> Server   SYN
    Server -> Client   SYN ACK
    Client -> Server   ClientHello
                       Client Random, Cipher suites
    Server -> Client   ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
                       Server Random, Cipher suite, Certificates, Session ID,
                       Server key exchange data
    Client -> Server   ClientKeyExchange
                       Client key exchange data
    SYMMETRIC KEY IS GENERATED
    Client -> Server   ChangeCipherSpec, Finished
                       Client switches to encryption, MAC of handshake
    Server -> Client   ChangeCipherSpec, Finished
                       Server switches to encryption, MAC of handshake
    Client <-> Server  Application data

  47. Cipher Suites
    A cipher suite is a selection of cryptographic primitives and other parameters that
    defines exactly how security will be implemented.
    (Bulletproof SSL and TLS)

  48. Cryptographic primitives
    At the lowest level, cryptography relies on various cryptographic primitives. Each
    primitive is designed with a particular useful functionality in mind.
    The primitives alone are not very useful, but we can combine them into schemes and
    protocols to provide robust security.
    For example, we might use one primitive for hashing, one for encryption and another
    for integrity checking.

  49. II Obtaining an SSL certificate

  50. Self-signed vs trusted
    Trusted certificate:
    • Provides encryption
    • Provides authentication
    • Issued and signed by a publicly trusted Certification Authority
    • Suitable for production environments as well as for testing
    • Generally not free
    Self-signed certificate:
    • Provides encryption
    • Doesn't provide authentication
    • Self-signed
    • Generally used for testing
    • Free

  51. Certificate Authority
    A Certificate Authority (CA) is a trusted, private entity that issues digital
    certificates.

  52. Chain of trust
    • Browsers and operating systems include a list of trusted certificates
    • These certificates are called root certificates, and they generally belong to
      trusted parties, such as certificate authorities

  53. Chain of trust
    • When a certificate authority issues a certificate, they sign the certificate with
      their root certificate

  54. Chain of trust
    • Truthfully, in most cases certification authorities use sub-certificates to sign
      your certificate
    • These certificates are called intermediate certificates, and they are signed with
      a root certificate

  55. Chain of trust
    • When the browser connects to a site via HTTPS, the browser reads the site
      certificate
    • The certificate doesn't match a trusted root certificate

  56. Chain of trust
    • The browser attempts to download the certificate that was used to sign the
      current certificate
    • The certificate doesn't match a trusted root certificate

  57. Chain of trust
    • The browser attempts to download the certificate that was used to sign the
      current certificate
    • The certificate matches a root certificate
    • The original certificate is trusted :)
    • The entire certificate chain is trusted

  58. Chain of trust
    • The browser attempts to download the certificate that was used to sign the
      current certificate
    • The certificate doesn't match a root certificate, and there are no more
      certificates
    • The original certificate is untrusted :(
    • The entire certificate chain is untrusted

  60. Create a Certificate
    Generate a Private/Public key pair
    $ openssl genrsa -des3 -out private.key 2048
    ...
    Enter pass phrase for private.key:
    Verifying - Enter pass phrase for private.key:

  61. Create a Certificate
    Generate a Private/Public key pair
    Generate a Certificate Signing Request (CSR)
    $ openssl req -nodes -new -key private.key -out server.csr
    ...
    Country Name (2 letter code) [AU]:US
    Common Name (eg, YOUR name) []:www.example.com
    ...

  62. Create a Certificate
    Generate a Private/Public key pair
    Generate a Certificate Signing Request (CSR)
    For a self-signed certificate: sign the certificate
    $ openssl x509 -req -days 365 -in server.csr -signkey private.key -out certificate.pem
    https://devcenter.heroku.com/articles/ssl-certificate-self
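As an added example (not from the deck), the three commands of slides 60-62 are run unattended to build a root CA, an intermediate signed by it (slide 54) and a site certificate signed by the intermediate, after which `openssl verify` plays the browser's part from slides 55-58: the leaf verifies when the intermediate is supplied, fails when it is missing, and the self-signed variant of slide 62 fails against the root store. It also checks that the private key you would install next to the certificate (slide 68) really belongs to it. The subject names, serial numbers, file names and helper function names are this example's own; it needs only the `openssl` CLI and drops the deck's `-des3` passphrase so that no prompt appears.

```shell
#!/bin/sh
# Added example (not from the deck): run the slide 60-62 commands unattended to
# build root -> intermediate -> leaf, then verify the chain the way a browser
# does (slides 55-58). Names, subjects and serials are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo 'openssl CLI required' >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: a CA certificate must say it is one (basicConstraints) and
# a leaf names the host it is valid for (subjectAltName).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' >"$WORK/leaf.ext"

# Slide 60: private key; the public key is derived from it. The deck's -des3
# form also wraps the key in a passphrase, omitted here so no prompt appears.
gen_key() {                          # $1 = output key file
  openssl genrsa -out "$1" 2048 2>/dev/null
}

# Slide 61: CSR binding a subject name to the key's public half.
gen_csr() {                          # $1 = key, $2 = subject DN, $3 = output CSR
  openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null
}

# Slide 62: self-signed, the CSR is signed with the very key it describes.
self_sign() {                        # $1 = CSR, $2 = key, $3 = ext file, $4 = output cert
  openssl x509 -req -days 365 -in "$1" -signkey "$2" -extfile "$3" -out "$4" 2>/dev/null
}

# Slides 53-54: an issuer signs someone else's CSR with the issuer's own key.
ca_sign() {                          # $1 = CSR, $2 = CA cert, $3 = CA key, $4 = serial, $5 = ext file, $6 = output cert
  openssl x509 -req -days 365 -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" \
    -extfile "$5" -out "$6" 2>/dev/null
}

# Slides 55-58: walk from the leaf up to a trusted root; exit status 0 = trusted.
verify_chain() {                     # $1 = leaf cert, $2 = trusted root file, $3 = intermediates file or ""
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Slide 68: the certificate you install must carry the public key of the private
# key you install beside it. Prints "match" or "mismatch".
key_matches_cert() {                 # $1 = key, $2 = cert
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# 1. Root CA: self-signed, the kind of certificate browsers ship as trusted.
gen_key "$WORK/root.key"
gen_csr "$WORK/root.key" '/C=US/O=Example Root CA' "$WORK/root.csr"
self_sign "$WORK/root.csr" "$WORK/root.key" "$WORK/ca.ext" "$WORK/root.pem"

# 2. Intermediate CA, signed by the root.
gen_key "$WORK/inter.key"
gen_csr "$WORK/inter.key" '/C=US/O=Example Intermediate CA' "$WORK/inter.csr"
ca_sign "$WORK/inter.csr" "$WORK/root.pem" "$WORK/root.key" 1000 "$WORK/ca.ext" "$WORK/inter.pem"

# 3. Site certificate, signed by the intermediate.
gen_key "$WORK/server.key"
gen_csr "$WORK/server.key" '/C=US/CN=www.example.com' "$WORK/server.csr"
ca_sign "$WORK/server.csr" "$WORK/inter.pem" "$WORK/inter.key" 1001 "$WORK/leaf.ext" "$WORK/server.pem"

# 4. The same CSR self-signed, exactly as on slide 62, for comparison.
self_sign "$WORK/server.csr" "$WORK/server.key" "$WORK/leaf.ext" "$WORK/selfsigned.pem"

# What the browser concludes in each case:
verify_chain "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem" \
  && echo 'leaf + intermediate + root: trusted (slide 57)'
verify_chain "$WORK/server.pem" "$WORK/root.pem" '' \
  || echo 'leaf without intermediate:  untrusted (slide 58)'
verify_chain "$WORK/selfsigned.pem" "$WORK/root.pem" '' \
  || echo 'self-signed leaf:           untrusted, encryption without authentication (slide 50)'
echo "server.key vs server.pem:   $(key_matches_cert "$WORK/server.key" "$WORK/server.pem")"   # match
```

The second verification is the failure mode slide 58 describes and the one most often seen in production: the server is configured with the leaf only, so clients that do not already cache the intermediate cannot reach a root. The `ssl_certificate` file in the nginx config on slide 70 is named `certificate_and_intermediates` for exactly this reason.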

  63. Request a trusted Certificate
    Generate a Private/Public key pair
    Generate a Certificate Signing Request (CSR)
    For a trusted certificate: request the Certificate (*)
    (*) Request generally means purchase. You can purchase an SSL certificate either from
    a CA, or a reseller. Some providers offer visual tools that help you with the request
    process (e.g. by generating the CSR).

  64. Request a trusted Certificate
    Generate a Private/Public key pair
    Generate a Certificate Signing Request (CSR)
    For a trusted certificate: request the Certificate
    • Select the certificate type
    • Submit the CSR
    • Validate the request
    • Obtain the certificate

  65. Certificate Types
    • (DV) Domain Validated: asserts control of a domain
    • (OV) Organization Validated: asserts control of a domain as well as basic
      organizational vetting
    • (EV) Extended Validation: asserts control of a domain as well as extended
      organizational vetting

  66. Now you should have
    1. A CSR file
    2. A certificate file
    3. A private key file
    4. (optionally) A list of intermediate certificate files
    -----BEGIN CERTIFICATE-----
    MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
    MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
    IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
    MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
    FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
    bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
    dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
    H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
    uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
    mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
    a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
    E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
    WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
    VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
    Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
    cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
    IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
    AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
    YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
    6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
    Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
    c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
    mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
    -----END CERTIFICATE-----

  67. III Deploying an SSL certificate

  68. To deploy HTTPS you need to:
    Install the certificate on the server, along with the private key and the
    intermediate certificate chain.
    Configure HTTPS: configure the protocol version, cipher suite and cipher settings.

  69. History of secure protocols
    SSL 1            Never released
    SSL 2    1996    A number of security flaws
    SSL 3    1995    Broken. Vulnerable to POODLE attack
    TLS 1.0  1999
    TLS 1.1  2006
    TLS 1.2  2008

  70. Example config
    server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;

      # ssl certificate config
      ssl_certificate /path/to/certificate_and_intermediates;
      ssl_certificate_key /path/to/private_key;

      # ssl session config
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      ssl_session_tickets off;

      # protocol and cipher config
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
      ssl_prefer_server_ciphers on;
    }
    (slides 71-73 repeat this config, walking through it section by section)

  74. https://mozilla.github.io/server-side-tls/ssl-config-generator/
    https://cipherli.st/

  75. Heroku
    $ heroku addons:create ssl:endpoint
    Adding ssl:endpoint on example... done, v1 ($20/mo)
    $ heroku certs:add server.crt server.key
    Adding SSL Endpoint to example... done
    example now served by example-2121.herokussl.com.
    Certificate details:
    Expires At: 2012-10-31 21:53:18 GMT
    Issuer: C=US; ST=CA; L=SF; O=Heroku; CN=www.example.com
    Starts At: 2011-11-01 21:53:18 GMT
    https://devcenter.heroku.com/articles/ssl-endpoint
    https://devcenter.heroku.com/articles/ssl-certificate-dnsimple

  76. Caddy server
    https://caddyserver.com/

  79. https://www.ssllabs.com/ssltest/

  80. Lifecycle of a Certificate
    • Requested
    • Issued
    • Expired
    • Revoked
    • Rekeyed

  81. IV Serving HTTPS

  82. Cookie security
    $ curl -I https://dnsimple.com
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 15 Mar 2016 15:52:08 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    ETag: W/"f2d21600cdff911b9ee6a44dabcda234"
    Cache-Control: max-age=0, private, must-revalidate
    Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
    X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5
    X-Runtime: 0.016254
    Strict-Transport-Security: max-age=31536000

  84. Mixed Content security error

  89. Chrome security debugger

  90. HSTS Header
    $ curl -I https://dnsimple.com
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 15 Mar 2016 15:52:08 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    ETag: W/"f2d21600cdff911b9ee6a44dabcda234"
    Cache-Control: max-age=0, private, must-revalidate
    Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
    X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5
    X-Runtime: 0.016254
    Strict-Transport-Security: max-age=31536000

  91. HSTS Header
    The first time your site is accessed using HTTPS and it returns the
    Strict-Transport-Security header, the browser records this information, so that
    future attempts to load the site using HTTP will automatically use HTTPS instead.
    When the expiration time specified by the Strict-Transport-Security header elapses,
    the next attempt to load the site via HTTP will proceed as normal instead of
    automatically using HTTPS.
    Strict-Transport-Security: max-age=31536000
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  93. HSTS Header
    Strict-Transport-Security: max-age=31536000
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
    https://hstspreload.appspot.com/
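The two response headers the deck singles out, the cookie flags of slide 82 and the Strict-Transport-Security policy of slides 91-93, audited by an added shell script (not part of the deck): it parses the HSTS value into its max-age and directives and lists every Set-Cookie line that lacks the Secure or HttpOnly attribute. The response text is constructed from the deck's `curl -I` output with one extra, deliberately flag-less cookie added so the check has something to report; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the deck): audit HSTS and cookie flags in a captured
# response. The headers below are constructed from the deck's curl -I output,
# plus one cookie without flags to show what the check catches.
HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
Set-Cookie: prefs=dark; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains'

# Value of the first header named $1 (names are case-insensitive); stdin = headers.
header_value() {
  grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# Split a "; "-separated policy into one directive per line, spaces removed.
directives() {
  tr ';' '\n' | tr -d ' '
}

# max-age of the HSTS policy in seconds; 0 when the header is missing.
hsts_max_age() {                         # $1 = headers
  v=$(printf '%s\n' "$1" | header_value Strict-Transport-Security \
      | directives | grep -i '^max-age=' | head -n 1 | cut -d= -f2)
  printf '%s\n' "${v:-0}"
}

# 1 if the HSTS policy contains directive $2 (includeSubDomains, preload), else 0.
hsts_has() {                             # $1 = headers, $2 = directive
  if printf '%s\n' "$1" | header_value Strict-Transport-Security \
       | directives | grep -qi "^$2\$"; then echo 1; else echo 0; fi
}

# Names of cookies whose Set-Cookie line lacks attribute $2 (secure or httponly).
# A cookie without Secure is also sent over plain HTTP; without HttpOnly it is
# readable from page scripts.
cookies_missing() {                      # $1 = headers, $2 = attribute
  printf '%s\n' "$1" | grep -i '^Set-Cookie:' | tr -d '\r' \
    | while IFS= read -r line; do
        if ! printf '%s' "$line" | grep -Eqi ";[[:space:]]*$2[[:space:]]*(;|\$)"; then
          printf '%s\n' "$line" | sed 's/^[^:]*:[[:space:]]*//' | cut -d= -f1
        fi
      done
}

# Human-readable report, one finding per line.
audit() {                                # $1 = headers
  age=$(hsts_max_age "$1")
  if [ "$age" -eq 0 ]; then
    echo 'HSTS: missing, plain-HTTP requests are not upgraded'
  elif [ "$age" -lt 31536000 ]; then
    echo "HSTS: present but max-age=$age is below the one year (31536000) used on slide 91"
  else
    echo "HSTS: max-age=$age, includeSubDomains=$(hsts_has "$1" includeSubDomains), preload=$(hsts_has "$1" preload)"
  fi
  for attr in secure httponly; do
    for name in $(cookies_missing "$1" "$attr"); do
      echo "cookie $name: missing $attr flag"
    done
  done
}

audit "$HEADERS"
```

For the constructed response this prints the HSTS line with `includeSubDomains=1, preload=0` and two findings for the `prefs` cookie; the `_session` cookie from the deck passes both checks. Pipe the output of a real `curl -sI https://your-host/` into the same functions to run the audit against a deployment you operate.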

  94. Public Key Pinning
    https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
    Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]
    Public-Key-Pins: max-age=5184000;
      pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
      pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
      pin-sha256="JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg="

  95. SecurityHeaders.io

  96. Let's Encrypt

  97. Bulletproof SSL and TLS
    http://bit.ly/codemotion2016-sslbook

  98. Simone Carletti
    https://simonecarletti.com
    @weppos
    Thanks!