Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let's go HTTPS (Codemotion Rome 2016)

99e0b39c091e10d9c7d4452a34ca52dc?s=47 Simone Carletti
March 18, 2016
Technology
1
51

Let's go HTTPS (Codemotion Rome 2016)

99e0b39c091e10d9c7d4452a34ca52dc?s=128

Simone Carletti

March 18, 2016
Tweet

More Decks by Simone Carletti

See All by Simone Carletti
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
0
54
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
1
27
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
1
37
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
1
22
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
0
20
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
0
1k
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
7
2k
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
1
620
99e0b39c091e10d9c7d4452a34ca52dc?s=48 weppos
2
2.6k

Other Decks in Technology

See All in Technology
7f68f5f85f4a39df7d8d3c81cbbfb788?s=48 p1ass
15
5.6k
97d180294474e9df01503148f3b11f39?s=48 lambda
0
230
05e8adce66be4e80390a29ace0075161?s=48 ymatsuwitter
0
190
872c040ebc1db6c2090d99dde729a8d4?s=48 supership
0
180
23f4d5d797a91b6d17d627b90b5a42d9?s=48 kentaro
2
370
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
2
460
525442fc70ca92f82ae503f826956137?s=48 finengine
0
310
Ac734fc32781678475b577944bb5a9ae?s=48 charity
9
11k
7e3cdbf62ad6e34cf379443678b1b378?s=48 sogaoh
2
430
8aba6de431668fc8d09977c0e33c63c1?s=48 jaguar_imo
0
110
C65a5dd24a6781ffc618377347a0c48a?s=48 asahi_k2
0
720
61e7dc2e84a1a1c4ac1a8e2c552fee07?s=48 tutsunom
1
320

Featured

See All Featured
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
32
3.5k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
18k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
88
4k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
208
10k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
479
150k
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
81
3.4k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
155
11k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
107
14k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
88
3.4k
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
70
3.6k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
147
6.7k
78b475797a14c84799063c7cd073962f?s=48 holman
288
130k

Transcript

  1. ROME 18-19 MARCH 2016 Let's Go ! HTTPS Simone Carle4

  2. ! HTTPS

  3. ! HTTPS I About HTTPS II Obtaining an SSL cer?ficate

    III Deploying an SSL cer?ficate IV Serving HTTPS IV III II I

  4. Simone Carle4 @weppos

  5. None

  6. About HTTPS I IV III II I

  7. What is HTTPS? IV III II I

  8. HTTPS (also called HTTP over TLS, HTTP over SSL, and

    HTTP Secure) is a protocol for secure communica?on over a computer network which is widely used on the Internet. HTTPS consists of communica?on over Hypertext Transfer Protocol (HTTP) within a connec?on encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. hTps:/ /en.wikipedia.org/wiki/HTTPS IV III II I

  9. What is HTTPS? HTTPS is a secure HTTP connec?on. IV

    III II I

  10. HTTPS is HTTP over an encrypted connec?on secured by TLS

    (previously SSL). IV III II I

  11. HTTPS is how websites securely exchange informa?on. IV III II

    I

  12. Secure Connec>on Encryp>on The process of encoding messages or informa?on

    in such a way that only authorized par?es can read it. Authen>ca>on The process of determining whether someone or something is, in fact, who or what it is declared to be. IV III II I

  13. KEEP CALM AND HTTP IS NOT ENCRYPTED

  14. HTTP Response HTTP Request

  15. ! HTTPS Request HTTP Request

  16. Authen>ca>on

  17. Authen>ca>on

  18. Authen>ca>on

  19. Authen>ca>on

  20. None

  21. SSL Cer>ficate IV III II I

  22. Why HTTPS? IV III II I

  23. Why HTTPS? ! Security ! Ranking factor ! HTTP/2 !

    HTML 5 features ! Chrome Geo loca?on ! Firefox form + HTTPS IV III II I

  24. ! Security • Data integrity • User sensible informa?on •

    Unencrypted traffic can be: • sniffed • modified (e.g. adver?sement or script injec?on)

  25. ! Ranking factor hTps:/ /webmasters.googleblog.com/2014/08/hTps-as-ranking-signal.html

  26. ! HTTP/2 hTps:/ /webmasters.googleblog.com/2014/08/hTps-as-ranking-signal.html

  27. ! HTML 5 powerful features hTps:/ /blog.mozilla.org/security/2015/04/30/depreca?ng-non-secure-hTp/ hTps:/ /sites.google.com/a/chromium.org/dev/Home/chromium-security/depreca?ng-powerful-features-on-insecure-origins

  28. ! Chrome Geo location hTps:/ /codereview.chromium.org/1530403002/

  29. ! Firefox form + HTTPS hTps:/ /www.fxsitecompat.com/en-CA/docs/2015/non-hTps-sites-containing-login-form-will-be-marked-insecure/

  30. " SSL Cer>ficate A cer?ficate is a digital document that

    contains a public key, some informa?on about the en?ty associated with it, and a digital signature from the cer?ficate issuer. IV III II I

  31. x.509 SSL Cer>ficate # Version $ Serial Number % Issuer

    & Validity ' Subject ( Public Key " ) Extensions IV III II I

  32. Cer>ficate Types ! Single-name cer?ficate example.com ! Wildcard-name cer?ficate *.example.com

    ! SAN cer?ficate example.com, www.example.com, foobar.com, … IV III II I

  33. Symmetric vs Asymmetric * ! ( encrypt ( decrypt Shared

    secret key ( + John + Jane * ! Jane public key Jane private key ( ( + John + Jane ( decrypt ( encrypt encryp>on IV III II I

  34. Symmetric encryp>on "hello world!" "puggy eyxgr!" "hello world!" "puggy eyxgr!"

    [["a", "b"], ["b", "w"], ["c", "n"], ["d", "r"], ["e", "u"], ["f", "o"], ["g", "v"], ["h", "p"], ["i", "s"], ["j", "z"], ["k", "k"], ["l", "g"], ["m", "m"], ["n", "h"], ["o", "y"], ["p", "c"], ["q", "j"], ["r", "x"], ["s", "d"], ["t", "t"], ["u", "f"], ["v", "i"], ["w", "e"], ["x", "l"], ["y", "a"], ["z", "q"]] John encrypts John sends to Jane Jane receives from John Jane decrypts IV III II I

  35. How does HTTPS work? IV III II I

  36. It's not a one-click setup :( yet IV III II

    I

  37. Handshake , - DISCLAIMER: This schema is simplified on purpose.

    IV III II I

  38. Handshake SYN , - DISCLAIMER: This schema is simplified on

    purpose. IV III II I

  39. Handshake SYN SYN ACK , - DISCLAIMER: This schema is

    simplified on purpose. IV III II I

  40. Handshake SYN SYN ACK . Client Random ( Cipher suites

    ClientHello , - DISCLAIMER: This schema is simplified on purpose. IV III II I

  41. Handshake SYN SYN ACK . Client Random ( Cipher suites

    / Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone , - DISCLAIMER: This schema is simplified on purpose. IV III II I

  42. Handshake SYN SYN ACK . Client Random ( Cipher suites

    / Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ClientKeyExchange , - DISCLAIMER: This schema is simplified on purpose. IV III II I

  43. Handshake SYN SYN ACK . Client Random ( Cipher suites

    / Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ClientKeyExchange SYMMETRIC KEY IS GENERATED , - DISCLAIMER: This schema is simplified on purpose. IV III II I

  44. Handshake SYN SYN ACK . Client Random ( Cipher suites

    / Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ! Client switches to encryp?on ! MAC of handshake ClientKeyExchange ChangeCipherSpec, Finished SYMMETRIC KEY IS GENERATED , - DISCLAIMER: This schema is simplified on purpose. IV III II I

  45. Handshake SYN SYN ACK . Client Random ( Cipher suites

    / Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ! Client switches to encryp?on ! MAC of handshake ClientKeyExchange ChangeCipherSpec, Finished ! Server switches to encryp?on ! MAC of handshake ChangeCipherSpec, Finished SYMMETRIC KEY IS GENERATED , - DISCLAIMER: This schema is simplified on purpose. IV III II I

  46. Handshake SYN SYN ACK . Client Random ( Cipher suites

    / Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ! Client switches to encryp?on ! MAC of handshake ClientKeyExchange ChangeCipherSpec, Finished ! Server switches to encryp?on ! MAC of handshake ChangeCipherSpec, Finished SYMMETRIC KEY IS GENERATED 2 Applica?on data 2 Applica?on data , - DISCLAIMER: This schema is simplified on purpose. IV III II I

  47. Cipher Suites A cipher suite is a selec?on of cryptographic

    primi?ves and other parameters that defines exactly how security will be implemented. Bulletproof SSL and TLS IV III II I

  48. Cryptographic primi>ves At the lowest level, cryptography relies on various

    cryptographic primi0ves. Each primi?ve is designed with a par?cular useful func?onality in mind. The primi?ves alone are not very useful, but we can combine them into schemes and protocols to provide robust security. For example, we might use one primi?ve for hashing, one for encryp>on and another for integrity checking. IV III II I

  49. Obtaining an SSL cer>ficate II IV III II I

  50. self signed vs trusted • Provides encryp?on • Provides authen?ca?on

    • Issued and signed by a publicly trusted Cer?fica?on Authority • Suitable for produc?on environments as well for tes?ng • Generally not free • Provides encryp?on • Doesn't provide authen?ca?on • self-signed • Generally used for tes?ng • Free

  51. Cer?ficate Authority A Cer?ficate Authority (CA) is a trusted, private

    en?ty that issues digital cer?ficates. IV III II I

  52. Chain of trust • Browsers and opera?ng systems include a

    list of trusted cer?ficates • These cer?ficates are called root cer'ficates, and they generally belong to trusted par?es, such as cer?ficate authori?es IV III II I

  53. Chain of trust • When a cer?ficate authority issues a

    cer?ficate, they sign the cer?ficate with their root cer?ficate IV III II I

  54. Chain of trust • Truthfully, in most cases cer?fica?on authori?es

    use sub-cer?ficates to sign your cer?ficate • These cer?ficates are called intermediate cer'ficates, and they are signed with a root cer?ficate IV III II I

  55. Chain of trust • When the browser connects to a

    site via HTTPS, the browser reads the site cer?ficate • The cer?ficate doesn't match a trusted root cer?ficate IV III II I

  56. Chain of trust • The browser aTempts to download the

    cer?ficate that was used to sign the current cer?ficate • The cer?ficate doesn't match a trusted root cer?ficate IV III II I

  57. Chain of trust • The browser aTempts to download the

    cer?ficate that was used to sign the current cer?ficate • The cer?ficate matches a root cer?ficate • The original cer>ficate is trusted :) • The en?re cer>ficate chain is trusted 3 IV III II I

  58. Chain of trust • The browser aTempts to download the

    cer?ficate that was used to sign the current cer?ficate • The cer?ficate doesn't match a root cer?ficate, and there are no more cer?ficates • The original cer>ficate is untrusted :( • The en?re cer>ficate chain is untrusted 4 IV III II I

  59. IV III II I

  60. Create a Cer>ficate Generate a
 Private/Public key pair $ openssl

    genrsa -des3 -out private.key 2048 ... Enter pass phrase for private.key: Verifying - Enter pass phrase for private.key: IV III II I

  61. Create a Cer>ficate Generate a
 Private/Public key pair Generate a


    Cer?ficate Signing Request (CSR) $ openssl req -nodes -new -key private.key -out server.csr ... Country Name (2 letter code) [AU]:US Common Name (eg, YOUR name) []:www.example.com ... IV III II I

  62. Create a Cer>ficate Generate a
 Private/Public key pair Generate a


    Cer?ficate Signing Request (CSR) for a self-signed cer?ficate
 Sign the cer?ficate $ openssl x509 -req -days 365 -in server.csr -signkey private.key -out certificate.pem hTps:/ /devcenter.heroku.com/ar?cles/ssl-cer?ficate-self IV III II I

  63. Request a trusted Cer>ficate Generate a
 Private/Public key pair Generate

    a
 Cer?ficate Signing Request (CSR) for a trusted cer?ficate
 Request the Cer?ficate (*) Request generally means purchase. You can purchase an SSL cer?ficate either from a CA, or a reseller. Some providers offer visual tools that help you with the request process (e.g. by genera?ng the CSR) (*) IV III II I

  64. Request a trusted Cer>ficate Generate a
 Private/Public key pair Generate

    a
 Cer?ficate Signing Request (CSR) for a trusted cer?ficate
 Request the Cer?ficate (*) • Select the cer?ficate type • Submit the CSR • Validate the request • Obtain the cer?ficate (*) IV III II I

  65. ! (DV) Domain Validated asserts control of a domain !

    (OV) Organiza?on Validated asserts control of a domain as well basic organiza?onal vepng ! (EV) Extended Valida?on asserts control of a domain as well extended organiza?onal vepng Cer>ficate Types IV III II I

  66. 5 Now you should have 1. A CSR file 2.

    A cer?ficate file 3. A private key file 4. (op0onally) A list of intermediate cer?ficate files -----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE----- IV III II I

  67. Deploying an SSL cer>ficate IV III II I III

  68. Install the cer>ficate on the server along with the private

    key, and intermediate cer?ficate chain. Configure HTTPS configure protocol version, cypher suite and cypher sepngs. To deploy HTTPS you need to: IV III II I

  69. History of secure protocols SSL 1 Never released SSL 2

    1996 A number of security flaws SSL 3 1995 Broken. Vulnerable to POODLE aTack TLS 1.0 1999 TLS 1.1 2006 TLS 1.2 2008 IV III II I

  70. Example config server { listen 443 ssl http2; listen [::]:443

    ssl http2; # ssl certificate config ssl_certificate /path/to/certificate_and_intermediates; ssl_certificate_key /path/to/private_key; # ssl session config ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # protocol and cipher config ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_prefer_server_ciphers on; } IV III II I

  71. Example config server { listen 443 ssl http2; listen [::]:443

    ssl http2; # ssl certificate config ssl_certificate /path/to/certificate_and_intermediates; ssl_certificate_key /path/to/private_key; # ssl session config ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # protocol and cipher config ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_prefer_server_ciphers on; } IV III II I

  72. Example config server { listen 443 ssl http2; listen [::]:443

    ssl http2; # ssl certificate config ssl_certificate /path/to/certificate_and_intermediates; ssl_certificate_key /path/to/private_key; # ssl session config ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # protocol and cipher config ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_prefer_server_ciphers on; } IV III II I

  73. Example config server { listen 443 ssl http2; listen [::]:443

    ssl http2; # ssl certificate config ssl_certificate /path/to/certificate_and_intermediates; ssl_certificate_key /path/to/private_key; # ssl session config ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # protocol and cipher config ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_prefer_server_ciphers on; } IV III II I

  74. hTps:/ /mozilla.github.io/server-side-tls/ssl-config-generator/ hTps:/ /cipherli.st/ IV III II I

  75. Heroku $ heroku addons:create ssl:endpoint Adding ssl:endpoint on example... done,

    v1 ($20/mo) $ heroku certs:add server.crt server.key Adding SSL Endpoint to example... done example now served by example-2121.herokussl.com. Certificate details: Expires At: 2012-10-31 21:53:18 GMT Issuer: C=US; ST=CA; L=SF; O=Heroku; CN=www.example.com Starts At: 2011-11-01 21:53:18 GMT hTps:/ /devcenter.heroku.com/ar?cles/ssl-endpoint hTps:/ /devcenter.heroku.com/ar?cles/ssl-cer?ficate-dnsimple IV III II I

  76. Caddy server hTps:/ /caddyserver.com/ IV III II I

  77. Caddy server IV III II I

  78. Caddy server IV III II I

  79. hTps:/ /www.ssllabs.com/ssltest/ IV III II I

  80. Lifecycle of a Cer>ficate 6 Requested ! Issued & Expired

    4 Revoked 7 Rekeyed

  81. Serving HTTPS IV III II I IV

  82. Cookie security $ curl -I https://dnsimple.com HTTP/1.1 200 OK Server:

    nginx Date: Tue, 15 Mar 2016 15:52:08 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive ETag: W/"f2d21600cdff911b9ee6a44dabcda234" Cache-Control: max-age=0, private, must-revalidate Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5 X-Runtime: 0.016254 Strict-Transport-Security: max-age=31536000 IV III II I

  83. Cookie security $ curl -I https://dnsimple.com HTTP/1.1 200 OK Server:

    nginx Date: Tue, 15 Mar 2016 15:52:08 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive ETag: W/"f2d21600cdff911b9ee6a44dabcda234" Cache-Control: max-age=0, private, must-revalidate Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5 X-Runtime: 0.016254 Strict-Transport-Security: max-age=31536000 IV III II I

  84. Mixed Content security error IV III II I

  85. Mixed Content security error IV III II I

  86. Mixed Content security error IV III II I

  87. Mixed Content security error IV III II I

  88. Mixed Content security error IV III II I

  89. Chrome security debugger IV III II I

  90. HSTS Header $ curl -I https://dnsimple.com HTTP/1.1 200 OK Server:

    nginx Date: Tue, 15 Mar 2016 15:52:08 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive ETag: W/"f2d21600cdff911b9ee6a44dabcda234" Cache-Control: max-age=0, private, must-revalidate Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5 X-Runtime: 0.016254 Strict-Transport-Security: max-age=31536000 IV III II I

  91. HSTS Header The first ?me your site is accessed using

    HTTPS and it returns the Strict-Transport- Security header, the browser records this informa?on, so that future aTempts to load the site using HTTP will automa?cally use HTTPS instead. When the expira?on ?me specified by the Strict-Transport-Security header elapses, the next aTempt to load the site via HTTP will proceed as normal instead of automa?cally using HTTPS. Strict-Transport-Security: max-age=31536000 Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains; preload IV III II I

  92. HSTS Header The first ?me your site is accessed using

    HTTPS and it returns the Strict-Transport- Security header, the browser records this informa?on, so that future aTempts to load the site using HTTP will automa?cally use HTTPS instead. When the expira?on ?me specified by the Strict-Transport-Security header elapses, the next aTempt to load the site via HTTP will proceed as normal instead of automa?cally using HTTPS. Strict-Transport-Security: max-age=31536000 Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains; preload IV III II I

  93. HSTS Header Strict-Transport-Security: max-age=31536000 Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains;

    preload hTps:/ /developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security hTps:/ /hstspreload.appspot.com/ IV III II I

  94. Public Key Pinning hTps:/ /developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][;

    report-uri="reportURI"] Public-Key-Pins: max-age=5184000; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg=" IV III II I

  95. SecurityHeaders.io IV III II I

  96. Let's Encrypt

  97. Bulletproof SSL and TLS hTp:/ /bit.ly/codemo?on2016-sslbook ⋆ ⋆ ⋆ ⋆

  98. Simone Carle4 ! hTps:/ /simonecarlep.com @weppos Thanks!