Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

General overview of TLS and SSL on today's internet, with tips about how you can protect your website with strong and unbroken cipher configurations.

Published in: Engineering

Transcript

  • 1. COMPATIBILITY, SECURITY & PERFORMANCE: FINDING A BALANCE WITH SSL / TLS THAT DOESN’T EXIST
 sam gammon
 sam @ keen dot io
  • 2. I AM A SECURITY ENGINEER.
  • 3. I AM A SECURITY ENGINEER. I AM A GUY WHO HAS SPENT WAY TOO MUCH TIME WORRYING ABOUT GIBBERISH
  • 4. (THERE ARE NO WORDS THERE)
  • 5. (same slide, continued) I DON’T KNOW MUCH ABOUT THE MATHS BEHIND ENCRYPTION.
  • 6. (same slide, continued) I DO KNOW HOW YOU CAN PROTECT YOUR APPS IN THE REAL WORLD.
  • 7. agenda:
 1) alice & bob: a short note on asymmetric algorithms
 2) intro to SSL/TLS on today’s internet
 3) tour of the secure web, from the perspective of a lowly cipher line
 4) next-gen ciphers and features
 5) useful tools
 6) Q&A and story time
  • 8. Alice & Bob: Asymmetric vs. Symmetric Encryption
  • 9. intro to TLS
  • 10. here is the OSI model
  • 11. my protocols, let me show you them: ARP/L2TP, Bluetooth/Ethernet, IP / ICMP, TCP / UDP, SOCKS / SPDY, MIME, HTTP / DNS
  • 12. a regular HTTP request uses these: IP, TCP, HTTP
 TCP: SYN / SYN-ACK / ACK packets
 HTTP:
 GET /home HTTP/1.1
 Host: keen.io
 Connection: keep-alive
 Cache-Control: no-cache
 Accept-Encoding: gzip,deflate,sdch
 Accept-Language: en-US,en;q=0.8
  • 13. OSI model: IP (“address”), TCP (“connection”), HTTP (“request” / “response”)
  • 14. OSI model, and who implements each layer: HTTP by nginx / haproxy; TCP by haproxy / OS (linux); IP by OS (linux); underneath, 1gBASEe (Ethernet)
  • 15. OSI model: IP, TCP, TLS, HTTP
  • 16. OSI model, and who implements each layer: HTTP by nginx / haproxy; TLS by openSSL; TCP by haproxy / OS (linux); IP by OS (linux); underneath, 1gBASEe (Ethernet)
  • 17. OSI model: IP, TCP, TLS, HTTP; TLS + HTTP together are HTTPS
  • 18. TLS has its own handshake…
  • 19. TLS has its own handshake…
 1) client says hello
 - passes a list of supported ciphers, in priority order
 - other capabilities like SNI
 2) server says hello
 - passes a list of supported ciphers, in priority order
 - passes certificate chain
 - other capabilities like NPN/ALPN
 n) they agree and connect
 - a cipher is chosen
 - a protocol is selected
 - keys are exchanged
 … a while later …
  • 20. elements of a cipher spec
 key exchange | standard | cipher  | symmetric size          | brokenness
 ECDHE        | TLSv1.2  | AES-GCM | 128: fast / 256: strong | “no reason to believe it’s not broken… yet”
 DHE          | TLSv1    | AES-GCM | 128: fast / 256: strong | “could be broken if you’re not careful”
 —            | SSLv3    | RC4     | 140, that’s all you get | “well, fuck it. it’s definitely broken, at least break fast?”
  • 21. Tools
  • 22. Testing: Qualys
 1) Awesome for experimenting with settings
 2) Great for detecting issues
 3) Pretty reports
  • 23. Testing: Qualys (continued)
 4) Fantastic compatibility simulator
  • 24. Diagnostics: OpenSSL
 1) Tools for generating keys / certificates
 2) openssl s_client for SSL client testing
 3) openssl ocsp for OCSP testing
 4) Benchmark your ciphers with openssl speed
  • 25. Diagnostics: Wireshark
 1) Extremely powerful
 2) Kind of outside the scope of this talk
 3) Can be configured with your private key/cert to decrypt traffic
 4) See traffic at all levels (ARP, IP, TCP, TLS, DNS & HTTP)
  • 26. Always: yer favorite browser
  • 27. CIPH3R$!!1!
  • 28. ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDH-RSA-RC4-SHA RC4-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA !ECDSA !DSA !3DES !aNULL !eNULL !SEED !MD5 !EXP !PSK !SRP !DSS !LOW";
  • 29. (same cipher line as slide 28) THIS IS A CIPHER LINE. IT’S BASICALLY A LIST OF YOUR FAVORITE <3 CIPHERS AND ALSO THE ONES YOU HATE
  • 30. (same cipher line as slide 28, numbered 1–19 from top to bottom) IT’S RANKED FROM TOP TO BOTTOM
  • 31. THEY COME IN ALL SHAPES AND SIZES
 ciphers AES:ALL:!aNULL:!eNULL
 ssl_ciphers SSL_RSA_WITH_RC4_128_MD5 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDH_RSA_WITH_RC4_128_SHA;
 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 tls.createServer({ ciphers: "AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH" }, …);
 <cipherSpecList> <cipherSpec> <cipher>RC4</cipher> <hash>SHA256</hash> <exchange>ECDHE</exchange> …
  • 32. (same examples as slide 31) EVERY HTTPS SERVER HAS ONE
  • 33. THE SECURITY OF YOUR SITE DEPENDS LARGELY ON THE ORDER OF THESE ARBITRARY TOKENS. :(
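Added example, not from the deck: a toy model of the hello exchange on slide 19 that shows why the token order on slide 33 matters. The server list, the client list, and the per-suite protocol floors are constructed for this example; in a real stack the server's order wins only when it is configured to prefer it (nginx's ssl_prefer_server_ciphers, for instance).

```python
# Ordered oldest to newest; version comparisons below use the index.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Constructed server config in the spirit of slide 28: a ranked suite list
# and a (min, max) protocol range. Each suite's floor follows the deck:
# GCM suites need TLS 1.2 (slide 60), the rest run on TLS 1.0 / SSLv3.
SERVER_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                  "RC4-SHA", "AES128-SHA"]
SERVER_VERSIONS = ("TLSv1.0", "TLSv1.2")
MIN_VERSION_FOR = {"ECDHE-RSA-AES128-GCM-SHA256": "TLSv1.2",
                   "ECDHE-RSA-AES128-SHA": "TLSv1.0",
                   "RC4-SHA": "SSLv3",
                   "AES128-SHA": "SSLv3"}


def _rank(version):
    return VERSIONS.index(version)


def negotiate(client_max, client_ciphers, prefer_server_order=True):
    """Model the hello exchange: agree a protocol version, then pick the
    first suite both sides offer at that version, honouring whichever
    side's priority order the server is configured to trust.
    Returns (version, suite) or raises ValueError naming the alert a real
    stack would send."""
    server_min, server_max = SERVER_VERSIONS
    # Version: the highest the client offers that the server also speaks.
    version = VERSIONS[min(_rank(client_max), _rank(server_max))]
    if _rank(version) < _rank(server_min):
        raise ValueError("protocol_version: client too old for this server")
    # Drop suites that do not exist at the agreed version (GCM on TLS 1.0).
    usable = {c for c in client_ciphers if c in MIN_VERSION_FOR
              and _rank(MIN_VERSION_FOR[c]) <= _rank(version)}
    ranking = SERVER_CIPHERS if prefer_server_order else client_ciphers
    for suite in ranking:
        if suite in usable:
            return version, suite
    raise ValueError("handshake_failure: no cipher suite in common")


if __name__ == "__main__":
    # An older client that still ranks RC4 first, as many browsers of the
    # time did; the three calls show server order, client order, and TLS 1.0.
    old_client = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256"]
    print(negotiate("TLSv1.2", old_client))
    print(negotiate("TLSv1.2", old_client, prefer_server_order=False))
    print(negotiate("TLSv1.0", old_client))
```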
  • 36. (same cipher line as slide 28) DO NOT WANT: MD5 is broken; eNULL means no encryption at all!!; aNULL means good luck, no auth; LOW is like 40-bit only! gross
  • 38. (same cipher line as slide 28) these ones (ECDSA / DSA) are chill*, but usually there’s no support for them, client or server side. *the NSA invented them though, so if you are paranoid don’t use ‘em
  • 39. (same cipher line as slide 28) instead, we’ll be talking about RSA stuff today (mostly)*. *RSA algos were made by a corporation of the same name, paid by the NSA to weaken their algorithms. so if you’re paranoid, write your own encryption, because all of them have the NSA’s fingerprints
  • 41. (same cipher line as slide 28) these are for old browsers, specifically SSLv3. all of them are “broken”; some are more broken than others, though
  • 42. (same cipher line as slide 28) old versions of AES expose you to the BEAST attack, because of CBC mode. that’s why these ciphers are the least desired: if you can get away with it, turn them off
  • 43. (same cipher line as slide 28) these are for old browsers. RC4 is broken too, but only by the NSA
  • 44. (same cipher line as slide 28) these are for old browsers. RC4 is broken too, but only by the NSA. since it’s less likely the NSA will be after your data (compared to some rando with knowledge of BEAST), RC4 is slightly less bad
  • 45. (same cipher line as slide 28) THERE IS ONLY ONE GIFT YOU GET WITH TLS ON TODAY’S INTERNET
  • 46. (same cipher line as slide 28) Forward Secrecy! :)
  • 47. without forward secrecy…
  • 48. with forward secrecy…
 1) client says hello
 - passes a list of supported ciphers, in priority order
 - other capabilities like SNI
 2) server says hello
 - passes a list of supported ciphers, in priority order
 - passes certificate chain
 - other capabilities like NPN/ALPN
 3) generate ephemeral forward secrecy key
 n) they agree and connect
 - a cipher is chosen
 - a protocol is selected
 - keys are exchanged
 … a while later …
  • 50. (same cipher line as slide 28) these are for TLS 1.0: RC4 is still prioritized, AES is still broken :( BEAST, CRIME, BREACH (mostly compression attacks)
  • 52. (same cipher line as slide 28) GCM is unbroken! Yay!
  • 53. (same cipher line as slide 28) AES is unbroken in TLS 1.2, but only because of compression, explicit IV, and forward secrecy
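Added example, not from the deck: a small parser that takes an OpenSSL-style cipher line like the one on slide 28 and, for each ranked suite, recovers the elements from slide 20 (key exchange, bulk cipher, mode, MAC, lowest protocol version) together with the warnings the tour attaches (RC4, CBC and BEAST, no forward secrecy), then checks that the exclusions from slide 36 are present and flags any non-forward-secret suite ranked above a forward-secret one. The regex is written here for the suite names in this deck only, and CIPHER_LINE is a constructed subset of slide 28.

```python
import re
from dataclasses import dataclass

# Constructed subset of the slide-28 ssl_ciphers line; any whitespace- or
# colon-separated list of OpenSSL-style names works.
CIPHER_LINE = ("ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 "
               "ECDH-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 "
               "ECDHE-RSA-RC4-SHA RC4-SHA AES128-SHA !MD5 !eNULL !aNULL !LOW")

# Tokens the deck says must always be excluded (slide 36), plus export ciphers.
REQUIRED_EXCLUSIONS = {"MD5", "eNULL", "aNULL", "LOW", "EXP"}

SUITE_RE = re.compile(  # [kx-][auth-]bulk[-GCM]-mac, names from this deck only
    r"^(?:(?P<kx>ECDHE|ECDH|DHE)-)?(?:(?P<auth>RSA|ECDSA|DSS)-)?"
    r"(?P<bulk>AES128|AES256|RC4|3DES)(?:-(?P<mode>GCM))?"
    r"-(?P<mac>SHA384|SHA256|SHA|MD5)$")

@dataclass
class Suite:
    name: str
    kx: str            # ECDHE, DHE, ECDH, or RSA (static RSA key transport)
    bulk: str          # AES128, AES256, RC4, 3DES
    mode: str          # GCM (AEAD), CBC, or STREAM
    mac: str
    forward_secrecy: bool
    min_protocol: str  # lowest protocol version that can carry the suite
    warnings: list

def classify(name):
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised suite name: " + name)
    kx, bulk, mac = m["kx"] or "RSA", m["bulk"], m["mac"]
    mode = "GCM" if m["mode"] else ("STREAM" if bulk == "RC4" else "CBC")
    fs = kx in ("ECDHE", "DHE")
    # GCM and the SHA-2 MACs exist only in TLS 1.2; ECC suites need TLS 1.0+.
    proto = ("TLSv1.2" if mode == "GCM" or mac in ("SHA256", "SHA384")
             else "TLSv1.0" if kx in ("ECDHE", "ECDH") else "SSLv3")
    warnings = [w for bad, w in ((bulk == "RC4", "RC4 is broken"),
                                 (mode == "CBC", "CBC mode: BEAST on TLS 1.0 and older"),
                                 (not fs, "no forward secrecy")) if bad]
    return Suite(name, kx, bulk, mode, mac, fs, proto, warnings)

def parse_cipher_line(line):
    """Split a cipher line into ranked suites and the set of '!' exclusions."""
    tokens = [t for t in re.split(r"[\s:]+", line.strip().strip('"')) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    suites = [classify(t) for t in tokens if not t.startswith("!")]
    return suites, excluded

def order_problems(suites):
    """Names of non-forward-secret suites ranked above a forward-secret one."""
    return [s.name for i, s in enumerate(suites) if not s.forward_secrecy
            and any(t.forward_secrecy for t in suites[i + 1:])]
```

Running it over the full slide-28 line shows the same pattern as the constructed subset: the static ECDH-RSA suites sit above the DHE GCM ones, and the exclusion list has no !EXP.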
  • 55. The future!
  • 56. OCSP Stapling
 1) OCSP is a way to verify certificate validity and health
 2) Certs can be “invalidated” by providers when they are breached
 3) “Stapling” a verifiably-valid OCSP response to an HTTP response can optimize the process significantly
  • 57. ECC & DSA Certificates
 1) ECC is an alternate key structure to RSA or DSA
 2) ECC keys are “faster” to compute/sign/verify, and “stronger” than RSA and DSA at “smaller” key sizes
 3) Almost nobody supports it (CAs and browsers both)
 CAs: Symantec is the only one I’ve found
 Browsers: the usual modern suspects (Webkit/Blink/SpiderMonkey/barely any Trident)
  • 58. ECC & DSA Certificates
 structure | security vs. complexity factor | AES-128 equivalent | maths
 ECC       | linear                         | 256-bit            | elliptic curves
 DSA       | exponential                    | 3,072-bit          | finite fields
 RSA       | exponential                    | 3,072-bit          | integer factorization
  • 59. Salsa20 / Poly1305
 1) These are new ciphers from Google
 2) They haven’t been chill enough to share ‘em yet*
 3) Salsa20 is a new stream cipher (replaces RC4!) that is fast
 4) Poly1305 is a MAC algorithm that can wrap any reliable symmetric cipher (AES being broken won’t fail us again)
 5) Would be great to have server-side but only Chrome supports this stuff yet
 *there might be some patches for OpenSSL that may or may not work in the Chromium source tree… :)
  • 60. AES-GCM Support
 1) GCM-based algorithms were only introduced in TLSv1.2
 2) Chrome (>=31) is all good, so are Firefox and Safari
 3) IE 11 is all good (sometimes)
 4) >=iOS 5 should have it, Android
 5) Java support is spotty

  • 61. Q&A / Experiences
  • 62. @beepbeepboop sam@keen.io
