COMPATIBILITY, SECURITY & PERFORMANCE
FINDING A BALANCE WITH SSL / TLS THAT DOESN'T EXIST
sam gammon
sam @ keen dot io
General overview of TLS and SSL on today's internet, with tips about how you can protect your website with strong and unbroken cipher configurations. Published in: Engineering.

Transcript: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist
  1. COMPATIBILITY, SECURITY & PERFORMANCE: FINDING A BALANCE WITH SSL / TLS THAT DOESN'T EXIST
     sam gammon, sam @ keen dot io
  2–6. I AM A SECURITY ENGINEER.
     I AM A GUY WHO HAS SPENT WAY TOO MUCH TIME WORRYING ABOUT GIBBERISH
     (THERE ARE NO WORDS THERE)
     I DON'T KNOW MUCH ABOUT THE MATHS BEHIND ENCRYPTION.
     I DO KNOW HOW YOU CAN PROTECT YOUR APPS IN THE REAL WORLD.
  7. agenda:
     1) alice & bob: a short note on asymmetric algorithms
     2) intro to SSL/TLS on today's internet
     3) tour of the secure web, from the perspective of a lowly cipher line
     4) next-gen ciphers and features
     5) useful tools
     6) Q&A and story time
  8. Alice & Bob: Asymmetric vs. Symmetric Encryption
  9. intro to TLS
  10. here is the OSI model
  11. my protocols, let me show you them: ARP / L2TP, Bluetooth / Ethernet, IP / ICMP, TCP / UDP, SOCKS / SPDY, MIME, HTTP / DNS
  12. a regular HTTP request uses these: IP, TCP, HTTP
     GET /home HTTP/1.1
     Host: keen.io
     Connection: keep-alive
     Cache-Control: no-cache
     Accept-Encoding: gzip,deflate,sdch
     Accept-Language: en-US,en;q=0.8
     (after the TCP SYN / SYN-ACK / ACK packets)
  13. OSI model: IP is the "address", TCP the "connection", HTTP the "request" and "response"
  14. OSI model, who handles each layer: HTTP: nginx / haproxy; TCP: haproxy / OS (linux); IP: OS (linux); underneath: 1GbE (Ethernet)
  15. OSI model: IP, TCP, TLS, HTTP
  16. OSI model, who handles each layer: same as slide 14, plus TLS: openSSL
  17. OSI model: IP, TCP, TLS, HTTP. HTTPS = { TLS + HTTP }
  18. TLS has its own handshake…
  19. TLS has its own handshake…
     1) client says hello
        - passes a list of supported ciphers, in priority order
        - other capabilities like SNI (the hostname, so the server knows which certificate to present)
     2) server says hello
        - picks ONE cipher from the client's list: by the client's order, or by the server's own order if the server is configured to prefer it (nginx: ssl_prefer_server_ciphers)
        - passes certificate chain
        - other capabilities like NPN/ALPN (which application protocol to speak)
     n) they agree and connect
        - a cipher is chosen!
        - a protocol is selected!
        - keys are exchanged!
     … awhile later …
  20. elements of a cipher spec

     key exchange | standard | cipher  | symmetric size          | brokenness
     ECDHE        | TLSv1.2  | AES-GCM | 128: fast / 256: strong | "no reason to believe it's not broken… yet"
     DHE          | TLSv1    | AES-GCM | 128: fast / 256: strong | "could be broken if you're not careful"
     (none)       | SSLv3    | RC4     | 128, that's all you get | "well, fuck it. it's definitely broken, at least break fast?"

     (one correction to the middle row: GCM suites only exist in TLS 1.2, as slide 60 says, so a DHE suite under TLS 1.0 is AES-CBC, and "careful" there means the CBC caveats later in the deck.)
  21. Tools
  22–23. Testing: Qualys (SSL Labs)
     1) Awesome for experimenting with settings!
     2) Great for detecting issues!
     3) Pretty reports!
     4) Fantastic compatibility simulator
  24. Diagnostics: OpenSSL
     1) Tools for generating keys / certificates!
     2) openssl s_client for SSL client testing!
     3) openssl ocsp for OCSP testing
     4) Benchmark your ciphers with openssl speed
  25. Diagnostics: Wireshark
     1) Extremely powerful!
     2) Kind of outside the scope of this talk!
     3) Can be configured with your private key/cert to decrypt traffic (only for RSA key-transport sessions; with (EC)DHE suites there is no static key to decrypt with, so you need the session keys, e.g. a client-side SSLKEYLOGFILE)
     4) See traffic at all levels! (ARP, IP, TCP, TLS, DNS & HTTP)
  26. Always: yer favorite browser
  27. CIPH3R$!!1!
  28–30. THIS IS A CIPHER LINE. IT'S BASICALLY A LIST OF YOUR FAVORITE <3 CIPHERS AND ALSO THE ONES YOU HATE. IT'S RANKED FROM TOP TO BOTTOM:

     ssl_ciphers "
      1 ECDHE-RSA-AES128-GCM-SHA256
      2 ECDHE-RSA-AES256-GCM-SHA384
      3 ECDHE-RSA-AES128-SHA256
      4 ECDHE-RSA-AES256-SHA384
      5 ECDH-RSA-AES128-SHA256
      6 ECDH-RSA-AES256-SHA384
      7 DHE-RSA-AES128-GCM-SHA256
      8 DHE-RSA-AES256-GCM-SHA384
      9 ECDHE-RSA-RC4-SHA
     10 ECDHE-RSA-AES128-SHA
     11 ECDHE-RSA-AES256-SHA
     12 ECDH-RSA-RC4-SHA
     13 RC4-SHA
     14 DHE-RSA-AES128-SHA
     15 AES256-SHA
     16 AES128-SHA
     17 !ECDSA !DSA
     18 !3DES !aNULL !eNULL !SEED
     19 !MD5 !EXP !PSK !SRP !DSS !LOW
     ";
  31–32. THEY COME IN ALL SHAPES AND SIZES. EVERY HTTPS SERVER HAS ONE:

     ciphers AES:ALL:!aNULL:!eNULL

     ssl_ciphers
         SSL_RSA_WITH_RC4_128_MD5
         TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
         TLS_ECDHE_RSA_WITH_RC4_128_SHA
         TLS_ECDH_RSA_WITH_RC4_128_SHA;

     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

     tls.createServer({
       ciphers: "AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"
     }, …);

     <cipherSpecList>
       <cipherSpec>
         <cipher>RC4</cipher>
         <hash>SHA256</hash>
         <exchange>ECDHE</exchange>
         …
  33. THE SECURITY OF YOUR SITE DEPENDS LARGELY ON THE ORDER OF THESE ARBITRARY TOKENS. :(
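An added example, not code from the talk, that does by hand what the slides above describe: it parses OpenSSL suite names into the columns of slide 20's table (key exchange, auth, cipher, size, mode, MAC), applies an ssl_ciphers line with its "!" exclusions to get the server's ranked allow-list, flags the weaknesses the later annotations call out, and answers the ordering question from slides 30 and 33 by simulating which suite an old client ends up with when the client's order wins versus the server's. CIPHER_LINE (the top and bottom of the slide's line) and OLD_CLIENT are constructed inputs; nginx's ssl_prefer_server_ciphers is the real switch that prefer_server models; the "problems" strings are this example's summary, not an OpenSSL feature.

```python
"""Cipher-line audit: parse OpenSSL suite names, apply an ssl_ciphers line, simulate selection.
Added example for this page, not code from the talk; the 'problems' strings summarise the
talk's annotations and are not an OpenSSL feature."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

KEY_EXCHANGE = {"ECDHE", "ECDH", "DHE", "DH", "ADH", "AECDH"}
AUTH = {"RSA", "ECDSA", "DSS"}
MACS = {"MD5", "SHA", "SHA256", "SHA384"}
CIPHERS = {"AES128": ("AES", 128), "AES256": ("AES", 256), "SEED": ("SEED", 128),
           "RC4": ("RC4", 128), "DES": ("DES", 56), "NULL": ("NULL", 0)}  # token -> (algo, bits)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str  # ECDHE / DHE / ECDH / DH, or RSA meaning RSA key transport (no PFS)
    auth: str          # RSA / ECDSA / DSS, or NULL for anonymous DH
    cipher: str        # AES / RC4 / 3DES / NULL / ...
    bits: int
    mode: str          # GCM (AEAD) / CBC / STREAM / NONE
    mac: str           # MAC hash, or the PRF hash for GCM suites
    export: bool

    @property
    def forward_secrecy(self) -> bool:
        return self.key_exchange in ("ECDHE", "DHE")

    def problems(self, protocol: str = "TLSv1.2") -> list[str]:
        """Weaknesses the talk calls out, for the protocol version the suite runs under."""
        checks = [
            (self.auth == "NULL", "aNULL: no server authentication"),
            (self.cipher == "NULL", "eNULL: no encryption"),
            (self.cipher != "NULL" and (self.export or self.bits < 112), "LOW/EXP: key too short"),
            (self.cipher == "RC4", "RC4: biased keystream"),
            (self.mac == "MD5", "MD5: broken hash"),
            (self.mode == "CBC" and protocol in ("SSLv3", "TLSv1"), "CBC without explicit IV: BEAST"),
            (not self.forward_secrecy, "no forward secrecy"),
        ]
        return [msg for bad, msg in checks if bad]


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL name into the columns of the talk's cipher-spec table."""
    toks = name.split("-")
    export = toks[0] == "EXP"
    toks = toks[1:] if export else toks
    kx, auth = "RSA", "RSA"  # bare names such as AES128-SHA mean RSA key transport
    if toks[0] in KEY_EXCHANGE:
        kx = toks.pop(0)
        if kx in ("ADH", "AECDH"):
            kx, auth = kx[1:], "NULL"  # anonymous DH: nobody signs the share
        elif toks and toks[0] in AUTH:
            auth = toks.pop(0)
    if not toks or toks[-1] not in MACS:
        raise ValueError(f"unrecognised suite name: {name}")
    mac = toks.pop()
    if toks == ["DES", "CBC3"]:
        return Suite(name, kx, auth, "3DES", 112, "CBC", mac, export)  # ~112-bit effective
    cipher, bits = CIPHERS[toks[0]]
    mode = "GCM" if "GCM" in toks else "NONE" if cipher == "NULL" else "STREAM" if cipher == "RC4" else "CBC"
    return Suite(name, kx, auth, cipher, 40 if export else bits, mode, mac, export)


EXCLUDE: dict[str, Callable[[Suite], bool]] = {  # what the slide's '!' tokens remove
    "aNULL": lambda s: s.auth == "NULL", "eNULL": lambda s: s.cipher == "NULL",
    "MD5": lambda s: s.mac == "MD5", "RC4": lambda s: s.cipher == "RC4",
    "3DES": lambda s: s.cipher == "3DES", "SEED": lambda s: s.cipher == "SEED",
    "EXP": lambda s: s.export, "LOW": lambda s: not s.export and 0 < s.bits < 112,
    "ECDSA": lambda s: s.auth == "ECDSA", "DSS": lambda s: s.auth == "DSS", "DSA": lambda s: s.auth == "DSS",
}


def apply_cipher_line(line: str) -> list[Suite]:
    """Ordered allow-list from explicit names plus '!TOKEN' exclusions. Keywords like HIGH/ALL
    are not expanded (that needs OpenSSL's tables); unknown '!' tokens (PSK, SRP) are ignored."""
    tokens = [t for t in re.split(r"[\s:]+", line.strip()) if t]
    allowed = [parse_suite(t) for t in tokens if not t.startswith("!")]
    for t in tokens:
        if t.startswith("!") and t[1:] in EXCLUDE:
            allowed = [s for s in allowed if not EXCLUDE[t[1:]](s)]
    return allowed


def negotiate(client_offer: list[str], server_list: list[Suite], prefer_server: bool) -> Optional[str]:
    """First suite on the preferred side's list that the other side also supports. prefer_server=False
    is nginx's default (ssl_prefer_server_ciphers off): the client's order wins."""
    server_names = [s.name for s in server_list]
    first, second = (server_names, client_offer) if prefer_server else (client_offer, server_names)
    return next((n for n in first if n in second), None)


# Constructed for the demo: top and bottom of the talk's ssl_ciphers line with its '!' tail,
# and an old client whose offer lists RC4 first.
CIPHER_LINE = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:"
               "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:"
               "!ECDSA:!DSA:!3DES:!aNULL:!eNULL:!SEED:!MD5:!EXP:!PSK:!SRP:!DSS:!LOW")
OLD_CLIENT = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    allowed = apply_cipher_line(CIPHER_LINE)
    for rank, s in enumerate(allowed, 1):
        print(f"{rank:2d} {s.name:30} PFS={s.forward_secrecy!s:5} {s.problems('TLSv1')}")
    for prefer in (False, True):
        print("server order wins:" if prefer else "client order wins:", negotiate(OLD_CLIENT, allowed, prefer))
```

Run it and the last two lines show the point of slide 33: with the client's order honoured the old client lands on RC4-SHA even though the server ranks GCM suites first; with server preference it gets ECDHE-RSA-AES128-GCM-SHA256. Note also that none of the "!" tokens removes anything from an explicitly spelled-out list; they only bite when a keyword such as HIGH or ALL expands to suites you did not name.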
  34–46. the same cipher line, annotated (the suite names refer to the list on slide 30):

     !MD5 !eNULL !aNULL !LOW !EXP: DO NOT WANT. MD5 is broken. eNULL means no encryption at all!! aNULL means no authentication (good luck). LOW is OpenSSL's 56/64-bit ciphers and EXP the 40-bit export ones: gross.

     !ECDSA !DSA: these ones are chill*, but usually there's no support for them, client or server side. *the NSA invented DSA, though, so if you are paranoid don't use 'em.

     instead, we'll be talking about RSA stuff today (mostly)*. *RSA the algorithm (Rivest, Shamir and Adleman) isn't what got weakened: RSA the company was reported in 2013 to have taken NSA money to make the Dual_EC_DRBG random number generator the default in its BSAFE library. so if you're paranoid, write your own encryption, because all of them have the NSA's fingerprints. (that's the joke; don't.)

     ECDHE-RSA-RC4-SHA down to AES128-SHA (the SHA-1 suites in the lower half): these are for old browsers, specifically SSLv3-era clients. all of them are "broken", some more broken than others. (the ECDHE variants need at least TLS 1.0; a real SSLv3 client is down to RC4-SHA and AES128/256-SHA.)

     the AES-CBC suites among them (AES128-SHA, AES256-SHA and their DHE/ECDHE cousins) expose you to the BEAST attack under SSLv3 and TLS 1.0, because those versions reuse the previous record's last block as the next CBC IV. that's why these ciphers are the least desired. if you can get away with it, turn them off.

     RC4 is broken too. the talk's take was "but only by the NSA", so since it's less likely the NSA will be after your data (compared to some rando with knowledge of BEAST), RC4 is slightly less bad. that trade-off didn't last: public keystream-bias attacks on RC4 in TLS followed, RFC 7465 (2015) prohibits RC4 in TLS, and browsers no longer offer it, so today you drop both RC4 and the SSLv3/TLS 1.0 CBC suites rather than choosing between them.

     THERE IS ONLY ONE GIFT YOU GET WITH TLS ON TODAY'S INTERNET: Forward Secrecy :)
  47. without forward secrecy… (diagram) the client encrypts the premaster secret to the server's long-term RSA key (what the bare AES128-SHA style suites do), so anyone who records the traffic and later obtains that key can decrypt every recorded session.
  48. with forward secrecy… the slide-19 handshake again, with one extra step:
     1) client says hello
        - passes a list of supported ciphers, in priority order
        - other capabilities like SNI
     2) server says hello
        - picks a cipher, passes certificate chain, other capabilities like NPN/ALPN
     3) Generate ephemeral forward secrecy key: each side makes a fresh (EC)DH key pair for this session only, the server signs its share with the certificate's key, the session keys are derived from the DH result, and the ephemeral keys are discarded. the long-term key only ever signs, so stealing it later decrypts nothing already recorded.
     n) they agree and connect
        - a cipher is chosen!
        - a protocol is selected!
        - keys are exchanged!
     … awhile later …
  49–54. the same cipher line, annotated, continued:

     the next group is for TLS 1.0 clients: RC4 is still prioritized and AES-CBC is still broken there :( BEAST, CRIME, BREACH: BEAST is the CBC IV problem; CRIME (TLS compression) and BREACH (HTTP response compression) are compression side channels that don't depend on the cipher at all, so the fix for those is turning compression off, not reordering suites.

     ECDHE-RSA-AES128-GCM-SHA256 / ECDHE-RSA-AES256-GCM-SHA384 (the top of the line): GCM is unbroken! Yay!

     AES is fine in TLS 1.2, but for specific reasons: TLS 1.1 and later give every CBC record its own explicit IV (that kills BEAST), TLS compression must stay off (CRIME doesn't care which cipher you use), and ECDHE adds forward secrecy (a property of the key exchange, not of AES).
  55. The future!
  56. OCSP Stapling
     1) OCSP is a way to verify certificate validity and health (revocation status) with the CA
     2) Certs can be revoked ("invalidated") by providers when a key is breached
     3) "Stapling" a verifiably-valid OCSP response (signed by the CA, time-limited) into the TLS handshake, instead of making the client ask the CA's responder itself, saves the client a round trip and keeps the responder from seeing who visits your site. (nginx: ssl_stapling on; ssl_stapling_verify on; confirm with openssl s_client -status.)
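An added example, not part of the talk, that ties the tools section (openssl s_client on slide 24) to the stapling check above: build_command() assembles the s_client call with SNI and -status, parse_s_client() reads the negotiated protocol and cipher, TLS compression state and whether an OCSP staple arrived from s_client's text output, and assess() turns that into findings in the talk's terms. SAMPLE_GOOD and SAMPLE_BAD are constructed, abridged transcripts in the OpenSSL 1.0.x output format so the parser runs offline; against a real host you would feed it the stdout of subprocess.run(build_command(host), ...).

```python
"""Audit a TLS endpoint from `openssl s_client` output: protocol, cipher, compression, OCSP staple.
Added example, not part of the talk. The SAMPLE_* strings are constructed, abridged transcripts
in OpenSSL 1.0.x's output format; on a real host, pipe s_client's stdout into parse_s_client()."""
import re
from typing import Optional


def build_command(host: str, port: int = 443) -> list[str]:
    """s_client invocation: -servername sends SNI (slide 19), -status asks for an OCSP staple."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]


def parse_s_client(output: str) -> dict:
    """Pull the facts we care about out of s_client's text (the SSL-Session block and the
    OCSP dump printed by -status); None for anything the output does not contain."""
    def grab(pattern: str) -> Optional[str]:
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None

    stapled = "OCSP Response Status: successful" in output
    verify = grab(r"^\s*Verify return code:\s*(\d+)")
    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "compression": grab(r"^\s*Compression:\s*(\S+)"),  # "NONE" unless TLS compression is on
        "stapled": stapled,
        "cert_status": grab(r"^\s*Cert Status:\s*(\S+)") if stapled else None,
        "verify_code": int(verify) if verify is not None else None,
    }


def assess(report: dict) -> list[str]:
    """Findings in the terms the talk uses; an empty list means nothing to complain about."""
    findings = []
    proto, cipher = report["protocol"] or "?", report["cipher"] or "?"
    if proto not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"{proto}: no AEAD suites, CBC suites exposed to BEAST")
    if proto != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append(f"{cipher}: no forward secrecy")
    if "RC4" in cipher:
        findings.append(f"{cipher}: RC4")
    if report["compression"] not in (None, "NONE"):
        findings.append("TLS compression enabled: CRIME")
    if not report["stapled"]:
        findings.append("no OCSP staple: clients must query the responder themselves (or soft-fail)")
    elif report["cert_status"] != "good":
        findings.append(f"stapled OCSP status is {report['cert_status']}")
    if report["verify_code"] not in (None, 0):
        findings.append(f"chain did not verify (code {report['verify_code']})")
    return findings


# Constructed, abridged s_client -status output for a well-configured host ...
SAMPLE_GOOD = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
depth=1 C = US, O = Example CA
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
"""

# ... and for a legacy host with every problem the talk warns about.
SAMPLE_BAD = """\
CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = legacy.example.test
verify error:num=21:unable to verify the first certificate
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
"""

if __name__ == "__main__":
    print(" ".join(build_command("example.test")))
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, assess(parse_s_client(sample)) or "OK")
```

The parser keys on the SSL-Session block rather than the "New, TLSv1/SSLv3, Cipher is …" line, because the latter's "TLSv1/SSLv3" names the protocol family, not the negotiated version. Run against a real server, the same check also tells you whether -servername was needed: a host that serves the wrong certificate without SNI shows up as a verify code other than 0.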
  57. ECC & DSA Certificates
     1) ECC is an alternate key structure to RSA or DSA
     2) ECC keys are "faster" to compute/sign/verify, and "stronger" than RSA and DSA at "smaller" key sizes
     3) Almost nobody supports it (CA's and browsers both)
        CA's: Symantec is the only one I've found
        Browsers: the usual modern suspects (Webkit/Blink/SpiderMonkey/barely any Trident)
  58. ECC & DSA Certificates

     structure | security vs. complexity factor | AES-128 equivalent | maths
     ECC       | linear                         | 256-bit            | elliptic curves
     DSA       | exponential                    | 3,072-bit          | finite fields (discrete log)
     RSA       | exponential                    | 3,072-bit          | integer factorization
  59. Salsa20 / Poly1305
     1) These are Daniel J. Bernstein's designs; Google brought them into TLS (as ChaCha20-Poly1305, ChaCha20 being a Salsa20 variant) in Chrome
     2) They haven't been chill enough to share 'em yet*
     3) Salsa20 is a new stream cipher (replaces RC4!) that is fast
     4) Poly1305 is a MAC algorithm that can be paired with any reliable symmetric cipher (in TLS it authenticates ChaCha20 as an AEAD pair), so AES being broken won't fail us again
     5) Would be great to have server-side but only Chrome supports this stuff yet
     *there might be some patches for OpenSSL that may or may not work in the Chromium source tree… :)
  60. AES-GCM Support
     1) GCM-based algorithms were only introduced in TLSv1.2
     2) Chrome (>=31) is all good, so are Firefox and Safari
     3) IE 11 is all good (sometimes)!
     4) >=iOS 5 should have it, Android
     5) Java support is spotty
  61. Q&A / Experiences
  62. @beepbeepboop sam@keen.io