SSL++; Tales of Transport Layer Security at Twitter
presentation at BSides San Francisco, Feb 24 2013.

corresponding video available @ https://www.brighttalk.com/webcast/7651/69207

Transcript

  • 1. SSL++ Tales of Transport-Layer Security at Twitter @jimio | #BSidesSF
  • 2. CRIME
  • 3. BEAST
  • 4. HTTP
  • 5. 100% Certified SSL
  • 6. <img src="http://twitter.com"/>
  • 7. secure;
  • 8. sslstrip
  • 9. 301
  • 10. #!
  • 11. #!/jimio twitter.com/
  • 12. #!/jimio twitter.com/
  • 13. DISCLAIMER
  • 14. DISCLAIMER we did this.
  • 15. DISCLAIMER we did this. you can too.
  • 16. Hello!
  • 17. twitter Hello!
  • 18. twitter
  • 19. twitter
  • 20. twitter
  • 21. http://twitter.com
  • 22. https://twitter.com http://twitter.com
  • 23. http://twitter.ie https://twitter.com http://twitter.com
  • 24. http://twitter.ie https://twitter.com http://twitter.com http://www.w3.org http://wtf.ru http://twitter.uz
  • 25. <link rel="canonical" href="https://twitter.com/">
  • 26. %2F
  • 27. /
  • 28. <-HTTPS
  • 29. Hello!
  • 30. twitter.com Hello!
  • 31. HTTP...
  • 32. but wait!!
  • 33. HSTS
  • 34. HSTS
  • 35. HTTP=>HTTPS 300s 0
  • 36. HTTP=>HTTPS 300s 0
  • 37. includeSubdomains
  • 38. include$ubdomains
  • 39. CSP
  • 40. CSP
  • 41. < X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:
    < X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:
  • 45. secureheaders
  • 46. secureheaders Strict-Transport-Security Content-Security-Policy X-XSS-Protection X-Frame-Options X-Content-Type-Options
  • 47. SSL
  • 48. 1. OS: validate revocation, expiration 2. App: check against local bundle 3. Party on
  • 49. https://twitter.com/jobs https://t.co/h4x0r #jointheflock @jimio
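Slide 48 outlines a two-layer certificate check: the OS/TLS library validates the chain, expiry and revocation, then the application compares the presented certificate against a locally shipped bundle. The example below is added here to illustrate that layering and is not code from the talk; the host name, the pin set and the DER bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed pin bundle for illustration: SHA-256 over the DER-encoded
# leaf certificate, keyed by host. Real deployments would ship real
# fingerprints (often of the SubjectPublicKeyInfo or an intermediate CA).
PINNED_SHA256 = {
    "twitter.com": {hashlib.sha256(b"constructed-leaf-cert-der").hexdigest()},
}


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def app_check(host: str, der_cert: bytes) -> bool:
    """Step 2 (app layer): compare the presented leaf against the local
    bundle. Hosts with no pin entry fail closed rather than open."""
    pins = PINNED_SHA256.get(host)
    return pins is not None and fingerprint(der_cert) in pins


def connect_pinned(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Steps 1 and 2 together: library validation first (chain, hostname,
    expiry), then the app-level pin check. Returns the peer's DER cert on
    success and raises on either failure.

    Caveat: Python's default context does not perform OCSP/CRL revocation
    checks; that part of step 1 is assumed to be handled by the platform
    or configured separately (e.g. loaded CRLs plus verify_flags)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not app_check(host, der):
                raise ssl.SSLError(f"pin mismatch for {host}: {fingerprint(der)}")
            return der  # step 3: party on
```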