SSL++; Tales of Transport Layer Security at Twitter


Presentation at BSides San Francisco, Feb 24 2013.

Corresponding video available at https://www.brighttalk.com/webcast/7651/69207


  1. SSL++ Tales of Transport-Layer Security at Twitter @jimio | #BSidesSF
  2. CRIME
  3. BEAST
  4. HTTP
  5. 100% Certified SSL
  6. `<img src="http://twitter.com"/>`
  7. `secure;`
  8. sslstrip
  9. 301
  10. #!
  11. #!/jimio twitter.com/
  12. #!/jimio twitter.com/
  13. DISCLAIMER
  14. DISCLAIMER we did this.
  15. DISCLAIMER we did this. you can too.
  16. Hello!
  17. twitter Hello!
  18. twitter
  19. twitter
  20. twitter
  21. http://twitter.com
  22. https://twitter.com http://twitter.com
  23. http://twitter.ie https://twitter.com http://twitter.com
  24. http://twitter.ie https://twitter.com http://twitter.com http://www.w3.org http://wtf.ru http://twitter.uz
  25. `<link rel="canonical" href="https://twitter.com/">`
  26. %2F
  27. /
  28. <-HTTPS
  29. Hello!
  30. twitter.com Hello!
  31. HTTP...
  32. but wait!!
  33. HSTS
  34. HSTS
  35. HTTP=>HTTPS 300s 0
  36. HTTP=>HTTPS 300s 0
  37. includeSubdomains
  38. include$ubdomains
  39. CSP
  40. CSP
  41. `< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:` `< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:`
  42. `< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:` `< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:`
  43. `< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:` `< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:`
  44. `< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:` `< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:`
  45. secureheaders
  46. secureheaders Strict-Transport-Security Content-Security-Policy X-XSS-Protection X-Frame-Options X-Content-Type-Options
  47. SSL
  48. 1. OS: validate revocation, expiration 2. App: check against local bundle 3. Party on
  49. https://twitter.com/jobs https://t.co/h4x0r #jointheflock @jimio
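The HTTP-to-HTTPS rollout the deck walks through (301 to the canonical host, HSTS started at a short max-age with max-age=0 as the back-out, CSP in report-only mode, and the rest of the secureheaders set) as an added Ruby example; this is not Twitter's code or the secureheaders gem, and the class, option names, defaults and the `/scribes/csp_report` report path are this example's own assumptions taken from the slide text.

```ruby
# Added example (not the secureheaders gem or Twitter's code): a minimal
# Rack-style middleware doing what the deck describes. Plain-HTTP requests get a
# 301 to the canonical https:// host; HTTPS responses get the secureheaders set
# (HSTS, CSP report-only, X-XSS-Protection, X-Frame-Options, X-Content-Type-Options).
class SecureTransport
  # hsts_max_age: the deck starts HSTS at 300 s; max-age=0 makes browsers
  # forget the policy, which is the back-out path if HTTPS-only breaks something.
  def initialize(app, canonical_host:, hsts_max_age: 300,
                 include_subdomains: false, report_uri: '/scribes/csp_report')
    @app, @canonical_host, @hsts_max_age = app, canonical_host, hsts_max_age
    @include_subdomains, @report_uri = include_subdomains, report_uri
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(security_headers), body]
  end

  # Behind a TLS-terminating proxy the client's scheme arrives in
  # X-Forwarded-Proto; anything that is not exactly "https" counts as plaintext.
  def https?(env)
    (env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']) == 'https'
  end

  # Permanent redirect to the canonical host (never the request's Host header),
  # keeping path and query exactly as received, with no decoding or re-encoding.
  def redirect_to_https(env)
    location = "https://#{@canonical_host}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, []]
  end

  def hsts_value
    value = "max-age=#{@hsts_max_age}"
    @include_subdomains ? "#{value}; includeSubDomains" : value
  end

  def security_headers
    {
      'Strict-Transport-Security' => hsts_value,
      # Report-only first: violations are POSTed to report-uri, nothing is blocked.
      'Content-Security-Policy-Report-Only' =>
        "default-src https:; report-uri #{@report_uri}",
      'X-XSS-Protection' => '1; mode=block',
      'X-Frame-Options' => 'SAMEORIGIN',
      'X-Content-Type-Options' => 'nosniff'
    }
  end
end
```

Browsers ignore Strict-Transport-Security received over plain HTTP, which is why the header set is attached only to responses served after the redirect.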
