Your SlideShare is downloading. ×
0
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

SSL, HSTS and other stuff with two eSSes

434

Published on

SSL is widely accepted as a technology that protects site users from certain attacks. But does it really protect them? Are we deploying it right? Probably not. I will show you why …

SSL is widely accepted as a technology that protects site users from certain attacks. But does it really protect them? Are we deploying it right? Probably not. I will show you why

Presented at SAPO Session, 01/06/11, Lisbon.
Video available at http://videos.sapo.pt/MSR8wyZtEt4wrns0yFDO

note: this is the first version of this presentation. Please see the other presentations for updated content.

Published in: Technology, Education
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
434
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
34
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. SSL, HSTS and other stuff with two eSSes Versão 1.0 - 01/06/2011 Tiago  Mendo  -­‐  ,ago.mendo@telecom.pt
  • 2. Summary • History – SSL – TLS – SSL  vs  TLS • Protocol – Objec9ves – Applica9ons • How  it  works  -­‐  the  2  minutes  version • How  it  works  -­‐  the  30  minutes  version – Cer9ficate  valida9on – Cer9ficate  revoca9on  check – Cer9ficate  chain  of  trust  check – Fetching  content – Redirec9ng  from  HTTP  to  HTTPS – Full  HTTPS  browsing – Mixed  content  browsing • Recommenda9ons • Conclusions • Ques9onsSAPO  Websecurity  Team 2
  • 3. History > SSL • SSL  -­‐  Secure  Sockets  Layer • 1994  -­‐  SSL  1.0  created  by  Netscape,  never                          released • 1995  -­‐  SSL  2.0  released  in  Netscape  Navigator                              1.1.  Mul9ple  security  flaws  found • 1996  -­‐  SSL  3.0  releasedSAPO  Websecurity  Team 3
  • 4. History > TLS • TLS  -­‐  Transport  Layer  Security • 1999  -­‐  TLS  1.0  defined  in  RFC  2246,  using  SSL                          3.0  as  basis • 2006  -­‐  TLS  1.1  defined  in  RFC  4346 • 2008  -­‐  TLS  1.2  defined  in  RFC  5246SAPO  Websecurity  Team 4
  • 5. History > SSL vs TLS SSL TLS 1.0 2.0 3.0 (3.1) 1.0 (3.2) 1.1 (3.3) 1.2 • SSL  3.0  and  TLS  1.0  are  equivalent  in  security,   but  incompa9ble • TLS  1.0  can  be  downgraded  to  SSL  3.0SAPO  Websecurity  Team 5
  • 6. Protocol > Objectives • Why  SSL?SAPO  Websecurity  Team 6
  • 7. Protocol > Objectives • Why  SSL? • To  protect  the  communica9ons  between  two   hosts: – content  confiden9ality – integrity – authen9citySAPO  Websecurity  Team 6
  • 8. Protocol > Objectives • Why  SSL? • To  protect  the  communica9ons  between  two   hosts: – content  confiden9ality – integrity – authen9city • Host  iden9ty  is  not  protected  (requires  IPSEC) • Normally  only  the  server  is  authen9cated  SAPO  Websecurity  Team 6
  • 9. Protocol > Applications Applica,on HTTP Transport TCP Network IP Data  link 802.11  -­‐  WLAN Physical AirSAPO  Websecurity  Team 7
  • 10. Protocol > Applications Applica,on HTTP HTTP  /  SSL Transport TCP TCP Network IP IP Data  link 802.11  -­‐  WLAN 802.11  -­‐  WLAN Physical Air AirSAPO  Websecurity  Team 7
  • 11. Protocol > Applications HTTP Applica,on HTTP HTTP  /  SSL SSL Transport TCP TCP TCP Network IP IP IP Data  link 802.11  -­‐  WLAN 802.11  -­‐  WLAN 802.11  -­‐  WLAN Physical Air Air AirSAPO  Websecurity  Team 7
  • 12. Protocol > Applications HTTP Applica,on HTTP HTTP  /  SSL SSL Transport TCP TCP TCP Network IP IP IP Data  link 802.11  -­‐  WLAN 802.11  -­‐  WLAN 802.11  -­‐  WLAN Physical Air Air Air • On  top  of  any  Transport  layer  (including  UDP) • Used  with  any  Applica9on  layer  protocol • HTTP,  SMTP,  XMPP,  SIP,  etc. • Used  in  OpenVPNSAPO  Websecurity  Team 7
  • 13. How it works - the 2 minutes version • Type  hbps://www.facebook.com  and  hit  enterSAPO  Websecurity  Team 8
  • 14. How it works > Traffic without SSLSAPO  Websecurity  Team 9
  • 15. How it works > Traffic with SSLSAPO  Websecurity  Team 10
  • 16. How it works - the 30 minutes version • Type  hbps://www.facebook.com  and  hit  enter • Browser  connects  to  www.facebook.com:443 • SSL  handshake  is  ini9ated • Server  sends  its  X.509  cer9ficate  to  the  client • The  client  starts  the  valida9on  processSAPO  Websecurity  Team 11
  • 17. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emibed  by  a   trusted  CASAPO  Websecurity  Team 12
  • 18. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emibed  by  a   trusted  CASAPO  Websecurity  Team 13
  • 19. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emibed  by  a   trusted  CASAPO  Websecurity  Team 14
  • 20. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emibed  by  a   trusted  CASAPO  Websecurity  Team 15
  • 21. How it works > Certificate revocation check • CRL  -­‐  Cer9ficate  Revoca9on  List • The  CRL  is  a  list  of  revoked  serial  numbers • The  cer9ficate  specifies  a  CRL  URL • Answer  can  be  cached  for  a  few  months – period  defined  by  the  CA • The  CRL  can  be  very  large:  enter  OCSP – expired  certs.  are  removed  from  the  CRLSAPO  Websecurity  Team 16
  • 22. How it works > Certificate revocation check • OCSP  -­‐  Online  Cer9ficate  Status  Protocol • Browser  asks  the  server  if  a  specific  cert.  is   s9ll  valid • The  cer9ficate  specifies  a  OCSP  server • Answer  can  be  cached  for  a  few  days – period  defined  by  the  CA • A  cert.  can  specify  both  the  CRL  and  OCSPSAPO  Websecurity  Team 17
  • 23. How it works > Certificate revocation check • What  can  go  wrong?SAPO  Websecurity  Team 18
  • 24. How it works > Certificate revocation check • What  can  go  wrong? • CRL  and  OCSP  servers  can  be  unreachable – Browsers  will  allow  user  to  con9nue – You  may  or  may  not  be  warned  about  this – Moxie  Marlinspike  found  that  OCSP  “try  again”   message  (error  code  3)  is  not  signed – Aback:  MiTM  with  a  revoked  cert.  and  reply  3  to   the  OCSP  requests.  SAPO  Websecurity  Team 18
  • 25. How it works > Certificate revocation check • How  to  mi9gate  this  problem?SAPO  Websecurity  Team 19
  • 26. How it works > Certificate revocation check • How  to  mi9gate  this  problem? • OCSP  Stapling  -­‐  Kerberos  style  9cket – Cert.  owner  frequently  asks  the  OCSP  for  a  9cket – Ticket  says  “I,  CA  guarantee  with  my  signature   that  this  cer9ficate  is  valid  for  a  few  hours” – Site  presents  this  9cket  to  reques9ng  browser • Fallback  to  OCSP • Support:  Chrome  on  Windows  Vista  or  higherSAPO  Websecurity  Team 19
  • 27. How it works > Certificate revocation check • How  to  mi9gate  this  problem?SAPO  Websecurity  Team 20
  • 28. How it works > Certificate revocation check • How  to  mi9gate  this  problem? • CRL  and  OCSP  cacheSAPO  Websecurity  Team 20
  • 29. How it works > Certificate revocation check • How  to  mi9gate  this  problem? • CRL  and  OCSP  cache • Which  introduces  another  problem – If  a  cert.  is  compromised,  there  may  a  significant   window  of  vulnerability  (days/months  for  a  CRL) – Remember  the  Comodo  RA  compromise? – 9  certs.  were  issued  to  7  domains – certs.  were  revoked  in  15  minutes – Browser  vendors  immediately  issued  browser   updatesSAPO  Websecurity  Team 20
  • 30. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emi@ed  by  a   trusted  CASAPO  Websecurity  Team 21
  • 31. How it works > Certificate chain of trust check • The  server  sends  the   whole  cer9ficate  chain • For  each  cert.  in  the  chain  verify – is  properly  signed  by  the  CA  cer9ficate   immediately  higher  in  the  hierarchy – last  cer9ficate  is  explicitly  trusted  by  the  browser,   so  no  signature  verifica9on  is  doneSAPO  Websecurity  Team 22
  • 32. How it works > Certificate chain of trust check • What  can  go  wrong?SAPO  Websecurity  Team 23
  • 33. How it works > Certificate chain of trust checkSAPO  Websecurity  Team 24
  • 34. How it works > Certificate chain of trust check • What  can  go  wrong? • The  browser  does  not  know  the  root  CA – can  happen  if  you  are  using  an  old  browser/device – Firefox  effec9vely  prevents  progress!SAPO  Websecurity  Team 25
  • 35. How it works > Certificate chain of trust check • What  can  go  wrong? • The  browser  does  not  know  the  root  CA – can  happen  if  you  are  using  an  old  browser/device – Firefox  effec9vely  prevents  progress! • How  to  mi9gate  this  problem?   • Mul9-­‐roo9ng  CAs – Server  sends  a  longer  chain  with  more  CA   cer9ficates  higher  in  the  hierarchy – Both  CAs  trusted  by  FirefoxSAPO  Websecurity  Team 25
  • 36. How it works > Certificate chain of trust check • What  can  go  wrong?SAPO  Websecurity  Team 26
  • 37. How it works > Certificate chain of trust check • What  can  go  wrong? • You  do  not  trust  what  your  browser  trusts – Firefox  ships  with  76  CAs • Chunghwa  Telecom  Co.,  Ltd • Türkiye  Bilimsel  ve  Teknolojik  AraşSrma  Kurumu  -­‐   TÜBİTAK – Are  all  of  them  secure  and  properly  managed?SAPO  Websecurity  Team 26
  • 38. How it works > Certificate chain of trust check • What  can  go  wrong? • You  do  not  trust  what  your  browser  trusts – Firefox  ships  with  76  CAs • Chunghwa  Telecom  Co.,  Ltd • Türkiye  Bilimsel  ve  Teknolojik  AraşSrma  Kurumu  -­‐   TÜBİTAK – Are  all  of  them  secure  and  properly  managed? – “I  have  not  been  able  to  find  the  current  owner  of   this  root.  Both  RSA  and  VeriSign  have  stated  in   email  that  they  do  not  own  this  root.”  said  one  of   the  maintainers  of  Mozilla  CA  list  (early  2010)SAPO  Websecurity  Team 26
  • 39. How it works > Certificate chain of trust check • What  can  go  wrong? • You  do  not  trust  what  your  browser  trusts – Recent  request  to  add  a  CA  to  Firefox • “This  is  a  request  to  add  the  CA  root  cerAficate  for   Honest  Achmeds  Used  Cars  and  CerAficates.” • “Achmeds  uncles  all  vouch  for  the  fact  that  hes   honest.” • “The  purpose  of  this  cerAficate  is  to  allow  Honest   Achmed  to  sell  bucketloads  of  other  cerAficates  and   make  a  lot  of  money.” – It  was  not  granted.  This  9me.SAPO  Websecurity  Team 27
  • 40. How it works > Certificate chain of trust check • How  to  mi9gate  this  problem?   • Remove  trust  or  delete  CAs – they  might  come  back  amer  somware  updates – how  do  you  evaluate  if  a  CA  should  be  trusted? – can  you  do  this  in  your  smartphone?SAPO  Websecurity  Team 28
  • 41. How it works > Fetching content • At  this  point  the  browser  trusts  the  site   cer9ficate • No  HTTP  request  was  made  yet! • First  HTTP  request  is  made  only  now GET / HTTP/1.1 Host: www.facebook.comSAPO  Websecurity  Team 29
  • 42. How it works > Fetching contentSAPO  Websecurity  Team 30
  • 43. How it works > Redirecting from HTTP to HTTPS • Lets  go  back  a  lible • Imagine  you  type  hbp://www.facebook.com   instead  of  hbps... • Hit  enter!SAPO  Websecurity  Team 31
  • 44. How it works > Redirecting from HTTP to HTTPS • Lets  go  back  a  lible • Imagine  you  type  hbp://www.facebook.com   instead  of  hbps... • Hit  enter! • Browser  connects  to  www.facebook.com:80SAPO  Websecurity  Team 31
  • 45. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 32
  • 46. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 33
  • 47. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 34
  • 48. How it works > Redirecting from HTTP to HTTPS • What  can  go  wrong?SAPO  Websecurity  Team 35
  • 49. How it works > Redirecting from HTTP to HTTPS • What  can  go  wrong? • Moxie  Marlinskipe  and  his  sslstrip  toolSAPO  Websecurity  Team 35
  • 50. How it works > Redirecting from HTTP to HTTPS • What  can  go  wrong? • Moxie  Marlinskipe  and  his  sslstrip  toolSAPO  Websecurity  Team 35
  • 51. How it works > Redirecting from HTTP to HTTPS • sslstrip  func9oning – MiTM  tool – maps  HTTPS  links  to  HTTP – maps  redirects  to  HTTPS  back  to  HTTP – maps  HTTPS  links  to  homograph-­‐similar  HTTPS   links – can  supply  a  lock  favicon – logging!SAPO  Websecurity  Team 36
  • 52. How it works > Redirecting from HTTP to HTTPS • sslstrip  func9oningSAPO  Websecurity  Team 37
  • 53. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 38
  • 54. How it works > Redirecting from HTTP to HTTPS • You  type  hbp://www.facebook.com  and  get   redirected  to  hbps://www.facebook.com GET / HTTP/1.1 Host: www.facebook.com HTTP/1.1 302 Found Location: https://www.facebook.com/ • These  requests  are  not  protected  with  SSL!SAPO  Websecurity  Team 39
  • 55. How it works > Redirecting from HTTP to HTTPS • How  to  mi9gate  this  problem?SAPO  Websecurity  Team 40
  • 56. How it works > Redirecting from HTTP to HTTPS • How  to  mi9gate  this  problem? • Make  site  available  only  in  HTTPS – Does  not  work:  most  users  type  HTTP  and   redirects  are  dangerousSAPO  Websecurity  Team 40
  • 57. How it works > Redirecting from HTTP to HTTPS • How  to  mi9gate  this  problem? • Make  site  available  only  in  HTTPS – Does  not  work:  most  users  type  HTTP  and   redirects  are  dangerous • Use  STS:  Strict  Transport  Security – Formerly  HSTS:  HTTP  STS – Server  defined  policy  that  browsers  must  honor – Server  sends  HTTP  header  with  policySAPO  Websecurity  Team 40
  • 58. How it works > Redirecting from HTTP to HTTPS Strict-Transport-Security: max-age=15768000;includeSubdomains • This  header  says  “Browser,  convert  all   requests  to  my  domain  to  HTTPS” • It  also  says  “If  there  is  any  security  issue  with   the  connec9on  do  not  allow  progress” • Consequences: – the  user  types  hbp://www.facebook.com  and  the   browser  requests  hbps://www.facebook.com – any  HTTP  link  in  the  response  turns  to  HTTPS – no  HTTP  request  hits  the  networkSAPO  Websecurity  Team 41
  • 59. How it works > Redirecting from HTTP to HTTPS • S9ll,  there  is  a  problem:SAPO  Websecurity  Team 42
  • 60. How it works > Redirecting from HTTP to HTTPS • S9ll,  there  is  a  problem: • We  have  never  visited  the  site  or  policy   expired – browser  does  not  know  the  STS  policy  for  the  site – if  the  user  types  hbp://www.facebook.com  the   request  is  done  using  HTTP – TOFU:  Trust  On  First  Use • Recommenda9ons – first  visit  using  a  safe  wired  network – manually  instruct  the  browser  to  use  STS  SAPO  Websecurity  Team 42
  • 61. How it works > Redirecting from HTTP to HTTPS • Server  support:  all,  just  send  the  header • Browser  support – Chrome  4.0.211.0  (with  preloaded  domain  list) – Firefox  4 • Plugins – Safari  SSL  Everywhere – Firefox  EFF  HTTPS  Everywhere – Firefox  ForceTLS  (simple  list  edi9ng)SAPO  Websecurity  Team 43
  • 62. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 44
  • 63. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 44
  • 64. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 45
  • 65. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 45
  • 66. How it works > Full HTTPS browsing • At  this  point  we  have  all  the  contents  of  the   site  served  over  HTTPS.   • How  can  we  be  sure? • No9ce  the  green  hbps  textSAPO  Websecurity  Team 46
  • 67. How it works > Mixed content browsing • How  about  this  situa9on? • No9ce  the  red  strikethrough  hbps  textSAPO  Websecurity  Team 47
  • 68. How it works > Mixed content browsing • Chrome  console  output:SAPO  Websecurity  Team 48
  • 69. How it works > Mixed content browsing • What  is  the  problem?SAPO  Websecurity  Team 49
  • 70. How it works > Mixed content browsing • What  is  the  problem? • Sensi9ve  informa9on  can  be  captured – images:  your  last  night  weird  photos – javascript:  can  be  replaced  with  malicious  code – cookies:  sent  in  every  request! – full  browsing  informa9on • Browser  warnings – can  affect  site  reputa9on – most  users  ignore  thisSAPO  Websecurity  Team 49
  • 71. How it works > Mixed content browsingSAPO  Websecurity  Team 50
  • 72. How it works > Mixed content browsing • How  to  mi9gate  this  problem?  SAPO  Websecurity  Team 51
  • 73. How it works > Mixed content browsing • How  to  mi9gate  this  problem?   • STS – you  have  to  specify  all  domains  used  by  the  site – some  links  might  not  work  over  HTTPS – not  a  solu9on  for  all  sitesSAPO  Websecurity  Team 51
  • 74. How it works > Mixed content browsing • How  to  mi9gate  this  problem?   • STS – you  have  to  specify  all  domains  used  by  the  site – some  links  might  not  work  over  HTTPS – not  a  solu9on  for  all  sites • Use  only  HTTPS  links  :) – use  a  proxy:  make  your  server  fetch  the  HTTP   content  and  serve  it  over  HTTPS – do  not  forget  the  faviconSAPO  Websecurity  Team 51
  • 75. How it works > Mixed content browsing • How  to  minimize  this  problem?  SAPO  Websecurity  Team 52
  • 76. How it works > Mixed content browsing • How  to  minimize  this  problem?   • Secure  Cookies – the  server  can  set  the  secure  flag  for  the  cookie – a  secure  cookie  is  only  sent  over  HTTPS – beware:  this  does  not  prevent  the  mixed  content   warning,  it  ONLY  prevents  cookies  from  being  sent   over  HTTPSAPO  Websecurity  Team 52
  • 77. Recommendations • A  few  more  recommenda9onsSAPO  Websecurity  Team 53
  • 78. Recommendations • A  few  more  recommenda9ons • Make  a  bookmark  with  the  HTTPS  link  for  the   site  (specially  homebanking  sites) – avoids  requests  using  HTTP – avoids  abacks  caused  by  typos • Use  a  plugin  that  warns  you  if  the  cer9ficate   has  changed – Perspec9ves  (www.networknotary.org) – Cer9ficate  PatrolSAPO  Websecurity  Team 53
  • 79. Conclusions • Conclusions – SSL  3.0  and  TLS  1.0+  are  the  way  to  go – Use  STS  and  manually  add  your  important  sites – Update  your  browser  omen  or  automa9cally – Do  not  visit  sites  which  the  first  page  is  HTTP  using   public  wireless  networks – Do  not  create  sites  with  mixed  HTTP(S)  content – If  your  site  is  HTTPS  only,  use  secure  cookiesSAPO  Websecurity  Team 54
  • 80. Questions Any  ques9ons? 9ago.mendo@telecom.ptSAPO  Websecurity  Team 55

×