Tim Perry - HTTPS Is Not Enough - Codemotion Milan 2017

•

0 likes•341 views

The web is moving slowly towards HTTPS everywhere, but even now man-in-the-middle attacks are still astoundingly effective and easy to do. In this talk you’ll see how to beat HTTPS on many major websites, discover the tools required to secure your own applications, and learn how to keep your users safe.

Technology

Open Wifi
Interception is easy
@pimterry

ARP Spoofing
Interception is easy
@pimterry

Evil Twin Wifi
Interception is easy
@pimterry

You
Your
Bank
https://example.com
Secure!
HTTPS is
not enough
@pimterry

You
Your
Bank
Me
https://example.comhttp://example.com
Secure!Insecure
HTTPS is
not enough
@pimterry

You
Your
Bank
Me
https://example.comhttps://exomple.com
Secure!Secure!
(but useless)
HTTPS is
not enough
@pimterry

How do you get to
HTTPS?
Pre-HTTPS
MitM
@pimterry

Enter a URL
Securely do
things
Pre-HTTPS
MitM
@pimterry

Enter
example.com
Pre-HTTPS
MitM
Load
http://example.com
Redirected to
https://example.com
Securely do things!
@pimterry

Pre-HTTPS
MitM
Enter
example.com
Load
http://example.com
Hijack request, transparently proxy it
without the redirect, and do what you like.
GAME OVER
N
O
PE
@pimterry

Pre-HTTPS
MitMLoad a page
Securely do
things
Click a link
@pimterry

Pre-HTTPS
MitM
Load
http://linking-site.com
Click link to
https://example.com
Securely do things!
@pimterry

Pre-HTTPS
MitM
Load
http://linking-site.com
Click link to
http://example.com
Proxy rewrites all links to HTTP
Transparently proxy your request
GAME OVER
N
O
PE
@pimterry

Any insecure step
=
Easy hijacking
@pimterry

Is this really
a thing?
github.com/resin-io-playground/raspberry-pineapple@pimterry

Don’t trust HTTP-only sites with anything
Check the URL and certificate, constantly
Install HTTPS Everywhere
Use a VPN
As a user?
@pimterry

HTTPS-only Features
Disabling HTTP in the browser:
@pimterry

Geolocation
Service Workers
(i.e. offline, notifications, sync)
DeviceMotion
WebRTC
HTTP/2
HTTPS-Only Features
@pimterry

Warnings on HTTP
Disabling HTTP in the browser:
@pimterry

Free certificates
Disabling HTTP for your site:
@pimterry

Content Security Policy
(CSP)
Disabling HTTP for your site:
@pimterry

Automatically switch URLs to HTTPS
Content-Security-Policy:
upgrade-insecure-requests
@pimterry

Report switched URLs
Content-Security-Policy:
upgrade-insecure-requests;
report-uri /report-csp;
@pimterry

Report-only, for testing
Content-Security-Policy-Report-Only:
upgrade-insecure-requests;
report-uri /report-csp;
@pimterry

Free reporting platform:
report-uri.com
@pimterry

HTTP Strict
Transport Security
(HSTS)
Disabling HTTP for your site:
@pimterry

HTTP header for your server responses
(ineffective basic example)
Strict-Transport-Security:
max-age=3600
@pimterry

Strict-Transport-Security:
max-age=31556926
Slightly better example
@pimterry

Even better example
Strict-Transport-Security:
max-age=31556926;
includeSubDomains
@pimterry

Strict-Transport-Security:
max-age=31556926;
includeSubDomains;
preload
Great example
Then submit to hstspreload.org
@pimterry

Needs to be set on root domain (example.com)
Required on redirect domains too (example.net)
Needs easily recognizable domains
You’re committing to HTTPS forever
Other gotchas
@pimterry

Serve content with HTTPS only
Use upgrade-insecure-requests
Use HSTS, and get preloaded
Check other sites (securityheaders.io) and complain!
Let’s build a secure web
@pimterry

More from Codemotion

What if Virtual Reality glasses could transform your environment into a three-dimensional work of art in realtime in the style of a painting from Van Gogh? One of the many interesting developments in the field of Deep Learning is the so called "Style Transfer". It describes a possibility to create a patchwork (or pastiche) from two images. While one of these images defines the the artistic style of the result picture, the other one is used for extracting the image content. A team from TNG Technology Consulting managed to build an AI showcase using OpenCV and Tensorflow to realize such goggles.

Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...

Codemotion

Blockchain (and Cryptocurrency) is an evolution of 20-year old research from scientists like Chaum, Lamport, and Castro & Liskov. Due to the current hype, it's hard to distinguish beneficial aspects of the technology from a desire for a "silver bullet" for device security, verifiable logistics, or "saving democracy". The problem: blockchain introduces new security challenges - and blind adoption without understanding reduces overall security. In this talk, Melanie Rieback and Klaus Kursawe explain the pitfalls and limits of blockchain, so you can avoid making your applications LESS secure.

Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...

Codemotion

Networking is a core part of computing in the digital world we inhabit. But, how well do you know how it works? Do you understand all the moving parts of the OSI stack inside your computer, and how the network is actually put together? How can this ever work? This guided safari of layers, standards, protocols, and happenstance will bring us close to the copper wire, and up through the layers of CDMA/CD, ARP, routing and HTTP. We will make a few excursions through patchworks that still work forty years later, and cleverly designed mechanisms that show that simplicity is the only way to last.

Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...

Codemotion

Performance tests are not only an important instrument for understanding a system and its runtime environment. It is also essential in order to check stability and scalability – non-functional requirements that might be decisive for success. But won't my cloud hosting service scale for me as long as I can afford it? Yes, but… It only operates and scales resources. It won't automatically make your system fast, stable and scalable. This talk shows how such and comparable questions can be clarified with performance tests and how DevOps teams benefit from regular test practise.

Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...

Codemotion

Sascha will demonstrate the opportunities and challenges of Conversational AI learned from the practice. Both Technology and User Experience will be covered introducing a process finding micro-moments, writing happy paths, gathering intents, designing the conversational flow, and finally publishing on almost all channels including Voice Services and Chatbots. Valuable for enterprises, developers, and designers. All live on stage in just minutes and with almost no code.

Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019

Codemotion

A key challenge we face at Pacmed is quickly calibrating and deploying our tools for clinical decision support in different hospitals, where data formats may vary greatly. Using Intensive Care Units as a case study, I’ll delve into our scalable Python pipeline, which leverages Pandas’ split-apply-combine approach to perform complex feature engineering and automatic quality checks on large time-varying data, e.g. vital signs. I’ll show how we use the resulting flexible and interpretable dataframes to quickly (re)train our models to predict mortality, discharge, and medical complications.

Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019

Codemotion

Coolblue is a proud Dutch company, with a large internal development department; one that truly takes CI/CD to heart. Empowerment through automation is at the heart of these development teams, and with more than 1000 deployments a day, we think it's working out quite well. In this session, Pat Hermens (a Development Managers) will step you through what enables us to move so quickly, which tools we use, and most importantly, the mindset that is required to enable development teams to deliver at such a rapid pace.

Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019

Codemotion

Quantum computers can use all of the possible pathways generated by quantum decisions to solve problems that will forever remain intractable to classical compute power. As the mega players vie for quantum supremacy and Rigetti announces its $1M "quantum advantage" prize, we live in exciting times. IBM-Q and Microsoft Q# are two ways you can learn to program quantum computers so that you're ready when the quantum revolution comes. I'll demonstrate some quantum solutions to problems that will forever be out of reach of classical, including organic chemistry and large number factorisation.

James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...

Codemotion

Chinese food exploded across America in the early 20th century, rapidly adapting to local tastes while also spreading like wildfire. How was it able to spread so fast? The GY6 is a family of scooter engines that has achieved near total ubiquity in Europe. It is reliable and cheap to manufacture, and it's made in factories across China. How are these factories able to remain afloat? Chinese-American food and the GY6 are both riveting studies in product-market fit, and both are the product of a distributed open source-like development model. What lessons can we learn for open source software?

Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...

Codemotion

Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019

Codemotion

Would you fly in a plane designed by a craftsman or would you prefer your aircraft to be designed by engineers? We are learning that science and empiricism works in software development, maybe now is the time to redefine what “Software Engineering” really means. Software isn't bridge-building, it is not car or aircraft development either, but then neither is Chemical Engineering. Engineering is different in different disciplines. Maybe it is time for us to begin thinking about retrieving the term "Software Engineering" maybe it is time to define what our "Engineering" discipline should be.

Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019

Codemotion

What is the job of a CTO and how does it change as a startup grows in size and scale? As a CTO, where should you spend your focus? As an engineer aspiring to be a CTO, what skills should you pursue? In this inspiring and personal talk, I describe my journey from early Red Hat engineer to CTO at Bloomon. I will share my view on what it means to be a CTO, and ultimately answer the question: Should the CTO be coding?

Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019

Codemotion

If Socrates met Linus Torvalds, what would they talk about? How much math should be bundled into a good programming language? Can compiler resolve an argument and prove, that someone is right? Trough semantics of code, that we write every day, when looking carefully, one can see foundations of logic and science, that has been build more than 2000 years ago. Why does it matter, and how can we leverage this enormous power to make our code safe and sound in languages with advanced type systems, like Typescript and Scala.

Mike Kotsur - What can philosophy teach us about programming - Codemotion Ams...

Codemotion

When you build a serverless app, you either tie yourself to a cloud provider, or you end up building your own serverless stack. Knative provides a better choice. Knative extends Kubernetes to provide a set of middleware components (build, serving, events) for modern, source-centric, and container-based apps that can run anywhere. In this talk, we’ll see how we can use Knative primitives to build a serverless app that utilizes the Machine Learning magic of the cloud.

Mete Atamel - Serverless with Knative - Codemotion Amsterdam 2019

Codemotion

Whenever you do something that nobody has tried to do before, you often encounter difficulties, that well, nobody has found before! During this talk we will walk you through the data, the modelling, the problems that we encountered and solutions while working together with Graydon on predicting whether different kinds of companies will of relocate. For this use case, we analyzed 10 years of data for two million companies using around 100 descriptors / features, and produced a predictive model using decision trees and random forests on Google Cloud Platform.

Rahul Shetty - Corporate relocation prediction - Codemotion Amsterdam 2019

Codemotion

With the advent of media streaming, consumption of content via Smart TVs and Streaming Media Players is skyrocketing. However, designing and developing apps for the Big Screen provides unique challenges: crafting an easy-to-navigate UI, implementing a fail-proof login experience, introducing new monetization models and more. In this session you will learn: • How to implement a solid TV-centric UI/UX • Navigate through case studies and scenarios for the 10-foot experience • Developer tools and APIs that facilitate the creation of high quality TV-centric apps

Mario Viviani - Designing apps for fire TV - Codemotion Amsterdam 2019

Codemotion

The beloved chatbots are occupying a lot of IT-fields incredibly fast because they are easily customized, validated, API integrated. In short words, smart AI. In my talk, I am going to explain how to easily customize conversational sign-up forms with multiple field types to collect information through a chatbot-like experience written with React and Redux such as Name, Email, Location, and so on. Moreover, I will highlight how to recognize if the user enters the right data and how the chatbot will be making decisions and how to proceed with conversation depending on the user's replies.

Ilona Demidenko - Conversational Sign Up - Codemotion Amsterdam 2019

Codemotion

The key to finding the optimal solution to a problem is to threefold: maximise the number of tools in your ‘personal tool box’; know all their capabilities and uses; and to know which tool is best suited to fix the particular problem in front of you. This talk will enable you to grow all three aspects around load testing. It will look at what it means to ‘load test’ your application, how to get started with writing your first script and provide you with a case study and an insight as to the tools and techniques that we use here at the FT to help identify such performance issues.

Katie Koschland - Ready, steady, crash - Codemotion Amsterdam 2019

Codemotion

If you haven't read all of the docs, or you have learnt React just from experience, there's a chance you missed some gotchas, patterns, and features, thus preventing you to build more robust and performant applications. For example, when is it better to use Higher Order Components than Render Props? Why is a functional component slower than a class component? And why are hooks better than Recompose? In this talk we will uncover all of React's deepest secrets and newest features, how to use them, and especially why.

Matteo Antony Mistretta - React, the Inglorious way - Codemotion Amsterdam 2019

Codemotion

In Relay42 we need to handle real-time reprocessing of data with expiring TTLs. Due to the large amount of data that we have to store, we use Cassandra as our storage medium. The reprocessing of this data can include intensive deletion of data that results in the creation of tombstones, an issue that affected the performance of our entire platform. During this talk we will share the steps we took for fixing this issue, starting from the discovery, the monitoring, the cluster specific tweaking and the code changes that we had to do.

Andreea Marin - Our journey into Cassandra performance optimisation -

Codemotion

More from Codemotion (20)