
HSTS: Improving Security Without Losing Performance


lightning talk @ CGNwebperf 2018


  1. HSTS: Improving Security Without Losing Performance. #CGNwebperf #25, Cologne, 6 December 2018. Ingo Steinke (@fraktalisman), Sevenval Technologies GmbH, sevenval.com, wao.io
  2. HSTS: HTTP Strict Transport Security
  3. ? HSTS + HTTP/2 + TLS 1.3 + Let's Encrypt (Ilya Grigorik, Velocity 2014); 2018 (Illustration © Jonathan Burton)
  4. HSTS reduces round trips: once the policy is cached, the browser rewrites http:// to https:// locally, shown in the developer tools as a 307 Internal Redirect.
  5. HSTS header: Strict-Transport-Security: max-age=31536000. HSTS cache in Chrome: chrome://net-internals/hsts#hsts. HSTS preload list: hstspreload.org
  6. HSTS header with subdomains: Strict-Transport-Security: max-age=31536000; includeSubDomains. Mind forgotten legacy subdomains that are still plain HTTP, such as http://old.legacy.domain.i.forgot.com/
  7. HTTPS && Brotli. Most new performance features require HTTPS.
  8. Most new performance features require HTTPS. (Image © Microsoft)
  9. HTTPS, HSTS, TLS 1.3, HTTP/2 (repeated as a grid across the slide). Do it yourself, or use wao.io, Cloudflare, ... Just do it! (© IKEA)
  10. Links: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security, www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet, hstspreload.org, en.wikipedia.org/wiki/Brotli, istlsfastyet.com, blog.wao.io/tls-1-3
  11. HSTS: Improving Security Without Losing Performance. #CGNwebperf, sevenval.com, wao.io. Thanks! && Questions?
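As an added example (not code from the talk, nor from Sevenval or wao.io), the following Python parses a Strict-Transport-Security header value the way a browser splits its directives and reports the findings a practitioner would want to see before adding includeSubDomains or submitting a domain to hstspreload.org. The header strings and the legacy hostname are constructed samples based on slides 5 and 6; the one-year minimum max-age, includeSubDomains and preload directives are the preload list's published requirements, and the "missing max-age means the header is ignored" rule comes from RFC 6797.

```python
"""Parse a Strict-Transport-Security header and check it against the
hstspreload.org requirements. Added example for this page; sample header
values below are constructed, not captured from a real site."""

import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list requires


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split the value on ';' into directives (RFC 6797 section 6.1).
    Directive names are case-insensitive and max-age may be quoted."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"\d+", value):   # anything else is malformed
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def check_policy(header_value: str,
                 legacy_http_subdomains: Sequence[str] = ()) -> List[str]:
    """Return human-readable findings for the given header value.
    legacy_http_subdomains models hosts under the domain that still only
    speak plain HTTP, like the forgotten host on slide 6; once the parent
    sets includeSubDomains the browser will refuse http:// for them too."""
    policy = parse_hsts(header_value)
    findings = []
    if policy.max_age is None:
        findings.append("max-age missing or malformed: browsers ignore the header")
    elif policy.max_age == 0:
        findings.append("max-age=0: the policy is deleted from the browser's HSTS cache")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} < {ONE_YEAR}: not eligible for preloading")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: required for preload; subdomains stay unprotected")
    elif legacy_http_subdomains:
        findings.append("includeSubDomains will break HTTP-only hosts: "
                        + ", ".join(legacy_http_subdomains))
    if not policy.preload:
        findings.append("preload directive missing: hstspreload.org rejects the submission")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the header from slide 6 plus its forgotten subdomain.
    for line in check_policy("max-age=31536000; includeSubDomains",
                             ["old.legacy.domain.i.forgot.com"]):
        print("-", line)
```

The two-stage split (parser, then policy check) keeps the header grammar separate from the deployment rules, so the preload thresholds can change without touching the parsing; a real rollout would feed `legacy_http_subdomains` from a certificate-transparency or DNS inventory of the zone rather than a hard-coded list.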
