HTTPS presentation at Port80 Sydney meetup March 2016

A look at what's new, or often misunderstood, in HTTPS

Published in: Internet

HTTPS
Renaming the meetup to Port443

Why I care about HTTPS
• section.io is an agile Content Delivery Network
• We maintain a Qualys SSL Labs Grade A rating
• Our own site, blog, and portal are full HTTPS
• We help our customers transition to full HTTPS
• I’m personally passionate about security

Why should you care about HTTPS?
• You’re already here anyway
• A 42% increase for Alexa Top 1 Million in 6 months
• Hopefully the following presentation will help

SSL is dead
• HTTP = Hypertext Transfer Protocol
• HTTPS = HTTP Secure
• TLS = Transport Layer Security, now at version 1.2
• SSL = Secure Sockets Layer
• SSL v3 is effectively dead since POODLE in 2014
• SSL v2 just became even deader with DROWN this month
• X.509 Certificate

Mixed mode requests
• When a page served over HTTPS contains http:// URLs
• Since October 2015, Chrome removes the padlock.
• Content Security Policies can help fix the broken http:// URLs
• Protocol relative URLs reduce cache effectiveness:
  • http://domain/resource => //domain/resource
  • https://domain/resource => //domain/resource

Cross-Origin Resource Sharing
• Making an AJAX request to a different “origin”
• CORS considers HTTP and HTTPS to be different origins:
  • http://example.com ≠ http://different.com
  • http://example.com ≠ https://example.com
• Send CORS headers for HTTPS requests:
  • Access-Control-Allow-Origin: http://example.com

Secure Cookies
• When the Set-Cookie header includes the secure attribute
• The browser will only send the cookie over HTTPS
• Except: a non-HTTPS resource can write to a Secure Cookie
• An IETF draft is coming to correct this
• Prefixed cookies are also in an IETF draft
  • Set-Cookie: __Secure-example; Secure;
  • Set-Cookie: __Host-example; Secure; Path=/
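The cookie-prefix rules on the slide above can be checked mechanically before a response leaves the server. The following Python is an added example, not code from the slides or from section.io; it implements the rules as stated in the cookie-prefixes IETF draft (assumed here: `__Secure-` needs the `Secure` attribute and an HTTPS origin; `__Host-` additionally needs `Path=/` and no `Domain` attribute), and the Set-Cookie values it audits are constructed for illustration.

```python
# Added example (not from the slides): audit Set-Cookie headers against
# the __Secure- / __Host- prefix rules described in the cookie-prefixes draft.

# Constructed sample Set-Cookie values; not taken from the presentation.
SAMPLE_HEADERS = [
    "__Secure-example=1; Secure",
    "__Secure-example=1",                                    # missing Secure
    "__Host-example=1; Secure; Path=/",
    "__Host-example=1; Secure; Path=/; Domain=example.com",  # Domain not allowed
    "__Host-example=1; Secure",                              # missing Path=/
    "plain=1",                                               # no prefix, no rules
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; valueless flags such as Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def cookie_prefix_problems(header, scheme="https"):
    """Return the list of prefix-rule violations for one Set-Cookie value.

    `scheme` is the scheme of the response that sets the cookie; browsers
    refuse prefixed cookies that arrive over plain HTTP.
    """
    name, _, attrs = parse_set_cookie(header)
    problems = []
    prefixed = name.startswith("__Secure-") or name.startswith("__Host-")
    if prefixed:
        if "secure" not in attrs:
            problems.append("missing Secure attribute")
        if scheme != "https":
            problems.append("prefixed cookie set from a non-HTTPS origin")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be /")
    return problems


def audit(headers, scheme="https"):
    """Map each header to its problems, keeping only headers that have any."""
    report = {}
    for header in headers:
        problems = cookie_prefix_problems(header, scheme)
        if problems:
            report[header] = problems
    return report


if __name__ == "__main__":
    for header, problems in audit(SAMPLE_HEADERS).items():
        print(f"{header!r}: {', '.join(problems)}")
```

The parser deliberately keeps attribute names case-insensitive, because `Secure`, `secure` and `SECURE` are all accepted by browsers; a checker that compared them case-sensitively would report false positives.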
Referrers
• The Referer header informs the server where you’re coming from
• The header is not sent when navigating from HTTPS to HTTP
• A W3C draft is coming for “Referrer Policies” to override this
• Controlled by the source page, not the destination
• Can choose to reveal the full URL, only the domain, or neither

HTTPS Validation
• Has the certificate expired?
• Does my browser trust a certificate in the certificate chain?
• Has the certificate been revoked by the authority?
• and …

Does the name match?
• Common Name
  • CN=www.example.com
• Wildcard
  • CN=*.example.com
  • ≠ example.com
  • ≠ two.levels.example.com
• Subject Alternative Name (SAN)
  • CN=*.example.com SAN=example.com, two.levels.example.com, different.com
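The wildcard and SAN rules on the slide above are the part of certificate validation that trips people up most often, so here is an added example in Python that is not code from the slides: a small hostname matcher that applies exactly those rules (a `*` covers one DNS label only, so `*.example.com` matches `www.example.com` but neither `example.com` nor `two.levels.example.com`, and SAN entries extend the set of covered names). It checks the union of CN and SAN as the slide's last bullet implies; note that modern browsers ignore the CN entirely once a SAN extension is present, which is why the CN should always be repeated as a SAN entry.

```python
# Added example (not from the slides): hostname matching against a
# certificate's Common Name and Subject Alternative Names.


def _pattern_matches(pattern, hostname):
    """Match one certificate name pattern against a hostname.

    A leading '*.' matches exactly one DNS label; anything else must match
    the hostname exactly. Comparison is case-insensitive and ignores a
    trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # '*.example.com' -> '.example.com'
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    # Reject the bare domain (empty first label) and multi-level names.
    return bool(first_label) and "." not in first_label


def name_matches(hostname, common_name=None, sans=()):
    """Return True if `hostname` is covered by the certificate's names."""
    candidates = list(sans)
    if common_name:
        candidates.append(common_name)
    return any(_pattern_matches(c, hostname) for c in candidates)


if __name__ == "__main__":
    # The certificate from the slide: CN=*.example.com with three SAN entries.
    cn = "*.example.com"
    sans = ["example.com", "two.levels.example.com", "different.com"]
    for host in ["www.example.com", "example.com", "two.levels.example.com",
                 "different.com", "three.two.levels.example.com", "other.com"]:
        print(f"{host:32} -> {name_matches(host, cn, sans)}")
```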
Extended Validation Certificates
• Show the fancy green address bar
• A lot more paperwork

Certificate Signature Hash function
• SHA256 is the current preference
• SHA1 signatures are now reporting as insecure in browsers
• Internet Explorer silently terminates the connection for MD5

Server Name Indication (SNI)
• Browser sends the domain name before it receives the certificate
• Normally only the IP address and port number are available
• Host request header gets sent after TLS handshake has completed
• All modern browsers and devices support SNI
• Server tools and programming frameworks often need to opt-in
• TL;DR one IP address is enough

HTTP Strict Transport Security (HSTS)
• HTTP response headers indicating to use only HTTPS for this site
• And optionally all subdomains too.
• Has a duration for which the browser should remember this.
• 6-month duration required to achieve Qualys Grade A+
• More secure than HTTP 30x redirection.
• Can be submitted for inclusion, hard-coded in the browser.

HTTP Public Key Pinning (HPKP)
• HTTP response headers fingerprinting the certificate keys to expect.
• Has a duration for which the browser should remember this.
• Only valid if the header also includes backup fingerprints.
• The backup fingerprints don’t need to be CA-signed certificates
• Preloading is possible (like HSTS)
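Both the HSTS and the HPKP slides above describe a response header with a duration and some conditions (a long enough `max-age` for HSTS; at least one backup pin for HPKP). The following Python is an added example, not code from the slides or from section.io, that checks a site's `Strict-Transport-Security` and `Public-Key-Pins` values against those conditions. Assumptions: the "6-month" A+ threshold is taken as 180 days, `includeSubDomains` and `preload` are reported as missing rather than as errors (the slide calls subdomains optional), and the pin values in the samples are constructed placeholders, not real key fingerprints.

```python
# Added example (not from the slides): lint HSTS and HPKP header values.

SIX_MONTHS = 180 * 24 * 3600  # assumed threshold for the Qualys A+ "6-month" rule


def parse_directives(header):
    """Parse 'k=v; flag; k=v' into a list of (name, value) pairs.

    A list rather than a dict, because HPKP repeats pin-sha256.
    Names are lower-cased, quotes around values are stripped, flags map to None.
    """
    directives = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives.append((name.strip().lower(), value.strip().strip('"') if value else None))
    return directives


def check_hsts(header):
    """Return problems with a Strict-Transport-Security value (empty list if fine)."""
    directives = dict(parse_directives(header))
    try:
        max_age = int(directives.get("max-age") or "")
    except ValueError:
        return ["max-age missing or not an integer"]
    problems = []
    if max_age < SIX_MONTHS:
        problems.append(f"max-age {max_age} is below {SIX_MONTHS} seconds")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    if "preload" not in directives:
        problems.append("preload not set (required for preload list submission)")
    return problems


def check_hpkp(header):
    """Return problems with a Public-Key-Pins value (empty list if fine)."""
    directives = parse_directives(header)
    pins = [value for name, value in directives if name == "pin-sha256" and value]
    problems = []
    if len(pins) < 2:
        problems.append("fewer than two pins: no backup pin, browsers ignore the header")
    if not any(name == "max-age" for name, _ in directives):
        problems.append("max-age missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers; the pin values are placeholders, not real fingerprints.
    samples = {
        "HSTS weak": "max-age=86400",
        "HSTS A+": "max-age=31536000; includeSubDomains; preload",
        "HPKP no backup": 'pin-sha256="PLACEHOLDER_PIN_A="; max-age=5184000',
        "HPKP ok": 'pin-sha256="PLACEHOLDER_PIN_A="; pin-sha256="PLACEHOLDER_PIN_B="; max-age=5184000',
    }
    for label, value in samples.items():
        checker = check_hsts if label.startswith("HSTS") else check_hpkp
        print(f"{label}: {checker(value) or 'ok'}")
```

The backup-pin check is the one that matters operationally: a pin set with no backup that survives a key rotation locks every returning browser out of the site for the full `max-age`, which is why the slide insists on it.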
Online Certificate Status Protocol Stapling
• OCSP is a modern solution to Certificate Revocation Lists
• Unfortunately OCSP implementations don’t perform well:
  • At least 15% of requests fail
  • Successful requests add a median of 350ms to the TLS handshake
• Instead the server can include an OCSP response with the certificate
• Must Staple TLS Feature Extension

HTTP/2
• Requires HTTPS in all browsers
• Multiplexing mitigates the TLS handshake costs
• Domain-sharding becomes an anti-pattern
• Connection sharing aids the transition
• Server push

TLS 1.0 going out, TLS 1.3 coming in
• Payment Card Industry Data Security Standard (PCI DSS)
  • Version 3.1 from April 2015 scheduled TLS 1.0 deprecation for July 2016
  • Revised in December 2015 to postpone deprecation to 2018 instead
• TLS v1.3
  • TCP Fast Open to send TLS ClientHello with SYN
  • Specification has been frozen to allow real-world testing

Google Says So
• Page Rank
  • Starting August 2014, HTTPS sites are given a (slightly) higher rank.
  • Rank only awarded to “strong” HTTPS.
• Geo-location and WebRTC only for HTTPS sites in Chrome soon

Let’s Encrypt
• Free certificates
• Trusted in all modern browsers and devices
• Automated Domain Control Validation
• Automated installation on the web server
• Automated renewal
• Standardised protocols
• Open source implementation
• https://letsencrypt.org/

Thank you
• Jason Stangroome
• @jstangroome
• https://section.io/
• https://blog.stangroome.com/

HTTPS: you cannot spell respect without an S. – Eric Lawrence