Let's go HTTPS-only! - More Than Buying a Certificate

Steffen Gebert
Steffen GebertInfrastructure dude at EMnify
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 1/36
Steffen Gebert (@StGebert, first.last@typo3.org)
Available at https://github.com/StephenKing/t3cvie16-https
1 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 2/36
Intro
Getting a Certificate
Server Setup
HTTP Headers
Experience with https://typo3.org
2 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 3/36
3 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 4/36
Things that you (or your colleague) can
do to secure your / your client's users.
Optionally: saves your / your client's
butt / reputation, as it helps to prevent
data leakage.
4 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 5/36
We're always talking about the same thing, which is
(nowadays) TLS.
(and the S in HTTPS, IMAPS, LDAPS, etc.)
Older versions were called SSL
insecure/secure/draft scoresheet:
SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2,
TLS 1.3
It's the layer between TCP and the Application Layer
protocol
$ openssl s_client -connect typo3.org:443
GET / HTTP/1.1
Host: typo3.org
HTTP/1.1 200 OK
Server: nginx/1.9.9
...
This gives us an encrypted connection (with a stranger
5 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 6/36
Peer is verified using the trust chain of Certificate Authorities (CAs)
signing the peer's certificate.
Our device/software vendor dictates this CA bundle for us.
Some hundreds certificate authorities are trusted (does not mean:
trustful) by our OSs/UAs.
If a web site uses a certificate signed by any of these CAs, everything is
fine™ *
This solves the authenticity problem (we know, with whom we're talking)
* given expiration date hasn't passed, yet.
6 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 7/36
7 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 8/36
Generate a key pair (private key + public key (unsigned))
Generate a Certificate Signing Request (CSR)
Send CSR to some CA (plus some money)
Validate domain ownership by receiving an email
You get the signed certificate back
You place the private key + signed cert on your web server
So, what's wrong here?
stupid manual process (there's no API for that - as you do it once per
1/2/3 year(s))
money
CAs have failed (badly!)
8 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 9/36
A free Certificate Authority ❤
Sponsored by Mozilla, EFF, and some others
SSL for the masses
Cert lifetime of max. 90 days
Yes, you have to automate that!
API/renewal protocol for certificates (ACME)
Official Python client, tens of third-party clients available
Domain-Validation: Challenge is checked via
HTTP(S) (directory .well-known/acme/ contains challenges)
DNS (TXT record with challenge needs to be set)
Only usable for publicly reachable services (?)
9 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 10/36
Green bar with company name in your UA
Personal/company validation
Expensive
Personal presence required
10 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 11/36
older days: you need a dedicated IP for SSL
problem: it's too late to send the Host: header, once connected via
TLS
nowadays: there's Server Name Indication (SNI)
informs server about targeted virtual host during TLS handshake
server picks key corresponding to that host name
11 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 12/36
12 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 13/36
I find it convenient
Number of options available
Apache httpd, nginx, haproxy
Varnish Software's Hitch - anybody tried already?
13 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 14/36
I find it convenient
Number of options available
Apache httpd, nginx, haproxy
Varnish Software's Hitch - anybody tried already?
14 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 15/36
Will not go into detail here, but used ciphers matter
Use Mozilla SSL Configuration Generator*
* https://mozilla.github.io/server-side-tls/ssl-config-generator/
15 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 16/36
QUALYS SSL Labs' SSL Checker:
The best thing ever! ❤❤❤
Get an A+!
https://www.ssllabs.com/ssltest/
There's also a command line client (ssllabs-scan) and API clients
Include it in your CI (?!) 16 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 17/36
Supported TLS versions
Insecure ciphers (RC4 etc.)
Chain issues (missing / redundant certificates)
TLS Vulnerabilities (BEAST, POODLE, Heartbleed & friends)
(Strong) Forward Secrecy (Diffie Helman)
Good HTTP headers as bonus (for the A+)
17 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 18/36
18 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 19/36
OWASP provides List of useful HTTP headers *
Some are no-brainers (this slide), some are tough to implement
Enforce XSS filter of browsers
X-XSS-Protection: "1; mode=block"
Clickjacking protection
X-Frame-Options:
deny - no rendering within a frame
sameorigin - no rendering if origin mismatch
allow-from: DOMAIN - allow rendering if framed by frame loaded
from DOMAIN
Disable MIME-type sniffing (browser might guess that a file is executable)
X-Content-Type-Options: nosniff
* Open Web Application Security Project,
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
19 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 20/36
Defines that UA must contact the server via HTTPS for all future requests
(for 6 months)
Strict-Transport-Security: "max-age=15768000; includeSubDomains"
Why?
You follow a link to http://example.com through a public hotspot
Everybody sees your cookies*
MITM can redirect you to arbitrary sites
MITM can inject arbitrary code / drive-by downloads
HSTS would prevent connecting via http:// and automatically ugprade
to secure connection.
Requirement: Site is reliably accessible via HTTPS
Bonus / caveat: Most UAs will refuse to permit untrusted certificates
* Hopefully, cookie is set with secure option
20 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 21/36
Cookie is sent to the UA using the Set-Cookie: cookie_data header
Set-Cookie: httponly prevents JavaScript code to access the cookie
(because XSS)
Set-Cookie: secure prevents UA to send cookie data via plaintext
(when HSTS is not used)
21 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 22/36
Specifies, which sources a browser is allowed to load
If policy is violated, UA will not load affected resource
Defined via HTTP header
Content-Security-Policy: script-src 'self'
Allows only own domain as source for <script> tags
Why?
XSS!
Name: Steffen
Comment:
Hello, my name is Steffen and I want to include
<script src="https://st-g.de/evil.js" />.
Excecute?
It should not happen, but it does!
Great intro: https://scotthelme.co.uk/content-security-policy-an-
introduction/
22 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 23/36
default-src: Define loading policy for all resources type in case of a
resource type dedicated directive is not defined (fallback),
script-src: Define which scripts the protected resource can execute,
object-src: Define from where the protected resource can load plugins,
style-src: Define which styles (CSS) the user applies to the protected
resource,
img-src: Define from where the protected resource can load images,
media-src: Define from where the protected resource can load video and
audio,
frame-src: Define from where the protected resource can embed frames,
font-src: Define from where the protected resource can load fonts,
connect-src: Define which URIs the protected resource can load using
script interfaces,
form-action: Define which URIs can be used as the action of HTML form
elements,
sandbox: Specifies an HTML sandbox policy that the user agent applies to
the protected resource,
script-nonce: Define script execution by requiring the presence of the
specified nonce on script elements,
plugin-types: Define the set of plugins that can be invoked by the
protected resource by limiting the types of resources that can be
embedded,
reflected-xss: Instructs a user agent to activate or deactivate any
23 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 24/36
CSP can kill your site
Test first!
CSP allows to specify a report URI
Violations will be reported (not like with sudo) by browsers
Header Content-Security-Policy-Report-Only:
What to use as Report URI?
https://report-uri.io, beautiful free service
Content-Security-Policy-Report-Only: default-src https:;
report-uri https://<your-account>.report-uri.io/r/default/csp/reportOnly
24 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 25/36
https://report-uri.io/account/reports/csp/
25 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 26/36
allows to identify mixed content
upgrade-insecure-requests allows to automatically load mixed
content via HTTPS
26 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 27/36
probably a tough job
test on typo3.org:
Content-Security-Policy-Report-Only:
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://piwik.typo3.org https://maps.google.com
https://*.googleapis.com https://cdn.jquerytools.org;
style-src 'self' 'unsafe-inline'
https://fonts.googleapis.com;
report-uri https://typo3org.report-uri.io/r/default/csp/reportOnly
you want to get rid of
'unsafe-inline': allows inline JS
'unsafe-eval': allows JS eval()
you want to whitelist hashes of external resources
27 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 28/36
Overrides trust relationship of CAs delivered with OS/UA.
Restricts ("pins") the certificate accepted when connecting via TLS to
specified fingerprints.
Public-Key-Pins: pin-sha256="cUPcTAZWKaASuY...oBAkE3h2+soZS7sWs=";
pin-sha256="M8HztCzM3elUxk...";
max-age=5184000;
includeSubDomains"
Again, there is Public-Key-Pins-Report-Only:
again, http://report-uri.io supports us here
Two hashes:
currently used key pair
backup key pair (key matters, doesn't have to be signed)
Backup key is successor after current key
Warning: Don't screw it up
28 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 29/36
what happened with
(few personal experiences)
29 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 30/36
few human users
many machines
PHP
PHP with cURL
curl
`wget
on new systems
on old systems
on very old systems
hopefully, your site is visited by more humans
30 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 31/36
(from HTTP to HTTPS)
were no issue!
31 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 32/36
does not trust any CA
you have to manually download CA bundle
32 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 33/36
IPv6 first (poor man's blue-green deployment)
wget on Debian 7 doesn't respect subjectAltNames
Because sh*t happens (in parallel)
33 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 34/36
Enable HTTP/2!
34 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 35/36
Enforce encrypted connections!
It makes a better world.
Use the available tools!
They help to validate your setup.
Set security-relevant headers!
on web server or in application
(only CSP & HPKP are hard to implement)
35 / 36
5/9/2016 Title
http://stephenking.github.io/t3cvie16-https/#6 36/36
36 / 36
1 of 36

Recommended

Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the Web by
Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the WebCleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the Web
Cleaning Up the Dirt of the Nineties - How New Protocols are Modernizing the WebSteffen Gebert
1.5K views64 slides
(Declarative) Jenkins Pipelines by
(Declarative) Jenkins Pipelines(Declarative) Jenkins Pipelines
(Declarative) Jenkins PipelinesSteffen Gebert
21.7K views52 slides
sed.pdf by
sed.pdfsed.pdf
sed.pdfMaenAlWedyan
51 views31 slides
Jenkins Pipelines by
Jenkins PipelinesJenkins Pipelines
Jenkins PipelinesSteffen Gebert
10.1K views46 slides
JavaOne 2016 - Pipeline as code by
JavaOne 2016 - Pipeline as codeJavaOne 2016 - Pipeline as code
JavaOne 2016 - Pipeline as codeBert Jan Schrijver
750 views27 slides
Pipeline as code - new feature in Jenkins 2 by
Pipeline as code - new feature in Jenkins 2Pipeline as code - new feature in Jenkins 2
Pipeline as code - new feature in Jenkins 2Michal Ziarnik
2.3K views27 slides

More Related Content

What's hot

Jenkins days workshop pipelines - Eric Long by
Jenkins days workshop  pipelines - Eric LongJenkins days workshop  pipelines - Eric Long
Jenkins days workshop pipelines - Eric Longericlongtx
1.8K views44 slides
Codifying the Build and Release Process with a Jenkins Pipeline Shared Library by
Codifying the Build and Release Process with a Jenkins Pipeline Shared LibraryCodifying the Build and Release Process with a Jenkins Pipeline Shared Library
Codifying the Build and Release Process with a Jenkins Pipeline Shared LibraryAlvin Huang
1.9K views53 slides
Monitoring Akka with Kamon 1.0 by
Monitoring Akka with Kamon 1.0Monitoring Akka with Kamon 1.0
Monitoring Akka with Kamon 1.0Steffen Gebert
2.4K views45 slides
7 Habits of Highly Effective Jenkins Users by
7 Habits of Highly Effective Jenkins Users7 Habits of Highly Effective Jenkins Users
7 Habits of Highly Effective Jenkins UsersJules Pierre-Louis
88 views36 slides
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration by
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems IntegrationJenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems IntegrationOleg Nenashev
1.4K views66 slides
7 Habits of Highly Effective Jenkins Users by
7 Habits of Highly Effective Jenkins Users7 Habits of Highly Effective Jenkins Users
7 Habits of Highly Effective Jenkins UsersJules Pierre-Louis
337 views50 slides

What's hot(20)

Jenkins days workshop pipelines - Eric Long by ericlongtx
Jenkins days workshop  pipelines - Eric LongJenkins days workshop  pipelines - Eric Long
Jenkins days workshop pipelines - Eric Long
ericlongtx1.8K views
Codifying the Build and Release Process with a Jenkins Pipeline Shared Library by Alvin Huang
Codifying the Build and Release Process with a Jenkins Pipeline Shared LibraryCodifying the Build and Release Process with a Jenkins Pipeline Shared Library
Codifying the Build and Release Process with a Jenkins Pipeline Shared Library
Alvin Huang1.9K views
Monitoring Akka with Kamon 1.0 by Steffen Gebert
Monitoring Akka with Kamon 1.0Monitoring Akka with Kamon 1.0
Monitoring Akka with Kamon 1.0
Steffen Gebert2.4K views
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration by Oleg Nenashev
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems IntegrationJenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Oleg Nenashev1.4K views
Jenkins, pipeline and docker by AgileDenver
Jenkins, pipeline and docker Jenkins, pipeline and docker
Jenkins, pipeline and docker
AgileDenver3K views
Building an Extensible, Resumable DSL on Top of Apache Groovy by jgcloudbees
Building an Extensible, Resumable DSL on Top of Apache GroovyBuilding an Extensible, Resumable DSL on Top of Apache Groovy
Building an Extensible, Resumable DSL on Top of Apache Groovy
jgcloudbees842 views
Voxxed Luxembourd 2016 Jenkins 2.0 et Pipeline as code by Damien Duportal
Voxxed Luxembourd 2016 Jenkins 2.0 et Pipeline as codeVoxxed Luxembourd 2016 Jenkins 2.0 et Pipeline as code
Voxxed Luxembourd 2016 Jenkins 2.0 et Pipeline as code
Damien Duportal655 views
CI/CD on Android project via Jenkins Pipeline by Veaceslav Gaidarji
CI/CD on Android project via Jenkins PipelineCI/CD on Android project via Jenkins Pipeline
CI/CD on Android project via Jenkins Pipeline
Veaceslav Gaidarji2.2K views
Jenkins Shared Libraries Workshop by Julien Pivotto
Jenkins Shared Libraries WorkshopJenkins Shared Libraries Workshop
Jenkins Shared Libraries Workshop
Julien Pivotto19.7K views
Brujug Jenkins pipeline scalability by Damien Coraboeuf
Brujug Jenkins pipeline scalabilityBrujug Jenkins pipeline scalability
Brujug Jenkins pipeline scalability
Damien Coraboeuf2.9K views
Docker for Developers - php[tek] 2017 by Chris Tankersley
Docker for Developers - php[tek] 2017Docker for Developers - php[tek] 2017
Docker for Developers - php[tek] 2017
Chris Tankersley1.1K views
Jenkins Declarative Pipelines 101 by Malcolm Groves
Jenkins Declarative Pipelines 101Jenkins Declarative Pipelines 101
Jenkins Declarative Pipelines 101
Malcolm Groves545 views
Using Docker to build and test in your laptop and Jenkins by Micael Gallego
Using Docker to build and test in your laptop and JenkinsUsing Docker to build and test in your laptop and Jenkins
Using Docker to build and test in your laptop and Jenkins
Micael Gallego9K views
Enable Fig to deploy to multiple Docker servers by Willy Kuo by Docker, Inc.
Enable Fig to deploy to multiple Docker servers by Willy KuoEnable Fig to deploy to multiple Docker servers by Willy Kuo
Enable Fig to deploy to multiple Docker servers by Willy Kuo
Docker, Inc.9.3K views
Import golang; struct microservice - Codemotion Rome 2015 by Giorgio Cefaro
Import golang; struct microservice - Codemotion Rome 2015Import golang; struct microservice - Codemotion Rome 2015
Import golang; struct microservice - Codemotion Rome 2015
Giorgio Cefaro7K views
Docker for Developers - Sunshine PHP by Chris Tankersley
Docker for Developers - Sunshine PHPDocker for Developers - Sunshine PHP
Docker for Developers - Sunshine PHP
Chris Tankersley812 views

Viewers also liked

State of the Jenkins Automation by
State of the Jenkins AutomationState of the Jenkins Automation
State of the Jenkins AutomationJulien Pivotto
5.6K views74 slides
Notes from Sales Acccerleration Summit Instiute of Excellence in Sales by
Notes from Sales Acccerleration Summit Instiute of Excellence in SalesNotes from Sales Acccerleration Summit Instiute of Excellence in Sales
Notes from Sales Acccerleration Summit Instiute of Excellence in SalesCybryx
210 views9 slides
Protection And Management of Copyright and Related Rights in Thailand:Current... by
Protection And Management of Copyright and Related Rights in Thailand:Current...Protection And Management of Copyright and Related Rights in Thailand:Current...
Protection And Management of Copyright and Related Rights in Thailand:Current...Dr. Supatchara Distabanjong
664 views18 slides
アジャイル事例紹介 by
アジャイル事例紹介アジャイル事例紹介
アジャイル事例紹介hiko99
4.2K views72 slides
Automation testing on ios platform using appium by
Automation testing on ios platform using appiumAutomation testing on ios platform using appium
Automation testing on ios platform using appiumAmbreen Khan
9K views56 slides
A mozgókép születése és fejlődése by
A mozgókép születése és fejlődéseA mozgókép születése és fejlődése
A mozgókép születése és fejlődéseDiána Burgundi
317 views18 slides

Viewers also liked(20)

State of the Jenkins Automation by Julien Pivotto
State of the Jenkins AutomationState of the Jenkins Automation
State of the Jenkins Automation
Julien Pivotto5.6K views
Notes from Sales Acccerleration Summit Instiute of Excellence in Sales by Cybryx
Notes from Sales Acccerleration Summit Instiute of Excellence in SalesNotes from Sales Acccerleration Summit Instiute of Excellence in Sales
Notes from Sales Acccerleration Summit Instiute of Excellence in Sales
Cybryx210 views
Protection And Management of Copyright and Related Rights in Thailand:Current... by Dr. Supatchara Distabanjong
Protection And Management of Copyright and Related Rights in Thailand:Current...Protection And Management of Copyright and Related Rights in Thailand:Current...
Protection And Management of Copyright and Related Rights in Thailand:Current...
アジャイル事例紹介 by hiko99
アジャイル事例紹介アジャイル事例紹介
アジャイル事例紹介
hiko994.2K views
Automation testing on ios platform using appium by Ambreen Khan
Automation testing on ios platform using appiumAutomation testing on ios platform using appium
Automation testing on ios platform using appium
Ambreen Khan9K views
A mozgókép születése és fejlődése by Diána Burgundi
A mozgókép születése és fejlődéseA mozgókép születése és fejlődése
A mozgókép születése és fejlődése
Diána Burgundi317 views
201605 fa勉強会スライド by 秀平 高橋
201605 fa勉強会スライド201605 fa勉強会スライド
201605 fa勉強会スライド
秀平 高橋655 views
SeleniumIDEとSelenium WebDriver × Node.js Seleniumで業務効率化する15分 by 松田 千尋
SeleniumIDEとSelenium WebDriver × Node.js Seleniumで業務効率化する15分SeleniumIDEとSelenium WebDriver × Node.js Seleniumで業務効率化する15分
SeleniumIDEとSelenium WebDriver × Node.js Seleniumで業務効率化する15分
松田 千尋11.1K views
Practical Tips & Tricks for Selenium Test Automation by Sauce Labs
Practical Tips & Tricks for Selenium Test AutomationPractical Tips & Tricks for Selenium Test Automation
Practical Tips & Tricks for Selenium Test Automation
Sauce Labs8.2K views
Seleniumのモバイル版「Appium」を使ってみた by yamapy black
Seleniumのモバイル版「Appium」を使ってみたSeleniumのモバイル版「Appium」を使ってみた
Seleniumのモバイル版「Appium」を使ってみた
yamapy black3.2K views
認試軟體測試的世界 & TDD/BDD 入門 by wantingj
認試軟體測試的世界 & TDD/BDD 入門認試軟體測試的世界 & TDD/BDD 入門
認試軟體測試的世界 & TDD/BDD 入門
wantingj11.9K views
kintoneチームを支えるSeleniumテスト by Jumpei Miyata
kintoneチームを支えるSeleniumテストkintoneチームを支えるSeleniumテスト
kintoneチームを支えるSeleniumテスト
Jumpei Miyata10.3K views
Investigating the Impact of Network Topology on the Processing Times of SDN C... by Steffen Gebert
Investigating the Impact of Network Topology on the Processing Times of SDN C...Investigating the Impact of Network Topology on the Processing Times of SDN C...
Investigating the Impact of Network Topology on the Processing Times of SDN C...
Steffen Gebert1.4K views
Jenkins Bootcamp Premiumのご紹介 in デブサミ2016冬 by Masanori Satoh
Jenkins Bootcamp Premiumのご紹介 in デブサミ2016冬Jenkins Bootcamp Premiumのご紹介 in デブサミ2016冬
Jenkins Bootcamp Premiumのご紹介 in デブサミ2016冬
Masanori Satoh1.6K views
Node.js and Selenium Webdriver, a journey from the Java side by Mek Srunyu Stittri
Node.js and Selenium Webdriver, a journey from the Java sideNode.js and Selenium Webdriver, a journey from the Java side
Node.js and Selenium Webdriver, a journey from the Java side
Mek Srunyu Stittri25.9K views
20161218 selenium study4 by Naoya Kojima
20161218 selenium study420161218 selenium study4
20161218 selenium study4
Naoya Kojima2.8K views
Selenium, Appium, and Robots! by hugs
Selenium, Appium, and Robots!Selenium, Appium, and Robots!
Selenium, Appium, and Robots!
hugs35K views
開発者を支える生産性向上チームの取り組み -CI, Browser Test, Tools and Infrastructure- by Jumpei Miyata
開発者を支える生産性向上チームの取り組み -CI, Browser Test, Tools and Infrastructure-開発者を支える生産性向上チームの取り組み -CI, Browser Test, Tools and Infrastructure-
開発者を支える生産性向上チームの取り組み -CI, Browser Test, Tools and Infrastructure-
Jumpei Miyata3.3K views
BDD with JBehave and Selenium by Nikolay Vasilev
BDD with JBehave and SeleniumBDD with JBehave and Selenium
BDD with JBehave and Selenium
Nikolay Vasilev61.7K views
手機自動化測試和持續整合 by Carl Su
手機自動化測試和持續整合手機自動化測試和持續整合
手機自動化測試和持續整合
Carl Su6.1K views

Similar to Let's go HTTPS-only! - More Than Buying a Certificate

Linux confau 2019: Web Security 2019 by
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
304 views80 slides
HTTP Security Headers Every Java Developer Must Know by
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
2.3K views52 slides
HTTP Security Headers by
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
532 views43 slides
Web Browsers And Other Mistakes by
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakesguest2821a2
3.3K views70 slides
Cross Context Scripting attacks & exploitation by
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
3.5K views69 slides
Cabeçalhos de Segurança HTTP by
Cabeçalhos de Segurança HTTPCabeçalhos de Segurança HTTP
Cabeçalhos de Segurança HTTPIsmael Goncalves
73 views43 slides

Similar to Let's go HTTPS-only! - More Than Buying a Certificate(20)

Linux confau 2019: Web Security 2019 by James Bromberger
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
James Bromberger304 views
HTTP Security Headers Every Java Developer Must Know by Ayoma Wijethunga
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga2.3K views
Web Browsers And Other Mistakes by guest2821a2
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
guest2821a23.3K views
OpenStack and serverless - long shot or sure thing by Cloudify Community
OpenStack and serverless - long shot or sure thingOpenStack and serverless - long shot or sure thing
OpenStack and serverless - long shot or sure thing
20190516 web security-basic by MksYi
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
MksYi 94 views
[Wroclaw #2] Web Application Security Headers by OWASP
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
OWASP1K views
Browser Wars 2019 - Implementing a Content Security Policy by George Boobyer
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer423 views
V2 peter-lubbers-sf-jug-websocket by brent bucci
V2 peter-lubbers-sf-jug-websocketV2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocket
brent bucci2.1K views
Rails security: above and beyond the defaults by Matias Korhonen
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen438 views
Javascript issues and tools in production for developers by Michael Haberman
Javascript issues and tools in production for developersJavascript issues and tools in production for developers
Javascript issues and tools in production for developers
Michael Haberman121 views
Browser security by Uday Anand
Browser securityBrowser security
Browser security
Uday Anand110 views
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today by Heroku
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Heroku245.3K views
Securing TodoMVC Using the Web Cryptography API by Kevin Hakanson
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson3.2K views
Opening up the Social Web - Standards that are bridging the Islands by Bastian Hofmann
Opening up the Social Web - Standards that are bridging the IslandsOpening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands
Bastian Hofmann9.3K views

More from Steffen Gebert

Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr... by
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...Steffen Gebert
53 views71 slides
Feature Management Platforms by
Feature Management PlatformsFeature Management Platforms
Feature Management PlatformsSteffen Gebert
44 views34 slides
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT Devices by
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT DevicesServerless Networking - How We Provide Cloud-Native Connectivity for IoT Devices
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT DevicesSteffen Gebert
252 views51 slides
How our Cloudy Mindsets Approached Physical Routers by
How our Cloudy Mindsets Approached Physical RoutersHow our Cloudy Mindsets Approached Physical Routers
How our Cloudy Mindsets Approached Physical RoutersSteffen Gebert
137 views63 slides
Jenkins vs. AWS CodePipeline (AWS User Group Berlin) by
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)Jenkins vs. AWS CodePipeline (AWS User Group Berlin)
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)Steffen Gebert
454 views64 slides
Jenkins vs. AWS CodePipeline by
Jenkins vs. AWS CodePipelineJenkins vs. AWS CodePipeline
Jenkins vs. AWS CodePipelineSteffen Gebert
2.6K views68 slides

More from Steffen Gebert(20)

Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr... by Steffen Gebert
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...
Wenn selbst ‘erlaube allen Verkehr von 0.0.0.0/0’ nicht hilft - Verbindungspr...
Steffen Gebert53 views
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT Devices by Steffen Gebert
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT DevicesServerless Networking - How We Provide Cloud-Native Connectivity for IoT Devices
Serverless Networking - How We Provide Cloud-Native Connectivity for IoT Devices
Steffen Gebert252 views
How our Cloudy Mindsets Approached Physical Routers by Steffen Gebert
How our Cloudy Mindsets Approached Physical RoutersHow our Cloudy Mindsets Approached Physical Routers
How our Cloudy Mindsets Approached Physical Routers
Steffen Gebert137 views
Jenkins vs. AWS CodePipeline (AWS User Group Berlin) by Steffen Gebert
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)Jenkins vs. AWS CodePipeline (AWS User Group Berlin)
Jenkins vs. AWS CodePipeline (AWS User Group Berlin)
Steffen Gebert454 views
Jenkins vs. AWS CodePipeline by Steffen Gebert
Jenkins vs. AWS CodePipelineJenkins vs. AWS CodePipeline
Jenkins vs. AWS CodePipeline
Steffen Gebert2.6K views
SDN interfaces and performance analysis of SDN components by Steffen Gebert
SDN interfaces and performance analysis of SDN componentsSDN interfaces and performance analysis of SDN components
SDN interfaces and performance analysis of SDN components
Steffen Gebert2.3K views
The Development Infrastructure of the TYPO3 Project by Steffen Gebert
The Development Infrastructure of the TYPO3 ProjectThe Development Infrastructure of the TYPO3 Project
The Development Infrastructure of the TYPO3 Project
Steffen Gebert881 views
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-Entwicklung by Steffen Gebert
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-EntwicklungDer Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-Entwicklung
Der Weg zu TYPO3 CMS 6.0 und Einblicke in die TYPO3-Entwicklung
Steffen Gebert6.7K views
Official typo3.org infrastructure &
the TYPO3 Server Admin Team by Steffen Gebert
Official typo3.org infrastructure &
the TYPO3 Server Admin TeamOfficial typo3.org infrastructure &
the TYPO3 Server Admin Team
Official typo3.org infrastructure &
the TYPO3 Server Admin Team
Steffen Gebert1.4K views
Neuigkeiten aus dem TYPO3-Projekt by Steffen Gebert
Neuigkeiten aus dem TYPO3-ProjektNeuigkeiten aus dem TYPO3-Projekt
Neuigkeiten aus dem TYPO3-Projekt
Steffen Gebert1.4K views
*.typo3.org - Dienste von und für die Community by Steffen Gebert
*.typo3.org - Dienste von und für die Community*.typo3.org - Dienste von und für die Community
*.typo3.org - Dienste von und für die Community
Steffen Gebert602 views
Git & Gerrit: Verteilte Softwareentwicklung und -reviews in der TYPO3-Community by Steffen Gebert
Git & Gerrit: Verteilte Softwareentwicklung und -reviews in der TYPO3-CommunityGit & Gerrit: Verteilte Softwareentwicklung und -reviews in der TYPO3-Community
Git & Gerrit: Verteilte Softwareentwicklung und -reviews in der TYPO3-Community
Steffen Gebert932 views
Git & Gerrit: Verteilte Softwareentwicklung und -reviews in der TYPO3-Community by Steffen Gebert
Git & Gerrit: Verteilte Softwareentwicklung und -reviews in der TYPO3-CommunityGit & Gerrit: Verteilte Softwareentwicklung und -reviews in der TYPO3-Community
Git & Gerrit: Verteilte Softwareentwicklung und -reviews in der TYPO3-Community
Steffen Gebert2.3K views
Secure password storing with saltedpasswords in TYPO3 by Steffen Gebert
Secure password storing with saltedpasswords in TYPO3Secure password storing with saltedpasswords in TYPO3
Secure password storing with saltedpasswords in TYPO3
Steffen Gebert9.6K views

Recently uploaded

MVP and prioritization.pdf by
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdfrahuldharwal141
39 views8 slides
This talk was not generated with ChatGPT: how AI is changing science by
This talk was not generated with ChatGPT: how AI is changing scienceThis talk was not generated with ChatGPT: how AI is changing science
This talk was not generated with ChatGPT: how AI is changing scienceElena Simperl
32 views13 slides
Discover Aura Workshop (12.5.23).pdf by
Discover Aura Workshop (12.5.23).pdfDiscover Aura Workshop (12.5.23).pdf
Discover Aura Workshop (12.5.23).pdfNeo4j
15 views55 slides
Qualifying SaaS, IaaS.pptx by
Qualifying SaaS, IaaS.pptxQualifying SaaS, IaaS.pptx
Qualifying SaaS, IaaS.pptxSachin Bhandari
1.1K views8 slides
Cencora Executive Symposium by
Cencora Executive SymposiumCencora Executive Symposium
Cencora Executive Symposiummarketingcommunicati21
160 views14 slides
"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell by
"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell
"Node.js vs workers — A comparison of two JavaScript runtimes", James M SnellFwdays
14 views30 slides

Recently uploaded(20)

This talk was not generated with ChatGPT: how AI is changing science by Elena Simperl
This talk was not generated with ChatGPT: how AI is changing scienceThis talk was not generated with ChatGPT: how AI is changing science
This talk was not generated with ChatGPT: how AI is changing science
Elena Simperl32 views
Discover Aura Workshop (12.5.23).pdf by Neo4j
Discover Aura Workshop (12.5.23).pdfDiscover Aura Workshop (12.5.23).pdf
Discover Aura Workshop (12.5.23).pdf
Neo4j15 views
"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell by Fwdays
"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell
"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell
Fwdays14 views
Innovation & Entrepreneurship strategies in Dairy Industry by PervaizDar1
Innovation & Entrepreneurship strategies in Dairy IndustryInnovation & Entrepreneurship strategies in Dairy Industry
Innovation & Entrepreneurship strategies in Dairy Industry
PervaizDar135 views
Deep Tech and the Amplified Organisation: Core Concepts by Holonomics
Deep Tech and the Amplified Organisation: Core ConceptsDeep Tech and the Amplified Organisation: Core Concepts
Deep Tech and the Amplified Organisation: Core Concepts
Holonomics17 views
Transcript: Redefining the book supply chain: A glimpse into the future - Tec... by BookNet Canada
Transcript: Redefining the book supply chain: A glimpse into the future - Tec...Transcript: Redefining the book supply chain: A glimpse into the future - Tec...
Transcript: Redefining the book supply chain: A glimpse into the future - Tec...
BookNet Canada41 views
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays36 views
"Package management in monorepos", Zoltan Kochan by Fwdays
"Package management in monorepos", Zoltan Kochan"Package management in monorepos", Zoltan Kochan
"Package management in monorepos", Zoltan Kochan
Fwdays34 views
Cocktail of Environments. How to Mix Test and Development Environments and St... by Aleksandr Tarasov
Cocktail of Environments. How to Mix Test and Development Environments and St...Cocktail of Environments. How to Mix Test and Development Environments and St...
Cocktail of Environments. How to Mix Test and Development Environments and St...
PCCC23:日本AMD株式会社 テーマ2「AMD EPYC™ プロセッサーを用いたAIソリューション」 by PC Cluster Consortium
PCCC23:日本AMD株式会社 テーマ2「AMD EPYC™ プロセッサーを用いたAIソリューション」PCCC23:日本AMD株式会社 テーマ2「AMD EPYC™ プロセッサーを用いたAIソリューション」
PCCC23:日本AMD株式会社 テーマ2「AMD EPYC™ プロセッサーを用いたAIソリューション」
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... by ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue108 views
The Power of Heat Decarbonisation Plans in the Built Environment by IES VE
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built Environment
IES VE84 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays58 views
Mobile Core Solutions & Successful Cases.pdf by IPLOOK Networks
Mobile Core Solutions & Successful Cases.pdfMobile Core Solutions & Successful Cases.pdf
Mobile Core Solutions & Successful Cases.pdf
IPLOOK Networks14 views

Let's go HTTPS-only! - More Than Buying a Certificate