
HTTPS and YOU


All about HTTPS. Talk given at WordCamp NYC 2015



  1. HTTPS and YOU
  2. What is HTTP? (or, how does the Internet work?)
  3. How HTTP works. Diagram: HTTP request, “I want to see a webpage nytimes.com/index.html”.
  4. How HTTP works. Diagram: HTTP request, then HTTP response, “Here’s the content of index.html”.
  5. Why is HTTP insecure?
  6. Request data is unencrypted, and servers don’t need to provide their identity over HTTP.
  7. HTTP is unencrypted. The data can be read by any intermediary. Diagram: the HTTP request “I want to see a webpage nytimes.com/twitter-stock-plummets/” goes over insecure wifi; the attacker can read the user’s HTTP request and response: “Hmm, looks like Eric is interested in Twitter stock…”
  8. HTTP is unencrypted. The data can be read by any intermediary. Diagram: the HTTP request reads: Log into my WordPress site with my username “eric” and my password “jorf”; it goes over insecure wifi, and the attacker thinks: “I wonder what a jorf is…”
  9. HTTP doesn’t require server identification. Any intermediary can spoof a request. Diagram: HTTP request, “I want to see a webpage nytimes.com/index.html”; an attacker can catch the request (DNS spoofing, etc.).
  10. HTTP doesn’t require server identification. Any intermediary can spoof a request. Diagram: HTTP response; the attacker returns spoofed content of index.html which says Russia bombed the U.S.
  11. What security does HTTPS provide?
  12. All data in the request is encrypted, except the delivery address. Diagram: the HTTPS request “I want to see a webpage nytimes.com/index.html” travels as “Send to 182.23.194.39” plus Fwu3489fehu9fr93wehufu9ef89y3hu9efhiufhr803 (encrypted request data).
  13. All data in the request is encrypted, except the delivery address. Diagram: the HTTPS response “Here’s the content of index.html” travels as “Send to 212.39.10.88” plus sdfj83jof83hfajnksdc83hud08duh38dhe8y38h383 (encrypted response data).
  14. HTTPS is encrypted. The data can’t be read by any intermediary. Diagram: the HTTPS request reads: Log into my WordPress site with my username “eric” and my password “jorf”; over insecure wifi it appears as “Send to 182.23.194.39” plus Fwu3489fehu9fr9ufu9ef89y3hu9efhiufhr803 (encrypted request data). The attacker can eavesdrop on the encrypted conversation, but doesn’t understand it.
  15. HTTPS requires server identification. An intermediary can’t spoof a request. Diagram: HTTPS request, “I want to see a webpage nytimes.com/index.html”; the attacker can’t spoof the server’s identification.
  16. HTTPS requires server identification. An intermediary can’t spoof a request. Diagram: two HTTPS requests; only the server with valid identification can respond to the request.
  17. “What if I don’t care about security?”
  18. “What if I don’t care about security?” • Google gives an SEO boost for HTTPS sites.
  19. “What if I don’t care about security?” • Google gives an SEO boost for HTTPS sites. • Your site can be faster on HTTPS with HTTP/2, which requires HTTPS.
  20. “What if I don’t care about security?” • Google gives an SEO boost for HTTPS sites. • Your site can be faster on HTTPS with HTTP/2, which requires HTTPS. • New browser features and APIs are limited to HTTPS sites.
  21. What is HTTPS not?
  22. HTTPS does not protect from brute force attacks. Diagram: try logging into a WordPress site as “eric” with password “a”.
  23. HTTPS does not protect from brute force attacks. Diagram: now try logging into a WordPress site as “eric” with password “b”.
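Slides 22 and 23 make the point that the encrypted tunnel hides the password in transit but does nothing to stop a guess-per-request loop; the limit has to live in the application. The following Python snippet, added here as an example and not code from the talk or from WordPress, shows the server-side control: a sliding window of failed logins per (username, client IP) that refuses further attempts, even with the correct password, once the limit is hit, together with a constant-time check against a salted PBKDF2 hash so that a wrong guess is never faster to reject than a right one. The username and password are the ones from the slides; the limit, window, salt and IP address are constructed values for the illustration.

```python
import hashlib
import hmac
import time
from collections import deque

# Constructed credential store: username "eric" / password "jorf" from the
# slides, kept as a salted PBKDF2 hash.  A real store uses a random salt per
# user; the fixed salt here only keeps the example self-contained.
_SALT = b"constructed-example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


_USERS = {"eric": _hash_password("jorf")}


def verify_password(username: str, password: str) -> bool:
    """Constant-time compare so response timing does not leak how close a guess was."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password))


class LoginGuard:
    """Sliding-window lockout keyed on (username, client IP)."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock            # injectable so the demo can fake time passing
        self._failures = {}           # (username, ip) -> deque of failure timestamps

    def _recent_failures(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return q

    def is_locked(self, username, ip):
        return len(self._recent_failures((username, ip), self.clock())) >= self.max_failures

    def attempt(self, username, ip, password):
        """Returns "locked", "ok" or "denied"."""
        key = (username, ip)
        now = self.clock()
        if len(self._recent_failures(key, now)) >= self.max_failures:
            return "locked"           # refused before the password is even checked
        if verify_password(username, password):
            self._failures.pop(key, None)
            return "ok"
        self._recent_failures(key, now).append(now)
        return "denied"


def simulate():
    """Five wrong guesses lock the account; the right password works again only after the window."""
    fake_time = [0.0]
    guard = LoginGuard(max_failures=5, window_seconds=300, clock=lambda: fake_time[0])
    ip = "203.0.113.7"   # RFC 5737 documentation address, constructed
    guesses = [guard.attempt("eric", ip, pw) for pw in "abcde"]
    while_locked = guard.attempt("eric", ip, "jorf")   # correct password, still refused
    fake_time[0] += 301                                # window expires
    after_window = guard.attempt("eric", ip, "jorf")
    return guesses, while_locked, after_window


if __name__ == "__main__":
    print(simulate())
```

Keying the window on both username and client address means one address hammering many accounts and many addresses hammering one account are both caught, at the cost of a shared NAT address locking out neighbours; production deployments usually add a per-IP budget and a captcha or second factor rather than relying on the lockout alone.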
  24. How does HTTPS work?
  25. How does HTTPS work? A server needs an SSL certificate and a private key.
  26. During the HTTPS handshake… Server sends SSL certificate.
  27. An SSL certificate includes a digital signature to identify the server, and a public key to assist with encryption.
  28. Browser and server negotiate encryption with private/public key encryption.
  29. Certificate Authority (CA). A trusted organization.
  30. How can a server provide identity? Server: “I really am nytimes.com, not some middle-man hacker!”
  31. Certificate Authority verifies a server. Server: “I really am nytimes.com, not some middle-man hacker!” CA: “Yes, we verified you are.”
  32. After verification, a Certificate Authority provides an SSL certificate. CA: “Here’s an SSL certificate.”
  33. The digital signature proves that the CA created the certificate.
  34. Browsers trust SSL certificates created by specific Certificate Authorities.
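Slides 15 and 16 and slides 27 to 34 describe the chain of trust in words: the CA signs the certificate, the signature proves the CA issued it, and the browser only believes CAs on its own list. The following Python program, added here as an example and not part of the talk, models that chain with a toy textbook RSA signature (no padding, no X.509 encoding, no intermediate certificates; real browsers verify PKCS#1 or ECDSA signatures over DER-encoded certificates and build full chains). A CA signs a small certificate binding the hostname nytimes.com to the server’s public key; a browser whose trust store holds that CA’s public key accepts it, while a certificate from a CA the browser does not trust (the “middle-man hacker” minting his own), a certificate whose public key was swapped after signing, and a genuine certificate presented for a different hostname are all rejected. The CA names, key size and dictionary certificate format are assumptions for the illustration.

```python
import hashlib
import json
import random

# Toy textbook RSA, for illustration only: keys are generated at run time and
# the signature is the raw SHA-256 digest raised to the private exponent.
_rng = random.SystemRandom()
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # fixed size, odd
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=384):
    """Returns ((n, e), (n, d)); n must exceed 2**256 so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:       # e is prime, so this is the gcd(e, phi) == 1 check
            continue
        return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def _to_be_signed(cert: dict) -> bytes:
    """Canonical bytes of every field except the signature itself."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private_key, subject, subject_public_key):
    """Slide 32: after verifying the server, the CA hands back a signed certificate."""
    cert = {"subject": subject, "issuer": ca_name, "public_key": list(subject_public_key)}
    cert["signature"] = sign(ca_private_key, _to_be_signed(cert))
    return cert


def browser_accepts(cert, hostname, trust_store) -> bool:
    """trust_store maps CA name -> CA public key: the browser's list of trusted CAs (slide 34)."""
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        return False                                   # issuer is not a trusted CA
    if not verify(ca_key, _to_be_signed(cert), cert["signature"]):
        return False                                   # signature mismatch: forged or tampered
    return cert["subject"] == hostname                 # certificate must be for this site


def demo():
    ca_pub, ca_priv = generate_keypair()
    trust_store = {"Example Trusted CA": ca_pub}        # assumed CA name
    server_pub, _server_priv = generate_keypair()
    genuine = issue_certificate("Example Trusted CA", ca_priv, "nytimes.com", server_pub)
    rogue_pub, rogue_priv = generate_keypair()          # the middle-man's own CA and key
    rogue = issue_certificate("Rogue CA", rogue_priv, "nytimes.com", rogue_pub)
    tampered = dict(genuine, public_key=list(rogue_pub))   # key swapped after signing
    return {
        "genuine": browser_accepts(genuine, "nytimes.com", trust_store),
        "rogue_ca": browser_accepts(rogue, "nytimes.com", trust_store),
        "tampered": browser_accepts(tampered, "nytimes.com", trust_store),
        "wrong_host": browser_accepts(genuine, "example.org", trust_store),
    }


if __name__ == "__main__":
    print(demo())
```

The three rejection cases are the ones a browser warning page covers: unknown issuer, invalid signature, and name mismatch. Note that the trust store is the whole basis of the scheme; an attacker who can add a CA to it, or a trusted CA that issues carelessly, defeats the check without breaking any cryptography.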
