
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)

When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust.

If that’s not motivation enough, the web’s giants are actively promoting HTTPS, requiring it for features such as HTTP2 & ServiceWorker, using it for search engine ranking and more. To make the most of the web, you need to use HTTPS.

This deck reviews what HTTPS is, discusses why you should prioritize using it, and covers some of the easiest (and most cost-effective) steps to get started using HTTPS.

Published in: Software


  1. HTTPS: What, Why and How? Guy Podjarny (@guypod)
  2. Web Security For Developers
  3. Intro about me • Guy Podjarny (@guypod) • Founder & CEO of Snyk.io (@snyksec) • Previously CTO at Akamai • Author (“Responsive & Fast”, “High Perf Images”) • 13 Years in Web Security, 6 Years in Web Performance
  4. HTTPS = Encrypted HTTP
  5. HTTPS = HTTP over TLS (stack diagram: HTTP is HTTP over TCP/IP; HTTPS is HTTP over TLS over TCP/IP)
  6. SSL < TLS
  7. What Does TLS Provide?
  8. Identification/Authentication: Who Am I Talking To?
  9. Integrity: Is This Really What It Said?
  10. Confidentiality: Nobody Else Can See What’s Said
  11. HTTPS Used for Banking
  12. HTTPS Used for Shopping
  13. HTTPS Elsewhere
  14. I want YOU To Use HTTPS
  15. Why HTTPS? The ‘Sticks’
  16. Protect User Privacy
  17. HTTPS Provides Confidentiality. Caveat: SNI (more on that later)
  18. Why HTTPS #1: Protect User Privacy
  19. Attacks Aren’t Always Passive. They Can Get VERY Active
  20. On HTTP pages, SDK loaded over HTTP
  21. “The Great Cannon”
  22. ‘… the most severe of which could allow remote code execution…’
  23. Who’s Behind The Curtain? With HTTP, You don’t know
  24. HTTPS Provides Authentication: Who Am I Talking To?
  25. Why HTTPS #2: Protect Your Users From Evil Websites
  26. Comcast: “We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast”
  27. Hijacking Wifi Isn’t Hard
  28. Here’s Johnny! Or maybe some piece of malware instead
  29. HTTPS Provides Integrity: Is This Really What It Said?
  30. Why HTTPS #3: Protect Your Business From Manipulation and Hijacking
  31. HTTPS On Checkout? https://www.adidas.co.uk/<checkout URL>
  32. http://www.adidas.co.uk/tubular-x-primeknit-shoes…
  33. SSLStrip (sequence diagram: Client, sslstrip, adidas.com): Client → sslstrip: http://a.com/product
  34. SSLStrip: Client → sslstrip: http://a.com/product; sslstrip → adidas.com: http://a.com/product
  35. SSLStrip: … adidas.com → sslstrip: page with <form target=“https://a.com/checkout”>
  36. SSLStrip: … sslstrip → Client: page with <form target=“http://a.com/checkout”> (the https target from adidas.com rewritten to http)
  37. SSLStrip: … Client → sslstrip: http://a.com/checkout (the checkout form is now submitted over plain HTTP)
  38. http://www.adidas.co.uk/<checkout URL>
  39. Partial HTTPS ~= No HTTPS
  40. But, But… Bookmarks! Deep External Links!
  41. Option #1: Don’t support HTTP. May Reduce Access
  42. Option #2: HTTP Strict-Transport-Security (HSTS). Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
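As an added example (not from the deck), the following Python evaluates a Strict-Transport-Security header against the value slide 42 recommends and then applies a stored policy the way a browser does, which is what closes the SSLStrip rewrite shown on slides 33 to 37: once a host is in the HSTS store, an http:// form target or link is rewritten to https:// before any request leaves the browser. The directive grammar follows RFC 6797; the one-year bar is the 31536000-second max-age quoted on the slide; the host names and header strings are constructed test input.

```python
"""Evaluate a Strict-Transport-Security header and apply it the way a browser would.

Added example (not from the deck): the header grammar follows RFC 6797; the
31536000-second bar is the max-age value quoted on slide 42.
"""
from urllib.parse import urlsplit, urlunsplit

# Threshold taken from slide 42: one year.
RECOMMENDED_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse an HSTS header value into a policy dict.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool}.
    Raises ValueError for the cases RFC 6797 says make the header invalid
    (missing max-age, non-numeric max-age, repeated directive).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError("directive repeated: %s" % name)
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored, as RFC 6797 section 6.1 requires.
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def assess_hsts(header_value):
    """Return a list of weaknesses; an empty list means the policy matches slide 42."""
    policy = parse_hsts(header_value)
    if policy["max_age"] == 0:
        return ["max-age=0 tells the browser to forget the policy; HSTS is switched off"]
    findings = []
    if policy["max_age"] < RECOMMENDED_MAX_AGE:
        findings.append("max-age below one year: the policy expires quickly, "
                        "reopening the http:// downgrade window")
    if not policy["include_subdomains"]:
        findings.append("no includeSubDomains: an http:// link to a subdomain "
                        "is still sent in clear text")
    if not policy["preload"]:
        findings.append("no preload: the very first visit is unprotected until "
                        "the header has been seen once over HTTPS")
    return findings


def upgrade_url(url, known_hosts):
    """Rewrite an http:// URL to https:// if its host is covered by a stored HSTS policy.

    known_hosts maps a host name to the policy dict parse_hsts() returns.
    This is the client-side step (RFC 6797 section 8.3) that defeats the
    form-target rewrite SSLStrip performs: the request never leaves as http.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = (parts.hostname or "").lower()
    for known, policy in known_hosts.items():
        covered = host == known or (
            policy["include_subdomains"] and host.endswith("." + known))
        if covered:
            # Explicit port 80 becomes the default 443; other ports are kept.
            port = "" if parts.port in (None, 80) else ":%d" % parts.port
            return urlunsplit(("https", host + port, parts.path,
                               parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    strong = "max-age=31536000; includeSubDomains; preload"
    print(assess_hsts(strong))          # []
    print(assess_hsts("max-age=3600"))  # three findings
    store = {"a.com": parse_hsts(strong)}   # a.com is the constructed host from slides 33-37
    print(upgrade_url("http://a.com/checkout", store))  # https://a.com/checkout
```

The first visit remains the weak point: the browser only learns the policy from a response it has already received over HTTPS, which is why the slide's header carries `preload` so the host can be shipped in the browser's built-in list.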
  43. Browser Security Indicators. Using Chrome as an example
  44. HTTP Site - No Comment
  45. HTTPS - Green + Lock
  46. Extra Good(?) HTTPS
  47. Imperfect HTTPS Site
  48. Is HTTP better than imperfect HTTPS? > ?
  49. Is HTTPS Secure?
  50. Is HTTPS Secure?
  51. Is HTTPS Secure?
  52. HTTPS ≠ Secure
  53. HTTP = Insecure
  54. ‘… people do not generally perceive the absence of a warning sign…’ (Marking HTTP As Insecure). ‘… Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web…’ (Deprecating Non-Secure HTTP)
  55. Indicators Already Changing 44 47
  56. Why HTTPS #4: HTTP To Be Marked Insecure
  57. Be Afraid. Be VERY Afraid.
  58. Why HTTPS? The ‘Carrots’
  59. HTTP2 and SPDY
  60. New And Improved HTTP. Last Major Update over 15 years ago!
  61. HTTP2 Multiplexing
  62. HTTP/1.0 - Single Request (sequence diagram: Open Connection, GET /foo, 200 OK, Close Connection)
  63. HTTP/1.1 (sequence diagram: GET /foo, 200 OK, GET /bar, 200 OK, GET /baz, 200 OK)
  64. HTTP/1.1 Pipelining (sequence diagram: GET /foo, GET /bar, GET /baz and their 200 OK responses)
  65. HTTP/1.1 Pipelining (sequence diagram: GET /foo, GET /bar, GET /baz and their 200 OK responses) - Head of Line Blocking
  66. HTTP/2 Multiplexing (sequence diagram: GET /foo, GET /bar, GET /baz and their 200 OK responses, interleaved)
  67. HTTP/1.1 vs HTTP/2
  68. HTTP2 Header Compression
  69. HTTP2 Server Push
  70. HTTP2 Is Awesome
  71. HTTP2 Is Here Today! https://caniuse.com/http2
  72. HTTP2 is Binary. Won’t be allowed through port 80…
  73. HTTP2 is New. Current Intermediaries (e.g. ISP Proxies) won’t support it
  74. How Can We Keep Proxies From Inspecting & Interfering? Any Ideas?
  75. HTTP/2 is a better HTTP
  76. Why HTTPS #5: HTTP2 works only over TLS. Works on current web + Makes the web secure!
  77. HTTP/2 0-25% Faster Compared to un-encrypted HTTP/1.1 (Source: Akamai)
  78. Service Worker
  79. appCache is a Douchebag TM (Source: A List Apart)
  80. We need Offline Web. Native Apps Have It…
  81. Solution: ServiceWorker • JavaScript Proxy, intercepts all requests • Programmable Cache, can store/read while offline • Can register for Push Notifications • Extensible Web Manifesto style • No-Prompt Installation, persists forever
  82. No Prompt?! Persists Forever?!
  83. ServiceWorker Poisoning? Feels Good In The Moment, But You Pay For It Later…
  84. Why HTTPS #6: ServiceWorker requires TLS. Mitigates Malicious ServiceWorker Risk
  85. Upcoming TLS-Only Features: Geolocation, Device Motion/Orientation, Fullscreen, EME (Encrypted Media Extensions), getUserMedia, … Further Reading (By @metromoxie): https://w3c.github.io/webappsec/specs/powerfulfeatures/
  86. End With Business
  87. HTTPS Impacts SEO
  88. ‘… we’re starting to use HTTPS as a ranking signal…’ ‘… For now it's only a very lightweight signal … But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web…’
  89. Why HTTPS #7: Google Ranks HTTPS Higher
  90. Handy Tools
  91. Certificate Cost & Complexity
  92. Hosting/Delivery Cost
  93. Only Last Mile Protected!
  94. Only Last Mile Protected! Note: Requires SNI
  95. No SNI - Single Host (sequence diagram: Client, DNS Server): Client → DNS Server: DNS Resolve foo.com; DNS Server → Client: foo.com=1.2.3.4
  96. No SNI - Single Host (sequence diagram): Client → DNS Server: DNS Resolve foo.com; DNS Server → Client: foo.com=1.2.3.4; Client → 1.2.3.4 (foo.com): TLS Client Hello; 1.2.3.4 (foo.com) → Client: foo.com Certificate
  97. No SNI - Shared Host (sequence diagram): Client → DNS Server: DNS Resolve foo.com; DNS Server → Client: CNAME cdn.net; Client → DNS Server: DNS Resolve cdn.net; DNS Server → Client: cdn.net=5.6.7.8
  98. No SNI - Shared Host (sequence diagram): Client → DNS Server: DNS Resolve foo.com; DNS Server → Client: CNAME cdn.net; Client → DNS Server: DNS Resolve cdn.net; DNS Server → Client: cdn.net=5.6.7.8; Client → 5.6.7.8 (CDN): TLS Client Hello. No Host Name! Which Certificate To Return?
  99. SNI - Server Name Indication (sequence diagram): Client → DNS Server: DNS Resolve foo.com; DNS Server → Client: CNAME cdn.net; Client → DNS Server: DNS Resolve cdn.net; DNS Server → Client: cdn.net=5.6.7.8; Client → 5.6.7.8 (CDN): TLS Client Hello (foo.com), which includes the host name; 5.6.7.8 (CDN) → Client: foo.com Certificate. Not Supported on: Windows XP (and older), Android 2.3 (and older), IE 7 (and older)
  100. Implementation Details
  101. Is Your TLS Secure?
  102. IsTLSFastYet.com
  103. Summary
  104. Why HTTPS #1: Protect User Privacy
  105. Why HTTPS #2: Protect Your Users From Evil Websites
  106. Why HTTPS #3: Protect Your Business From Manipulation and Hijacking
  107. Why HTTPS #4: HTTP To Be Marked Insecure
  108. Why HTTPS #5: HTTP2 works only over TLS. Works on current web + Makes the web secure!
  109. Why HTTPS #6: ServiceWorker requires TLS. Mitigates Malicious ServiceWorker Risk
  110. Why HTTPS #7: Google Ranks HTTPS Higher
  111. Switch (to HTTPS) Today!
  112. Thank You! Questions? Guy Podjarny (@guypod)
