All access demystifying certs

#AllAccessIT
#AllAccessIT
Demystifying Secure certifcates
Gary Williams
@garyw_
www.gdwnet.com

#AllAccessIT#AllAccessIT
• SEO!
• Browser warnings for plaintext sites.
• Provides a level of confidence in the site.
• Certs are free.
• They can be faster than plaintext.
Why use HTTPS at all?

If the host server supports HTTP/2, yes. IIS on 2016 does,
Apache, Nginx and so on does.
Developer tools in Chrome will show if a site is using HTTP/2
or not
Is HTTPS really faster than plaintext?

…because I’m not processing payments
…because everything on the site is public domain
…because I’ve only got 100 customers
…because it’s too expensive
…because I’m too small for hackers to attack me
Hackers have been using the devops methodology for years.
They’ve automated scanning and detection to a high degree.
I don’t need certs…

What is the risk of a non HTTPS site?
Content spoofing – ISP’s have been known to edit sites before delivery

Use Certs, don’t be this guy!

How do we get a cert?

How do we get a cert(2)?
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Certificate Files - CSR

Certificate Files (2)
Priv and Pub keys
• Most of them are text
• Windows has to difficult with the PFX format
• PFX holds private and public keys
• Keep private keys PRIVATE!

There is no magic to cert implementation but CA’s can make things
more complicated than they need to be
Let’s encrypt are working wonders to simplify things
All certs follow the same process:
• Create CSR
• Submit CSR to CA
• CA approves cert
• Retrieve cert
• Install cert
The first three can be rolled into one action
Cert Process

• SSL 2.0 – Vulnerable
• SSL 3.0 – Vulnerable to Poodle
• TLS 1.0 – Vulnerable to Poodle
• TLS 1.1 – No issues?
• TLS 1.2 – No issues?
• TLS 1.3 – No issues
TLS 1.1 and above are secure protocols, but you still need to
consider ciphers and other headers
TLS 1.3 was ratified in August, 2018
SSL/TLS Versions

What’s good about TLS 1.3?

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
The above cipher suite will work for all browsers from IE7 and above
and is the more secure set of ciphers available today.
You can add additional ciphers as the web server will try the most
secure first and then fallback to “less secure” protocols.
Cipher suites are implemented in web server/browser – not in Cert
Cipher Suites

Additional Headers - HSTS
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;“
HSTS sets a cookie on the connecting computer
That cookie expects the site to be presented over HTTPS for ‘max-age’ (two years).

Additional Headers - CSP
• Header set Content-Security-Policy "script-src 'self'; object-src 'self'“
• CSP – Content security policy
• Allows you to state what content you will allow on the page
• Can be fiddly but ultimately worth it

• All keys and certs should be kept outside of the website structure.
• Keep copies of cert files somewhere secure like a password
database.
• Check that cert chains are valid.
• Once a cert is installed, you’re still not fully secure.
• IIS, Nginx, Apache all need further changes to make them A+ on
Qualsys.
• Even with A+ you can go even further.
A few more things to check

• Vendors need to make installing certs a simpler process, lets encrypt
are leading the way.
• Last thing to do? MAKE A NOTE OF WHEN THE CERT EXPIRIES!
A few things to check

• Certification Authority Authorisation Record.
• This is coming, have it in place before September 2017 or renews
won’t be allowed for certs needing renewing after that date.
• CAA is a dedicated type of DNS record and looks like this:
CAA 0 Letsencrypt.org
• Doesn’t apply to internal CA’s
CAA DNS Records

• Nothing bad about internal CA’s – as long as they are only used for
internal services/servers.
• Internal CA’s become bad when used by people who don’t
automatically get the trusted root cert.
• Great for testing out cert process and securing things that are
often ignored.
• Watch your cert validity times!
Internal CA’s

• Extended Validation
• Provides additional validation for the owning company, “proves”
the site is legitimate
• The company has to go through it’s own validation process with
the CA
EV Certificates

EV Certificates (2)

• Anytime a change is made to a web config or a cert, run the site
through qualys free HTTPS tester.
• A scan takes about 10 minutes to run.
• Reports are by default, public.
Qualys free cert check

Securityheaders.com
• A nice tool for checking the security headers of a site

Security headers summary

Get people used to certs everywhere and to not ignore
warnings.
Let’s encrypt has great automation.
Keep copies of secure web server configs.
There are tools out there to help
• Qualsys SSL analyser
• Scott Helme’s securityheaders.io
If possible, test sites annually and whenever a modification is
made, just in case something breaks the security.
Recap

Handy Links
Qualys Scanner -> https://www.ssllabs.com/ssltest/
Scott Helme SecurityHeaders -> https://securityheaders.com/
Handy OpenSSL commands -> https://www.sslshopper.com/article-most-common-openssl-
commands.html
Apache Example Header -> https://github.com/gdwnet/apache-ssl-config/blob/master/wiki.conf

Thank you.
Questions?
Twitter: @garyw_
Web: www.gdwnet.com

All access demystifying certs

More Related Content

What's hot

Similar to All access demystifying certs

Recently uploaded

All access demystifying certs

Editor's Notes