#AllAccessIT
Demystifying Secure Certificates
Gary Williams
@garyw_
www.gdwnet.com
Why use HTTPS at all?
• SEO! Google ranks HTTPS sites above plaintext ones.
• Browsers now flag plaintext sites as “Not secure”.
• Provides a level of confidence in the site: the user is talking to the host named in the address bar, and nobody on the path can read or change the traffic.
• Certs are free (Let’s Encrypt).
• They can be faster than plaintext.
Is HTTPS really faster than plaintext?
It can be. Browsers only speak HTTP/2 over TLS, so a plaintext site is stuck on HTTP/1.1
while an HTTPS site on a server that supports HTTP/2 gets multiplexing and header compression.
IIS on Windows Server 2016 supports it, as do current Apache and Nginx.
The Network tab in Chrome’s developer tools (Protocol column, “h2”) shows whether a site is
using HTTP/2 or not; curl with --http2 prints HTTP/2 on the status line.
I don’t need certs…
…because I’m not processing payments
…because everything on the site is public domain
…because I’ve only got 100 customers
…because it’s too expensive
…because I’m too small for hackers to attack me
Hackers have been using the devops methodology for years: scanning and exploitation are
automated to a high degree, so attackers don’t pick targets, their scripts hit every address
they can reach. Being small or “not interesting” does not take you off the list.
What is the risk of a non-HTTPS site?
Content spoofing: ISPs have been known to edit pages before delivery (injecting adverts or
tracking scripts). Anyone else on the path, from a hotel Wi-Fi to a compromised router, can do
the same, and can also read everything the user sends, passwords and session cookies included.
Use Certs, don’t be this guy!
How do we get a cert?
How do we get a cert (2)?
# 2048-bit RSA key (unencrypted, -nodes) plus a CSR for it; you are prompted for the subject
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Modern browsers ignore the CN and require a subjectAltName, so put the host names in the
request as well (OpenSSL 1.1.1 and later accept -addext for this; older versions need a
config file with a req_extensions section), or the CA will have to be told them separately.
Certificate Files - CSR
Certificate Files (2)
Private and public keys
• Most of them are text: PEM is base64 between BEGIN/END lines, DER is the same thing in binary.
• Windows has to be awkward and wants the PFX (PKCS#12) format.
• A PFX bundles the private key with the certificate (and usually the chain), so treat the file
  exactly like a private key.
• Keep private keys PRIVATE!
Cert Process
There is no magic to cert implementation, but CAs can make things more complicated than
they need to be. Let’s Encrypt is working wonders to simplify things.
All certs follow the same process:
• Create a private key and a CSR
• Submit the CSR to the CA
• CA validates that you control the name and approves the cert
• Retrieve the cert (and the intermediate chain it needs)
• Install the cert
The first three can be rolled into one action, and with an ACME client such as certbot against
Let’s Encrypt the whole sequence, renewal included, is automated.
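The five steps above, run end to end as an added example that is not part of the original deck: a throwaway test CA stands in for the real or internal CA, and www.example.test, the file paths and the 30-day lifetimes are assumptions made for the demo. It also performs the checks later slides ask for (chain validity, a PFX for Windows, an expiry check), entirely offline.

```shell
#!/bin/sh
# Added example (not from the slides): the five-step cert process run end to
# end and offline. A throwaway test CA stands in for the public or internal CA;
# the hostname, paths and lifetimes are assumptions made for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-www.example.test}"   # assumed hostname: use your own

# Stand-in for the CA: a self-signed root marked CA:TRUE, so that
# 'openssl verify' will accept a chain it signs.
make_test_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 1, create the CSR: the openssl req from the slide plus a subjectAltName,
# because browsers ignore the CN and reject a cert that has no SAN.
make_csr() {
  cat > "$WORK/srv.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = srv_ext
[dn]
CN = $HOST
[srv_ext]
subjectAltName = DNS:$HOST
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/srv.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  chmod 600 "$WORK/server.key"   # -nodes leaves the key unencrypted: lock it down
}

# Steps 2 to 4, submit / approve / retrieve: the test CA signs the CSR and
# copies the requested SAN into the certificate.
sign_csr() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/srv.cnf" -extensions srv_ext \
    -out "$WORK/server.crt" 2>/dev/null
}

# "Check that cert chains are valid": the chain must verify up to the root,
# the key on disk must belong to the cert, and the SAN must really be there.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null; }
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)" ]
}
has_san() { openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$HOST"; }

# Step 5 on Windows: a PFX (PKCS#12) bundles key, cert and chain in one file,
# so it is exactly as sensitive as the private key.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/server.pfx"
}

# "Make a note of when the cert expires": exit 0 if still valid N days from now.
cert_ok_for_days() {
  openssl x509 -in "$WORK/server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

run_all() {
  make_test_ca && make_csr && sign_csr && verify_chain && key_matches_cert \
    && has_san && make_pfx && cert_ok_for_days 7
}
run_all && echo "chain verified, key matches, SAN present, PFX written under $WORK"
```

Run it as-is to get a root, key, cert and PFX under a temporary directory. Against a real CA, replace sign_csr with submitting server.csr and saving what comes back, and keep verify_chain, key_matches_cert and has_san as the post-install test; cert_ok_for_days is the check to put in a cron job.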
SSL/TLS Versions
• SSL 2.0 – broken, never enable
• SSL 3.0 – vulnerable to POODLE
• TLS 1.0 – BEAST, plus POODLE-style padding bugs in some implementations; deprecated
• TLS 1.1 – no known protocol break, but deprecated together with TLS 1.0 (RFC 8996, 2021)
  and dropped by the major browsers in 2020
• TLS 1.2 – fine with a good cipher suite selection
• TLS 1.3 – no known issues
TLS 1.2 and 1.3 are the protocols to offer today, but you still need to consider ciphers and
other headers; a strong protocol with weak ciphers is still weak.
TLS 1.3 was ratified in August 2018 (RFC 8446).
What’s good about TLS 1.3?
Cipher Suites
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
The above cipher suite string prefers ephemeral (EC)DHE key exchange with AES-GCM and only
falls back to AES-256-CBC suites, still with forward secrecy. It works for IE7 on Vista and
later (Windows XP has no ECDHE suites at all) and was the most secure set of ciphers available
at the time; the CBC fallbacks can be dropped once no client needs them.
You can add additional ciphers at the end of the list. The server only tries the most secure
first and falls back to “less secure” ciphers if it enforces its own preference order
(SSLHonorCipherOrder on in Apache); otherwise the client’s order wins.
Cipher suites are implemented in the web server and browser, not in the cert.
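What the slide’s cipher string actually matches depends on the OpenSSL the server is linked against, so it is worth expanding it locally. The following is an added example, not code from the deck: it runs openssl ciphers -v over the slide’s string, a trimmed GCM-only variant and an assumed legacy string, and checks the two properties a practitioner cares about, that every suite has forward secrecy and how many CBC fallbacks are left.

```shell
#!/bin/sh
# Added example (not from the slides): expand the SSLCipherSuite string from
# the slide with the local OpenSSL and audit what it actually matches. The
# two policy checks, forward secrecy everywhere and AEAD only, are this
# example's own choices, as is the LEGACY_SUITE string used for contrast.
set -eu

SLIDE_SUITE='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
MODERN_SUITE='EECDH+AESGCM:EDH+AESGCM'   # the slide's string without the CBC fallbacks
LEGACY_SUITE='AES128-SHA:AES256-SHA'     # assumed old config: RSA key exchange, CBC

# 'openssl ciphers -v' prints one suite per line:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
# so the audit below is just field tests over that output.
expand() { openssl ciphers -v "$1"; }

# Exit 0 when every TLS 1.2-or-older suite uses an ephemeral (EC)DH key
# exchange, i.e. a stolen server key cannot decrypt recorded traffic.
# TLS 1.3 lines show Kx=any and are always (EC)DHE, so they are skipped.
all_forward_secret() {
  openssl ciphers -v "$1" | awk '
    $2 == "TLSv1.3" { next }
    $3 != "Kx=ECDH" && $3 != "Kx=DH" { bad++ }
    END { exit (bad > 0) }'
}

# Number of non-AEAD (CBC + HMAC) suites in the list: these are what a
# client ends up with when the server does not enforce its own order.
count_non_aead() {
  openssl ciphers -v "$1" | awk '$6 != "Mac=AEAD" { n++ } END { print n + 0 }'
}

for s in "$SLIDE_SUITE" "$MODERN_SUITE" "$LEGACY_SUITE"; do
  if all_forward_secret "$s"; then fs=yes; else fs=no; fi
  echo "$s"
  echo "  forward secrecy on every suite: $fs, non-AEAD suites: $(count_non_aead "$s")"
done
```

Pair the cipher string with SSLProtocol -all +TLSv1.2 +TLSv1.3 and SSLHonorCipherOrder on in the Apache vhost; without the latter the client’s preference decides which of the matched suites is used, and the CBC fallbacks in the slide’s string are then on the table for every client.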
Additional Headers - HSTS
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
HSTS is not a cookie: it is a policy the browser records for the host the first time it sees
the header over a valid HTTPS connection (browsers ignore it on plain HTTP).
For ‘max-age’ seconds (63072000 is two years) the browser rewrites every http:// request for
the site to https:// before sending it and refuses to click through certificate errors.
includeSubDomains applies the policy to every subdomain, so check that all of them serve HTTPS
before you add it; a long max-age is hard to undo, so test with a short one first.
Additional Headers - CSP
• Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
• CSP – Content Security Policy
• Lets you state which sources of scripts, objects and other content the browser may load on
  the page; anything else, injected script included, is blocked.
• Can be fiddly but ultimately worth it. Start with Content-Security-Policy-Report-Only, which
  reports violations without blocking anything, then switch to enforcing.
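The checks a header scanner such as securityheaders.com performs for the two headers above, as an added example (not code from the deck or from securityheaders.com): it parses HSTS and CSP out of constructed responses, one acceptable and one weak, and flags a short max-age, a missing includeSubDomains, and a script-src that allows inline script or any host. The one-year threshold is the preload list’s minimum; the rest of the policy is this example’s own choice.

```shell
#!/bin/sh
# Added example (not from the slides): the HSTS and CSP checks a header
# scanner such as securityheaders.com runs, applied to constructed responses
# so it works offline. The one-year HSTS threshold and the CSP rules checked
# are this example's own choices.
set -eu

# Constructed responses in the shape 'curl -sI https://host/' prints (not real sites).
GOOD_HEADERS=$(cat <<'EOF'
HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains
content-security-policy: script-src 'self'; object-src 'self'
EOF
)
BAD_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: script-src 'self' 'unsafe-inline' *; object-src 'none'
EOF
)

# Value of header $2 in response $1, matched case-insensitively, CRs stripped.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -F': ' -v n="$2" '
    BEGIN { n = tolower(n) }
    tolower($1) == n { sub(/^[^:]*: */, ""); print; exit }'
}

# HSTS max-age in seconds; 0 when the header or the directive is missing.
hsts_max_age() {
  header_value "$1" Strict-Transport-Security | tr ';' '\n' | awk -F= '
    tolower($1) ~ /^ *max-age *$/ { print $2 + 0; found = 1; exit }
    END { if (!found) print 0 }'
}
hsts_includes_subdomains() {
  header_value "$1" Strict-Transport-Security | tr 'A-Z' 'a-z' | grep -q includesubdomains
}
# Exit 0 when HSTS is set for at least a year (the minimum the preload list accepts).
hsts_ok() { [ "$(hsts_max_age "$1")" -ge 31536000 ]; }

# The script-src directive of the CSP, or nothing if there is none.
csp_script_src() {
  header_value "$1" Content-Security-Policy | tr ';' '\n' | awk '
    { sub(/^ +/, "") }
    tolower($1) == "script-src" { $1 = ""; sub(/^ +/, ""); print; exit }'
}
# Exit 0 when script-src exists and allows neither inline script nor any host.
csp_script_ok() {
  src=$(csp_script_src "$1")
  [ -n "$src" ] || return 1
  case " $src " in
    *"'unsafe-inline'"*|*" * "*|*" http: "*|*" https: "*) return 1 ;;
  esac
  return 0
}

# One line per finding; exit 0 only when every hard check passes.
audit() {
  fails=0
  hsts_ok "$1" || { echo "  FAIL HSTS: max-age $(hsts_max_age "$1") is under one year"; fails=1; }
  hsts_includes_subdomains "$1" || echo "  WARN HSTS: no includeSubDomains"
  csp_script_ok "$1" || { echo "  FAIL CSP: script-src missing, or allows inline script / any host"; fails=1; }
  return $fails
}

echo "good response:"; audit "$GOOD_HEADERS" && echo "  all checks pass"
echo "bad response:";  audit "$BAD_HEADERS" || echo "  fix before relying on it"
```

Feed it real headers with audit "$(curl -sI https://www.example.com/)" after any config change; the constructed GOOD_HEADERS block is what the two Apache directives on the slides produce.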
A few more things to check
• All keys and certs should be kept outside of the website structure (never under the document
  root).
• Keep copies of cert files somewhere secure, such as a password database.
• Check that cert chains are valid: serve the intermediate certificates along with the leaf, or
  some clients will fail where your own browser (which caches intermediates) happens to work.
• Once a cert is installed, you’re still not fully secure.
• IIS, Nginx and Apache all need further changes (protocols, ciphers, headers) to get an A+ on
  Qualys SSL Labs.
• Even with an A+ you can go further.
A few things to check
• Vendors need to make installing certs a simpler process; Let’s Encrypt is leading the way.
• Last thing to do? MAKE A NOTE OF WHEN THE CERT EXPIRES! Better still, monitor the expiry date
  and automate renewal.
CAA DNS Records
• Certification Authority Authorization record.
• Since 8 September 2017 every public CA must check CAA before issuing. A domain with no CAA
  record can still get a cert from any CA; a domain with one can only get certs from the CAs it
  names, so a mis-set record will block your own renewals.
• CAA is a dedicated DNS record type. A record limiting issuance to Let’s Encrypt looks like this:
example.com.  CAA 0 issue "letsencrypt.org"
• Add an issuewild record to control wildcard certs separately, and an iodef record to be told
  about refused requests.
• Doesn’t apply to internal CAs.
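The issuance decision behind a CAA record, as an added example rather than anything from the deck: it implements the lookup (climb to the nearest name that has CAA records) and the issue / issuewild rules of RFC 8659 over a constructed zone, so example.test, locked.example.test and the CA identifiers are made up. It shows the three outcomes that matter: a domain with no CAA at all (anyone may issue), a domain that names one CA, and a record of ";" that blocks everyone.

```shell
#!/bin/sh
# Added example (not from the slides): the CAA decision a CA has to make,
# RFC 8659 style, run over a constructed zone instead of live DNS. The
# domain names, CA identifiers and records below are made up for the demo.
set -eu

# Constructed CAA records (zone-file style): example.test allows Let's Encrypt
# for ordinary names, forbids wildcards, and asks to be told about refusals;
# locked.example.test allows nobody at all.
ZONE='
example.test.         CAA 0 issue "letsencrypt.org"
example.test.         CAA 0 issuewild ";"
example.test.         CAA 0 iodef "mailto:security@example.test"
locked.example.test.  CAA 0 issue ";"
'

# The relevant CAA RRset for a name: the name's own CAA records if it has
# any, otherwise the nearest ancestor's (CNAME handling left out here).
relevant_rrset() {
  name="$1"
  while [ -n "$name" ]; do
    recs=$(printf '%s\n' "$ZONE" | awk -v n="$name." '$1 == n && $2 == "CAA"')
    if [ -n "$recs" ]; then printf '%s\n' "$recs"; return 0; fi
    case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
  done
  return 0
}

# caa_allows NAME CA [wild]: exit 0 if CA may issue for NAME (or *.NAME).
caa_allows() {
  name="$1"; ca="$2"; kind="${3:-plain}"
  rrset=$(relevant_rrset "$name")
  if [ -z "$rrset" ]; then return 0; fi      # no CAA anywhere: any CA may issue
  tag=issue
  if [ "$kind" = wild ] && printf '%s\n' "$rrset" | grep -q ' issuewild '; then
    tag=issuewild                             # issuewild, when present, overrides issue
  fi
  printf '%s\n' "$rrset" | awk -v tag="$tag" -v ca="$ca" '
    $4 != tag { next }
    { seen = 1
      v = $5; gsub(/"/, "", v); sub(/;.*/, "", v)   # drop quotes and parameters
      if (v == ca) ok = 1 }
    END { exit (seen && !ok) ? 1 : 0 }'      # records exist but none name this CA: deny
}

for q in "www.example.test letsencrypt.org" "www.example.test digicert.com" \
         "example.test letsencrypt.org wild" "locked.example.test letsencrypt.org" \
         "other.test digicert.com"; do
  set -- $q
  if caa_allows "$@"; then echo "ALLOW  $*"; else echo "DENY   $*"; fi
done
```

To see your own records the way a CA does, query with dig CAA example.com and, if nothing comes back, the parent domain; a record that only names your old CA is the usual reason a renewal with a new one is refused.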
Internal CAs
• Nothing bad about internal CAs, as long as they are only used for internal services/servers.
• Internal CAs become bad when used by people who don’t automatically get the trusted root
  cert: they either learn to click through warnings, or the root gets e-mailed around and
  installed by hand.
• Great for testing out the cert process and for securing things that are often ignored
  (admin interfaces, internal APIs, LDAP).
• Watch your cert validity times! Nobody reminds you when an internal cert is about to expire.
EV Certificates
• Extended Validation
• Provides additional validation of the owning company and “proves” the site is legitimate
• The company has to go through its own validation process with the CA
• Note that since 2019 the major browsers no longer show the company name in the address bar,
  so to a user an EV cert looks the same as a domain-validated one.
EV Certificates (2)
Qualys free cert check
• Any time a change is made to a web config or a cert, run the site through the Qualys SSL Labs
  HTTPS tester.
• A scan takes about 10 minutes to run.
• Reports are public by default; tick “Do not show the results on the boards” if you don’t want
  your grade listed.
Securityheaders.com
• A nice tool for checking the security headers of a site
Security headers summary
Recap
Get people used to certs everywhere and to not ignore warnings.
Let’s Encrypt has great automation.
Keep copies of secure web server configs.
There are tools out there to help:
• Qualys SSL Labs server test
• Scott Helme’s securityheaders.com
If possible, test sites annually and whenever a modification is made, just in case something
breaks the security.
Handy Links
Qualys Scanner -> https://www.ssllabs.com/ssltest/
Scott Helme SecurityHeaders -> https://securityheaders.com/
Handy OpenSSL commands -> https://www.sslshopper.com/article-most-common-openssl-commands.html
Apache Example Header -> https://github.com/gdwnet/apache-ssl-config/blob/master/wiki.conf
Thank you.
Questions?
Twitter: @garyw_
Web: www.gdwnet.com

Editor's Notes

  1. The background – I’ve put this together because I’m an IT person who enjoys messing with tech but I want that tech to be secure. Putting a secure cert on a site isn’t hard, there are a few things to be aware of that help secure a site properly. Sadly, the days of putting a cert on a server and walking away are long gone.
  2. Google recently announced that they will be giving higher page rankings to sites with SSL over plaintext. Going forward there will be increasing confidence with SSL/TLS enabled sites, browser warnings will be more prominent and harder to click past.
  3. Talk about logwatch on linux and the port 22 attacks.
  4. TLS 1.2 – vulnerable to SLOTH (https://access.redhat.com/articles/2112261), CVE-2015-7575, Jan 18th 2016, fixed in a patch. This is the first thing that confuses people: TLS 1.0 is newer, better and faster than SSL 3.0. Interesting story about TLS: IIS Crypto will disable TLS 1.0, which didn’t please our devs as they use that for deployments due to an older version of the .NET framework only supporting up to TLS 1.0. Gloucester City Council found themselves in trouble due to Heartbleed. Heartbleed can be defeated by upgrading OpenSSL. Secure certs don’t obviate the need for patching.
  5. EECDH – used for “Forward Secrecy” (or sometimes “Perfect Forward Secrecy”), which describes security protocols in which the confidentiality of past traffic is not compromised when long-term keys used by either or both sides are later disclosed. The last line is important: it means that both “military grade” and “bank grade” security are just marketing hype.
  6. There are many other headers and the list is growing. Each one provides additional protection