LINUX.CONF.AU
21-25 January 2019 | Christchurch | NZ
The Linux of Things
#LCA2019 @linuxconfau
Web Security
2019
James Bromberger @JamesBromberger www.james.rcpt.to
• First paid-for web content 1995 (still online!)
• UWA Webmaster, 1997 – 2000 [1] (AusWeb Ballina 1999?)
• Debian/GNU Linux Developer 2001 – present
• Hartley’s/JDV online ShareTrading
• Linux.conf.au chair 2003 w/Linus [2]
• Fotango=Canon Europe (UK)/Vibrant Media (UK) 2003-2010
• AWS Security Soln Arch. Aus & New Zealand 2012-2014 [3]
• Modis CD National Cloud & Cyber Security Lead [4]
https://letsencrypt.org/stats/#percent-pageloads
% HTTPS v HTTP (by Firefox)
Browser % Market Share according to Stat Counter
Chrome 62.28
Safari 14.69
Firefox 4.93
Total 81.9%
What happens (sic) on 30 June 2018?
30 June 2018 is (was) the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2+ is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.
The legacy browser has gone in the real world. It only remains in locked-down SOE/MOE environments where admin staff can’t keep up with distribution of new browsers!
Given our TLS requirements (which limit legacy client compatibility), what can we do now to improve our security?
(With as close to zero code changes)
• Current generation TLS protocols
• Strong Cipher Suites
• HTTP Security Headers
• DNS CAA record
• Sub Resource Integrity (SRI)
• Cookies: SameSite property
• HTTP/2 protocol
0. Use HTTPS
Get rid of HTTP everywhere
Trusted certificates are free
(Donate to LetsEncrypt)!
Use HTTPS!
It’s not [just] about how much you value your content.
It’s about how much you value your visitors (customers,
staff, self) not being intercepted.
Internet, internal, everywhere.
Automate certificate roll over!
Leave auth tokens (secrets in DNS) for DV in place, in case
of unexpected events.
HTTPS Aside #1
https://techcrunch.com/2019/01/11/shutdown-government-websites-https-certificates-expire/
1. TLS Protocols
In with the new;
Out with the old
(in that order)
TLS Protocol: Major components by time
[Diagram over a time axis. Phases: Protocol, Key Exchange, Bulk Encryption. Labels: cert exchange; bulk cipher selection; symmetric key exchange; up to several gigabytes]
• There are just 7 TLS versions defined.
• Most are 10+ years old.
• Only 6 have been used in the wild.
• Only 3 are not yet known to be compromised.
• Do you support the use of known compromised protocols?
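SSLv1, SSLv2, SSLv3, TLS 1, TLS 1.1, TLS 1.2, TLS 1.3

| Year | Version | Published by |
|------|---------|--------------|
| 1994 | SSL 1.0 | Netscape |
| 1995 | SSL 2.0 | Netscape |
| 1996 | SSL 3.0 | IETF |
| 1999 | TLS 1.0 | IETF |
| 2006 | TLS 1.1 | IETF |
| 2008 | TLS 1.2 | IETF |
| 2018 | TLS 1.3 | IETF |

[Timeline markers: first Chrome release; first Safari release; first Firefox release; first Opera release; first Edge release; (last) IE 11 release]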
• You are highly unlikely to see clients on TLS 1.1
• Check logs; disable 1.1
• Your stack probably doesn’t support TLS 1.3 yet †
[Chart: TLS 1.1, TLS 1.2, TLS 1.3]
† Apache 2.4 on Debian testing
23/Jan/2019: Apache2 2.4.37-1, openssl 1.1.1a-1
ssl.conf:
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2, TLSv1.3"
[Screenshot @ 23/Jan/2019T10:13:00 NZDT]
Today’s Protocols Winners:
• TLS 1.2 [RFC 5246; August 2008]
• TLS 1.3 [RFC 8446; August 2018]
You should:
• Determine TLS version and ciphers actively
used from logs (turn on this logging)
• Turn off the unused legacy protocols
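One way to do the log check above, as an added example that is not from the talk. It assumes Apache logs mod_ssl's `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` fields in the format shown in the first comment; the log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (mod_ssl fields):
#   CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<size>\S+)$'
)
KEEP = {"TLSv1.2", "TLSv1.3"}                      # protocols the talk keeps
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")    # candidates to switch off
WEAK_MARKERS = ("RC4", "DES", "MD5")               # "DES" also matches 3DES (DES-CBC3)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
[23/Jan/2019:10:13:00 +1300] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 5120
[23/Jan/2019:10:13:01 +1300] 192.0.2.11 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 5120
[23/Jan/2019:10:13:02 +1300] 198.51.100.7 TLSv1 DES-CBC3-SHA "GET /feed HTTP/1.1" 812
[23/Jan/2019:10:13:03 +1300] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /css HTTP/1.1" 940
[23/Jan/2019:10:13:04 +1300] 203.0.113.5 TLSv1.2 AES128-SHA "POST /api HTTP/1.1" 77
[23/Jan/2019:10:13:05 +1300] 203.0.113.9 - - "GET / HTTP/1.1" 229
truncated line without fields
"""


def is_weak_cipher(name):
    """True for suites with RC4/DES/3DES bulk ciphers or MD5/SHA1 MACs."""
    return any(marker in name for marker in WEAK_MARKERS) or name.endswith("-SHA")


def summarise(log_text):
    """Tally negotiated protocols and ciphers, and who still needs the old ones."""
    protocols, ciphers = Counter(), Counter()
    legacy_clients = defaultdict(set)       # client -> legacy protocols seen
    weak_cipher_clients = defaultdict(set)  # client -> weak suites seen
    plain_http = unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        client, proto, cipher = m["client"], m["proto"], m["cipher"]
        if proto == "-":                    # plain HTTP request: no TLS fields
            plain_http += 1
            continue
        protocols[proto] += 1
        ciphers[cipher] += 1
        if proto not in KEEP:
            legacy_clients[client].add(proto)
        if is_weak_cipher(cipher):
            weak_cipher_clients[client].add(cipher)
    return {
        "protocols": protocols,
        "ciphers": ciphers,
        "legacy_clients": dict(legacy_clients),
        "weak_cipher_clients": dict(weak_cipher_clients),
        "plain_http": plain_http,
        "unparsed": unparsed,
    }


def unused_legacy(summary):
    """Legacy protocols no logged client negotiated: safe to disable first."""
    return [p for p in LEGACY if summary["protocols"][p] == 0]


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("protocols:", dict(report["protocols"]))
    print("clients on legacy protocols:", report["legacy_clients"])
    print("clients on weak suites:", report["weak_cipher_clients"])
    print("unused legacy protocols:", unused_legacy(report))
```

The per-client sets show who breaks when a protocol or suite is removed, which is the evidence needed before turning it off.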
Q: Which side of the network
am I talking about?
Server
Q: Which side of the network
am I talking about?
Client
Both!
| Language | TLS 1.2 (Aug 2008) | TLS 1.3 (Aug 2018) |
|----------|--------------------|--------------------|
| Java | 6u121* (July 2016; limited ciphers); 7u131 (January 2017); 8 | 6: Bwhahaha; 7: nope; 8: no; 11 (September 2018; use OpenJDK or forks, ok?; 11.0.2 GA 16/Jan/2019) |
| .Net | 4.5 (Possible); 4.6 (default enabled) | Not yet? Watch for schannel.dll changes |
| Python | 2.6.9+ | 3.7 (June 2018) |
| PHP | (Check OpenSSL libs) | (Check OpenSSL libs) |
| OpenSSL | 1.0.1 (March 2012) | 1.1.1 (Sept 2018) |

| Language | Debian GNU/Linux Testing | TLS 1.3 (Aug 2018) |
|----------|--------------------------|--------------------|
| Java | 11.0.2+7-1 | 6: Bwhahaha; 7: nope; 8: no; 11 (September 2018; use OpenJDK or forks, ok?; 11.0.2 GA 16/Jan/2019) |
| .Net | | Not yet? Watch for schannel.dll changes |
| Python | 3.7.2-1 | 3.7 (June 2018) |
| PHP | | (Check OpenSSL libs) |
| OpenSSL | 1.1.1a-1 | 1.1.1 (Sept 2018) |

If you have scripts/programs connecting (eg, non-browser) then your programming language may need an update.
October 15, 2018
2. Cipher Suite Optimisation
Key Exchange
• Historically, same RSA keypair used for identity (cert) and session:
• DH (do not use now)
• Use temporary keys for Forward Secrecy:
• DHE (ok)
• DH can now also be replaced by Elliptic Curve Diffie-Hellman Ephemeral
• ECDHE (better)
X.509 Certificates
• CAs now require you to use RSA 2048 bit keys
• Even longer keys are better, but way slower
• Move to Elliptic Curve Digital Signature Algorithm (ECDSA) keys
• Still requires CAs and Clients to upgrade to understand this signature algorithm
Bulk Encryption
• Disable DES, 3DES, RC4
• They are insecure or weak
• Enable AES 128/256, specifically with GCM mode
• MS IE can’t do GCM (when not used from Windows 10)
“Microsoft believes that it's no longer safe to decrypt data encrypted with the Cipher-Block-Chaining (CBC) mode of symmetric encryption when verifiable padding has been applied without first ensuring the integrity of the ciphertext, except for very specific circumstances”
https://docs.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode
The strongest bulk encryption that MS Internet Explorer can do (when not on Windows 10) is not considered secure by its vendor.
MAC/Checksum
• Remove MD5, SHA1
• Consider enabling SHA2-256, SHA2-384, SHA2-512
• New ones are coming…
3. Security Headers
Restrict/influence what the browser can and can’t do
Strict-Transport-Security: max-age=$seconds
“Do not make insecure requests to this hostname”
Strict-Transport-Security: max-age=31536000
Apache:
Header always set Strict-Transport-Security "max-age=31536000"
Content-Security-Policy: …
“Only load $content from $sources;
Only submit forms to these $destinations;
Only permit framing in on these $sites;
Only permit content from $sites in my frames”
Content-Security-Policy: default-src 'none'; img-src 'self' data:; script-src 'self' 'unsafe-inline' https://cdn.bootstrap.com; frame-src 'none'; font-src 'self'
Referrer-Policy: …
“Only send Referers under these conditions”
Referrer-Policy: strict-origin
Feature-Policy: …
“Only permit GeoLocation/Vibrate/camera/etc for scripts from $location”
Feature-Policy: geolocation 'none'; vibrate 'none'
X-Content-Type-Options: nosniff
“Don’t second guess incorrect mime types. If the server gives you an image with incorrect type application/javascript, drop it”
Header always set Strict-Transport-Security "max-age=31536000"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "default-src 'none'; \
style-src 'self' 'unsafe-inline' https://blog.james.rcpt.to https://fonts.googleapis.com; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://blog.james.rcpt.to; \
font-src 'self' data: https://ajax.googleapis.com/ajax/libs/webfont/ https://fonts.gstatic.com https://www.bleepstatic.com/fonts; \
img-src 'self' data: https://secure.gravatar.com/avatar/ https://ts.w.org/ https://blog.james.rcpt.to; \
connect-src 'self' blob: file: data: filesystem:"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnetometer 'self'; gyroscope 'self'; speaker 'none'; vibrate 'self'; fullscreen 'none'"
Stop telling people what
version of Apache, IIS,
ASP.Net, PHP that you run.
server: Microsoft-IIS/10.0
4. Reduce mis-issuance with CAA
Tell the world who your CA(s) is (are)
Risk: There are ~200 publicly trusted Certificate Authorities, any of which can, if presented with sufficient evidence, issue a certificate to their customer in your name.
Solution: Publish a record in DNS letting them all know who you authorise to issue on your behalf.
Don’t mention the lack of DNSSEC on gov.au.
BTW, well done NZ on signing [govt|co|org].nz. in 2012 (6 years ago)
DNSSEC Aside #1
US Govt Shutdown:
DNSSEC Keys expiring!
iad.gov: part of the
National Security Agency
(NSA). It is responsible
for executing NSA's
Information Assurance
(IA) Mission
Tool: dnsviz.net
DNSSEC Aside #2
5. Sub Resource Integrity*
Version-lock external dependencies
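(*Requires editing HTML)
<img src="https://www.someone.elses.sites.com/picture.jpeg"
integrity="sha384-oqVuAfXRKap…">
<script src="https://www.someone.elses.sites.com/tracking.js"
integrity="sha384-ho1wx4JwY8wC…" crossorigin="anonymous"></script>
(Browsers enforce integrity on <script> and <link> elements; a cross-origin resource also needs the crossorigin attribute and CORS headers from its host.)
Generate SRI with https://www.srihash.org/
or
openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A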
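The same hash computed in code, plus a scan for third-party resources that are not yet version-locked, as an added example that is not from the talk. The host names, the sample page and the function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = ["sha256", "sha384", "sha512"]   # weakest to strongest


def sri_hash(data, alg="sha384"):
    """Same value as: openssl dgst -sha384 -binary FILE | openssl base64 -A"""
    digest = hashlib.new(alg, data).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")


def sri_matches(data, integrity):
    """Check data against an integrity attribute the way a browser does:
    only hashes using the strongest listed algorithm are considered.
    Returns False when no supported hash is listed (nothing was verified)."""
    by_alg = {}
    for token in integrity.split():
        alg = token.partition("-")[0]
        if alg in STRENGTH:
            by_alg.setdefault(alg, []).append(token)
    if not by_alg:
        return False
    strongest = max(by_alg, key=STRENGTH.index)
    return sri_hash(data, strongest) in by_alg[strongest]


class ExternalResourceScanner(HTMLParser):
    """Collect scripts/stylesheets loaded from other hosts without integrity."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")
        else:
            return
        host = urlparse(url or "").netloc   # empty for relative URLs
        if host and host != self.own_host and not a.get("integrity"):
            self.unpinned.append(url)


def unpinned_resources(html, own_host):
    scanner = ExternalResourceScanner(own_host)
    scanner.feed(html)
    return scanner.unpinned


# Constructed sample: one library body and a page that references it.
LIB = b"console.log('constructed sample library');"
SAMPLE_HTML = f"""
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://cdn.example/pinned.js" integrity="{sri_hash(LIB)}"
        crossorigin="anonymous"></script>
<link rel="stylesheet" href="//fonts.example/site.css">
<link rel="icon" href="https://cdn.example/favicon.ico">
"""

if __name__ == "__main__":
    print("integrity for LIB:", sri_hash(LIB))
    print("not version-locked:", unpinned_resources(SAMPLE_HTML, "www.example.org"))
```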
6. Cookies!
Prevent Cross-Site Request Forgery
Cookies are old!
Cookies used for web comms from June 1994:
- session; state; tracking
Browsers must support
- 4k in size each
- 50 per site
- 3k in total
Flags for cookies (until 2016):
- Secure
- HttpOnly
New Flags for cookies (from 2016):
- SameSite
Values:
• SameSite=Strict
• SameSite=Lax
Set-Cookie: <cookie-name>=<cookie-value>; Secure; HttpOnly; SameSite=Lax
“Strict” will prevent the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link. “Lax” (default) will do similar, but only for POST.
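Injecting the flags into existing Set-Cookie headers without touching the application, with a small model of when Strict and Lax cookies are sent, as an added example that is not from the talk. The function names and the sample headers are constructed; the model covers only the two values named above.

```python
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def harden_set_cookie(value, samesite="Lax"):
    """Append Secure, HttpOnly and SameSite to one Set-Cookie value,
    leaving any attribute the application already set untouched."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    # parts[0] is name=value; the rest are attributes (case-insensitive names)
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            parts.append(flag)
    if "samesite" not in present:
        parts.append("SameSite=" + samesite)
    return "; ".join(parts)


def harden_response(headers, samesite="Lax"):
    """Rewrite every Set-Cookie in a list of (name, value) header tuples,
    for example from a reverse proxy or response middleware."""
    return [
        (name, harden_set_cookie(value, samesite)
         if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


def cookie_sent(samesite, cross_site, method="GET", top_level_navigation=True):
    """Model of whether a browser attaches the cookie to a request."""
    if not cross_site:
        return True                      # same-site requests always carry it
    mode = samesite.lower()
    if mode == "strict":
        return False                     # never on cross-site requests
    if mode == "lax":
        # only when the user navigates to the site with a safe method,
        # so a cross-site form POST arrives without the session cookie
        return top_level_navigation and method.upper() in SAFE_METHODS
    raise ValueError("model covers only Strict and Lax")


# Constructed sample response headers.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; secure; SameSite=Strict"),
]

if __name__ == "__main__":
    for name, value in harden_response(SAMPLE_HEADERS):
        print(f"{name}: {value}")
    print("Lax, cross-site POST:", cookie_sent("Lax", True, "POST"))
```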
7. Enable HTTP/2
• Binary wire protocol (not text)
  • slightly more efficient transmission
• Header compression
  • did you see the size of some of these headers? Think of AJAX req/JSON response overhead
• True multiplexing
  • HTTP/1.1 keep-alives were serial

| HTTP Version | Connection reuse |
|--------------|------------------|
| HTTP/1 | No |
| HTTP/1.1 | Yes, in series (keep-alive) |
| HTTP/2 | Yes, in parallel (multiplex) |
https://http2.akamai.com/demo
†
Apache 2.4 on Debian
23/Jan/2019: testing=Apache2 2.4.37-1
stable=Apache2 2.4.25-3+deb9u6
(actually, from Apache 2.4.15 onwards)
apache2.conf:
Protocols h2 h2c http/1.1
†
Apache 2.4 on Debian testing
Furthermore… (Apache 2.4.18+).
apache2.conf:
H2ModernTLSOnly on
…protocol is at least TLSv1.2 and that none of the ciphers listed in RFC 7540, Appendix A is
used. These checks will be extended once new security requirements come into place…
†
Apache 2.4 on Debian testing
23/Jan/2019: libapache-mod-svn=1.10.3-1+b1
SegFault on requests to Subversion (mod_dav)
†
Apache 2.4 on Debian testing
23/Jan/2019: libapache-mod-svn=1.10.3-1+b1
Fixed in Subversion 1.10.4, 1.11.1
(11 January 2019)
Debian Bug#919767: subversion: SVN Bug 4782:
upstream fix for mod_dav and http2 (h2) segfault
8. And a hell of a lot more…
• New compression algorithms (br)
• Network Error Logging (NEL): Browser
reports errors to a URL you specify
• New key exchange mechanisms…
3rd January 2019: Feisty Duck TLS News
1. HTTP redirect to HTTPS on main web site (consider preload)
2. TLS Protocols: TLS 1.2 and/or newer (Apache: 2.4.36+, OpenSSL 1.1.1+)
3. Cipher suites:
   1. Server Order Preference enabled
   2. ECDHE-AES{128,256}-GCM-SHA{256,384,512} at or near the top
   3. remove RC4, DES, 3DES bulk ciphers
   4. remove DH (non ephemeral) key exchanges
   5. remove SHA1, MD5 MAC
   6. check with https://ssllabs.com
4. Browser Security Headers:
   1. add Strict-Transport-Security (preload?)
   2. add Content-Security-Policy
   3. add Referrer-Policy
   4. add Feature-Policy
   5. add X-Content-Type-Options
   6. check with https://securityheaders.com; https://observatory.mozilla.org
5. DNS: Add CAA record (low TTL, eg, 10 seconds)
6. Content: Add Sub Resource Integrity for stuff you don’t control
7. Content: Change Set-Cookie to add/inject: SameSite=Lax/Strict
8. Server: Enable HTTP/2 (Apache: a2enmod http2 – watch out for SVN<=1.10.4)
[US] Emergency Directive 19-01
• Date: Wed 23/Jan/2019
• Reason: Iran takeover of six [6] US govt dept DNS domains
• Issued by: US Cybersecurity and Infrastructure Security Agency director Chris Krebs (no, not that Krebs)
• Actions demanded of US agencies:
  1. Audit DNS Records
  2. Change DNS Account Passwords
  3. Add Multi-Factor Authentication to DNS Accounts
  4. Monitor Certificate Transparency Logs
     • https://developers.facebook.com/tools/ct/
Sysadmins: Go do the same TLS tuning for Mail (exim), IMAP (courier/dovecot), corporate outbound proxy, etc… (review TLS on hardware devices)
Developers: Restrict your client socket requests to >=TLS 1.2
DevOps Engineers: all of the above!
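For the developer action above, a client-side TLS context restricted to TLS 1.2 or newer with ECDHE and AEAD suites only, as an added example that is not from the talk. It needs Python 3.7+ built against OpenSSL 1.1.0g or later; the cipher string and function names are assumptions chosen to match the slides' cipher advice.

```python
import socket
import ssl

# ECDHE key exchange with GCM or ChaCha20 bulk ciphers only (assumed policy).
# TLS 1.3 suites are configured separately by OpenSSL and stay enabled.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def strict_client_context():
    """Client context: certificate and hostname checks on, TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS)
    return ctx


def describe(ctx):
    """Summarise what this runtime will actually offer to a server."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "tls13_available": ssl.HAS_TLSv1_3,      # depends on the linked OpenSSL
        "openssl": ssl.OPENSSL_VERSION,
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        # TLS 1.3 suite names start with "TLS_"; the rest are TLS 1.2 suites
        "tls12_suites": [n for n in names if not n.startswith("TLS_")],
    }


def negotiated(host, port=443, timeout=5):
    """Connect and return (protocol version, cipher suite) agreed with host.
    Raises ssl.SSLError if the server only offers older protocols or suites."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_client_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for key, value in describe(strict_client_context()).items():
        print(f"{key}: {value}")
```

Calling `negotiated()` against your own services shows which of them would reject a client held to this policy.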
On Twitter, follow:
@scotthelme
@troyhunt
@hardenize
@ivanristic
On Web, visit:
https://scotthelme.co.uk
https://troyhunt.com
https://hardenize.com
E: james@nephology.net.au / james.bromberger@modis.com
T: @JamesBromberger
L: /in/JamesBromberger (speak to me IRL first!)
W: nephology.net.au -or- www.james.rcpt.to -or- www.modis.com
GPG: rsa4096/0xAEC828749D85C53C
