2. SSL is dead
• HTTP = Hypertext Transfer Protocol
• HTTPS = HTTP Secure
• TLS = Transport Layer Security
• SSL = Secure Sockets Layer
• SSL v3 is effectively dead since POODLE in 2014
• X.509 Certificate
3. Why is HTTPS more than HTTP + TLS?
• Mixed mode requests
  • BTW, don’t use protocol-relative URLs (eg //domain/resource)
• CORS considers HTTP and HTTPS to be different origins
• secure attribute on cookies
  • Not really (an HTTP origin can still set them)
  • Strictly secure cookies in draft
  • Prefixed cookies in draft (eg __Host- or __Secure-)
• Referer HTTP request header
• “Opportunistic Security for HTTP” IETF draft is just HTTP + TLS
4. HTTPS Verification Basics
• Certificate validity period
• Certificate chain trusted
• Common Name, Subject Alternative Name (SAN), wildcards
• Certificate Revocation List
• Extended Validation Certificate
• Mixed-mode resources
5. Further HTTPS Verification
• Signature hash function
  • MD5 drops the connection in IE
  • SHA1 sunset
• OCSP Stapling and Must Staple TLS Feature Extension
• Certificate Transparency
• HTTP Public Key Pinning
  • Requires backup keys. CSRs are sufficient.
6. Other recent HTTPS developments
• Server Name Indication (SNI)
• HTTP Strict Transport Security (HSTS)
  • Browser preloading
• Content Security Policies
  • Upgrade Insecure Requests
• Referrer Policy (draft)
• AWS Certificate Manager
• Let’s Encrypt https://letsencrypt.org/
8. Security
• Forward Secrecy
  • Diffie-Hellman key exchange (EDH/DHE)
• Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Equivalent security with smaller keys means faster operations
9. Security - Vulnerabilities
• Heartbleed – exploits an OpenSSL bug; upgrade or switch.
• POODLE – attacks padding in SSL v3.0; disable it.
• Logjam – attacks DHE ciphers; mitigate with 2048+ bit DH params.
• BEAST – attacks CBC mode of AES; mitigated in TLS v1.1
• Lucky13 – a CBC padding timing attack; mitigated in implementations.
• CRIME – attacks TLS compression; disable it
• BREACH – attacks HTTP compression. Various mitigations.
• Don’t use RC4 – prohibited in Feb 2015 by RFC 7465
10. Trust
• Extended Validation Certificates
• Chrome Page Security Icon
  • Since October 2015, HTTPS with minor errors does not show any padlock
• Qualys SSL Labs A+ Grade
  • Zero warnings (ie A Grade)
  • HSTS header valid for at least six months
  • Certificate must not be SHA1 signed
  • TLS_FALLBACK_SCSV “fake” cipher suite must be handled
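The HSTS criterion above can be checked mechanically. The following is an added example, not code from the deck or from SSL Labs: it parses a Strict-Transport-Security header as RFC 6797 defines it and tests the max-age against a six-month threshold. The 180-day reading of "six months", the function names and the sample headers are assumptions made here.

```python
"""Parse a Strict-Transport-Security header (RFC 6797) and check the
"at least six months" max-age that the deck lists for an SSL Labs A+.
Added example; the 180-day threshold, the function names and the sample
headers are assumptions made here, not values taken from the deck."""

# Assumed: "six months" read as 180 days, i.e. 15 552 000 seconds.
SIX_MONTHS_SECONDS = 180 * 24 * 60 * 60


def parse_hsts(header: str):
    """Return (max_age, include_subdomains, preload), or None if the header
    is invalid (missing, duplicated or non-numeric max-age)."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, sep, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


def hsts_meets_six_months(header: str) -> bool:
    """True if the header is valid and its max-age is at least six months."""
    parsed = parse_hsts(header)
    return parsed is not None and parsed[0] >= SIX_MONTHS_SECONDS


if __name__ == "__main__":
    # Constructed sample headers: one strong enough, one too short, one broken.
    for hdr in ("max-age=31536000; includeSubDomains; preload",
                "max-age=86400",
                "includeSubDomains"):
        print(repr(hdr), "->", parse_hsts(hdr), hsts_meets_six_months(hdr))
```

Note that a user agent only honours this header when it arrives over HTTPS; sending it on plain-HTTP responses is harmless but pointless, so the check belongs on the HTTPS response.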
11. Compliance
• Payment Card Industry Data Security Standard (PCI DSS)
  • Version 3.1 from April 2015 scheduled TLS 1.0 deprecation for July 2016
  • Revised in December 2015 to postpone deprecation to 2018 instead
12. SEO
• Google Page Rank
  • Starting August 2014, HTTPS sites are given a (slightly) higher rank.
  • Rank only awarded to “strong” HTTPS.
13. Performance
• Is TLS fast yet? https://istlsfastyet.com/
• Session resumption, session tickets
• TLS False Start
• TLS v1.3
• TCP Fast Open to send TLS ClientHello with SYN
• HTTP/2
  • Multiplexing
  • Connection sharing and the domain-sharding anti-pattern
  • Server push
14. Challenges
• User-Agent support
  • .NET v4 is TLS v1.0 only.
  • .NET v4.5 can do TLS v1.1 and v1.2 if explicitly enabled.
• Different cipher naming conventions across implementations
  • IANA
  • OpenSSL
  • GnuTLS
  • NSS
• Debugging
• Tooling
15. Thank you
• Jason Stangroome
• @jstangroome
• https://section.io/
• https://blog.stangroome.com/
Editor's Notes
A little terminology
“TLS content can’t be cached” is a fallacy
Cookies: a Secure cookie is only sent over HTTPS, but an HTTP origin can still set one
Strict secure cookies prevent HTTP origins writing cookies with the secure attribute https://datatracker.ietf.org/doc/draft-west-leave-secure-cookies-alone/
Prefixed cookies (`__Host-` or `__Secure-`) ensure such cookies can only ever be set in the secure way https://datatracker.ietf.org/doc/draft-west-cookie-prefixes/
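The cookie points on slide 3 and in the two notes above (strict secure cookies and the `__Host-`/`__Secure-` prefixes) come down to a small set of acceptance rules a user agent applies to each Set-Cookie header. The following is an added example, not code from the deck or from either draft: it encodes those rules so a server-side test suite can check its own headers. The function names and the sample headers are constructed here.

```python
"""Check Set-Cookie headers against the Secure attribute and cookie-prefix
rules the deck refers to (draft-west-leave-secure-cookies-alone and
draft-west-cookie-prefixes). Function names and sample headers are
constructed for this example and are not part of the original deck."""

from dataclasses import dataclass, field


@dataclass
class SetCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie header into the cookie pair and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return SetCookie(name.strip(), value.strip(), attrs)


def cookie_problems(header: str, from_secure_origin: bool) -> list:
    """Return the list of rule violations for one Set-Cookie header.

    from_secure_origin is True when the response carrying the header was
    served over HTTPS. An empty list means a conforming user agent would
    store the cookie."""
    cookie = parse_set_cookie(header)
    secure = "secure" in cookie.attrs
    problems = []

    # Strict secure cookies: a non-secure origin may not create a Secure
    # cookie (the gap in the plain Secure attribute the notes point out).
    if secure and not from_secure_origin:
        problems.append("Secure attribute set from a non-secure origin")

    # __Secure- prefix: only accepted with the Secure attribute over HTTPS.
    if cookie.name.startswith("__Secure-"):
        if not secure:
            problems.append("__Secure- cookie lacks the Secure attribute")
        if not from_secure_origin:
            problems.append("__Secure- cookie set from a non-secure origin")

    # __Host- prefix: additionally no Domain attribute and Path=/, so the
    # cookie is bound to exactly this host and cannot be shadowed by a
    # sibling subdomain or a narrower path.
    if cookie.name.startswith("__Host-"):
        if not secure:
            problems.append("__Host- cookie lacks the Secure attribute")
        if not from_secure_origin:
            problems.append("__Host- cookie set from a non-secure origin")
        if "domain" in cookie.attrs:
            problems.append("__Host- cookie must not have a Domain attribute")
        if cookie.attrs.get("path") != "/":
            problems.append("__Host- cookie must have Path=/")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: the first is accepted, the rest rejected.
    samples = [
        ("__Host-session=abc; Secure; Path=/; HttpOnly", True),
        ("__Host-session=abc; Secure; Domain=example.com; Path=/", True),
        ("session=abc; Secure", False),
        ("__Secure-id=1", False),
    ]
    for hdr, https in samples:
        print(hdr, "->", cookie_problems(hdr, https) or "OK")
```

The `__Host-` rules are the ones worth adopting for session cookies: with no Domain attribute and Path=/, a cookie of that name can only have been set by this exact host over HTTPS, which is the guarantee the plain Secure attribute never gave.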
Opportunistic Security for HTTP https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-encryption/
Wildcards are single level
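Slide 4 lists Common Name, SAN and wildcard matching as verification basics, and the note above adds that wildcards are single level. The following is an added example, not code from the deck or from any TLS library: it implements that name matching in the RFC 6125 style browsers use, with SAN dNSNames taking precedence over the CN. The function names and the certificate dictionaries are constructed here.

```python
"""Match a server hostname against the names in a certificate the way
browsers do (RFC 6125 style): SAN dNSNames take precedence over the
Common Name, comparison is case-insensitive, and a wildcard covers exactly
one label. Added example; the certificate dicts are constructed inputs."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, appear only there, and
    # leave at least two labels to the right (so "*.com" is rejected).
    if (p_labels[0] != "*"
            or any("*" in label for label in p_labels[1:])
            or len(p_labels) < 3):
        return False
    # Single level: "*.example.com" matches "www.example.com" but not
    # "example.com" or "a.b.example.com".
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches(cert: dict, hostname: str) -> bool:
    """cert is {"subject_cn": str | None, "san_dns": [str, ...]}.

    When the certificate carries any SAN dNSName the Common Name is ignored,
    which is what current browsers do; the CN is only a fallback for
    legacy certificates without a SAN extension."""
    names = list(cert.get("san_dns") or [])
    if not names and cert.get("subject_cn"):
        names = [cert["subject_cn"]]
    return any(hostname_matches(name, hostname) for name in names)


if __name__ == "__main__":
    # Constructed certificate: CN does not count because a SAN is present.
    cert = {"subject_cn": "www.example.com", "san_dns": ["*.example.com"]}
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, "->", certificate_matches(cert, host))
```

The two failure cases to remember from the note are both covered here: a wildcard certificate for `*.example.com` does not cover the bare `example.com`, and it does not cover `a.b.example.com` either, so a deployment that adds a deeper subdomain needs a new name on the certificate rather than a wildcard it already has.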
Mixed-mode impacts the address bar padlock
Must Staple http://tools.ietf.org/html/rfc7633
OCSP fails at least 15% of the time and takes a median 350 ms on success https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
SNI not supported by IE on XP. Apache complains if SNI server_name conflicts with Host HTTP request header.
https://w3c.github.io/webappsec-referrer-policy/
A DHE/ECDHE cipher suite may include RSA in its name (for authentication) and still offer forward secrecy. Avoid pure RSA key exchange.
Mitigate BREACH through CSRF token randomisation, disabling compression, using random chunked encoding, and other techniques.
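Of the BREACH mitigations listed in the note above, CSRF token randomisation is the one that lives in application code. The following is an added example, not code from the deck or from any framework: it masks the session's CSRF token with a fresh random value on every response so the bytes in the compressed body never repeat, while the server can still recover and compare the real token. The function names and the sample token are constructed here.

```python
"""Per-response CSRF token masking, one of the BREACH mitigations named in
the notes ("CSRF token randomisation"). BREACH recovers a secret that is
repeated verbatim in compressed responses; XORing the token with a fresh
random mask on every response means the bytes on the wire never repeat
while the server can still recover the underlying token. Added example;
function names and the sample token are constructed here."""

import base64
import hmac
import secrets


def mask_token(token: bytes) -> str:
    """Return mask || (mask XOR token), base64url-encoded, with a fresh mask.

    Called once per response; two renderings of the same page carry
    different strings even though they encode the same session token."""
    mask = secrets.token_bytes(len(token))
    masked = bytes(m ^ t for m, t in zip(mask, token))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(raw: bytes) -> bytes:
    """Inverse of mask_token on the decoded bytes."""
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(m ^ c for m, c in zip(mask, masked))


def csrf_token_valid(submitted: str, session_token: bytes) -> bool:
    """Compare a submitted masked token with the session's real token.

    Length is checked before unmasking, and the comparison is constant-time
    so the check itself does not leak timing information about the token."""
    try:
        raw = base64.urlsafe_b64decode(submitted)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != 2 * len(session_token):
        return False
    return hmac.compare_digest(unmask_token(raw), session_token)


if __name__ == "__main__":
    # Constructed session token; a real one comes from secrets.token_bytes().
    token = bytes(range(32))
    first, second = mask_token(token), mask_token(token)
    print("same token, different wire values:", first != second)
    print("both verify:", csrf_token_valid(first, token), csrf_token_valid(second, token))
```

Masking only protects the token itself; other secrets reflected into a compressed response (session identifiers in links, for example) need the same treatment or one of the other mitigations the note lists.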
There is no padlock with warning icon anymore https://googleonlinesecurity.blogspot.com.au/2015/10/simplifying-page-security-icon-in-chrome.html
Mozilla just redid the padlock; it still has a warning icon https://blog.mozilla.org/tanvi/2016/01/26/updated-firefox-security-indicators/