General overview of TLS and SSL on today's internet, with tips about how you can protect your website with strong and unbroken cipher configurations.

1. COMPATIBILITY, SECURITY & PERFORMANCE
FINDING A BALANCE WITH SSL / TLS
THAT DOESN’T EXIST
sam gammon
sam @ keen dot io

2. I AM A SECURITY ENGINEER.

3. I AM A SECURITY ENGINEER.
!
I AM A GUY WHO HAS SPENT
WAY TOO MUCH TIME WORRYING
ABOUT GIBBERISH

5. (THERE ARE NO
WORDS THERE)

6. I AM A SECURITY ENGINEER.
!
I AM A GUY WHO HAS SPENT
WAY TOO MUCH TIME WORRYING
ABOUT GIBBERISH
!
I DON’T KNOW MUCH ABOUT THE MATHS
BEHIND ENCRYPTION.

7. I AM A SECURITY ENGINEER.
!
I AM A GUY WHO HAS SPENT
WAY TOO MUCH TIME WORRYING
ABOUT GIBBERISH
!
I DON’T KNOW MUCH ABOUT THE MATHS
BEHIND ENCRYPTION.
I DO KNOW HOW YOU CAN PROTECT YOUR
APPS IN THE REAL WORLD.

8. agenda:
1) alice & bob: a short note on asymmetric
algorithms
2) intro to SSL/TLS on today’s internet
3) tour of the secure web, from the
perspective of a lowly cipher line
4) next-gen ciphers and features
5) useful tools
6) Q&A and story time
!
!
!

9. Alice & Bob
Asymmetric vs. Symmetric Encryption

10. intro to TLS

11. here is the OSI model
!

12. my protocols, let me show you
them
!
ARP/L2TP
Bluetooth/Ethernet
IP / ICMP
TCP / UDP
SOCKS / SPDY
MIME
HTTP / DNS

13. a regular HTTP request uses
these
!
IP
TCP
HTTP
GET /home HTTP/1.1!
Host: keen.io!
Connection: keep-alive!
Cache-Control: no-cache!
Accept-Encoding: gzip,deflate,sdch!
Accept-Language: en-US,en;q=0.8!
SYN
SYN-ACK!
ACK
packets!

14. OSI model
!
IP
TCP
HTTP
“request”
“response”
“connection”
“address”

15. OSI model
!
IP
TCP
HTTP
nginx /
haproxy
haproxy /!
OS (linux)
OS (linux)
1gBASEe (Ethernet)

16. OSI model
!
IP
TCP
TLS
HTTP

17. OSI model
!
IP
TCP
HTTP
nginx /
haproxy
haproxy /!
OS (linux)
OS (linux)
1gBASEe (Ethernet)
TLS openSSL

18. OSI model
!
IP
TCP
TLS
HTTP
HTTPS
{

19. TLS has its own handshake…

20. TLS has its own handshake…
1) client says hello
- passes a list of supported ciphers
- in priority order
- other capabilities like SNI
2) server says hello
- passes a list of supported ciphers
- in priority order
- passes certificate chain
- other capabilities like NPN/ALPN
n) they agree and connect
- a cipher is chosen!
- a protocol is selected!
- keys are exchanged!
… awhile later …

21. elements of a cipher spec
key
exchange standard cipher
symmetric
size
brokenness
ECDHE TLSv1.2 AES-GCM
128: fast
256: strong
“no reason to
believe it’s not
broken… yet”
DHE TLSv1 AES-GCM
128: fast
256: strong
“could be broken
if you’re not
careful”
— SSLv3 RC4
140, that’s all
you get foo
“well, fuck it.
it’s definitely broken,
at least break fast?”

23. Tools

24. Testing: Qualys
!
1) Awesome for experimenting with settings!
2) Great for detecting issues!
3) Pretty reports!

25. Testing: Qualys
!
1) Awesome for experimenting with settings!
2) Great for detecting issues!
3) Pretty reports!
4) Fantastic compatibility simulator

26. Diagnostics: OpenSSL
!
1) Tools for generating keys /
certificates!
2) openssl s_client for SSL client
testing!
3) openssl ocsp for OCSP testing
4) Benchmark your ciphers with
openssl speed

27. Diagnostics: Wireshark
!
1) Extremely powerful!
2) Kind of outside the scope of this
talk!
3) Can be configured with your
private key/cert to decrypt traffic
4) See traffic at all levels!
(ARP, IP, TCP, TLS, DNS & HTTP)

28. Always: yer favorite browser
!

29. CIPH3R$!!1!

30. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;

31. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
THIS IS A CIPHER LINE.
IT’S BASICALLY A LIST OF YOUR
FAVORITE<3 CIPHERS
AND ALSO THE ONES YOU HATE

32. ssl_ciphers “
1 ECDHE-RSA-AES128-GCM-SHA2
2 ECDHE-RSA-AES256-GCM-SHA3
3 ECDHE-RSA-AES128-SHA256
4 ECDHE-RSA-AES256-SHA384
5 ECDH-RSA-AES128-SHA256
6 ECDH-RSA-AES256-SHA384
7 DHE-RSA-AES128-GCM-SHA256
8 DHE-RSA-AES256-GCM-SHA384
9 ECDHE-RSA-RC4-SHA
10 ECDHE-RSA-AES128-SHA
11 ECDHE-RSA-AES256-SHA
12 ECDH-RSA-RC4-SHA
13 RC4-SHA
14 DHE-RSA-AES128-SHA
15 AES256-SHA
16 AES128-SHA
17 !ECDSA !DSA
18 !3DES !aNULL !eNULL !SEED
19 !MD5 !EXP !PSK !SRP !DSS
“;
IT’S RANKED FROM TOP TO BOTTOM

33. THEY COME IN ALL SHAPES AND SIZES
ciphers AES:ALL:!aNULL:!eNULL
ssl_ciphers
SSL_RSA_WITH_RC4_128_MD5
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128__SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA;
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
tls.createServer({
!
ciphers: “AES128-GCM-SHA256:RC4:HIGH:!
MD5:!aNULL:!EDH”
!
}, …);
<cipherSpecList>
<cipherSpec>
<cipher>RC4</cipher>
<hash>SHA256</hash>
<exchange>ECDHE</exchange>
…

34. EVERY HTTPS SERVER HAS ONE
ciphers AES:ALL:!aNULL:!eNULL
ssl_ciphers
SSL_RSA_WITH_RC4_128_MD5
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128__SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA;
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
tls.createServer({
!
ciphers: “AES128-GCM-SHA256:RC4:HIGH:!
MD5:!aNULL:!EDH”
!
}, …);
<cipherSpecList>
<cipherSpec>
<cipher>RC4</cipher>
<hash>SHA256</hash>
<exchange>ECDHE</exchange>
…

35. THE SECURITY OF YOUR SITE
DEPENDS LARGELY ON"
THE ORDER OF THESE
ARBITRARY
TOKENS."
!
:(

37. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;

38. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;

39. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
DO NOT WANT
MD5 is broken
eNULL means no encryption at all!!
aNULL means good luck no auth
LOW is like 40-bit only! gross
LOW is like 40-bit only! gross

40. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;

41. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
these ones are chill*
but usually there’s no support for them
client… or server side
*the NSA invented them though so if you!
are paranoid don’t use ‘em

42. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
instead, we’ll be talking
about RSA stuff today!
(mostly)*
*RSA algos were made by a corporation!
of the same name paid by the NSA to!
weaken their algorithms.!
so if you’re paranoid, write your own
encryption because all of them have"
the NSA’s fingerprints

43. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;

44. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
these are for old!
browsers
specifically, SSLv3
all of them are “broken”
some are more broken!
than others, though

45. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
old versions of AES expose!
you to the BEAST attack,!
because of CBC mode
that’s why these ciphers!
are the least desired
if you can get away with it,!
turn them off

46. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
these are for old!
browsers
RC4 is broken too, but!
only by the NSA

47. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
these are for old!
browsers
RC4 is broken too, but!
only by the NSA
since it’s less likely the NSA!
will be after your data!
(compared to some rando!
with knowledge of BEAST),!
RC4 is slightly less bad

48. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
THERE IS ONLY!
ONE GIFT YOU GET
WITH TLS!
ON TODAY’S INTERNET

49. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
Forward Secrecy! :)

50. without forward secrecy…

51. with forward secrecy…
1) client says hello
- passes a list of supported ciphers
- in priority order
- other capabilities like SNI
2) server says hello
- passes a list of supported ciphers
- in priority order
- passes certificate chain
- other capabilities like NPN/ALPN
n) they agree and connect
- a cipher is chosen!
- a protocol is selected!
- keys are exchanged!
… awhile later …
… awhile later …
3) Generate ephemeral forward secrecy key

52. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;

53. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
these are for TLS 1.0
RC4 is still prioritized
AES is still broken :(
BEAST, CRIME, BREACH
(mostly compression attacks)

54. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;

55. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
GCM is unbroken! Yay!

56. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;
AES is unbroken in
TLS 1.2, but only because
of compression, explicit IV,
and forward secrecy

57. ssl_ciphers “
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
RC4-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
!ECDSA !DSA
!3DES !aNULL !eNULL !SEED
!MD5 !EXP !PSK !SRP !DSS !LOW
“;

58. The future!

59. OCSP Stapling
!
1) OCSP is a way to verify certificate
validity and health
2) Certs can be “invalidated” by providers
when they are breached!
!
3) “Stapling” a verifiably-valid OCSP
response to an HTTP response
can optimize the process significantly!

60. ECC & DSA Certificates
!
1) ECC is an alternate key structure to RSA or DSA
2) ECC keys are “faster” to compute/sign/verify, and!
“stronger” than RSA and DSA at “smaller” key sizes!
!
3) Almost nobody supports it (CA’s and browsers both)
CA’s: Symantec is the only one I’ve found
Browsers: the usual modern suspects
(Webkit/Blink/SpiderMonkey/barely any Trident)!

61. ECC & DSA Certificates
!
structure
security vs.
complexity factor
AES-128
equivalent
maths
ECC linear 256-bit elliptic curves
DSA exponential 3,072-bit finite fields
RSA exponential 3,072-bit integer factorization

62. Salsa20 / Poly1305
!
1) These are new ciphers from Google
2) They haven’t been chill enough to share ‘em yet*!
!
3) Salsa20 is a new stream cipher (replaces RC4!) that is fast"
!
4) Poly1305 is a MAC algorithm that can wrap any reliable!
symmetric cipher (AES being broken won’t fail us again)
5) Would be great to have server-side but only Chrome supports
this stuff yet
*there might be some patches for OpenSSL
that may or may not work in the Chromium
source tree… :)

63. AES-GCM Support
!
1) GCM-based algorithms were only introduced in TLSv1.2
2) Chrome (>=31) is all good, so are Firefox and Safari
3) IE 11 is all good (sometimes)!
!
3) >=iOS 5 should have it, Android "
!
4) Java support is spotty

64. Q&A / Experiences

65. @beepbeepboop
sam@keen.io