SSL++; Tales of Transport Layer Security at Twitter

•

1 gostou•1,012 visualizações

presentation at BSides San Francisco, Feb 24 2013. corresponding video available @ https://www.brighttalk.com/webcast/7651/69207

Tecnologia Educação

SSL++
Tales of Transport-Layer Security at Twitter

@jimio | #BSidesSF

http://twitter.ie
https://twitter.com
http://twitter.com

http://twitter.ie
https://twitter.com
http://twitter.com

http://www.w3.org

http://wtf.ru

http://twitter.uz

<link rel="canonical" href="https://twitter.com/">

< X-WebKit-CSP-Report-Only: default-src https:
data: chrome-extension: 'unsafe-inline'
'unsafe-eval'; report-uri https://twitter.com/
scribes/csp_report; frame-src https://* about:
javascript: chrome-extension:
< X-Content-Security-Policy-Report-Only:
options eval-script inline-script; report-uri
https://twitter.com/scribes/csp_report; allow
https://* data: ; frame-src https://* about:
javascript:

secureheaders
Strict-Transport-Security
Content-Security-Policy
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options

1. OS:
validate revocation, expiration
2. App:
check against local bundle
3. Party on

https://twitter.com/jobs
https://t.co/h4x0r
#jointheﬂock
@jimio

Mais conteúdo relacionado

Destaque

Cisco Trustsec & Security Group TaggingCisco Canada

HK VForum F5 apps centric security nov 4, 2016 - finalJuni Yan

F5 Offers Advanced Web Security With BIG-IP v10.1DSorensenCPR

Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans...APNIC

VIPRION 2400 and vCMPF5 Networks

CCNA RS_ITN - Chapter 7Irsandi Hasan

Best Practice TLS for IBM DominoJared Roberts

The F5 DDoS Protection Reference Architecture (Technical White Paper)F5 Networks

CCNA RS_NB - Chapter 5Irsandi Hasan

Internetworking Overviewscooby_doo

Transport layer security (tls)Kalpesh Kalekar

Building the Mobile InternetKlaas Wierenga

F5 study guideshimera123

F5 BIG-IP: Secure Application and Data Security ServicesAmazon Web Services

Destaque (14)

Cisco Trustsec & Security Group Tagging

HK VForum F5 apps centric security nov 4, 2016 - final

F5 Offers Advanced Web Security With BIG-IP v10.1

Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans...

VIPRION 2400 and vCMP

CCNA RS_ITN - Chapter 7

Best Practice TLS for IBM Domino

The F5 DDoS Protection Reference Architecture (Technical White Paper)

CCNA RS_NB - Chapter 5

Internetworking Overview

Transport layer security (tls)

Building the Mobile Internet

F5 study guide

F5 BIG-IP: Secure Application and Data Security Services

Último

Understanding the FAA Part 107 License ..Christopher Logan Kennedy

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh

Corporate and higher education May webinar.pptxRustici Software

TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub

Platformless Horizons for Digital AdaptabilityWSO2

Architecting Cloud Native ApplicationsWSO2

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz

Exploring Multimodal Embeddings with MilvusZilliz

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot

ICT role in 21st century education and its challengesrafiqahmad00786416

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software

SSL++; Tales of Transport Layer Security at Twitter

1. SSL++ Tales of Transport-Layer Security at Twitter @jimio | #BSidesSF

2. CRIME

3. BEAST

5. HTTP

10.

11.

12.

13.

14.

15.

16.

17.

18.

19.

20.

21.

22.

23.

24.

25. 100% Certiﬁed SSL

26.

27. <img src="http://twitter.com"/>

28. secure;

29.

30. sslstrip

31.

32. 301

33. #!

34. #!/jimio twitter.com/

35. #!/jimio twitter.com/

36.

37. DISCLAIMER

38. DISCLAIMER we did this.

39. DISCLAIMER we did this. you can too.

40. Hello!

41. twitter Hello!

42. twitter

43. twitter

44. twitter

45.

46. http://twitter.com

47. https://twitter.com http://twitter.com

48. http://twitter.ie https://twitter.com http://twitter.com

49. http://twitter.ie https://twitter.com http://twitter.com http://www.w3.org http://wtf.ru http://twitter.uz

50. <link rel="canonical" href="https://twitter.com/">

51. %2F

52. /

53.

54.

55. <-HTTPS

56. Hello!

57. twitter.com Hello!

58. HTTP...

59. but wait!!

60.

61.

62. HSTS

63. HSTS

64. HTTP=>HTTPS 300s 0

65. HTTP=>HTTPS 300s 0

66. includeSubdomains

67. include$ubdomains

68. CSP

69. CSP

70. < X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/ scribes/csp_report; frame-src https://* about: javascript: chrome-extension: < X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

71. < X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/ scribes/csp_report; frame-src https://* about: javascript: chrome-extension: < X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

72. < X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/ scribes/csp_report; frame-src https://* about: javascript: chrome-extension: < X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

73. < X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/ scribes/csp_report; frame-src https://* about: javascript: chrome-extension: < X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

74. secureheaders

75. secureheaders Strict-Transport-Security Content-Security-Policy X-XSS-Protection X-Frame-Options X-Content-Type-Options

76. SSL

77.

78.

79.

80. 1. OS: validate revocation, expiration 2. App: check against local bundle 3. Party on

81.

82.

83.

84.

85.