SBA Live Academy - Using HTTPS by Default: How Web Servers Can Make the Web More Secure by Matthew Holt

•

0 gostou•108 visualizações

Target Group: Developers, IT operations, DevOps Focus: technical Language: English Abstract ********* Eventually, browsers and other Web clients will require all sites to use TLS. But turning on properly-configured TLS is not as simple as flipping a switch… unless your server does it automatically and by default. This talk briefly goes over how that is possible and what kind of usable security we should expect from all web servers in this decade. About the Speaker: ********************* Matt Holt (B.S. & M.S. Computer Science, Brigham Young University) is a software engineer with special expertise in TLS deployment and automation. He is the author of the Caddy web server, the only server to use HTTPS by default, which has over 25 million downloads and has secured and served trillions of HTTPS requests since 2014. When he's not coding stuff with his bare hands, you can find him rock climbing or bicycling.

Tecnologia

HTTPS by Default
How Caddy Makes the Web More Secure
Matt Holt Go Gopher by Renee French, derivative works by Deise Misiuk

ACME
Automated Certificate Management Environment

Transport Layer Security
Confidentiality
A guarantee that the
data stays private in
transit.
Integrity
A guarantee that the
data is not modified in
transit.
Authenticity
A guarantee that your
connection is with the
intended party.
✔
self-signed
✔
self-signed
✖
self-signed✔ third-party

Generate private key
Generate CSR
Secure key
Order SSL certificate
Paste CSR into online form
Choose an email address
Wait for email
Click link in email
Wait for another email
Download certificate
Concat into bundle
Upload bundle to server
Configure server to use cert and key
Reload configuration
Don't forget to renew it... and don't mess up

Generate private key
Generate CSR
Solve ACME challenge
Download certificate bundle
Use cert and key
ACME: simpler and automated

The 3 ACME Challenges
HTTP
:80
TLS-ALPN
:443
DNS
1
2
3
ACME server (CA) DNS server Your server

HTTP Challenge
HTTP
:80
Serves resource at special URI on host
● Requires port 80
● Must be accessible from outside
● Can be done manually
✔ No config required (usually)

TLS-ALPN Challenge
Negotiates special TLS handshake
● Requires port 443
● Must be accessible from outside
● Tedious to perform manually
TLS-ALPN
:443
✔ No config required (usually)

DNS Challenge
Sets special TXT record in zone file
● No open listeners; works behind proxies & LB
● Can be done manually
● Can be automated with DNS provider's API
● Some providers are slow to apply changes
✖ Requires DNS provider credentials (easy)
DNS
1
2
3

Minimum Required Config
Required inputs
● Domain name
Optional inputs
● Email address
● A few crypto details

✅ Rate limiting
✅ Failed validations
✅ Revocations
✅ Infrastructure outages
✅ Customer domains
Production Challenges
✅ OCSP problems
✅ Misconfigured storage
✅ Fleet coordination
✅ Millions of domains
✅ = Caddy handles it
(external scripts/tools… don't)

Next Monday, probably
Thank you! :)
https://caddyserver.com

Mais conteúdo relacionado

Mais de SBA Research

"Rechtliche Risiken mit externen Mitarbeitern" Externe MitarbeiterInnen, die IT-mäßig eingebunden werden (müssen) sind kein neues Phänomen. Das Thema ist jedoch gerade jetzt besonders aktuell: Unternehmen, die keine Erfahrungen mit externer IT-Anbindung haben, mussten von einem Tag auf den anderen MitarbeiterInnen ins Home Office schicken; selbst Organisationen, die bereits Erfahrungswerte haben, stehen vor der Herausforderung, aus einer breiten Palette von Anwendungen die passendste und sicherste zu wählen. Der Vortrag informiert über die rechtlichen Risiken in Bezug auf Geheimhaltung, Systemintegrität und Datenschutz in Zeiten von Home Office. Speaker: Dr. Stefan Eder, Benn-Ibler Rechtsanwälte GmbH Talk language: German About the Speaker: ********************* Dr. Stefan Eder ist Rechtsanwalt und Partner in der Wirtschaftskanzlei Benn-Ibler Rechtsanwälte GmbH. Er hat zusätzlich Betriebsinformatik studiert und ist in diverse IT-Projekte involviert. Er trägt regelmäßig zu Themen der IT-Sicherheit vor und engagiert sich als Gründer des Österreich-Chapters der Legal Hackers für die Erforschung und Entwicklung kreativer Lösungen an der Schnittstelle zwischen IT und Recht. Er organisiert darüber hinaus die REMEP, eine Plattform für Rechtsinformatik.

SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern

SBA Research

"What the heck is secure computing?" What is “secure computing”? Why should it be important to me? Now that it is important to me, how can I use secure computing for my work? This presentation will give an overview of the two main types of secure computing. We explain the fundamental ideas behind the technology and point out important details. We also present ideas on how this technology can be used for new applications, and last but not least, we answer your questions. Speaker: Matthias Gusenbauer, Talk language: English About the Speaker: ********************* I am a researcher at SBA Research in Vienna, Austria. My research focuses on bridging people and technology to solve issues in security and privacy. In order to accomplish this I focus on usable security and privacy with an interest in applied cryptography. I have been a research fellow at the National Institute of Informatics (NII) in Tokyo to work on visualizing network traces. During a second stay with the NII as part of Echizen Laboratory I worked on visualizing the Bitcoin blockchain. Now I continue to work in the domain of usable security, cryptography and privacy.

SBA Live Academy, What the heck is secure computing

SBA Research

"Tools & Techniques from building a DevSecOps culture at Mozilla" For the past decade, security teams at Mozilla have sharpened their tools and improved their techniques to mature the security culture of the organization, and dramatically reduce vulnerabilities and risks. In this talk, Julien shows how Mozilla approaches DevSecOps and shares lessons learned from that journey. Speaker: Julien Vehent, Firefox Operations Security Talk language: English About the Speaker: ********************* Julien Vehent is a French computer security engineer who leads the Firefox Operations Security team at Mozilla. He specializes in web applications security, cloud infrastructure, cryptography and risk management. He is the author of “Security DevOps”, published at Manning in 2018.

Tools & techniques, building a dev secops culture at mozilla sba live a...

SBA Research

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. For the first time, the 2020 Symposium took part as a full virtual conference. Our group of researchers are very greatful for the opportunity to present their work on HydRand, a distributed protocol for the secure provisioning of distributed randomness, at this prestigious event. In his talk, Philipp Schindler outlines the fundamental concepts of distributed randomness as well as the details of HydRand’s design.

HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...

SBA Research

Target Group: SysAdmins, Developer, DevOps Focus: technical Talk language: English Abstract ********** What are Containers and what makes them secure to use? Which different types of Containers are out there and how can I best use them securely? What container types are there beyond Docker? About the Speaker: ********************* Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

SBA Live Academy - Secure Containers for Developer by Mathias Tausig

SBA Research

Abstract ********* SecDevOps has complex challenges: remote code execution vulnerabilities could lead to a takeover of the backend. Web hosters and Cloud providers have to deal with the extreme: remote code execution as a service by running user code (PHP, NodeJS, Go, dotnet, …). What does the Linux Kernel provide to contain successful attacks other than a firewall, user separation and permissions? Do Docker containers really contain? About the Speaker: ********************* Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...

SBA Research

Managing passwords is a critical developer task. Developers tasked with building or augmenting legacy authentication systems have a daunting task when facing modern adversaries. This talk will review some of the changes suggested in NIST SP800-63b the “Digital Identity Guideline on Authentication and Lifecycle Management regarding password policy”. We’ll discuss topics such as credential stuffing and the importance of managing common passwords found in public breaches. We’ll also discuss various strategies around storing passwords using modern algorithms and methods. * Importance of Password Storage * Credential Stuffing * Password Policy Updates from NIST[masked]b * Password Topologies * Offline Password Attacks * Password Cracking * Password Hashing Strategies * Password Keyed Protections * Hard-Coded Passwords and Backdoors Speaker: Jim Manico, Manicode Security Talk language: English About the Speaker: ********************* Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP foundation as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls.

SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...

SBA Research

Zielgruppe: Architekten, Entwickler, Tester, DevOps Schwerpunkt: technisch Abstract ********** Dieser Vortrag gibt eine kurze Einführung in die Welt des Threat Modeling. Es wird erklärt was Threat Modeling eigentlich ist, welche Methoden zur Verfügung stehen und wie man es ganz pragmatisch selbst anwenden kann. About the Speaker: ********************* Daniel Schwarz ist Senior Security Analyst bei der condignum GmbH in Wien. Nach seinem Abschluss an der FH St. Pölten im Bereich IT- und Information Security startete er beruflich als Penetration Tester und fokussierte sich als Security Consultant im Laufe der letzten sieben Jahren immer stärker auf die Themen sichere Softwareentwicklung, Secure Design, Threat Modeling und Security Requirements Engineering. In seiner Rolle bei der condignum GmbH beschäftigt er sich aktuell mit der Frage, wie genau diese Themen für Organisationen jeder Größe effizient und angemessen realisierbar gemacht werden können.

SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...

SBA Research

Zielgruppe: Alle Interessierten, kein elektrotechnisches Vorwissen notwendig Schwerpunkt: strategisch Abstract ********** In diesem Vortrag gibt es einen Einblick wie man das Stromnetz durch Cyber-Angriffe lahmlegt, ganz ohne Smart-Grid-Funktionalität. Wir sprechen über das Management von Stromnetzen, optimale Strategien für den Angriff, warum Bitcoin und Ethereum nützlich sind oder auch schon einmal die Uhren um sieben Minuten nachgehen. About the Speaker: ********************* Johanna Ullrich is key researcher at SBA Research and leads the Networks and Critical Infrastructures Security Research Group. Johanna received an BSc in Electrical Engineering and Information Technology, an MSc in Automation Engineering, and an PhD sub auspiciis praesidentis in Computer Science being among the top students of Austria. In addition, she was awarded the Research Prize of the Dr. Maria Schaumayer Foundation and was nominated for the Hedy Lamarr Prize 2019 by the Austrian Research Promotion Agency (FFG). Johanna teaches graduate courses at University of Applied Sciences Wiener Neustadt, FH Technikum Wien as well as FH Campus Wien.

SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...

SBA Research

Zielgruppe: Personen die an Angriffsszenarien gegen IoT-Geräte und eingebettete Systeme interessiert sind Schwerpunkt: technisch Sprache: Deutsch Abstract: ********** Dieser Vortrag gibt einen Einblick in physische Angriffe gegen IoT-Geräte und eingebettete Systeme. Mögliche Angriffe sowie Gegenmaßnahmen werden im Überblick präsentiert. About the Speaker: ********************* Christian Kudera is researcher and security analyst at SBA Research. Christian received an MSc in Hardware & Software Security from TU Wien. Currently he is working towards his PhD degree with the focus on Internet of Things and embedded systems security. He has more than six years of experience as security analyst in the areas of hardware and software security. He teaches multiple courses at TU Wien (Internet Security, Advanced Internet Security) and at Universities of Applied Sciences (Rosenheim Technical University of Applied Sciences, FH Campus Wien, FH St. Pölten).

SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...

SBA Research

Target Group: Anyone interested in resilience and cyber security Focus: organizational Talk language: English Abstract ********* "Cyber Resilience – Failure is not an option" This lecture is dedicated to the topic of cyber-resilience and presents the basics and the differentiation from cyber-security as well as current standards and best practices. About the Speaker: ********************* Simon Tjoa is professor at St. Pölten University of Applied Sciences and has worked for 15 years in the information security domain. He is the academic director of the master programs Information Security and Applied Research and Innovation in Computer Science. Before joining St. Pölten University of Applied Sciences, he worked as security consultant and research at various organizations. He received his doctoral degree in informatics from University of Vienna. His research interests include critical infrastructure protection, digital forensics, cyber resilience and business process security. He is program committee and organizing committee member of several security related international workshops and conferences. Furthermore, he currently serves as secretary of IEEE SMC Austria Chapter and holds professional security certifications such as AMBCI, CISA or CISM.

SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa

SBA Research

Zielgruppe: “Neigungsgruppe Datenschutz”, Datenschutzverantwortliche etc, “Alle” Schwerpunkt: Grundlagen/Hintergrund/Awareness Sprache: Deutsch Abstract: ********* Wer hätte gedacht, dass Oracle einer der weltgrößten Datenhändler ist und etwa 2 Millionen Personenprofile mit tausenden personenbezogenen Attributen verwaltet? Wem ist bewusst, wie sich die Anwendung eines Personenprofils auswirken könnte? Wir alle kennen die DSGVO. Nicht jeder findet sie gut. Das Wissen darüber, warum es dennoch wichtig war, eine verbindliche und in Europa weitgehend einheitliche Rechtsgrundlage für die kommerzielle Vewendung von Daten zu erlassen, ist – abgesehen von Buzzwords wie Facebook und Cambridge Analytica – wenig verbreitet. About the Speaker: ********************* Gerald Sendera is Data Protection Supervisor and Legal Counsel for SBA Research. His consulting activities are focused on data protection management and GDPR-compliance, in which he combines legal knowledge with hands-on experience in information technology. Gerald graduated in law at the University of Vienna (Mag.iur) in 2001 and has been working in IT since 2004 in different functions. During his career he completed technical certification trainings for vendor solutions such as Avaya, Cisco or Oracle. He is CIS-certified “Data Protection Officer” and was awarded the “Privacy Professional” certification at Sigmund Freud University Vienna’s Training Academy.

SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera

SBA Research

Target Audience: Everyone involved in software development (developers and team leaders in software-oriented companies) Focus: technical Talk language: English Abstract ********** Single Page Application frameworks have brought us a boost in clean application architecture and also security, mainly because of a better separation of concerns. But using an SPA framework alone does not automatically get you bullet-proof security. There is still a lot to look out for, and, for example, XSS is not a fully solved problem yet. In this talk, we’ll explore the most important security pitfalls SPA frameworks and how to solve them. We’ll also compare some of the security features of the most common SPA frameworks Angular, React and Vue.js. About the Speaker: ********************* Thomas Konrad is Principal Security Consultant at SBA Research and has been part of software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.

SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad

SBA Research

Target Audience: Everyone involved in software development (developers, team leaders, CISOs in software-oriented companies) Focus: technical Talk language: English Abstract ********* Let’s face it: There is no such thing as a big-bang launch any more. We all want to be agile and react quickly to the wishes and demands of our customers in software development. The downside of this approach is that security has a hard time keeping pace, thereby often being completely neglected. That’s why we need to bridge the gap between security and agility. In this talk, we’ll have a look at how security can become an integral part of the development process, and more than just a penetration test at the end. We’ll see how we can overcome immediate pain and get strategic focus in software security. About the Speaker: ********************* Thomas Konrad is Principal Security Consultant at SBA Research and has been part of software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...

SBA Research

Zielgruppe: Admins, CISOs Schwerpunkt: organisatorisch & technisch Sprache: Deutsch Abstract: ********** An Hand von typischen Audit-Findings diskutieren wir entlang der „Dreifaltigkeit“ People – Processes – Technology die wichtigsten Sicherheitsaspekte zum Thema Remote Access und Telearbeit. Nachdem wir im ersten Termin bereits die Bereiche People und Processes behandelt haben, werden wir in diesem Talk auf den Bereich Technoloy eingehen und auch einen kurzen Ausblick auf einige fortgeschrittenere Ideen wie Zero Trust Architekturen geben. About the Speaker: ********************* Philipp Reisinger is consultant in the Information Security Management team. He received his master’s degree in “Information Security” at the St. Pölten University of Applied Sciences and is CISSP and CISA certified. His consulting activities are focused on the organizational aspects of information security such as: Information security management systems (ISMS), ISO27001 gap and business impact analyses, IT/IS audit, Information risk management and Security Awareness Günther Roat is consultant and team lead of the Information Security Management team at SBA Research. He is a Microsoft Certified Technology Specialist and received his degree in Business Informatics at the University of Applied Sciences Technikum Vienna. His consulting activities are focused on the organizational aspects of information security.

SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...

SBA Research

Target Group: SysAdmins, anyone interested in PKI Focus: technical Language: English Abstract: ********** Revocation of TLS certificates used by web browsers has been broken for years. Why is that, and can the newly proposed CRLite technology solve the problem? About the Speaker: ********************* Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser ...

SBA Research

Zielgruppe: CEOs, CIOs, CTOs, CISOs, Supply Chain Manager Schwerpunkt: organisatorisch Sprache: Deutsch Abstract ********** Können Sie diese Frage mit „gut“ beantworten? Digitale und Cyber-Risiken werden mittlerweile als Top-Risiken für Unternehmen betrachtet. Aktuelle Entwicklungen wie Industrie 4.0, Digitalisierung, Internet of Things oder Smart Home werden diesen Trend weiter verstärken. Aber verstehen wir diese Risiken auch entlang unserer Wertschöpfungskette? Weltweit gibt es vermehrt Angriffe auf Unternehmen und deren Supply-Chain-Partner, bei denen entweder heikle (Kunden-) Daten gestohlen oder die Produktionsabläufe beeinträchtigt werden – in manchen Fällen bis hin zum Produktionsstopp. About the Speaker: *********************** Stefan Jakoubi ist Geschäftsleiter für den Bereich „Professional Services“ bei SBA Research. Er ist seit über 13 Jahren im Großraum der Informationssicherheit tätig und "Sicherheits-Architekt" für Kunden und Forschungspartner. Hierbei liegt sein spezieller Fokus auf dem balancierten Zusammenspiel geschäftlicher Anforderungen und erforderlicher Sicherheitsmaßnahmen, um Entscheidungsträger in der Erfüllung ihrer Sorgfaltspflichten entsprechend zu unterstützen. Am liebsten hält er allerdings Security Awareness Vorträge, um komplexe Themengebiete zielgruppengerecht "zu übersetzen".

SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...

SBA Research

Zielgruppe: Admins, CIO Schwerpunkt: technisch Sprache: Deutsch Abstract ********** In Unternehmen werden Vertrauensbeziehungen zwischen Active Directory Forests angelegt. Ist damit die eigene Domäne in Gefahr? Der Talk zeigt exotischere Angriffe innerhalb von Active Directory und über Forest-Grenzen hinweg. Und warum wir durch Drucker dem Untergang geweiht sind. About the Speaker: ********************* Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.

SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...

SBA Research

Abstract: Remote Access – Top Security Challenges An Hand von typischen Audit-Findings diskutieren wir entlang der „Dreifaltigkeit“ People – Processes – Technology die wichtigsten Sicherheitsaspekte zum Thema Remote Access und Telearbeit. Speaker: Günther Roat, SBA Research Philipp Reisinger, SBA Research Talk language: German About the Speaker: ********************* Günther Roat is consultant and team lead of the Information Security Management team at SBA Research. He is a Microsoft Certified Technology Specialist and received his degree in Business Informatics at the University of Applied Sciences Technikum Vienna. His consulting activities are focused on the organizational aspects of information security. Philipp Reisinger is consultant in the Information Security Management team. He received his master’s degree in “Information Security” at the St. Pölten University of Applied Sciences and is CISSP and CISA certified. His consulting activities are focused on the organizational aspects of information security such as: Information security management systems (ISMS), ISO27001 gap and business impact analyses, IT/IS audit, Information risk management and Security Awareness

SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...

SBA Research

Mais de SBA Research (19)