State-of-the-Art Using TLS
@duongkai 
Security Bootcamp, Da Nang, 2014
/me 
✓ Phạm Tùng Dương 
✓ Solution Engineer @ISP 
✓ Security Interested
This Talk is All About Using 
When I say SSL 
It means TLS 
and/or SSL
It could be written as a book
Hope I can do well in this talk!
Yeah, and Some… 
It’s Soooo Sleepy!
Somewhere on the Earth…
SSL-by-default
It’s More Important Than Ever
Protocol Attacks 
✓ 2009: SSL Insecure Renegotiation
✓ 2011: BEAST
✓ 2012: CRIME
✓ 2013: RC4 biases, Lucky 13, BREACH
✓ 2014: POODLE
And in 2014
✓ Heartbleed and CCS in OpenSSL
✓ Goto in GnuTLS
✓ BERserk in Mozilla NSS
➔ 3 Biggest SSL implementations
In Pentest Industry
You Are Doing It Wrong
✓ It’s too complex.
✓ Crypto-related material is often hard to understand.
SSL IN ACTION 
Or Your Service Should Be SSL By Default!
SSL Version
✓ First developed at Netscape
✓ SSL v2: Oldest and broken
✓ SSL v3 (1996). Old and almost secure.
✓ TLS 1.0 (1999). Fine protocol
✓ TLS 1.1 (2006). No known practical attacks.
✓ TLS 1.2 (2008). The most secure until now
✓ TLS 1.3 is being developed
https://www.trustworthyinternet.org/ssl-pulse/
SSL Version
✓ First developed at Netscape
✓ SSL v2: Oldest and broken
✓ SSL v3 (1996). Old and almost secure. It is NOT SECURE NOW.
✓ TLS 1.0 (1999). Fine protocol
✓ TLS 1.1 (2006). No known practical attacks.
✓ TLS 1.2 (2008). The most secure until now
✓ TLS 1.3 is being developed
https://www.trustworthyinternet.org/ssl-pulse/
Protocol In A Glance
Cipher Suite 
DHE-RSA-AES256-SHA
Terms 
✓ CSR, Certificates, EV-Cert and CA.
✓ Private key.
✓ Block ciphers vs Stream ciphers
✓ PFS (Letter E): Perfect Forward Secrecy
✓ Curves and Curves: Elliptic Curve
✓ X509, PEM, PKCS#12 and conversion.
✓OpenSSL
Checklist 
1. Update to the latest version (OS, software)
2. Get a 2048-bit certificate from a CA. Better if it supports SHA256
3. Know your legacy.
4. Configure TLS on your system.
5. Verify TLS configuration with your own hands.
Explanation 
2. Get a 2048-bit certificate from a CA. Better if it supports SHA256
✓ 1024 bit is weak and can be broken easily.[1]
[1] https://isc.sans.edu/diary/Confusion+over+SSL+and+1024+bit+keys/18775
✓ SHA-1 is on the way to being deprecated[2]
[2] https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1
✓ 4096 bit consumes too much CPU
3. Know your legacy 
✓ Supported protocol version. 
✓ Supported cipher suites. 
✓ Your compliance.
Explanation 
4. Configure TLS on your system. 
✓ Avoid insecure ciphers: RC4, DES, 3DES, MD5, SHA1,…
✓ Turn off SSLv3 support
✓ Turn off compression
✓ AES-128 is good enough (both secure and faster).
✓ Enable PFS if supported.
✓ Switch to using Poly1305, Salsa20 and EC
✓ Reference
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite
https://bettercrypto.org/static/applied-crypto-hardening.pdf
Explanation 
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
ssl_prefer_server_ciphers on;
CloudFlare config: https://github.com/cloudflare/sslconfig/blob/master/conf
Explanation: A+ 
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_trusted_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Session Resumption
ssl_session_timeout 20m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
# Enable OCSP stapling (req. nginx v 1.3.7+)
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
…
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
https://gist.github.com/kennwhite/25183c3f05266ee0ad7f
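A static check of the step 4 rules, run over the two nginx snippets shown on the slides. This is an added example, not part of the talk or of either linked config; the function names and rule labels are invented for this sketch, and it reads cipher strings token by token instead of expanding them with OpenSSL.

```python
import re

# Tokens the slides name as insecure. SHA1 is on that slide too but is not
# checked here: in suite names "SHA" is the HMAC, which this sketch does not grade.
WEAK_TOKENS = {"RC4", "DES", "3DES", "MD5"}
PFS_TOKENS = {"ECDHE", "DHE", "EECDH", "EDH"}   # ephemeral key exchange
OLD_PROTOCOLS = {"SSLv2", "SSLv3"}

# The two nginx snippets shown on the slides (TLS-relevant lines only).
CLOUDFLARE_SLIDE = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
ssl_prefer_server_ciphers on;
"""
APLUS_SLIDE = """
# Enable OCSP stapling (req. nginx v 1.3.7+)
ssl_stapling on;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
"""
# Constructed input: static-RSA suites only, no other TLS directives.
NO_PFS_SAMPLE = "server { listen 443 ssl; ssl_ciphers AES128-SHA:AES256-SHA; }"


def parse_directives(text):
    """Return [(name, [args])] from nginx config text.

    Handles '#' comments and quoted arguments containing ';' (the HSTS
    header value). Block braces are treated as statement separators.
    """
    directives, words, word, quote, in_comment = [], [], "", None, False
    for ch in text:
        if in_comment:                      # comment runs to end of line
            in_comment = ch != "\n"
        elif quote:                         # inside "..." or '...'
            if ch == quote:
                quote = None
            else:
                word += ch
        elif ch in "\"'":
            quote = ch
        elif ch == "#" or ch.isspace() or ch in ";{}":
            if word:
                words.append(word)
                word = ""
            if ch == "#":
                in_comment = True
            elif ch in ";{}" and words:
                directives.append((words[0], words[1:]))
                words = []
        else:
            word += ch
    return directives


def cipher_entries(cipher_string):
    """Split an OpenSSL cipher string into (entry, tokens) for entries that add suites."""
    entries = []
    for entry in re.split(r"[:, ]+", cipher_string):
        # '!' and '-' remove suites, a leading '+' only reorders them.
        if entry and entry[0] not in "!-+":
            entries.append((entry, set(re.split(r"[+-]", entry))))
    return entries


def audit(text):
    """Return a list of (rule, detail) findings for one config."""
    conf = {}
    for name, args in parse_directives(text):
        conf.setdefault(name, []).append(args)
    findings = []
    for args in conf.get("ssl_protocols", []):
        findings += [("old-protocol", p) for p in args if p in OLD_PROTOCOLS]
    entries = [e for args in conf.get("ssl_ciphers", [])
               for e in cipher_entries("".join(args))]
    findings += [("weak-cipher", entry) for entry, tokens in entries
                 if tokens & WEAK_TOKENS]
    if entries and not any(tokens & PFS_TOKENS for _, tokens in entries):
        findings.append(("no-pfs", "no ECDHE/DHE entry in ssl_ciphers"))
    if ["on"] not in conf.get("ssl_prefer_server_ciphers", []):
        findings.append(("no-server-preference", "ssl_prefer_server_ciphers is not on"))
    if not any(a and a[0].lower() == "strict-transport-security"
               for a in conf.get("add_header", [])):
        findings.append(("no-hsts", "no Strict-Transport-Security header"))
    return findings


if __name__ == "__main__":
    for label, conf in [("CloudFlare slide", CLOUDFLARE_SLIDE),
                        ("A+ slide", APLUS_SLIDE),
                        ("constructed no-PFS sample", NO_PFS_SAMPLE)]:
        print(label)
        for rule, detail in audit(conf):
            print(f"  {rule}: {detail}")
```

Both slide configs still carry entries from the talk's own avoid list (SSLv3 and RC4/3DES in the first, RC4-SHA in the second), which is the kind of drift step 5 is meant to catch.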
Explanation 
5. Verify TLS configuration with your own hands. 
✓ openssl s_client
✓ Cipherscan and some browser tools
✓ https://www.howsmyssl.com/
✓ https://cc.dcsec.uni-hannover.de/
✓ iSEC Partners SSLyze
✓ SSL Labs (https://www.ssllabs.com/)
✓ Get your hands dirty
If I have enough time… 
DEMO TIME 
Reference 
[1] HTTPS Everywhere, Ilya Grigorik
https://docs.google.com/presentation/d/15H8Sj-Zol1tcum0CSylhmXns5r7cvNFtzYrcwAzkTjM/present#slide=id.g12f3ee71d_10
[2] SSL Pulse Project
https://www.trustworthyinternet.org/ssl-pulse/
[3] How is my SSL now
https://www.howsmyssl.com/
[4] The Art and Science of SSL Configuration, Nick Galbreath
https://speakerdeck.com/ngalbreath/the-art-and-science-of-ssl-configuration
[5] Bulletproof TLS and SSL, Ivan Ristic, ISBN: 978-1907117046
Special Thanks to authors of photos about Da Nang and Hoi An (on Flickr): pierre_thach, nemesis1903
Q&A
