Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The first few milliseconds of HTTPS

Joshua Thijssen
January 16, 2014
Technology
1
82

The first few milliseconds of HTTPS

AmsterdamPHP meetup

Joshua Thijssen

January 16, 2014
Tweet

More Decks by Joshua Thijssen

See All by Joshua Thijssen
RAFT: A story on how clusters of computers keep your data in sync
jaytaph
0
30
The first few milliseconds of HTTPS
jaytaph
0
170
Paradoxes and theorems every developer should know
jaytaph
0
220
Paradoxes and theorems every developer should know
jaytaph
0
530
The first few milliseconds of HTTPS - PHPNW16
jaytaph
1
170
compiler_-_php010.pdf
jaytaph
0
80
Paradoxes and theorems every developer should know
jaytaph
0
190
Introduction into interpreters, compilers and JIT
jaytaph
1
230
Paradoxes and theorems every developer should know
jaytaph
1
830

Other Decks in Technology

See All in Technology
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
13
1.6k
140年の歴史あるエンタープライズ企業の内製化×マイクロサービス化への航海
yussugi
0
1.5k
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
180
Storybook との上手な向き合い方を考える
re_taro
5
3.7k
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
130
Application Development WG Intro at AppDeveloperCon
salaboy
0
210
OCI Vault 概要
oracle4engineer
PRO
0
9.8k
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
610
The Role of Developer Relations in AI Product Success.
giftojabu1
0
160
日経電子版のStoreKit2フルリニューアル
shimastripe
2
160
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
670
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
3
380

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Ruby is Unlike a Banana
tanoku
97
11k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Scaling GitHub
holman
458
140k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Navigating Team Friction
lara
183
14k
Fireside Chat
paigeccino
34
3k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
24k

Transcript

  1. The first 200 milliseconds of HTTPS 1 Joshua Thijssen jaytaph

  2. 2 Joshua Thijssen Freelance consultant, developer and trainer @ NoxLogic

    Founder of the Dutch Web Alliance Development in PHP, Python, C, Java. Lead developer of Saffire. Blog: http://adayinthelifeof.nl Email: [email protected] Twitter: @jaytaph

  3. 3

  4. ➡ What’s happening in the first 200+ milliseconds on a

    HTTPS connection. 3

  5. ➡ What’s happening in the first 200+ milliseconds on a

    HTTPS connection. ➡ Give tips and hints on hardening your setup. 3

  6. ➡ What’s happening in the first 200+ milliseconds on a

    HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights in new and upcoming technologies. 3

  7. ➡ What’s happening in the first 200+ milliseconds on a

    HTTPS connection. ➡ Give tips and hints on hardening your setup. ➡ Give you insights in new and upcoming technologies. ➡ Show you things to you (probably) didn’t knew. 3

  8. This talk is inspired by a blogpost from Jeff Moser

    http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html Unknown fact! 4

  9. HTTPwut? 5

  10. HTTP over TLS 6

  11. Secure Socket Layer (SSL) 7 A short and scary history

  12. then now 8

  13. then now SSL 1.0 Vaporware 1994 8

  14. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer SSL 1.0 Vaporware

    1994 8

  15. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! SSL 1.0 Vaporware 1994 8

  16. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 SSL 1.0 Vaporware 1994 8

  17. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 apr 2006 TLS 1.1 SSL 1.0 Vaporware 1994 8

  18. then now feb 1995 SSL 2.0 Not-so-secure-socket-layer jun 1996 SSL

    3.0 Something stable! jan 1999 TLS 1.0 SSL 3.1 apr 2006 TLS 1.1 TLS 1.2 aug 2008 SSL 1.0 Vaporware 1994 8

  19. https://www.trustworthyinternet.org/ssl-pulse/ Supported versions - november 2013 25,7% 99,6% 99,3% 18,2%

    20,7% SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 9

  20. https://www.trustworthyinternet.org/ssl-pulse/ Supported versions - november 2013 25,7% 99,6% 99,3% 18,2%

    20,7% SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 9 borked

  21. https://www.trustworthyinternet.org/ssl-pulse/ Supported versions - november 2013 25,7% 99,6% 99,3% 18,2%

    20,7% SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 9 borked meh

  22. https://www.trustworthyinternet.org/ssl-pulse/ Supported versions - november 2013 25,7% 99,6% 99,3% 18,2%

    20,7% SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 9 borked meh ok

  23. RFC 5246 (TLS v1.2) 10

  24. 11 * We can with openssl

  25. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* 11 *

    We can with openssl

  26. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* ➡ Difficult

    algorithms and handshakes 11 * We can with openssl

  27. ➡ Binary protocol - so no quick telnet-to-see-if-it-works* ➡ Difficult

    algorithms and handshakes ➡ (Easy) extendible 11 * We can with openssl

  28. 12 https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

  29. Attention: (live) wiresharking up ahead 13

  30. 14

  31. 15

  32. Generating randomness is HARD 16

  33. entropy (uncertainty) 17

  34. TIME is NOT random thus not a very good entropy

    source 18

  35. PHP is bad when it comes to entropy 19 Unknown

    fact!

  36. srand(microtime()) 20 Unknown fact!

  37. rand() mt_rand() uniqid() 21

  38. openssl_pseudo_random_bytes() read from /dev/(u)random Use a HRNG “A million random

    digits” https://github.com/ircmaxell/RandomLib 22

  39. 23

  40. 24

  41. 24 ➡ SNI (Server Name Indication)

  42. 24 ➡ SNI (Server Name Indication) ➡ Extension 0x0000

  43. 24 ➡ SNI (Server Name Indication) ➡ Extension 0x0000 ➡

    Pretty much every decent browser / server.

  44. 24 ➡ SNI (Server Name Indication) ➡ Extension 0x0000 ➡

    Pretty much every decent browser / server. ➡ Isn’t supported by: IE6, Win XP, Blackberry, Android 2.x

  45. 24 ➡ SNI (Server Name Indication) ➡ Extension 0x0000 ➡

    Pretty much every decent browser / server. ➡ Isn’t supported by: IE6, Win XP, Blackberry, Android 2.x ➡ So no worries!

  46. 25

  47. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 26

  48. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 27

  49. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    27

  50. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    Used for authenticating key information 27

  51. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    Used for authenticating key information Actual cipher (and length) used for communication 27

  52. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    Used for authenticating key information Actual cipher (and length) used for communication Block cipher mode 27

  53. TLS ECDHE_ECDSA WITH AES_128_GCM SHA256 Used for exchanging key information

    Used for authenticating key information Used for message authenticating Actual cipher (and length) used for communication Block cipher mode 27

  54. TLS_RSA_WITH_AES_256_CBC_SHA256 28

  55. TLS_NULL_WITH_NULL_NULL 29

  56. Client gives cipher options, Server ultimately decides on cipher! 30

  57. THIS IS WHY YOU SHOULD ALWAYS CONFIGURE YOUR CIPHERS ON

    YOUR WEBSERVER! 31 Unknown fact!

  58. SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384

    \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; Apache Nginx 32 https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

  59. https://www.ssllabs.com/ssltest/ 33

  60. 34

  61. 35

  62. 36

  63. 37

  64. 38

  65. What an SSL certificate is NOT: 39

  66. What an SSL certificate is NOT: 39 ➡ SSL certificate

    (but a X.509 certificate)

  67. What an SSL certificate is NOT: 39 ➡ SSL certificate

    (but a X.509 certificate) ➡ Automatically secure

  68. What an SSL certificate is NOT: 39 ➡ SSL certificate

    (but a X.509 certificate) ➡ Automatically secure ➡ Automatically trustworthy

  69. What an SSL certificate is NOT: 39 ➡ SSL certificate

    (but a X.509 certificate) ➡ Automatically secure ➡ Automatically trustworthy ➡ In any way better self-signed certificates

  70. What an SSL certificate is NOT: 39 ➡ SSL certificate

    (but a X.509 certificate) ➡ Automatically secure ➡ Automatically trustworthy ➡ In any way better self-signed certificates ➡ Cheap

  71. What an SSL certificate is: 40

  72. What an SSL certificate is: 40 ➡ The best way

    (but not perfect) to prove authenticity

  73. What an SSL certificate is: 40 ➡ The best way

    (but not perfect) to prove authenticity ➡ A way to bootstrap encrypted communication

  74. What an SSL certificate is: 40 ➡ The best way

    (but not perfect) to prove authenticity ➡ A way to bootstrap encrypted communication ➡ Misleading

  75. What an SSL certificate is: 40 ➡ The best way

    (but not perfect) to prove authenticity ➡ A way to bootstrap encrypted communication ➡ Misleading ➡ (Too) Expensive

  76. 41

  77. 41 ➡ X.509 Certificate

  78. 41 ➡ X.509 Certificate ➡ Owner info (who is this

    owner)

  79. 41 ➡ X.509 Certificate ➡ Owner info (who is this

    owner) ➡ Domain info (for which domain(s) is this certificate valid)

  80. 41 ➡ X.509 Certificate ➡ Owner info (who is this

    owner) ➡ Domain info (for which domain(s) is this certificate valid) ➡ Expiry info (from when to when is this certificate valid)

  81. 42

  82. 43 yourdomain.com

  83. 43 yourdomain.com Intermediate CA

  84. 43 yourdomain.com Intermediate CA

  85. 43 yourdomain.com Root CA Intermediate CA

  86. 43 yourdomain.com Root CA Intermediate CA

  87. 43 yourdomain.com Root CA Intermediate CA

  88. 44 IMPLIED TRU$T

  89. ➡ (Root) Certificate Authorities ➡ They are built into your

    browser / OS and you will automatically trust them. 45

  90. 46 wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer |

    sort | uniq | wc -l

  91. 46 wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer |

    sort | uniq | wc -l 174

  92. 47

  93. 48

  94. 49 Generating secrets:

  95. 49 pre master secret server rand client rand Generating secrets:

    + +

  96. 49 pre master secret server rand client rand master secret

    Generating secrets: + +

  97. 49 pre master secret server rand client rand master secret

    master secret server rand client rand Generating secrets: + + + +

  98. 49 pre master secret server rand client rand master secret

    master secret server rand client rand key buffer Generating secrets: + + + +

  99. 49 pre master secret server rand client rand master secret

    client MAC client KEY client IV server MAC server KEY server IV master secret server rand client rand key buffer Generating secrets: + + + +

  100. 50

  101. 51

  102. 52

  103. 53

  104. 54

  105. 55 Wireshark CAN decrypt your HTTPS traffic Unknown fact! SSLKEYLOGFILE

    https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

  106. 56 launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret on a mac:

  107. 57

  108. ➡ TLS has overhead in computation and transfers. But definitely

    worth it. ➡ Some ciphersuites are better, but slower ➡ Speed / Security compromise 58

  109. Are we safe yet? 59

  110. euh,.. no :/ 60

  111. 61 PRE MASTER SECRET

  112. What if somebody* got hold of the site private key?

    62

  113. 63

  114. 64

  115. 65

  116. 66 Playing the waiting game...

  117. 66 Playing the waiting game...

  118. 67

  119. 68

  120. (PERFECT) FORWARDING SECRECY 69

  121. Compromising the pre-master secret does not compromise our communication. 70

  122. PFS: Can’t compromise other keys with a compromised key. 71

  123. Unfortunately.. 72

  124. 73 PFS needs server AND browser support

  125. 74 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  126. 75 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

  127. All bets are of when using MS and Apple. 76

  128. Update your cipher suite list and place PFS ciphers at

    the top 77

  129. But beware: heavy computations 78

  130. 79 SSL Test https://www.ssllabs.com/ssltest/

  131. -ETOOMUCHINFO 80

  132. 81 ➡ Unless you got good reasons not to, get

    the cheapest certificate possible. ➡ Add the HTTP Strict Transport Security header. ➡ Don’t support SSLv3 or older ➡ Support PFS ➡ Check through https://ssllabs.com/ssltest

  133. 82 https://www.ssllabs.com/projects/best-practices/index.html

  134. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg 83

  135. 84 Find me on twitter: @jaytaph Find me for development

    and training: www.noxlogic.nl Find me on email: [email protected] Find me for blogs: www.adayinthelifeof.nl http://joind.in/10397

  136. 85