Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTPS & TLS in 2016: Security practices from th...

Kenn White
October 13, 2016

HTTPS & TLS in 2016: Security practices from the front lines

AppSecUSA Washington, DC
October 13, 2016

Kenn White

October 13, 2016
Tweet

More Decks by Kenn White

Other Decks in Technology

Transcript

  1. HTTPS & TLS in 2016 Security prac6ces from the front

    lines Kenneth White, opencryptoaudit.org/people Eric Mill, [email protected] AppSecUSA, Washington October 13, 2016
  2. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs (201) •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
  3. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
  4. Modern encryption is authenticated. Authentication protects against impersonation. Authentication requires

    tamper-resistance: Hashes Message Authentication Codes (MACs) Nonces Authenticity
  5. Modern encryption is authenticated. Authentication protects against impersonation. Authentication requires

    tamper-resistance: Hashes Message Authentication Codes (MACs) Nonces Authenticity
  6. Modern encryption is authenticated. Authentication protects against impersonation. Authentication requires

    tamper-resistance: Hashes Message Authentication Codes (MACs) Nonces Authenticity
  7. If you encrypt app data on your network, but don’t

    authenticate it, it’s not your data. Unsigned (or signed-then-encrypted) network packets allow me to become you. Without auth, Admin=0 becomes: Admin=1 Authenticity
  8. If you encrypt app data on your network, but don’t

    authenticate it, it’s not your data. Unsigned (or signed-then-encrypted) network packets allow me to become you. Without auth, Admin=0 becomes: Admin=1 Authenticity
  9. If you encrypt app data on your network, but don’t

    authenticate it, it’s not your data. Unsigned (or signed-then-encrypted) network packets allow me to become you. Without auth, Admin=0 becomes: Admin=1 Authenticity
  10. Integrity Anyone on the network can freely modify a website

    that isn’t using HTTPS. Using plain HTTP voids any strong privacy or security guarantees a website claims to offer.
  11. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
  12. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
  13. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
  14. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
  15. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
  16. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA
  17. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA
  18. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA
  19. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  20. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA
  21. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  22. Highly Recommended Qualys SSL Labs hVps://www.ssllabs.com/ssltest/ Bulletproof SSL & TLS

    hVps://www.feistyduck.com/books/bulletproof-ssl-and-tls/ Mirage TLS handshake interac6ve server hVps://tls.openmirage.org/ Adam Langley: Matching primi6ve strengths hVps://www.imperialviolet.org/2014/05/25/strengthmatching.html
  23. Highly Recommended Mozilla Server-Side TLS/SSL Config Generator hVps://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Security/Server-Side

    TLS Wiki hVps://wiki.mozilla.org/Security/Server_Side_TLS ScoV Helme: Windows TLS config hVps://scoVhelme.co.uk/gecng-an-a-on-the-qualys-ssl-test-windows-edi6on/ ScoV Helme: Let’s Encrypt ECDSA cer6ficates hVps://scoVhelme.co.uk/ecdsa-cer6ficates/
  24. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
  25. OpenSSL 1.1 Audit Directed by the Open Crypto Audit Project

    (opencryptoaudit.org) Commissioned by Linux Founda6on’s Core Infrastructure IniVaVve (CII) Ambi6ous Scope Independent review Coordina6ng closely with OpenSSL core team Delayed for v. 1.1 maturity (significant refactor) Diverse, complex codebase: Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris) Intel x86 (incl. AES-NI), ARM6/7, MIPS, PowerPC, Alpha… FIPS module
  26. OpenSSL 1.1 Audit Major Goals –  Thorough public security analysis

    of the core code in the next major release of OpenSSL –  Demonstrate viability of a reusable open source test harness framework –  Foster web-scale peer-reviewed public tools & data sets for protocol & nego6a6on analysis
  27. OpenSSL 1.1 Audit Phase 1 Goals •  BigNum: multiprecision ints,

    constant time, blinding •  BIO (focus on composition & file functions) •  ASN.1 & x509 (cert & key parsing, DER/PEM decoding, structs, subordinate chains) •  93M cert corpus, “Frankencert” fuzzing
  28. OpenSSL 1.1 Audit Phase 2 Goals •  TLS state machine

    •  EVP (PKI constructions, H/MACs, envelopes) •  Protocol flows, core engine implementation •  Memory management •  Crypto core (RSA, SHA-2, DH/ECDH, CBC, GGM…)
  29. OpenSSL 1.1 Audit Refactored: BIO networking library (full support for

    IPv6) EVP Bignum Core data structures Record Layer rewrite SSL/TLS state machine Version nego6a6on
  30. OpenSSL 1.1 Audit Removed: SSLv2 40- and 56-bit cipher support

    FIPS 140-2 module (but coming soon: hVps://www.openssl.org/blog/blog/2016/07/20/fips/) Kerberos ciphersuite support Removed from DEFAULT ciphersuites: RC4
  31. OpenSSL 1.1 Audit Added: AFALG engine (Linux userspace hardware crypto

    via netlink: hVps://lwn.net/Ar6cles/410763/) Asynchronous crypto opera6ons (libcrypto and libssl) CCM (authen6cated) block cipher mode ChaCha/Poly (see: hVps://news.ycombinator.com/item?id=10710140) HKDF (HMAC-based Extract-and-Expand Key Deriva6on Func6on) OCB (authen6cated) block cipher mode Pipelining, Threading API Scrypt Curve25519: (see: hVps://www.ieo.org/mail-archive/web/cfrg/current/msg04996.html)
  32. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A