
Getting TLS Right


Not all TLS deployments are created equal. Poorly configured TLS can trick users into thinking their browsing experience is safe, yet leave them vulnerable to devastating man-in-the-middle attacks, surveillance, and identity theft. Not to mention, a janky TLS setup can slow your otherwise performant site to a halt. In my talk, I will provide a primer on how to set up TLS for strong security and excellent performance. Additionally, I will discuss the TLS protocol to better familiarize the audience with the way that certificates and public key cryptography work to provide a secure web experience.

Zack Tollman

March 14, 2015


Transcript

  1. SSL Pulse: reviews SSL/TLS sites in Alexa’s Top 300k sites. https://www.trustworthyinternet.org/ssl-pulse/
  2. “misconfiguration errors are undermining the potential security” Kranch & Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf
  3. “developers who should be in the best position to understand these new tools” Kranch & Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf
  4. “industry-wide configuration problem with the deployment of DHE key exchange” Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf
  5. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_certificate /path/to/public.crt;
     ssl_certificate_key /path/to/private.key;
     ssl_prefer_server_ciphers on;
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384…;
     https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf
  6. Protocol timeline alongside contemporaneous PHP releases: SSLv2 (1995, PHP Tools); SSLv3 (1996, PHP/FI 2.0); TLSv1.0 (1999, PHP 3.0); TLSv1.1 (2006, PHP 5.2); TLSv1.2 (2008, PHP 5.2.8)
  7. Content-Security-Policy: default-src 'self' https:; font-src https://fonts.gstatic.com; img-src 'self' https:; style-src 'self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com
  13. Content-Security-Policy-Report-Only: default-src 'self' https:; font-src https://fonts.gstatic.com; img-src 'self' https:; style-src 'self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com; report-uri /beacon.php
  14. Further reading: The Code Book (Simon Singh); High Performance Browser Networking, TLS chapter (Ilya Grigorik); Bulletproof SSL and TLS (Ivan Ristic); SSL and TLS: Designing and Building Secure Systems (Eric Rescorla)
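Slides 7 and 13 show a policy first enforced and then rolled out in Report-Only mode with a report-uri. The following is an added example, not code from the talk: it parses that policy, decides whether a URI is allowed under the CSP source forms the slides use ('self', a bare scheme, a scheme://host source, with fallback to default-src), and triages a violation report of the kind a browser POSTs to the beacon endpoint. The report body is constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Policy text from slide 7 of the deck.
CSP = ("default-src 'self' https:; font-src https://fonts.gstatic.com; "
       "img-src 'self' https:; style-src 'self' https: https://fonts.googleapis.com; "
       "script-src 'self' https: https://ssl.google-analytics.com")

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(src, uri, document_uri):
    """Match the source-expression forms used in this policy:
    'self', a bare scheme such as https:, and a scheme://host source."""
    u, d = urlsplit(uri), urlsplit(document_uri)
    if src == "'self'":
        return (u.scheme, u.netloc) == (d.scheme, d.netloc)
    if src.endswith(":") and "//" not in src:      # scheme-source, e.g. https:
        return u.scheme == src[:-1]
    s = urlsplit(src)                               # host-source with scheme
    return (u.scheme, u.netloc) == (s.scheme, s.netloc)

def allowed(policy, directive, uri, document_uri):
    """Fetch directives fall back to default-src when not set explicitly."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, uri, document_uri) for s in sources)

def triage_report(body):
    """Return (effective directive, blocked URI, True if the policy really blocks it).
    Browsers POST reports as JSON under a single top-level 'csp-report' key."""
    rep = json.loads(body)["csp-report"]
    directive = rep.get("effective-directive") or rep["violated-directive"].split()[0]
    policy = parse_csp(rep["original-policy"])
    blocked = rep["blocked-uri"]
    return directive, blocked, not allowed(policy, directive, blocked, rep["document-uri"])

# Constructed report: a plain-http script on an https page, the mixed-content
# case the 'https:' source list surfaces during a Report-Only rollout.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://blog.example.test/post/1",
    "violated-directive": "script-src 'self' https: https://ssl.google-analytics.com",
    "effective-directive": "script-src",
    "original-policy": CSP,
    "blocked-uri": "http://cdn.example.test/widget.js",
    "status-code": 200}})
```

Running `triage_report(SAMPLE_REPORT)` yields the directive, the offending URI and a confirmation that the enforced policy would block it, which is the data a beacon endpoint needs to log before switching from Report-Only to enforcement.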