HTTPS is Coming: Are you Prepared?

Transcript

1. HTTPS is Coming Zack Tollman @tollmanz

2. None

3. “Pervasive monitoring is a technical attack that should be mitigated

   in the design of IETF protocols, where possible.” — IETF https://tools.ietf.org/html/rfc7258

4. “Today we are announcing our intent to phase out non-secure

   HTTP” — Richard Barnes, Firefox Security Lead https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

5. HTTP/2 is TLS only in Chrome, Firefox, Opera, IE/Edge, and

   Safari https://wiki.mozilla.org/Networking/http2

6. Now Later Less TLS More TLS

7. TLS knowledge is now essential

8. We are bad at TLS

9. 68% of sites are not secure https://www.trustworthyinternet.org/ssl-pulse/

10. 95% do not support HSTS https://www.trustworthyinternet.org/ssl-pulse/

11. 25% do not support Perfect Forward Secrecy https://www.trustworthyinternet.org/ssl-pulse/

12. “misconfiguration errors are undermining the potential security” — Kranch &

    Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf

13. “industry-wide configuration problem with the deployment of DHE key exchange”

    — Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf

14. We don’t seem to understand TLS

15. Let’s fix that

16. 1. Understand TLS 2. Acquire certificate 3. Configure TLS

17. Quick Note on TLS and SSL

18. SSL v2 SSL v3 TLS v1 TLS v1.1 TLS v1.2

    1995 1996 1999 2006 2008

19. Encryption Integrity Authentication Key Exchange

20. Authentication

21. Is the server the intended server?

22. Chain of “trust”

23. End Certificate example.com Signing algorithm Signature Public Key Public Exponent

24. End Intermediate Certificate CA certificate Signature

25. End Root Certificate In browser Signature Intermediate

26. End Intermediate Root Trusts Trusts

27. Integrity

28. Is the message received the message sent?

29. Data Data

30. Data Data Hash Encrypt

31. Data Data Hash Encrypt Encrypt

32. Data Data Hash Encrypt Encrypt Receiver

33. Receiver has encrypted hash and encrypted data

34. E-Hash E-Data

35. E-Hash E-Data P-Hash P-Data

36. E-Hash E-Data P-Hash P-Data Hash

37. Hash Hash =

38. Encryption

39. Converts plaintext to ciphertext

40. c u c j b e y q

41. c u c j b e y q p h

    p w o r l d

42. A B C D E F N O P Q

    R S +13

43. Algorithm: Letter + 13 = Cipher Letter

44. Substitution Cipher Caesar Cipher

45. Key

46. Key 13

47. Weak cipher

48. Secrecy in algorithm is a problem

49. Secrecy in key is better

50. Advanced Encryption Standard - Rijndael http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

51. Many rounds of substitution and permutations

52. Key Exchange

53. How do we establish an encryption key for 2 unknown

    parties over an insecure connection?

54. http://en.wikipedia.org/wiki/Enigma_machine#/media/File:Kenngruppenheft.jpg Ben Slivka

55. Couriers delivered the daily keys

56. http://en.wikipedia.org/wiki/Jeff_Bezos#/media/File:Jeff_Bezos%27_iconic_laugh.jpg

57. Doesn’t work for the modern web

58. Diffie-Hellman-Merkle key exchange

59. Each individual has a key by the time the process

    is complete

60. Demo p = 23 g = 5

61. s is a premaster secret from which the master secret

    is derived

62. Master secret is the key used for encryption

63. Trapdoor functions

64. Easy one way

65. Impossibly difficult the other way

66. If a, b, g, or p are different, s is

    different

67. Perfect forward secrecy

68. Lavabit

69. I failed to update the Lavabit SSL configuration to prefer

    ciphers that provided perfect forward secrecy. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/

70. Cipher Suites

71. Combination of algorithms for authentication, integrity, encryption, and key exchange

72. ECDHE-RSA-AES128-GCM-SHA256

73. ECDHE-RSA-AES128-GCM-SHA256 Key Exchange

74. ECDHE-RSA-AES128-GCM-SHA256 Certificate signing algorithm (Authentication)

75. ECDHE-RSA-AES128-GCM-SHA256 Cipher (Encryption)

76. ECDHE-RSA-AES128-GCM-SHA256 Message authentication code (Integrity)

77. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA- AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA- AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128- SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-

    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256- SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128- SHA256:AES256-SHA256:AES128-SHA:AES256- SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3- SHA

78. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA- AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA- AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128- SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-

    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256- SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128- SHA256:AES256-SHA256:AES128-SHA:AES256- SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3- SHA

79. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA- AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA- AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128- SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-

    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256- SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128- SHA256:AES256-SHA256:AES128-SHA:AES256- SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3- SHA
80. None
81. None

82. TLS Handshake

83. Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec

    Finished Application Data

84. 1. Client hello Cipher suites TLS version Random bytes Client

    -> Server

85. 2. Server hello Cipher suite choice TLS version choice Server

    -> Client

86. 3. Certificate Certificate chain sent Cert signature matches auth algorithm

    Server -> Client

87. 4. Server Key Exchange Info for key exchange Server ->

    Client

88. 5. Server Hello Done Server has sent all info Server

    -> Client

89. 6. Client Key Exchange Info for key exchange Client ->

    Server

90. 7. Change Cipher Spec Enough info for encryption Switch to

    encryption Client -> Server

91. 8. Finished Signals that handshake is done Client -> Server

92. 9. Change Cipher Spec Server -> Client

93. 10. Finished Server -> Client

94. TLS Handshake demo with Wireshark

95. HTTP Strict Transport Security

96. SSL Stripping http://www.thoughtcrime.org/software/sslstrip/

97. What if HTTP variant was never accessed?

98. HSTS blocks browser from HTTP version of site

99. Set HSTS only after mixed content issues are resolved

100. add_header Strict-Transport- Security 'max-age=31536000';

101. add_header Strict-Transport- Security 'max-age=31536000; includeSubDomains';

102. Mixed Content

103. HTTP assets in HTTPS page is an attack vector

104. Content Security Policy

105. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

106. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

107. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

108. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

109. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

110. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

111. Content-Security-Policy-Report- Only: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self'

     https:; style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com; report-uri /beacon.php

112. upgrade-insecure-requests coming soon http://www.w3.org/TR/upgrade-insecure-requests/

113. Automated Certificate Management Environment (ACME)

114. Let’s Encrypt

115. TLS Configuration Needs Maintenance

116. A theoretical weakness became practical. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/

117. I missed that development. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/