
Understanding HTTPS and TLS

Google, Firefox, and the IETF are currently engaged in major initiatives to convert the web to be secure by default. Page ranking, new browser APIs, and HTTP/2 are all pushing websites to require HTTPS. An HTTPS-only web is imminent. Unfortunately, according to SSL Pulse, 75% of the top 1 million websites that use HTTPS are not actually secure because of misconfiguration. Do you know how to configure HTTPS properly? In my talk, I will discuss the key aspects of HTTPS to empower developers to deploy truly secure HTTPS sites.

Zack Tollman

April 23, 2016

Transcript

  1. “Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.” — IETF https://tools.ietf.org/html/rfc7258
  2. “Today we are announcing our intent to phase out non-secure HTTP” — Richard Barnes, Firefox Security Lead https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
  3. HTTP/2 is TLS only in Chrome, Firefox, Opera, IE/Edge, and Safari https://wiki.mozilla.org/Networking/http2
  4. “misconfiguration errors are undermining the potential security” — Kranch & Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf
  5. “industry-wide configuration problem with the deployment of DHE key exchange” — Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf
  6. SSL v2 (1995), SSL v3 (1996), TLS v1 (1999), TLS v1.1 (2006), TLS v1.2 (2008)
  7. j b e q c e r f f
     w o r d p r e s s
  8. How do we establish an encryption key for 2 unknown parties over an insecure connection?
  9. By Alessandro Nassiri - Museo della Scienza e della Tecnologia "Leonardo da Vinci", CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=47910919
  10. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_certificate /path/to/public.crt;
      ssl_certificate_key /path/to/private.key;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384…;
      ssl_prefer_server_ciphers on;
      https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf
  11. The Code Book — Simon Singh
      High Performance Browser Networking (TLS chapter) — Ilya Grigorik
      Bulletproof SSL and TLS — Ivan Ristic
      SSL and TLS: Designing and Building Secure Systems — Eric Rescorla
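As an added example (not from the deck or the linked istlsfastyet.com file), a small Python check that parses nginx ssl_* directives like those on slide 10 and flags the misconfigurations the talk is about: retired protocol versions from the slide 6 timeline, cipher suites without an ECDHE/DHE key exchange (no forward secrecy), broken primitives, and DHE enabled without an explicit ssl_dhparam. Both sample configs and the finding strings are constructed for this example.

```python
import re

# Constructed sample modelled on the nginx snippet in slide 10 (not the deck's own file).
GOOD_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /path/to/public.crt;
ssl_certificate_key /path/to/private.key;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
"""

# Constructed example of the kind of misconfiguration the talk warns about.
WEAK_CONF = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
"""

DEAD_PROTOCOLS = {"SSLv2", "SSLv3"}  # retired versions from the slide 6 timeline
WEAK_PARTS = {"RC4", "DES", "MD5", "NULL", "EXP", "EXPORT"}  # broken primitives

def parse_directives(text):
    """Map each 'ssl_* value;' line to its value (one directive per line assumed)."""
    return dict(re.findall(r"^\s*(ssl_\w+)\s+([^;\n]+);", text, re.M))

def audit_ssl_conf(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    protos = d.get("ssl_protocols", "").split()
    findings += [f"protocol {p} is obsolete and must be disabled" for p in protos if p in DEAD_PROTOCOLS]
    if "TLSv1.2" not in protos:
        findings.append("TLSv1.2 is not enabled")
    ciphers = [c for c in d.get("ssl_ciphers", "").split(":") if c]
    for c in ciphers:
        if not c.startswith(("ECDHE-", "DHE-")):  # static RSA key exchange: no forward secrecy
            findings.append(f"cipher {c} has no forward secrecy")
        for part in c.split("-"):
            if part in WEAK_PARTS:
                findings.append(f"cipher {c} uses weak primitive {part}")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if any(c.startswith("DHE-") for c in ciphers) and "ssl_dhparam" not in d:
        findings.append("DHE ciphers enabled without ssl_dhparam; supply a 2048-bit or larger group")
    return findings

if __name__ == "__main__":
    for name, conf in (("slide 10 config", GOOD_CONF), ("weak config", WEAK_CONF)):
        print(name, "->", audit_ssl_conf(conf) or ["no findings"])
```

Run against the slide 10 config the check returns no findings; the weak config yields five (SSLv3, two suites without forward secrecy, 3DES, and server preference off).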