HTTPS deployment
Alternate title: "HTTPS is a shitshow"
AJ
he/him
Winter 2 batch
Security/privacy nerd
What we're covering
tl;dr: how HTTPS works + what to do for optimal security
- Basics
- Authenticity
- Cipher suites
- Revocation
- Performance
- Implementation
What we're not covering
- System-level stuff
- Webapp stuff
- Operational security
- Cryptography (beyond the basics)
- UX issues
Terminology
HTTPS
SSL / TLS
Key
Public key / private keys
TLS handshake
SSL termination
Attack types
Passive attack (the attacker only records traffic; confidentiality defeats this)
Active attack (man-in-the-middle: the attacker sits between client and server and can modify, inject or impersonate; integrity + authenticity defeat this)
Three important crypto properties
Confidentiality (is my PayPal session secret)
Integrity (can anybody mess with the PayPal HTML)
Authenticity (am I talking to the real paypal.com)
Confidentiality + integrity:
Just math (mostly)
Authenticity
Certificate Authorities + the CA system
CAs are trusted third parties that vouch for a site's key: a browser accepts a certificate because a CA in its trust store signed it (directly or through intermediates)
Certificates bind a domain name to a public key (the site holds the matching private key)
Chains of trust: site certificate -> one or more intermediate CAs -> root CA (the root lives in the browser/OS trust store)
Demo
Problems
CAs can be and are compromised (a breached CA can issue certificates for any site)
CAs are subject to coercion by the governments they operate under
CAs are just generally sketchy, because why not
Any trusted CA can issue a certificate for any domain, without the domain owner's involvement
So the system is only as strong as the weakest link: the sloppiest CA in the trust store
Demo
Solutions?
DNSSEC + DANE (publish the site's key, or which CA may sign for it, in signed DNS)
CAA DNS records (tell CAs which of them may issue for this domain; checked by CAs at issuance, not by browsers)
Convergence (notary-based alternative to CAs; never saw broad deployment)
Certificate Transparency (public, append-only logs of issued certificates, so misissuance can be detected after the fact)
HTTP Public Key Pinning (see below; since removed from browsers)
Cipher suites
A cipher suite names the combination of key exchange, authentication, bulk cipher and MAC/hash used for a connection
Certain suites are better than others (prefer AEAD ciphers such as AES-GCM and ChaCha20-Poly1305 with ECDHE key exchange)
Certain suites must be disabled (RC4, 3DES, export-grade, NULL and anonymous suites, MD5 MACs)
Security/compatibility balance: the more you disable, the more old clients you lock out
Picking cipher suites
Easiest: Mozilla's configuration generator
Otherwise: prefer suites with ECDHE key exchange and AEAD ciphers, and explicitly disable RC4, 3DES, export, NULL/anonymous and MD5 suites
(Perfect) Forward Secrecy
Ensures past sessions stay confidential even if the server's long-term private key is later compromised
Negotiate a per-session shared key that never hits the wire and is discarded when the session ends
Provided by suites with ECDHE (or DHE) key exchange; static RSA key exchange, where the client encrypts the session secret to the certificate's key, does not provide it
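To see what a cipher string actually expands to, here is an added example (not part of the original deck) that classifies each suite OpenSSL would offer as forward-secret, static key exchange, or weak. It uses only the standard-library ssl module; the hardened string and the weak-marker list are this example's own choices, not Mozilla's generator output.

```python
import ssl

# Substrings that mark suites nobody should leave enabled on a web server
# (this example's own list: RC4, DES/3DES, MD5 MACs, NULL encryption,
# export-grade and anonymous suites).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def classify(name, protocol):
    """Bucket one OpenSSL cipher name: 'weak', 'static-kx' or 'forward-secret'."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) always use (EC)DHE.
    if protocol == "TLSv1.3" or upper.startswith("TLS_"):
        return "forward-secret"
    # In TLS 1.2 names the key-exchange method comes first.
    if upper.startswith(("ECDHE-", "DHE-")):
        return "forward-secret"
    # Everything else (e.g. AES128-GCM-SHA256) uses static RSA key exchange:
    # the client encrypts the premaster secret to the certificate's key, so
    # a later private-key compromise decrypts every recorded session.
    return "static-kx"


def audit(cipher_string):
    """Expand an OpenSSL cipher string into the suites it enables, bucketed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    buckets = {"forward-secret": [], "static-kx": [], "weak": []}
    for suite in ctx.get_ciphers():
        buckets[classify(suite["name"], suite["protocol"])].append(suite["name"])
    return buckets


# Hardened string in the spirit of Mozilla's "intermediate" profile (this
# example's own choice), compared against OpenSSL's built-in DEFAULT list.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"

if __name__ == "__main__":
    for label, spec in (("DEFAULT", "DEFAULT"), ("HARDENED", HARDENED)):
        result = audit(spec)
        print(f"{label}: {len(result['forward-secret'])} forward-secret, "
              f"{len(result['static-kx'])} static-kx, {len(result['weak'])} weak")
        for name in result["weak"] + result["static-kx"]:
            print("  would disable:", name)
```

The classification goes by name rather than by the kea/auth fields ssl reports, because those fields differ between OpenSSL builds; the name prefix is stable. Anything that lands in "static-kx" or "weak" is a suite to cut from the server's configuration.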
Revocation
"This certificate is no longer valid"
CRLs
OCSP
CRLs
Certificate Revocation Lists
Lists grow large, costing bandwidth and disk space on every client that downloads them
Don't scale well in catastrophic situations (e.g. Heartbleed, when huge numbers of certificates had to be revoked at once)
CRLSet (Chrome) / OneCRL (Firefox): browser vendors push a curated subset of revocations with browser updates instead
OCSP
Online Certificate Status Protocol
Realtime query for revocation status
Certificates include OCSP responder URLs
OCSP responders return signed certificate status assertions
OCSP problems
Leaks browsing history to CAs (every status query tells the CA which site you are visiting)
Induces high load on CAs
OCSP responders are unreliable
UAs can't hard-fail: an unreachable responder is treated as "not revoked", so an active attacker simply blocks the OCSP query
OCSP stapling
The server queries the OCSP responder itself (periodically, not per connection)
The signed, time-limited OCSP response is sent along with the certificate in the handshake; verify it with openssl s_client -status
OCSP Must-Staple: a certificate extension telling the client to fail hard if no valid stapled response is present, which closes the soft-fail hole
Performance
"TLS has exactly one performance problem: it is not used widely enough. Everything else can be optimized."
istlsfastyet.com
Optimizing TLS handshakes
Mostly eliminating round-trips
TLS session resumption via session ids (client sends the id, server looks the session up in its cache): skips the full handshake's extra round trip and public-key work
TLS session tickets (server hands the client its session state encrypted under a ticket key, client returns it): be careful about forward secrecy, since anyone holding the ticket key can decrypt recorded sessions, so rotate it frequently
TLS False Start (the client sends application data right after its own Finished instead of waiting for the server's, saving a round trip; browsers only enable it with forward-secret suites)
More optimizations
Dual RSA/ECDSA certificate deployments (serve the smaller, faster ECDSA certificate to clients that support it, RSA to the rest)
istlsfastyet.com
Dispelling myths
TLS is not computationally expensive
"In order to [deploy HTTPS on Gmail] we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead."
Adam Langley of Google
TLS is also not monetarily expensive (certificates are available for free, e.g. from Let's Encrypt)
We really do want all of the web using HTTPS
Implementing - Mixed Content
HTTP subresources loaded into an HTTPS page, which an active attacker on the path can tamper with
Active mixed content (scripts, stylesheets, iframes, XHR) is blocked by browsers
Passive mixed content (images, audio, video) was still allowed with a warning when this was written; browsers now upgrade it to HTTPS or block it
upgrade-insecure-requests
Content Security Policy directive: the browser rewrites http:// subresource URLs to https:// before fetching them
Clients that support it send an Upgrade-Insecure-Requests: 1 request header, so the server can redirect those clients to HTTPS without breaking anything
block-all-mixed-content
Content Security Policy directive: block passive mixed content too, instead of merely warning
No-op when used together with upgrade-insecure-requests
HTTP Strict Transport Security
"Never connect to this website insecurely": the browser rewrites http:// to https:// itself and refuses to let the user click through certificate errors
Strict-Transport-Security header, e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Start with a short max-age and raise it once everything is known to work, since a wrong HSTS policy locks users out for the whole duration
includeSubDomains (otherwise a subdomain left on plain HTTP can still set cookies for the parent domain)
Preloading (hstspreload.org, compiled into browsers) mitigates the first-use problem: the very first plain-HTTP request, before the header has ever been seen, is unprotected
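As an added example (mine, not the deck author's), a checker for the two header mechanisms above: it parses Strict-Transport-Security per RFC 6797, reports why a value would not qualify for the preload list, and reports which CSP mixed-content directive actually takes effect. The sample response headers are constructed for the example; the one-year threshold is hstspreload.org's current minimum.

```python
import re

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797.

    Returns None for a header a browser would ignore: no max-age, a
    non-numeric max-age, or a directive that appears twice.  Directive
    names are case-insensitive, so "includeSubdomains" also counts.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def hsts_report(value):
    """Say whether an HSTS value meets the preload-list requirements, and why not."""
    parsed = parse_hsts(value)
    if parsed is None:
        return {"valid": False, "preload_eligible": False,
                "problems": ["header would be ignored: missing/invalid max-age or duplicate directive"]}
    problems = []
    if parsed["max_age"] < ONE_YEAR:
        problems.append("max-age below one year")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not parsed["preload"]:
        problems.append("preload token missing")
    return {"valid": True, "preload_eligible": not problems, "problems": problems, **parsed}


def csp_mixed_content(policy):
    """Report which mixed-content controls a Content-Security-Policy value enables.

    block-all-mixed-content is a no-op when upgrade-insecure-requests is also
    present, so the report says what takes effect, not just what was written.
    """
    names = {d.strip().split()[0].lower() for d in policy.split(";") if d.strip()}
    upgrade = "upgrade-insecure-requests" in names
    block = "block-all-mixed-content" in names
    return {"upgrade_requested": upgrade, "block_requested": block,
            "block_effective": block and not upgrade}


# Constructed response headers for a site midway through its rollout.
SAMPLE_RESPONSE = {
    "Strict-Transport-Security": "max-age=300; includeSubdomains",
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests; block-all-mixed-content",
}

if __name__ == "__main__":
    print(hsts_report(SAMPLE_RESPONSE["Strict-Transport-Security"]))
    print(csp_mixed_content(SAMPLE_RESPONSE["Content-Security-Policy"]))
```

Run it against your own headers (curl -sI https://yoursite/ gives them) as each rollout step lands: the short max-age is the right first move, and the report tells you what still separates you from a preload submission.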
HTTP Public Key Pinning
"Require one of these SPKI fingerprints in the trust chain"
Mitigates misissuance by CAs you don't use
You can pin leaf keys, but a key rotation without an updated pin locks every returning user out for max-age; always ship a backup pin for a key held offline
Pinning intermediate certs is easier
Suffers from first-use attacks
Caveat: browsers have since removed HPKP support (Chrome dropped it in 2018) because of the self-inflicted lockout risk; monitor Certificate Transparency logs and publish CAA records instead
Server Name Indication (SNI)
"I'm initiating a connection to this domain name": the client sends the hostname in the ClientHello, in cleartext, before any certificate is chosen
Lets the server present the right certificate for that name
Removes the need for a dedicated IP address per certificate, so many HTTPS sites can share one address
All modern clients support this (the notable holdouts were IE on Windows XP and Android 2.x)
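To make the handshake concrete, an added example (not from the original deck) that builds a minimal ClientHello carrying a server_name extension and parses the hostname back out, the way an SNI-routing proxy or an IDS does before any key material exists. The cipher suite list and hostnames are arbitrary choices for the example, and the record is constructed, not captured traffic.

```python
import os
import struct

SNI_EXTENSION = 0x0000   # server_name extension type (RFC 6066)
HOST_NAME = 0x00         # the only NameType defined


def _vec(data, length_bytes):
    """TLS variable-length vector: big-endian length prefix, then the bytes."""
    return len(data).to_bytes(length_bytes, "big") + data


def build_client_hello(hostname, cipher_suites=(0xC02B, 0xC02F, 0xCCA9)):
    """Build a minimal TLS 1.2 ClientHello record; hostname=None omits SNI."""
    extensions = b""
    if hostname is not None:
        entry = bytes([HOST_NAME]) + _vec(hostname.encode("idna"), 2)
        server_name_list = _vec(entry, 2)
        extensions = struct.pack("!HH", SNI_EXTENSION, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                                   # client_version
        + os.urandom(32)                                              # random
        + _vec(b"", 1)                                                # session_id (empty)
        + _vec(b"".join(struct.pack("!H", s) for s in cipher_suites), 2)
        + _vec(b"\x00", 1)                                            # compression: null only
        + (_vec(extensions, 2) if extensions else b"")
    )
    handshake = b"\x01" + _vec(body, 3)          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _vec(handshake, 2)  # ContentType handshake(22), legacy version


def extract_sni(record):
    """Return the host_name carried in a ClientHello record, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")      # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos >= len(body):
        return None                                          # no extensions block at all
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if ext_end > len(body):
        raise ValueError("truncated extensions block")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION:
            continue
        q = 2                                                # skip ServerNameList length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = int.from_bytes(data[q + 1:q + 3], "big")
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == HOST_NAME:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print(hello.hex())
    print("SNI:", extract_sni(hello))
    print("SNI without extension:", extract_sni(build_client_hello(None)))
```

Note what the parser did not need: no key, no certificate, nothing but the first record. That is exactly why SNI is convenient for virtual hosting and equally convenient for anyone on the path who wants to know which site you are visiting; Encrypted Client Hello (ECH) exists to close that gap.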
Rough order
- Make HTTPS available
- Fix Mixed Content
- Redirect HTTP -> HTTPS (use permanent redirects)
- HTTP Strict Transport Security
- Fix your cipher suites
- HSTS preload list
- OCSP Stapling
- OCSP Must-Staple
- HTTP Public Key Pinning (no longer: browsers have removed HPKP support; rely on Certificate Transparency monitoring and CAA records instead)