HTTPS deployment

Alternate title: "HTTPS is a shitshow"

AJ

he/him

Winter 2 batch

Security/privacy nerd

What we're covering

tl;dr: how HTTPS works + what to do for optimal security

What we're not covering

Terminology

HTTPS

SSL / TLS

Key

Public key / private keys

TLS handshake

SSL termination

Attack types

Passive attack

Active attack (man-in-the-middle attack)

Three important crypto properties

Confidentiality (is my PayPal session secret)

Integrity (can anybody mess with the PayPal HTML)

Authenticity (am I talking to the real paypal.com)

Confidentiality + integrity:

Just math (mostly)

Authenticity

Certificate Authorities + the CA system

CAs are trusted entities responsible for providing trust

Certificates bind a domain name to a keypair

Chains of trust: site certificate -> intermediate CA -> intermediate CA -> root CA

Demo

Problems

CAs can be and are compromised

CAs are vulnerable to government requests

CAs are just generally sketchy, because why not

Any CA can issue a certificate

Only as strong as the weakest link

Demo

Solutions?

DNSSEC + DANE

CAA DNS records

Convergence

Certificate Transparency

HTTP Public Key Pinning

Cipher suites

Different algorithms for encrypting data

Certain suites are better than others

Certain suites must be disabled

Security/compatibility balance

Picking cipher suites

Easiest: Mozilla's configuration generator

Otherwise prefer suites using ECDHE, disable weak cipher suites

(Perfect) Forward Secrecy

Ensures communication confidentiality even in the face of key compromise

Negotiate a shared key that doesn't hit the wire and is discarded when the session ends

Cipher suites with ECDHE negotiation

Revocation

"This certificate is no longer valid"

CRLs

OCSP

CRLs

Certificate Revocation Lists

Too much bandwidth/disk space

Don't scale well in catastrophic situations (e.g. Heartbleed)

CRLSet/OneCRL

OCSP

Online Certificate Status Protocol

Realtime query for revocation status

Certificates include OCSP responder URLs

OCSP responders return signed certificate status assertions

OCSP problems

Leaks browsing history to CAs

Induces high load on CAs

OCSP responders are unreliable

UAs can't hard-fail

OCSP stapling

Servers query OCSP responder servers

Signed OCSP response is sent along with the certificate

OCSP Must-Staple

Performance

"TLS has exactly one performance problem: it is not used widely enough. Everything else can be optimized." (istlsfastyet.com)

Optimizing TLS handshakes

Mostly eliminating round-trips

TLS session resumption (session ids, client sends id and server queries cache)

TLS session tickets (client sends connection state encrypted to server's key; be careful about PFS)

TLS False Start (timing modification)

More optimizations

Dual RSA/EC certificate deployments

istlsfastyet.com

Dispelling myths

TLS is not computationally expensive

"In order to [deploy HTTPS on Gmail] we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead." (Adam Langley of Google)

TLS is also not monetarily expensive

We really do want all of the web using HTTPS

Implementing - Mixed Content

HTTP content in an HTTPS page

Active Mixed Content is blocked

Passive Mixed Content is allowed (for now)

upgrade-insecure-requests

Content Security Policy directive

Client support indicated by Upgrade-Insecure-Requests header

block-all-mixed-content

Content Security Policy directive

No-op when used with upgrade-insecure-requests

HTTP Strict Transport Security

"Never connect to this website insecurely"

Strict-Transport-Security header

Set long durations (eventually)

includeSubdomains

Preloading to mitigate first-use attacks

HTTP Public Key Pinning

"Require these fingerprints in the trust chain"

Mitigates misissuance

You can set it to leaf certs but you gotta be careful

Pinning intermediate certs is easier

Suffers from first-use attacks

Server Name Indication (SNI)

"I'm initiating a connection to this domain name"

Lets the server present the right certificate

Eliminates the use of multiple IPs

All modern clients support this

Rough order

  1. Make HTTPS available
  2. Fix Mixed Content
  3. Redirect HTTP -> HTTPS (use permanent redirects)
  4. HTTP Strict Transport Security
  5. Fix your cipher suites
  6. HSTS preload list
  7. OCSP Stapling
  8. OCSP Must-Staple
  9. HTTP Public Key Pinning
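
An added example, not part of the original slides: a small Python check that reads a response's headers and lists what is still missing for the Mixed Content, HSTS and preload steps above. The sample headers are constructed, `parse_hsts` and `audit` are hypothetical names, and the one-year `max-age` floor is the preload list's submission requirement, an assumption not stated in the slides.

```python
import re

YEAR = 31536000  # assumption: minimum max-age the HSTS preload list accepts

# Constructed sample response headers (not captured from a real site).
EARLY = {"Strict-Transport-Security": "max-age=300"}
READY = {
    "strict-transport-security": 'max-age="63072000"; includeSubDomains; preload',
    "Content-Security-Policy": "upgrade-insecure-requests; block-all-mixed-content",
}

def parse_hsts(value):
    """Return (max_age, flags); (None, set()) when max-age is missing or malformed."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted string
            if not re.fullmatch(r"[0-9]+", arg):
                return None, set()
            max_age = int(arg)
        elif name:
            flags.add(name)
    return (max_age, flags) if max_age is not None else (None, set())

def audit(headers):
    """List what is still missing for the HSTS and mixed-content steps."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    max_age, flags = parse_hsts(h.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("no valid Strict-Transport-Security header")
    else:
        if max_age < YEAR:
            findings.append("HSTS max-age is under one year")
        if "includesubdomains" not in flags:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in flags:
            findings.append("HSTS lacks preload")
    csp = {d.split()[0].lower() for d in h.get("content-security-policy", "").split(";") if d.split()}
    if "upgrade-insecure-requests" not in csp:
        findings.append("CSP lacks upgrade-insecure-requests")
    elif "block-all-mixed-content" in csp:
        findings.append("block-all-mixed-content is redundant here")
    return findings

if __name__ == "__main__":
    for name, sample in (("EARLY", EARLY), ("READY", READY)):
        print(name, audit(sample))
```

A short `max-age` such as the one in `EARLY` is a reasonable first rollout value; the findings show what remains before submitting to the preload list.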

Tools

SSL Labs

Let's Encrypt

Certbot

Caddy

Thanks!

Y'all have stamina

Questions?

Access this presentation again

https://strugee.net/presentation-https-deployment

Or get the source code