HTTPS deployment

Alternate title: "HTTPS is a shitshow"



Winter 2 batch

Security/privacy nerd

What we're covering

tl;dr: how HTTPS works + what to do for optimal security

What we're not covering





Public key / private keys

TLS handshake

SSL termination

Attack types

Passive attack

Active attack (man-in-the-middle attack)

Three important crypto properties

Confidentiality (is my PayPal session secret)

Integrity (can anybody mess with the PayPal HTML)

Authenticity (am I talking to the real

Confidentiality + integrity:

Just math (mostly)


Certificate Authorities + the CA system

CAs are trusted entities responsible for providing trust

Certificates bind a domain name to a keypair

Chains of trust: site certificate -> intermediate CA -> intermediate CA -> root CA



CAs can be and are compromised

CAs are vulnerable to government requests

CAs are just generally sketchy, because why not

Any CA can issue a certificate

Only as strong as the weakest link




CAA DNS records


Certificate Transparency

HTTP Public Key Pinning

Cipher suites

Different algorithms for encrypting data

Certain suites are better than others

Certain suites must be disabled

Security/compatibility balance

Picking cipher suites

Easiest: Mozilla's configuration generator

Otherwise prefer suites using ECDHE, disable weak cipher suites

(Perfect) Forward Secrecy

Ensures communication confidentiality even in the face of key compromise

Negotiate a shared key that doesn't hit the wire and is discarded when the session ends

Cipher suites with ECDHE negotiation


"This certificate is no longer valid"




Certificate Revocation Lists

Too much bandwidth/disk space

Don't scale well in catastrophic situations (e.g. Heartbleed)



Online Certificate Status Protocol

Realtime query for revocation status

Certificates include OCSP responder URLs

OCSP responders return signed certificate status assertions

OCSP problems

Leaks browsing history to CAs

Induces high load on CAs

OCSP responders are unreliable

UAs can't hard-fail

OCSP stapling

Servers query OCSP responder servers

Signed OCSP response is sent along with the certificate

OCSP Must-Staple


TLS has exactly one performance problem: it is not used widely enough. Everything else can be optimized.

Optimizing TLS handshakes

Mostly eliminating round-trips

TLS session resumption (session ids, client sends id and server queries cache)

TLS session tickets (client sends connection state encrypted to server's key; be careful about PFS)

TLS False Start (timing modification)

More optimizations

Dual RSA/EC certificate deployments

Dispelling myths

TLS is not computationally expensive

"In order to [deploy HTTPS on Gmail] we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead." (Adam Langley of Google)

TLS is also not monetarily expensive

We really do want all of the web using HTTPS

Implementing - Mixed Content

HTTP content in an HTTPS page

Active Mixed Content is blocked

Passive Mixed Content is allowed (for now)


Content Security Policy directive

Client support indicated by Upgrade-Insecure-Requests header


Content Security Policy directive

No-op when used with upgrade-insecure-requests

HTTP Strict Transport Security

"Never connect to this website insecurely"

Strict-Transport-Security header

Set long durations (eventually)


Preloading to mitigate first-use attacks

HTTP Public Key Pinning

"Require these fingerprints in the trust chain"

Mitigates misissuance

You can set it to leaf certs but you gotta be careful

Pinning intermediate certs is easier

Suffers from first-use attacks

Server Name Indication (SNI)

"I'm initiating a connection to this domain name"

Lets the server present the right certificate

Eliminates the use of multiple IPs

All modern clients support this

Rough order

  1. Make HTTPS available
  2. Fix Mixed Content
  3. Redirect HTTP -> HTTPS (use permanent redirects)
  4. HTTP Strict Transport Security
  5. Fix your cipher suites
  6. HSTS preload list
  7. OCSP Stapling
  8. OCSP Must-Staple
  9. HTTP Public Key Pinning
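
Added example (not part of the original slides): a Python check for steps 2, 3, 4 and 6 of the order above, run against a site's plain-HTTP and HTTPS response headers. The sample responses and the example.test host are constructed, and the one-year max-age threshold is an assumption based on the preload list's stated minimum.

```python
PRELOAD_MIN_AGE = 31536000  # assumption: one year, the preload list's minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted string
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags

def audit(http_resp, https_resp):
    """Return findings; each response is a (status_code, headers_dict) pair."""
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 308):             # step 3: permanent redirects only
        findings.append("http: redirect is not permanent")
    if not headers.get("location", "").lower().startswith("https://"):
        findings.append("http: redirect target is not HTTPS")
    _, headers = https_resp
    headers = {k.lower(): v for k, v in headers.items()}
    csp = headers.get("content-security-policy", "").lower()
    if "upgrade-insecure-requests" not in [d.strip() for d in csp.split(";")]:
        findings.append("https: CSP lacks upgrade-insecure-requests")   # step 2
    hsts = headers.get("strict-transport-security")
    if hsts is None:                         # step 4
        findings.append("https: no Strict-Transport-Security header")
        return findings
    max_age, flags = parse_hsts(hsts)
    if not max_age:                          # max-age=0 tells browsers to drop the policy
        findings.append("https: HSTS max-age missing or 0 (policy disabled)")
    elif max_age < PRELOAD_MIN_AGE:
        findings.append("https: HSTS max-age too short for preload")
    for flag in ("includesubdomains", "preload"):                       # step 6
        if flag not in flags:
            findings.append(f"https: HSTS lacks {flag} (needed for preload)")
    return findings

# Constructed sample responses: an early rollout and a preload-ready site.
EARLY = ((302, {"Location": "https://example.test/"}),
         (200, {"Strict-Transport-Security": "max-age=300"}))
READY = ((301, {"Location": "https://example.test/"}),
         (200, {"Strict-Transport-Security": 'max-age="63072000"; includeSubDomains; preload',
                "Content-Security-Policy": "upgrade-insecure-requests; default-src https:"}))
```

`audit(*EARLY)` reports the temporary redirect, the missing CSP directive and the short HSTS policy; `audit(*READY)` returns an empty list.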


SSL Labs

Let's Encrypt




Y'all have stamina

