HTTPS, Here and Now
Philippe De Ryck
@PhilippeDeRyck
Invited Speaker @ VDAB ICT Security Happening
https://www.websec.be
What Is this HTTPS Thing?
Visit website, browse public pages
Login with username and password
Consult private information
It’s for Sending Sensitive Data
But All Data Is Sensitive!
About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
  § Focus on (client-side) Web security
§ Responsible for the Web Security training program
  § Dissemination of knowledge and research results
  § Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
  § 7 attacker models, broken down in 10 capabilities
  § 13 attacks and their countermeasures
  § Overview of security best practices
https://www.websec.be
@PhilippeDeRyck
Overview
§ HTTPS, under the hood
  § The basics of the HTTPS protocol
  § TLS, keys, certificates, …
§ Deploying HTTPS in practice
  § Requesting certificates
  § Server configuration
§ HTTPS on the application layer
  § Interactions between TLS and the Web application
  § The security risks of incorrectly deploying HTTPS
SSL and TLS – A bit of History
1994, SSL 1.0: Invented by Netscape, but never released
1995, SSL 2.0: Improvement of SSL 1.0. Quickly considered to be flawed
1996, SSL 3.0: Full rewrite, with stronger security. Will be actively used till 2014
1999, TLS 1.0: Standardization of SSL 3.0, with small improvements
2006, TLS 1.1: Update of TLS 1.0, with stronger cipher suites
2008, TLS 1.2: Update of TLS 1.1, with stronger cipher suites, and support for extensions
2011: Backwards compatibility with old SSL versions (< 3) removed from spec
…, TLS 1.3: Strong push towards better security, with removal of old algorithms and enforcement of forward secrecy
Opinions about HTTPS
§ It’s really complicated, and we can not set it up
  § That’s why there is CloudFlare and Let’s Encrypt
§ It’s too costly ($$$, CPU, network)
  § There are free certs, and your CPU has AES instructions
  § Netflix does it
    Netflix figures (from the slide): 329 gb
    Amount of data pushed in 2015
    400 000000
    http://arstechnica.com/security/2015/04/it-wasnt-easy-but-netflix-will-soon-use-https-to-secure-video-streams/
    http://expandedramblings.com/index.php/netflix_statistics-facts/3/
§ It doesn’t work well with caching
  § That’s why there are localized CDNs
§ You need one IP per website
  § Not since Windows XP has died …
HTTPS under the Hood
The S in HTTPS
§ HTTP protocol over a secure channel
  § Established by the SSL/TLS protocol
  § Separate URI scheme within the browser
[Figure: HTTP:// goes straight onto the network stack; HTTPS:// passes through TLS before reaching the network stack]
Positioning TLS in the Stack
[Figure: the layers Application (HTTP, IMAP, POP, …), Transport (TCP, UDP), Internet (IP) and Network (Ethernet). Without TLS, application data is wrapped in a TCP header, an IP header and an Ethernet frame header/footer. With TLS, the application data is first packed into TLS records, and those records are what the TCP segment, IP packet and Ethernet frame carry]
TLS in a Nutshell
§ The secure channel is capable of offering …
  § Data confidentiality
  § Data integrity
  § Mutual entity authentication
§ The handshake protocol is used to negotiate parameters
§ The record protocol is the workhorse, transmitting data
[Figure: the TLS Handshake Protocol and the TLS Record Protocol together form the secure communication channel]
A Closer Look at the TLS Record Protocol
[Figure: application data passes through the record protocol stages Fragment, Compress, Add Integrity Check, Encrypt and Append Record Header]
Integrity ensures that tampering will be detected
Confidentiality ensures that the data will be private
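As an added illustration (not from the slides), the following Python sketches the record-protocol pipeline for one direction of a connection: fragmentation into at most 2^14-byte fragments, an HMAC-SHA256 integrity check over the sequence number, record header and fragment, encryption of fragment plus tag, and the receiving side's checks that reject a tampered, truncated or reordered record. The compression stage is omitted and the cipher is a constructed HMAC-based keystream standing in for the negotiated cipher suite; it is not a TLS cipher, and the keys are placeholder constants.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14      # TLS plaintext fragments are at most 2^14 bytes
APPLICATION_DATA = 23       # record content type for application data
VERSION = b"\x03\x03"       # TLS 1.2 as written on the wire
MAC_LEN = 32                # HMAC-SHA256 tag length


def fragment(data):
    """Stage 1: split application data into record-sized fragments."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def keystream(enc_key, seq, length):
    """Constructed keystream (HMAC-SHA256 in counter mode, keyed per record by the
    sequence number). Stands in for the negotiated cipher; it is NOT a TLS cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def protect_record(frag, seq, mac_key, enc_key):
    """Integrity check, then encryption: the MAC-then-encrypt layout of a TLS 1.2 record."""
    header = bytes([APPLICATION_DATA]) + VERSION + struct.pack("!H", len(frag))
    # The MAC covers the sequence number and header, so reordering and truncation are caught too.
    tag = hmac.new(mac_key, struct.pack("!Q", seq) + header + frag, hashlib.sha256).digest()
    ciphertext = xor(frag + tag, keystream(enc_key, seq, len(frag) + MAC_LEN))
    return bytes([APPLICATION_DATA]) + VERSION + struct.pack("!H", len(ciphertext)) + ciphertext


def unprotect_record(record, seq, mac_key, enc_key):
    """Receiving side: parse header, decrypt, verify the tag; ValueError when anything is off."""
    if len(record) < 5:
        raise ValueError("record too short")
    ctype, version, length = record[0], record[1:3], struct.unpack("!H", record[3:5])[0]
    ciphertext = record[5:5 + length]
    if ctype != APPLICATION_DATA or version != VERSION or len(ciphertext) != length or length < MAC_LEN:
        raise ValueError("malformed record")
    plain = xor(ciphertext, keystream(enc_key, seq, length))
    frag, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
    header = bytes([APPLICATION_DATA]) + VERSION + struct.pack("!H", len(frag))
    expected = hmac.new(mac_key, struct.pack("!Q", seq) + header + frag, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison of the tags
        raise ValueError("bad_record_mac: tampering detected")
    return frag


def check_record(record, seq, mac_key, enc_key):
    """True if the receiver accepts the record, False if it is rejected."""
    try:
        unprotect_record(record, seq, mac_key, enc_key)
        return True
    except ValueError:
        return False


def send(data, mac_key, enc_key, seq=0):
    """Whole pipeline for the sender: fragment, protect each fragment under its own sequence number."""
    return [protect_record(f, seq + i, mac_key, enc_key) for i, f in enumerate(fragment(data))]


def receive(records, mac_key, enc_key, seq=0):
    """Whole pipeline for the receiver: verify and decrypt each record, reassemble the data."""
    return b"".join(unprotect_record(r, seq + i, mac_key, enc_key) for i, r in enumerate(records))


if __name__ == "__main__":
    mac_key, enc_key = b"m" * 32, b"e" * 32                  # placeholder keys, not derived from a handshake
    data = b"GET /catalog HTTP/1.1\r\n" * 1000                 # constructed sample, larger than one fragment
    records = send(data, mac_key, enc_key)
    print(len(records), "records;", "round trip ok" if receive(records, mac_key, enc_key) == data else "mismatch")
```

A bit flipped anywhere in a record, a record cut short, or a record delivered out of order all end in a MAC failure, which is what the slide's "tampering will be detected" amounts to in practice.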
The TLS Handshake Protocol, Simplified
[Figure: the client says to some-shop.com: "Hi some-shop.com, Give me your key please?"]
TLS Depends on Public Key Certificates
§ A certificate asserts that a public key X belongs to party Y
  § Issued by a Certificate Authority
  § Generally for a lot of € € €
  § Different levels of validation
Certificates and CAs
[Figure: a hierarchy of Root CAs and Intermediate CAs. An intermediate asks a root: "Hey, I would like to be a CA. Please vouch that this is my key?"; a site asks an intermediate: "Hey, I’m some-shop.com. Please vouch that this is my key?"]
The Importance of Certificates in TLS
[Figure: the client asks "Hi some-shop.com, Give me your key please?", but an unknown party (?) sitting between the client and some-shop.com can forward the same question and answer with its own key; without a certificate the client cannot tell whose key it received]
Browser Warnings Are Scary
http://www.slate.com/articles/technology/future_tense/2015/02/ssl_warnings_users_ignore_them_can_we_fix_that.html
But Can Easily Be Avoided
http://www.techfor.us/2015/06/your-connection-is-not-private-er_cert_common_name_invalid/
Similar Story With Mobile Apps
Doing It Right Is More Effort
https://developer.android.com/training/articles/security-ssl.html
A Closer Look at the TLS Handshake
Client                                      Server
Client Hello (ciphers, extensions, …)   ->
                                        <-  Server Hello (cipher, extensions, …)
                                        <-  Server Hello Done
Verify Certificate
Generate Pre-master secret
Pre-master secret                       ->
Calculate keys                              Calculate keys
Client Finished                         ->
                                        <-  Server Finished
Putting it Together in the Handshake
The same exchange, with its four roles highlighted in turn:
§ Entity Authentication (verifying the server’s certificate)
§ Key Exchange (the pre-master secret)
§ Encryption / Integrity Checking (the calculated keys, confirmed by the Finished messages)
§ Cipher Suite Negotiation (the Client Hello and Server Hello)
Example of the TLS Handshake
Deploying HTTPS in practice
Deploying TLS Can Be Complex
§ The administrator needs to take a lot of steps
  § Create keys
  § Request certificate
  § Verify and complete the certificate chain
  § Configure the service to use TLS
§ Often used as an argument against TLS
  § But no longer valid, as we will see shortly …
Deploying HTTPS Step By Step
§ To request a certificate, you need a key pair
§ From which you can generate a certificate signing request
§ With this CSR, you can get a certificate from a CA
openssl genrsa -out websec_sandbox00.key 2048
openssl req -new -sha256 -key … -out ….csr
StartSSL Offers Free Certificates
Requesting a Certificate From StartSSL
Deploying HTTPS Step By Step
-----BEGIN CERTIFICATE-----
…
uQrIXhnJze/mOm566NPdJqge6o5IC3NPGos6SLK3RtPGNttJwzg6IvEpeYPunjjuRfFAtWIvciqTC83aoRWIo=
-----END CERTIFICATE-----
Deploying HTTPS Step By Step
§ With the keys and certificate, we can configure the server
  § Define a new virtual host
  § Enable the SSL engine
  § Point to the private key and certificate
# Example NGINX configuration (bare essentials)
server {
    listen 443;
    server_name sandbox00.websec.be;
    root /site;
    ssl on;
    ssl_certificate /etc/ssl/websec_sandbox00.pem;
    ssl_certificate_key /etc/ssl/websec_sandbox00.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
Deploying HTTPS Step By Step
# Example Apache configuration (bare essentials)
<VirtualHost *:443>
    ServerName sandbox00.websec.be
    DocumentRoot /site
    SSLEngine On
    SSLCertificateFile /etc/ssl/websec_sandbox00.pem
    SSLCertificateKeyFile /etc/ssl/websec_sandbox00.key
</VirtualHost>
Still a Tedious Process …
https://letsencrypt.org
Let’s Encrypt Pushes for HTTPS Everywhere
§ Free certificates for everyone
  § Let’s Encrypt has established a CA to issue certificates
  § They have built a toolchain to automate the process
git clone https://github.com/letsencrypt/letsencrypt .
./letsencrypt-auto certonly --webroot -w /var/www/ -d www.websec.be
Let’s Encrypt Automates Domain Validation
https://letsencrypt.org/howitworks/technology/
Let’s Encrypt Automates Certificate Issuing
https://letsencrypt.org/howitworks/technology/
Where Should a Connection Go?
[Figure: the complete TLS handshake (Client Hello, Server Hello, Server Hello Done, Verify Certificate, Generate Pre-master secret, Calculate keys, Client Finished, Server Finished) runs before the HTTP request "GET example.com" is sent, so the server must pick a certificate before it learns which site the client wants]
Server Name Indication (SNI)
§ SNI is a TLS extension
  § Includes the hostname a client is connecting to
  § Allows the server software to send it to the correct virtual host
§ SNI allows admins to run multiple TLS servers on one IP
  § Which is great, since IPv4 addresses are limited anyway
  § Client support has increased a lot since Windows XP died
§ Often only one SSL configuration per Web server supported
  § Because underlying stack takes care of it
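To make the Client Hello and the SNI extension concrete, here is an added Python example (not part of the slides) that builds a TLS 1.2 ClientHello record carrying a list of cipher suites and a server_name extension, parses it back the way a server would before choosing a virtual host, and performs that virtual-host choice. It covers both the "Client Hello (ciphers, extensions, …)" step of the handshake slides and the SNI slide above. The wire format follows RFC 5246 and RFC 6066; the cipher suite numbers are IANA registry values, the hostnames and vhost set are constructed sample data, and `select_virtual_host` is a hypothetical stand-in for what nginx or Apache does with the name.

```python
import os
import struct

# Cipher suite identifiers from the IANA TLS registry.
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
EXT_SERVER_NAME = 0x0000   # server_name extension (RFC 6066)
HANDSHAKE = 0x16           # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type


def build_client_hello(hostname, suites, version=b"\x03\x03"):
    """Assemble a TLS 1.2 ClientHello record; hostname=None omits the SNI extension."""
    body = version + os.urandom(32) + b"\x00"            # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is the legacy 3.1; the real version is inside the message.
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Server-side view: extract offered cipher suites and the SNI hostname (None if absent)."""
    if len(record) < 9 or record[0] != HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                         # skip client_version and random
    pos += 1 + body[pos]                                 # skip session id
    n = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + body[pos]                                 # skip compression methods
    sni = None
    if pos < len(body):
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, length = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type == EXT_SERVER_NAME:
                name_len = struct.unpack_from("!H", data, 3)[0]   # list len (2), name_type (1), name len (2)
                sni = data[5:5 + name_len].decode("ascii")
    names = [CIPHER_SUITES.get(s, "unknown_0x%04x" % s) for s in suites]
    return {"cipher_suites": suites, "cipher_suite_names": names, "sni": sni}


def select_virtual_host(sni, vhosts, default):
    """Hypothetical vhost selection: the SNI name if configured, otherwise the default server block."""
    return sni if sni in vhosts else default


if __name__ == "__main__":
    vhosts = {"www.websec.be", "sandbox00.websec.be"}            # constructed sample configuration
    hello = build_client_hello("www.websec.be", [0xC02F, 0xC030])
    info = parse_client_hello(hello)
    print(info["sni"], info["cipher_suite_names"], "->", select_virtual_host(info["sni"], vhosts, "default"))
```

A client that omits SNI, as old Windows XP browsers did, reaches the default server block and gets whatever certificate is configured there, which is exactly the "one IP per website" constraint the slide says has gone away.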
SSL Termination
§ A single point in the network where SSL connections end
  § Sensitive key material is stored in one single place
  § Dedicated crypto hardware can take care of the SSL operations
§ Internal servers run interactive web sites
  § Higher chance of getting compromised
  § They can use self-signed certs internally
  § Server software may be less trustworthy than the termination point
HTTPS on the Application Layer
Verifying your TLS Deployment
§ How do you know if you deployed HTTPS correctly?
  § The browser seems to be happy …
§ But the browser is very forgiving if you screw up
§ Qualys offers an SSL server test
  § Checks your configuration against current best practices
  § Gives you a grade based on how good/bad your setup is
https://www.ssllabs.com/ssltest/
Default Ubuntu 14.04 LTS Installation
Want to Run Your Own Test?
Great TLS Score, but what with Security?
Deploying Sites over HTTP is a Bad Idea
User -> some-shop.com: Visit http://some-shop.com
some-shop.com -> User: Welcome, please log in
User -> some-shop.com: Login as Philippe to http://some-shop.com/login
some-shop.com -> User: Welcome Philippe
User -> some-shop.com: Visit http://some-shop.com/catalog
some-shop.com -> User: Here you go Philippe, please buy lots of stuff
…
Deploying Sites over HTTP is a Bad Idea
§ Eavesdropping attacks are trivial nowadays
§ But nobody cares …
  § Take the BEL20 …
    Only 2 sites use HTTPS for their main page
    2 sites even submit login forms over HTTP
http://deredactie.be/cm/vrtnieuws/binnenland/1.2163105
http://www.clickx.be/nieuws/134342/telenet-laat-je-surfen-via-de-modem-van-je-buren/
HTTPS to the Rescue
User -> some-shop.com: Visit http://some-shop.com
some-shop.com -> User: Welcome, please log in
User -> some-shop.com: Login as Philippe to https://some-shop.com/login
some-shop.com -> User: Welcome Philippe
User -> some-shop.com: Visit http://some-shop.com/catalog
some-shop.com -> User: Here you go Philippe, please buy lots of stuff
Session Hijacking
User -> some-shop.com: Visit http://some-shop.com
some-shop.com -> User: Welcome, please log in
User -> some-shop.com: Login as Philippe to https://some-shop.com/login
some-shop.com -> User: Welcome Philippe
User -> some-shop.com: Visit http://some-shop.com/catalog
some-shop.com -> User: Here you go Philippe, please buy lots of stuff
Eavesdropper -> some-shop.com: Visit http://some-shop.com/catalog (reusing Philippe’s session)
some-shop.com -> Eavesdropper: Here you go Philippe, please buy lots of stuff
Man in the Middle Attacks
User <-> attacker (posing as some-shop.com):
  Visit http://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe
  Send items to address X
  Items will be sent to X
Attacker <-> some-shop.com (relaying Philippe’s session):
  Visit http://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe
  Send items to address A
  Items will be sent to A
Stripping HTTPS from Login Forms
User <-> attacker (posing as some-shop.com):
  Visit http://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe
  Send items to address X
  Items will be sent to X
Attacker <-> some-shop.com (relaying Philippe’s session, rewriting HTTPS to HTTP in the pages it passes on):
  Visit http://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe
  Send items to address A
  Items will be sent to A
Demo Time
§ Demo with the Wifi Pineapple
  § Wireless honeypot
§ Can be configured as a hotspot
  § Can also mimic other hotspots
Our Setup
§ We control the wireless access point
  § Full man-in-the-middle attack
[Figure: user, wireless access point, some-shop.com]
HTTPS Prevents Man in the Middle Attacks
User <-> some-shop.com, over HTTPS:
  Visit https://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe
  Send items to address X
  Items will be sent to X
[Figure: the attacker’s relayed exchange (address A) from the previous slides is no longer possible, since the browser now authenticates some-shop.com]
Bootstrapping the HTTPS Site
Browser -> some-shop.com: GET http://some-shop.com
some-shop.com -> Browser: 301 Moved Permanently, Location: https://some-shop.com
Browser -> some-shop.com: GET https://some-shop.com
some-shop.com -> Browser: 200 OK, response page
SSL Stripping
Browser -> Attacker: GET http://some-shop.com
Attacker -> some-shop.com: GET http://…
some-shop.com -> Attacker: 301 Moved
Attacker -> some-shop.com: GET https://…
some-shop.com -> Attacker: 200 OK
Attacker -> Browser: 200 OK, response page (with the HTTPS URLs rewritten to HTTP)
Browser -> Attacker: POST http://some-shop.com (User: philippe & pass: pazzw0rd)
Attacker -> some-shop.com: POST https://…
HTTP Strict Transport Security (HSTS)
§ Instruct the browser to only visit a site over HTTPS
  § Once enabled, no HTTP requests will be sent anymore
  § Prevents SSL stripping attacks
  § Prevents cookie stealing over HTTP
Browser -> websec.be: GET https://websec.be
websec.be -> Browser: 200 OK, response page
Diving into HSTS
§ HSTS is a server-driven, browser-enforced security policy
  § Server sends the Strict-Transport-Security response header
  § Browser enforces this for the lifetime specified in the header
  § Effectively prevents SSL stripping attacks
§ HSTS originates from a research proposal: ForceHTTPS
  § First proposed in 2008, standardized in 2012
Strict-Transport-Security: max-age=31536000
Specifying the HSTS header
§ Configuration is straightforward
  § max-age specifies the duration for forcing the use of HTTPS
  § includeSubdomains specifies whether subdomains are included
§ The protection is only applied for the duration of max-age
  § Make sure this value covers non-frequent visitors
  § The value 0 disables the HSTS policy for this particular host
    • Only if received over an error-free channel
[Browser support table: HSTS supported from versions 4, 4, 7, 11, 4.4.4 and 7.1]
Strict-Transport-Security: max-age=31536000; includeSubdomains
HSTS Best Practices
§ HSTS Header processing
  § HSTS response headers must be sent over a secure channel
  § Headers received on an insecure channel are ignored
  § Incorrectly formatted headers are ignored
  § Only the first header will be processed
§ HSTS does not care about TCP ports
  § Matches only on hostname
  § Port 80 is translated to 443, other ports are preserved
HSTS Overview
Browser -> websec.be: GET https://websec.be
websec.be -> Browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;includeSubdomains
Browser -> websec.be: GET https://websec.be (later visits go to HTTPS directly)
websec.be -> Browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;includeSubdomains
Browser -> www.websec.be: GET https://www.websec.be (covered by includeSubdomains)
www.websec.be -> Browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;includeSubdomains
The Bootstrapping Problem … Again
[Figure: the same exchange; the very first request to websec.be, sent before any HSTS header has been seen, is not yet protected by the policy]
Preloading HSTS
§ The bootstrapping problem is solved by a preloaded list
  § Contains all sites that have explicitly subscribed to HSTS
  § Distributed along with the browsers
  § Available on https://hstspreload.appspot.com/
Conditions for making the preload list
§ Having a valid certificate (no SHA1 allowed after 2016)
§ Redirect all HTTP traffic to HTTPS
§ Serve all subdomains over HTTPS (especially www if it exists)
§ Serve HSTS on the base domain (e.g. websec.be)
  § Max-age of at least 18 weeks
  § includeSubdomains must be specified
  § preload must be specified
  § In case of a redirect, specify HSTS on the redirect, not the destination
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
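The header-processing rules from the HSTS slides (secure channel only, malformed headers ignored, first header wins, max-age=0 removes the entry, hostname matching with includeSubdomains, port 80 becoming 443 while other ports are preserved) and the header-side conditions of the preload list above are small enough to write down as code. The following Python is an added example, not from the slides or from any browser's source: a minimal browser-side HSTS store plus a check of a header value against the preload conditions. The clock is injectable so that expiry can be exercised; the hosts and headers are constructed sample data.

```python
import time
from urllib.parse import urlsplit, urlunsplit

EIGHTEEN_WEEKS = 18 * 7 * 24 * 3600     # minimum max-age for the preload list, per the slide


def parse_hsts(value):
    """Parse a Strict-Transport-Security value. Returns None for a malformed header
    (missing, repeated or non-numeric max-age). Directive names are case-insensitive;
    unknown directives are ignored, as the specification requires."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit() or policy["max_age"] is not None:
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Browser-side HSTS state: host -> (expiry timestamp, include_subdomains)."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}

    def process_response(self, host, scheme, headers, error_free=True):
        """headers is a list of (name, value) pairs as received from the server."""
        if scheme != "https" or not error_free:          # insecure channel: header is ignored
            return
        values = [v for k, v in headers if k.lower() == "strict-transport-security"]
        if not values:
            return
        policy = parse_hsts(values[0])                   # only the first header is processed
        if policy is None:                               # malformed header: ignored
            return
        host = host.lower()
        if policy["max_age"] == 0:                       # max-age=0 removes the policy for this host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host):
        """Exact match, or a parent domain whose entry has includeSubdomains; expired entries don't count."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > self.now() and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; port 80 becomes 443, other ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else "%s:%d" % (parts.hostname, parts.port)
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_eligible(value):
    """Header-side preload conditions from the slide: max-age >= 18 weeks, includeSubdomains, preload.
    The certificate, redirect and subdomain checks need a live scan and are out of scope here."""
    policy = parse_hsts(value)
    return bool(policy and policy["max_age"] >= EIGHTEEN_WEEKS
                and policy["include_subdomains"] and policy["preload"])


if __name__ == "__main__":
    store = HstsStore()
    store.process_response("websec.be", "https",
                           [("Strict-Transport-Security", "max-age=31536000; includeSubdomains")])
    print(store.rewrite("http://www.websec.be:80/login"))      # upgraded, port 80 dropped
    print(store.rewrite("http://www.websec.be:8080/"))         # upgraded, port preserved
    print(preload_eligible("max-age=31536000; includeSubdomains; preload"))
```

Running the same header through `process_response` with scheme "http" changes nothing, which is the property that stops an SSL-stripping attacker from planting or clearing a policy: only a page that already arrived over a verified HTTPS connection can touch the store.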
Inspecting HSTS in the Browser
§ Available through chrome://net-internals/#hsts
How to Get an A+ Rating?
ssl on;
ssl_certificate /etc/letsencrypt/live/www.websec.be/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.websec.be/privkey.pem;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31556926";
}
Conclusion
Things Will Get Worse …
§ More SSL/TLS failures will be discovered
  § CAs misbehaving or getting hacked
  § Server administrators deploying imperfect configurations
  § Client software being clueless about SSL
http://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridge/
http://www.zdnet.com/article/hundreds-of-android-apps-open-to-ssl-linked-intercept-fail/
The Push for HTTPS Will Become Stronger
§ Browser vendors and corporations are pushing for HTTPS
  § Google already uses HTTPS as a ranking signal for search
  § Mozilla will mark HTTP sites with password fields as insecure
§ The US government mandates the use of HTTPS
  § All publicly accessible sites
  § By the end of 2016
§ The use of HTTPS is gaining widespread attention
  § Mainstream media pick up an HTTPS story now and then
  § Remember the article about Belgian banks
Wrapping Up
§ The time of closed networks is over
  § Networks are available everywhere, to all kinds of devices
  § Do not put explicit trust in the network infrastructure
§ HTTPS effectively prevents passive and active attacks
  § New security policies push security even further (HSTS, HPKP)
  § For the first time, we can defend against very powerful attacks
§ Only awareness is standing in the way of HTTPS deployment
Week-long application security course
https://www.secappdev.org
Progressive Web Security course
1. Why simply deploying HTTPS will not get you an A+ grade
2. How to avoid common pitfalls in authentication and authorization
3. Why modern security technologies will eradicate XSS
4. Four new browser communication mechanisms, and how they affect you
State-of-the-art technologies
Hands-on labs included
3rd edition starts on April 12th 2016
https://www.websec.be
Acknowledgements
Icons by Visual Pharm (https://icons8.com)
HTTPS, Here and Now
Philippe De Ryck
/in/philippederyck
https://www.websec.be
@PhilippeDeRyck