A look at what's new, or often misunderstood, in HTTPS

1. HTTPS
Renaming the meetup to Port443

2. Why I care about HTTPS
• section.io is an agile Content Delivery Network
• We maintain a Qualys SSL Labs Grade A rating
• Our own site, blog, and portal are full HTTPS
• We help our customers transition to full HTTPS
• I’m personally passionate about security

3. Why should you care about HTTPS?
• You’re already here anyway
• A 42% increase for Alexa Top 1 Million in 6 months
• Hopefully the following presentation will help

4. SSL is dead
• HTTP = Hypertext Transfer Protocol
• HTTPS = HTTP Secure
• TLS = Transport Layer Security, now at version 1.2
• SSL = Secure Sockets Layer
• SSL v3 is effectively dead since POODLE in 2014
• SSL v2 just became even deader with DROWN this month
• X.509 Certificate

5. Mixed mode requests
• When a page served over HTTPS contains http:// URLs
• Since October 2015, Chrome removes the padlock.
• Content Security Policies can help fix the broken http:// URLs
• Protocol relative URLs reduce cache effectiveness:
• http://domain/resource => //domain/resource
• https://domain/resource => //domain/resource

6. Cross-Origin Resource Sharing
• Making an AJAX request to a different “origin”
• CORS considers HTTP and HTTPS to be different origins:
• http://example.com ≠ http://different.com
• http://example.com ≠ https://example.com
• Send CORS headers for HTTPS requests:
• Access-Control-Allow-Origin: http://example.com

7. • When the Set-Cookie header includes the secure attribute
• The browser will only send the cookie over HTTPS
• Except: a non-HTTPS resource can write to a Secure Cookie
• An IETF draft is coming to correct this
• Prefixed cookies are also in an IETF draft
• Set-Cookie: __Secure-example; Secure;
• Set-Cookie: __Host-example; Secure; Path=/
Secure Cookies

8. Referrers
• The Referer header informs the server where you’re coming from
• The header is not sent when navigating from HTTPS to HTTP
• A W3C draft is coming for “Referrer Policies” to override this
• Controlled by the source page, not the destination
• Can choose to reveal the full URL, only the domain, or neither

9. HTTPS Validation
• Has the certificate expired?
• Does my browser trust a certificate in the certificate chain?
• Has the certificate been revoked by the authority?
• and …

10. Does the name match?
• Common Name
• CN=www.example.com
• Wildcard
• CN=*.example.com
• ≠ example.com
• ≠ two.levels.example.com
• Subject Alternative Name (SAN)
• CN=*.example.com
SAN=example.com, two.levels.example.com, different.com

11. Extended Validation Certificates
• Show the fancy green address bar
• A lot more paperwork

12. Certificate Signature Hash function
• SHA256 is the current preference
• SHA1 signatures are now reporting as insecure in browsers
• Internet Explorer silently terminates the connection for MD5

13. Server Name Indication (SNI)
• Browser sends the domain name before it receives the certificate
• Normally only the IP address and port number are available
• Host request header gets sent after TLS handshake has completed
• All modern browsers and devices support SNI
• Server tools and programming frameworks often need to opt-in
• TL;DR one IP address is enough

14. HTTP Strict Transport Security (HSTS)
• HTTP response headers indicating to use only HTTPS for this site
• And optionally all subdomains too.
• Has a duration for which the browser should remember this.
• 6-month duration required to achieve Qualys Grade A+
• More secure than HTTP 30x redirection.
• Can be submitted for inclusion, hard-coded in the browser.

15. HTTP Public Key Pinning (HPKP)
• HTTP response headers fingerprinting the certificate keys to expect.
• Has a duration for which the browser should remember this.
• Only valid if the header also includes backup fingerprints.
• The backup fingerprints don’t need to be CA-signed certificates
• Preloading is possible (like HSTS)

16. Online Certificate Status Protocol Stapling
• OCSP is a modern solution to Certificate Revocation Lists
• Unfortunately OCSP implementations don’t perform well:
• At least 15% of requests fail
• Successful requests add a median of 350ms to the TLS handshake
• Instead the server can include an OCSP response with the certificate
• Must Staple TLS Feature Extension

17. HTTP/2
• Requires HTTPS in all browsers
• Multiplexing mitigates the TLS handshake costs
• Domain-sharding becomes an anti-pattern
• Connection sharing aids the transition
• Server push

18. TLS 1.0 going out, TLS 1.3 coming in
• Payment Card Industry Data Security Standard (PCI DSS)
• Version 3.1 from April 2015 scheduled TLS 1.0 deprecation for July 2016
• Revised in December 2015 to postpone deprecation to 2018 instead
• TLS v1.3
• TCP Fast Open to send TLS ClientHello with SYN
• Specification has been frozen to allow real-world testing

19. Google Says So
• Page Rank
• Starting August 2014, HTTPS sites are given a (slightly) higher rank.
• Rank only awarded to “strong” HTTPS.
• Geo-location and WebRTC only for HTTPS sites in Chrome soon

20. Let’s Encrypt
• Free certificates
• Trusted in all modern browsers and devices
• Automated Domain Control Validation
• Automated installation on the web server
• Automated renewal
• Standardised protocols
• Open source implementation
• https://letsencrypt.org/

21. Thank you
• Jason Stangroome
• @jstangroome
• https://section.io/
• https://blog.stangroome.com/
HTTPS: you cannot spell respect without an S. – Eric Lawrence