2. Why I care about HTTPS
• section.io is an agile Content Delivery Network
• We maintain a Qualys SSL Labs Grade A rating
• Our own site, blog, and portal are full HTTPS
• We help our customers transition to full HTTPS
• I’m personally passionate about security
3. Why should you care about HTTPS?
• You’re already here anyway
• A 42% increase for Alexa Top 1 Million in 6 months
• Hopefully the following presentation will help
4. SSL is dead
• HTTP = Hypertext Transfer Protocol
• HTTPS = HTTP Secure
• TLS = Transport Layer Security, now at version 1.2
• SSL = Secure Sockets Layer
• SSL v3 is effectively dead since POODLE in 2014
• SSL v2 just became even deader with DROWN this month
• X.509 Certificate
5. Mixed mode requests
• When a page served over HTTPS contains http:// URLs
• Since October 2015, Chrome removes the padlock.
• Content Security Policies can help fix the broken http:// URLs
• Protocol relative URLs reduce cache effectiveness:
• http://domain/resource => //domain/resource
• https://domain/resource => //domain/resource
6. Cross-Origin Resource Sharing
• Making an AJAX request to a different “origin”
• CORS considers HTTP and HTTPS to be different origins:
• http://example.com ≠ http://different.com
• http://example.com ≠ https://example.com
• Send CORS headers for HTTPS requests:
• Access-Control-Allow-Origin: http://example.com
7. • When the Set-Cookie header includes the secure attribute
• The browser will only send the cookie over HTTPS
• Except: a non-HTTPS resource can write to a Secure Cookie
• An IETF draft is coming to correct this
• Prefixed cookies are also in an IETF draft
• Set-Cookie: __Secure-example; Secure;
• Set-Cookie: __Host-example; Secure; Path=/
Secure Cookies
8. Referrers
• The Referer header informs the server where you’re coming from
• The header is not sent when navigating from HTTPS to HTTP
• A W3C draft is coming for “Referrer Policies” to override this
• Controlled by the source page, not the destination
• Can choose to reveal the full URL, only the domain, or neither
9. HTTPS Validation
• Has the certificate expired?
• Does my browser trust a certificate in the certificate chain?
• Has the certificate been revoked by the authority?
• and …
10. Does the name match?
• Common Name
• CN=www.example.com
• Wildcard
• CN=*.example.com
• ≠ example.com
• ≠ two.levels.example.com
• Subject Alternative Name (SAN)
• CN=*.example.com
SAN=example.com, two.levels.example.com, different.com
12. Certificate Signature Hash function
• SHA256 is the current preference
• SHA1 signatures are now reporting as insecure in browsers
• Internet Explorer silently terminates the connection for MD5
13. Server Name Indication (SNI)
• Browser sends the domain name before it receives the certificate
• Normally only the IP address and port number are available
• Host request header gets sent after TLS handshake has completed
• All modern browsers and devices support SNI
• Server tools and programming frameworks often need to opt-in
• TL;DR one IP address is enough
14. HTTP Strict Transport Security (HSTS)
• HTTP response headers indicating to use only HTTPS for this site
• And optionally all subdomains too.
• Has a duration for which the browser should remember this.
• 6-month duration required to achieve Qualys Grade A+
• More secure than HTTP 30x redirection.
• Can be submitted for inclusion, hard-coded in the browser.
15. HTTP Public Key Pinning (HPKP)
• HTTP response headers fingerprinting the certificate keys to expect.
• Has a duration for which the browser should remember this.
• Only valid if the header also includes backup fingerprints.
• The backup fingerprints don’t need to be CA-signed certificates
• Preloading is possible (like HSTS)
16. Online Certificate Status Protocol Stapling
• OCSP is a modern solution to Certificate Revocation Lists
• Unfortunately OCSP implementations don’t perform well:
• At least 15% of requests fail
• Successful requests add a median of 350ms to the TLS handshake
• Instead the server can include an OCSP response with the certificate
• Must Staple TLS Feature Extension
17. HTTP/2
• Requires HTTPS in all browsers
• Multiplexing mitigates the TLS handshake costs
• Domain-sharding becomes an anti-pattern
• Connection sharing aids the transition
• Server push
18. TLS 1.0 going out, TLS 1.3 coming in
• Payment Card Industry Data Security Standard (PCI DSS)
• Version 3.1 from April 2015 scheduled TLS 1.0 deprecation for July 2016
• Revised in December 2015 to postpone deprecation to 2018 instead
• TLS v1.3
• TCP Fast Open to send TLS ClientHello with SYN
• Specification has been frozen to allow real-world testing
19. Google Says So
• Page Rank
• Starting August 2014, HTTPS sites are given a (slightly) higher rank.
• Rank only awarded to “strong” HTTPS.
• Geo-location and WebRTC only for HTTPS sites in Chrome soon
20. Let’s Encrypt
• Free certificates
• Trusted in all modern browsers and devices
• Automated Domain Control Validation
• Automated installation on the web server
• Automated renewal
• Standardised protocols
• Open source implementation
• https://letsencrypt.org/
21. Thank you
• Jason Stangroome
• @jstangroome
• https://section.io/
• https://blog.stangroome.com/
HTTPS: you cannot spell respect without an S. – Eric Lawrence
Notes de l'éditeur
section.io is a CDN designed to integrate into the agile practices of a website’s development and operations teams.
It is the kind of CDN you put in front of your primary domain to handle all requests and resources, not just statics.
We ensure our CDN edge is configured to pass the Qualys SSL Labs with at least a Grade A.
Grade A, not A+, because A+ requires website changes (eg HSTS) and not just well-configured protocols.
There is no padlock with warning icon anymore https://googleonlinesecurity.blogspot.com.au/2015/10/simplifying-page-security-icon-in-chrome.html
Strict cookies to prevent HTTP origins writing cookies with secure attribute https://datatracker.ietf.org/doc/draft-west-leave-secure-cookies-alone/
Prefixed cookies to ensure particular cookies with `__Host` or `__Secure` or only used this way https://datatracker.ietf.org/doc/draft-ietf-httpbis-cookie-prefixes/
__Host- prefixed cookies do not allow the Domain attribute and must have Secure and Path attributes
https://w3c.github.io/webappsec-referrer-policy/
Must Staple http://tools.ietf.org/html/rfc7633
OCSP fails at least 15% of the time and take median 350ms on success https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/