5. Facts about HTTP Headers
• Headers can be used to steer browsers (and
applications) behaviour
• You can define your own headers
• If the browser does not know or support the
header, it will ignore the header
• Response headers are client side controls that
are implemented on the server side
8. TLS/SSL
• TLS is the S in HTTPS ;)
• It gives us following things:
– Confidentiality - adversary can't see unencrypted data
– Integrity - adversary can't change data undetected
– Authentication - to know which server we are connected
to
9. Why TLS?
• Because the world is cruel
„Any unencrypted traffic, visible to an adversary, is
not just an information leak, but an attack vector
they can use to exploit your systems.”
Nick Weaver
• Current state of the art: encrypt everything
10. Need to know more?
• Advanced HTTPS Defense Strategies (Jim Manico)
• Youtube: https://www.youtube.com/watch?v=uix4f45VndQ
• Presentation: http://www.slideshare.net/proidea_conferences/jim-
manico-advanced-https-defense-strategies
12. Threats addressed by HSTS
• Passive network attackers - eavesdropping of
unencrypted communication. Even more
dangerous when environment allows for non-
secure cookies.
• Active network attackers - TLS striping or
invisible proxy relying on user to accept the
flawed certificate.
• Web Site Development and Deployment Bugs -
page is loading additional resources over an
insecure connection (mixed content).
18. HSTS Header
Strict-Transport-Security : max-
age=31536000; includeSubdomains; preload
• max-age - how long insecure requests are forbiden
(in seconds)
• includeSubdomains - should sub domains be also
included (optional)
• preload - allow HSTS to be hardcoded in the
browsers. Solves the "trust on first use" (TOFU)
problem. HSTS for a domain can be registered on
hstspreload.appspot.com (optional)
19. What can go wrong?
• Want to go back to HTTP? No way...
• Your subdomains do not support HTTPS and
you turned includeSubdomains on.
20. HSTS and Security Standards
• OWASP ASVS v3.0 V10.11: Verify that HTTP Strict
Transport Security headers are included on all
requests and for all subdomains, such as
Strict-Transport-Security: max-
age=15724800; includeSubdomains
• OWASP ASVS v3.0 V10.12: Verify that production
website URL has been submitted to preloaded list
of Strict Transport Security domains maintained
by web browser vendors.
21. How many sites use HSTS?
HSTS present HSTS missing
Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-
2016/ (August 2016)
22. Browser support for HSTS
HSTS present HSTS missing
Source: http://caniuse.com/#feat=stricttransportsecurity
25. PKI in a nutshell
you RA (CA)
Create public/private key
Fill some data
Create and send CSR
Send signed certificate
Profit
26. Question: Which CA should you buy
certificates from?
• Let’s encrypt – because it’s free, automated
and open :)
• But honestly, it does not matter. Any CA
recognized by your browser can gice you
technically the same thing – signed certificate.
27. Question: What can happen if
a CA gets hacked?
• One could fabricate certificates for EVERY
domain in the internet. (Security of the
WHOLE INTERNET is in danger)
„If a company can ‚put the entire Internet at risk’ (…)
the system is fundamentally flawed.”
https://news.ycombinator.com/item?id=9253676
28. Question: How often did CAs fail
in the past?
• 2011, Comodo got hacked
• 2011, Diginotar got hacked, got used to attack
iranian google users, went bankrupt...
• 2013, This time: French government...
• 2013, Trustwave selling an intermediate CA
cert to a private company
• 2015, MCS Holdings...
29. HPKP Header
Public-Key-Pins: pin-sha256=<hash1>;
pin-sha256=<hash2>; max-age=2592000;
report-uri=<uri>; includeSubdomains
• pin-sha256 - certificate thumbprint, can be from own
certificate or any certificate in the chain or even CSR.
• max-age - how long pinned certificate must be served
(in seconds).
• report-uri - report violations to this uri. Usually not the
same uri as the target system.
• includeSubdomains - all subdomains must use the
same pins.
30. Generate hashes
• For the certificate:
openssl rsa -pubout -in pub.key -
outform der | openssl dgst -sha256
-binary | base64
• For the CSR:
openssl req -noout -in my.csr -
pubkey | openssl rsa -pubin -
outform der | openssl dgst -sha256
-binary | base64
31. ☠ DANGER ☠
It is very easy to get HPKP wrong. And if you do it wrong,
you will run a DOS against your system.
Good practice:
• Pin at least your certificate, CSR and a backup CSR.
• If you don't ping CSRs, pin at least two certificates (one
backup) and don't forget to order and activate new
certificates at least max-age before they expire.
• NOTE: HPKP has the TOFU (trust on first use) problem
32. Good News
• There is also a Public-Key-Pins-
Report-Only header, which has the same
syntax as HPKP, but does only reporting. Good
for testing purposes.
33. HPKP and Security Standards
• OWASP ASVS v3.0 V10.10: Verify that TLS
certificate public key pinning is implemented
with production and backup public keys.
34. How many sites use HPKP?
HPKP present HPKP missing
Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-
2016/ (August 2016)