WordCamp Notes -- HTTPS is Coming: Are you Prepared?, Zack Tollman

November 12, 2015

(Zack's talk was easily the best one at all of WordCamp. He really knows his content and is an excellent presenter. I highly recommend watching this preso the next time Zack is presenting!)

as developers we do https poorly

site -- SSL Pulse (Qualys SSL Labs)
monitors the top 300 alexa websites
how well have they implemented their https?
results are grim
70% are insecure

misconfiguration errors are undermining this process
it's too easy to screw up https config

why? what makes us screw this up so much?
unless you're a cryptographer, this stuff is hard.

copy-and-pasting someone else's config is easy (and the mistakes in it come along for the ride)

istlsfastyet.com

TLS basics
Transport Layer Security
sits between HTTP and TCP in the stack --
HTTP
TLS
TCP

SSL and TLS tend to mean the same thing in conversation. SSL is the old Netscape-designed protocol (SSL 2.0/3.0, now deprecated); TLS (1.0 and up) is its standardized successor and is what's actually in use today. the names are used interchangeably

provides us 4 things
authentication
integrity
encryption
key exchange

auth --
when you pick up the phone, you really HOPE the person on the end is the person you tried to call
if you type google.com, you really hope you get google's website
TLS gives you the guarantee that the server you THINK you're talking to is really the correct site (the server proves its identity with its certificate)

integrity --
when they SEND their msgs to me, it hasn't been tampered with before it reaches me

encryption
take plain text -> algo -> get out "ciphertext"

A + 13 = N
rot13: shift each letter 13 places, so A becomes N. 13 is the "key": the algorithm (shift the letter) stays the same, the key is what decides which ciphertext comes out

key exchange --
how the two sides agree on a shared secret key over a network someone may be listening to, without the eavesdropper learning it

if ANY one of those 4 steps is messed up, the entire system could be compromised

cipher suites
a named bundle that tells client and server which algorithm to use for each of the four jobs: key exchange, authentication, encryption, integrity (e.g. ECDHE-RSA-AES128-GCM-SHA256)

Mozilla's Guide for TLS
https://wiki.mozilla.org/Security/Server_Side_TLS
-- really good guide for more info. use this.
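Added example (mine, not from the talk): a small parser that splits an OpenSSL-style cipher suite name into the four roles above and flags choices Mozilla's guide would reject. The flagging rules are illustrative, not a copy of the Mozilla lists, and the parser only knows the common name shapes shown here.

```python
# Added example, not from the talk: split an OpenSSL-style cipher suite
# name into the four roles the talk lists (key exchange, authentication,
# encryption, integrity) and flag choices Mozilla's guide would reject.
# The rule set below is illustrative, not a copy of the Mozilla lists.

KEY_EXCHANGE = {"ECDHE", "DHE", "ECDH", "DH", "AECDH", "ADH"}
AUTHENTICATION = {"RSA", "ECDSA", "DSS"}
HASHES = {"MD5", "SHA", "SHA256", "SHA384"}
WEAK_CIPHERS = ("RC4", "DES", "NULL", "EXP")  # matched as substrings of the cipher token


def weaknesses(kex, auth, enc, hash_alg):
    """Findings for one parsed suite; an empty list means nothing obviously wrong."""
    problems = []
    if kex == "RSA":
        problems.append("static RSA key exchange: no forward secrecy")
    if auth == "NONE":
        problems.append("anonymous suite: server is not authenticated")
    if any(bad in enc for bad in WEAK_CIPHERS):
        problems.append(f"{enc}: weak, broken or export-grade cipher")
    if hash_alg == "MD5":
        problems.append("MD5 MAC: broken")
    return problems


def parse_cipher_suite(name):
    """Map e.g. ECDHE-RSA-AES128-GCM-SHA256 onto the four TLS jobs."""
    tokens = name.upper().split("-")
    # Key exchange: explicit prefix, otherwise OpenSSL means static RSA
    # (AES128-SHA is TLS_RSA_WITH_AES_128_CBC_SHA).
    kex = tokens.pop(0) if tokens[0] in KEY_EXCHANGE else "RSA"
    # Authentication: explicit token, otherwise implied by the key exchange.
    if tokens and tokens[0] in AUTHENTICATION:
        auth = tokens.pop(0)
    elif kex in ("AECDH", "ADH"):
        auth = "NONE"  # anonymous Diffie-Hellman: nobody proves who they are
    else:
        auth = "RSA"
    # Trailing hash: the MAC for CBC suites, the PRF hash for GCM suites.
    # CHACHA20-POLY1305 has no hash token; the AEAD tag provides integrity.
    hash_alg = tokens.pop() if tokens and tokens[-1] in HASHES else "AEAD"
    enc = "-".join(tokens)
    return {"kex": kex, "auth": auth, "enc": enc, "hash": hash_alg,
            "problems": weaknesses(kex, auth, enc, hash_alg)}


def audit(cipher_list):
    """Audit an OpenSSL-style colon-separated cipher list; returns name -> findings."""
    return {name: parse_cipher_suite(name)["problems"]
            for name in cipher_list.split(":") if name}


if __name__ == "__main__":
    for suite, findings in audit("ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-MD5").items():
        print(suite, "->", findings or "ok")
```

Point it at the cipher list from your own nginx/Apache config (the `ssl_ciphers` / `SSLCipherSuite` value) and compare the output with the Mozilla guide's recommended list.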

http strict transport security
ssl stripping
-- attack against https sites
works on any site that still answers over plain http at all (typically the http -> https redirect on the very first request): the attacker in the middle keeps the victim on http and rewrites every https link to http, while talking https to the real server themselves
http://www.thoughtcrime.org/software/sslstrip for more info

what if we eliminate the http version of the site entirely? the http side is the only place you're vulnerable
if you're ALWAYS on httpS, it removes that vulnerability

*** set the HSTS header (Strict-Transport-Security: max-age=...; includeSubDomains) on your https responses, so the browser won't even TRY plain http to your host for the next max-age seconds -- it rewrites http:// to https:// itself before the request ever leaves

caveat -- if you have a part of your site that IS supposed to be http-only, you're screwed: once the browser has seen the header it upgrades every request to that host to https until max-age runs out. so undo all that and make sure the whole site runs over httpS before you turn HSTS on (and start with a short max-age while you test)
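Added example (mine, not from the talk): the "no plain-http version" rule and the HSTS header written out at the application layer. The handle() request shape (scheme, host, path, query) is a made-up stand-in for whatever framework you use; in WordPress the same header goes out via PHP's header() or the web server config.

```python
# Added example, not from the talk: redirect every http request, send HSTS
# only over https, and sanity-check a header value before deploying it.
# handle()'s (scheme, host, path, query) shape is a made-up stand-in.

SIX_MONTHS = 15768000  # seconds; a common floor for max-age once you trust the setup


def hsts_value(max_age=SIX_MONTHS, include_subdomains=True, preload=False):
    """Build the Strict-Transport-Security header value."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """'max-age=600; includeSubDomains' -> {'max-age': '600', 'includesubdomains': ''}"""
    directives = {}
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def check_hsts(value, minimum=SIX_MONTHS):
    """Findings for a header value as a browser (and an auditor) would read it."""
    d = parse_hsts(value)
    if "max-age" not in d:
        return ["max-age missing: header is invalid and ignored by browsers"]
    if not d["max-age"].isdigit():
        return ["max-age is not a non-negative integer"]
    age = int(d["max-age"])
    findings = []
    if age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif age < minimum:
        findings.append(f"max-age={age} is shorter than {minimum}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains are not covered")
    return findings


def handle(scheme, host, path, query=""):
    """Respond like a site that has no http version at all."""
    if scheme == "http":
        # Redirect every http request. Don't bother sending HSTS here:
        # browsers ignore the header unless it arrives over https.
        target = f"https://{host}{path}" + (f"?{query}" if query else "")
        return 301, {"Location": target}, b""
    # Only https responses carry the policy; after the first one the browser
    # rewrites http://host/... to https:// itself for max-age seconds.
    return 200, {"Strict-Transport-Security": hsts_value()}, b"hello over tls"


if __name__ == "__main__":
    print(handle("http", "example.com", "/wp-login.php", "redirect_to=%2F"))
    print(handle("https", "example.com", "/"))
    print(check_hsts("max-age=300"))
```

Run check_hsts() against the value your production server actually sends (curl -sI https://yoursite/ | grep -i strict) rather than the one you think you configured.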

More info --
The Code Book, Simon Singh

High Performance Browser Networking (TLS chapter), Ilya Grigorik

Bulletproof SSL and TLS, Ivan Ristić

SSL and TLS: Designing and Building Secure Systems, Eric Rescorla

@tollmanz

https://letsencrypt.org/

SSLMate -- the only GOOD process for buying SSL certificates

"content security policy headers"
-- a whitelist of where content (scripts, styles, images, ...) on your pages may be loaded from; the browser enforces it
-- helps prevent XSS: injected script from an origin you didn't list doesn't run, and inline script doesn't run either unless you allow 'unsafe-inline'
-- e.g. only allow JS on MY site that comes from MY domain, and/or Google (or whatever origins you list)
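Added example (mine, not from the talk): the "only my domain and Google" script policy from the last bullet, plus a tiny matcher that shows what a browser enforcing it would and would not run. The origins are made up, and the matcher covers only the source forms used here (host, scheme://host, *.wildcard, 'self', 'none', 'unsafe-inline'), not the full CSP grammar.

```python
# Added example, not from the talk: build a script-src whitelist and show
# which script URLs a browser enforcing it would load. Origins are made up;
# the matcher handles the common source forms only, not the full CSP spec.
from urllib.parse import urlsplit


def build_csp(script_origins=("https://www.google.com",)):
    """Everything from our own origin, plus scripts from the listed origins."""
    return "default-src 'self'; script-src 'self' " + " ".join(script_origins)


def parse_csp(policy):
    """\"default-src 'self'; script-src a b\" -> {'default-src': [\"'self'\"], 'script-src': ['a', 'b']}"""
    out = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def _source_matches(source, page, script):
    """Does one CSP source expression allow this script URL on this page?"""
    if source == "'self'":
        return (script.scheme, script.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', ... never match a URL
    pattern = urlsplit(source if "://" in source else "//" + source)
    if pattern.scheme and pattern.scheme != script.scheme:
        return False  # explicit scheme in the policy must match exactly
    if not pattern.scheme and script.scheme not in (page.scheme, "https"):
        return False  # scheme-less source: page's scheme, or https as an upgrade
    pat_host, host = pattern.hostname or "", script.hostname or ""
    if pat_host.startswith("*."):
        return host.endswith(pat_host[1:])  # *.example.com, not example.com itself
    return host == pat_host


def _script_sources(policy):
    csp = parse_csp(policy)
    # script-src falls back to default-src when absent
    return csp.get("script-src", csp.get("default-src", []))


def script_allowed(policy, page_url, script_url):
    """Would a browser enforcing `policy` on `page_url` load `script_url`?"""
    page, script = urlsplit(page_url), urlsplit(script_url)
    return any(_source_matches(s, page, script) for s in _script_sources(policy))


def inline_script_allowed(policy):
    """Inline <script> blocks only run if 'unsafe-inline' is listed (the XSS escape hatch)."""
    return "'unsafe-inline'" in _script_sources(policy)


if __name__ == "__main__":
    policy = build_csp()
    print(policy)
    for url in ("https://myblog.example/wp-includes/js/jquery.js",
                "https://www.google.com/recaptcha/api.js",
                "https://evil.example/steal.js"):
        print(url, "->", script_allowed(policy, "https://myblog.example/", url))
    print("inline allowed:", inline_script_allowed(policy))
```

Before enforcing, ship the same policy as Content-Security-Policy-Report-Only with a report-uri and watch what your theme and plugins actually load; WordPress plugins lean heavily on inline script, and 'unsafe-inline' gives most of the XSS protection straight back.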