WordCamp Notes -- HTTPS is Coming: Are you Prepared?, Zack Tollman
November 12, 2015
(Zack's talk was easily the best one at all of WordCamp. He really knows his content and is an excellent presenter. I highly recommend watching this preso the next time Zack is presenting!)
as developers we do https poorly
site -- ssl pulse
monitor the top 300 alexa websites
how well have they implemented their https
results are grim
70% are insecure
misconfiguration errors are undermining this process
it's too easy to screw up https config
why? what makes us screw this up so much?
unless you're a cryptographer, this stuff is hard.
copy and pasting is easy
istlsfastyet.com
TLS basics
Transport Layer Security
between HTTP and TCP layer --
HTTP
TLS
TCP
SSL and TLS tend to mean the same thing. SSL just refers to the old Netscape-specific version, but nowadays it's really the same thing and the terms are used interchangeably
provides us 4 things
authentication
integrity
encryption
key exchange
auth --
when you pick up the phone, you really HOPE the person on the end is the person you tried to call
if you type google.com, you really hope you get google's website
TLS gives you the guarantee that the server you THINK you're talking to is really the correct site
integrity --
when they SEND their msgs to me, it hasn't been tampered with before it reaches me
encryption
take plain text -> algo and get out "cipher text"
A + 13 = N
13 is the "key" that changes the text in our algo to spit out the cipher text (N)
key exchange --
if ANY one of those 4 steps is messed up, the entire system could be compromised
cipher suites
a way to communicate which algos will be used for auth, encryption, integrity and key exchange
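Added example (mine, not from the talk): a TLS 1.2-style cipher suite name is just those four jobs written out in order, so this splits one apart and flags the components Mozilla's guide retires. The "weak" sets are this example's own short summary, not an exhaustive list.

```python
"""Pull a TLS 1.2-style cipher suite name apart into the four jobs the talk
lists (key exchange, authentication, encryption, integrity) and flag the
components that are widely retired.

Added example for these notes, not code from the talk. The "weak" sets are
this example's own summary of retired algorithms, not an exhaustive list.
"""
import re

# Key exchange without forward secrecy (static RSA / static DH) or with no key exchange at all
WEAK_KEY_EXCHANGE = {"RSA", "DH", "NULL"}
# Bulk ciphers that are broken, obsolete, or provide no confidentiality
WEAK_ENCRYPTION = {"NULL", "RC4_40", "RC4_128", "DES40_CBC", "DES_CBC", "3DES_EDE_CBC"}
# HMAC hashes no longer acceptable for record integrity ("SHA" means SHA-1)
WEAK_INTEGRITY = {"MD5", "SHA"}
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")


def parse_cipher_suite(name):
    """Return a dict saying which algorithm does which job, plus a list of
    human-readable weaknesses (empty when nothing is flagged)."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)", name)
    if not m:
        raise ValueError("not a TLS_<kx>_<auth>_WITH_<cipher>_<hash> name: %r" % name)
    kx_auth, cipher_hash = m.group(1), m.group(2)

    # Key exchange + authentication: "ECDHE_RSA" -> ECDHE makes the keys, RSA signs;
    # a bare "RSA" means RSA key transport does both jobs;
    # "DH_anon" means nobody authenticates anybody.
    parts = kx_auth.split("_")
    if len(parts) == 1:
        key_exchange = auth = parts[0]
    elif parts[-1] == "anon":
        key_exchange, auth = "_".join(parts[:-1]), "anon"
    else:
        key_exchange, auth = parts[0], "_".join(parts[1:])

    # The last token is always a hash name (MD5, SHA, SHA256, SHA384);
    # everything before it is the bulk cipher, e.g. AES_128_GCM or 3DES_EDE_CBC.
    encryption, mac_hash = cipher_hash.rsplit("_", 1)
    aead = any(tag in encryption for tag in AEAD_MARKERS)
    # With an AEAD cipher the integrity check is built into the cipher and the
    # trailing hash only drives key derivation; otherwise integrity is an HMAC.
    integrity = "AEAD (" + encryption + ")" if aead else "HMAC-" + mac_hash

    weak = []
    if key_exchange in WEAK_KEY_EXCHANGE:
        weak.append("key exchange: %s has no forward secrecy" % key_exchange)
    if auth == "anon":
        weak.append("auth: anonymous, the server is never authenticated")
    if encryption in WEAK_ENCRYPTION:
        weak.append("encryption: %s is broken or obsolete" % encryption)
    if not aead and mac_hash in WEAK_INTEGRITY:
        weak.append("integrity: HMAC-%s is obsolete" % mac_hash)

    return {"key_exchange": key_exchange, "auth": auth, "encryption": encryption,
            "integrity": integrity, "prf_hash": mac_hash, "weak": weak}


if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_RC4_128_SHA",
                  "TLS_DH_anon_WITH_AES_256_CBC_SHA256"):
        info = parse_cipher_suite(suite)
        print(suite)
        for job in ("key_exchange", "auth", "encryption", "integrity"):
            print("  %-13s %s" % (job, info[job]))
        for w in info["weak"]:
            print("  WEAK  " + w)
```

Run it against the suite list your server actually offers; anything that prints a WEAK line is one of the four steps being "messed up" in the talk's sense.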
Mozilla's Guide for TLS
https://wiki.mozilla.org/Security/Server_Side_TLS
-- really good guide for more info. use this.
http strict transport security
ssl stripping
-- attack against https sites
attacks sites where PART of the site is http and part of it is https
http://www.thoughtcrime.org/software/sslstrip for more info
what if we eliminate the http version of the site entirely? that's the one where you're vulnerable
if you're ALWAYS on httpS, it removes that vulnerability
*** set HSTS headers in your site, so the browser won't even let you TRY to use plain http
caveat -- if you have a part of your site that IS supposed to be http-only, you're screwed, so undo all that and make sure the site all runs over httpS
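Added example (mine, not from the talk): build the HSTS header and audit a response for it. The minimum max-age and the sample responses are this example's own choices; the rule that browsers ignore the header on a plain-http response comes from RFC 6797.

```python
"""Build and audit a Strict-Transport-Security header the way the talk
recommends: once the browser has seen it over https, it refuses to even try
plain http for that host, which is what takes ssl stripping off the table.

Added example for these notes, not code from the talk. The minimum max-age
and the sample responses below are this example's own choices.
"""

ONE_YEAR = 31536000           # seconds; the value most guides recommend
MIN_ACCEPTABLE = 15552000     # six months; this example's own threshold


def build_hsts_header(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Return the header value to send on every https response."""
    value = "max-age=%d" % max_age
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:                 # only add once the site really is https everywhere
        value += "; preload"
    return value


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a lower-cased dict."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, over_https=True, min_max_age=MIN_ACCEPTABLE):
    """Audit one response. `headers` is a dict of response headers; returns a
    list of findings, empty when the policy is sound."""
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
    if value is None:
        return ["no Strict-Transport-Security header: the browser will try plain http again next visit"]
    findings = []
    if not over_https:
        # RFC 6797: browsers ignore the header on a plain-http response, so an
        # http-only part of a site cannot protect itself this way
        findings.append("header sent over http is ignored by browsers")
    d = parse_hsts(value)
    age = d.get("max-age", "")
    if not age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(age) == 0:
        findings.append("max-age=0 clears the policy instead of setting one")
    elif int(age) < min_max_age:
        findings.append("max-age %s is shorter than %d seconds" % (age, min_max_age))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over http")
    return findings


# Constructed sample responses (not captured from any real site)
SAMPLE_RESPONSES = {
    "good": {"Content-Type": "text/html",
             "Strict-Transport-Security": build_hsts_header()},
    "short": {"Content-Type": "text/html",
              "strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, check_hsts(hdrs) or ["ok"])
```

The includeSubDomains check is the caveat above in code form: the policy covers the whole host (and its subdomains), so any http-only corner of the site has to be moved to https before the header goes out, not after.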
More info --
The Code Book - Simon Singh
High Performance Browser Networking - TLS chapter, Ilya Grigorik
Bulletproof ssl and tls -- IVAN RISTIC
SSL and TLS: Designing and Building Secure Systems, Eric Rescorla
@tollmanz
https://letsencrypt.org/
SSLMate -- the only GOOD process for buying SSL certificates
"content security policy headers"
-- what content will you allow on your own website
-- helps prevent XSS attacks
-- only allow JS to run on MY site that comes from MY domain, and/or Google (or whatever sites you list)
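Added example (mine, not from the talk): parse a Content-Security-Policy header and decide whether a given script would run. Host matching is a simplified version of the real CSP rules (scheme optional, `*.` wildcard, ports and paths ignored), which is an assumption of this example, as is the sample policy.

```python
"""Decide whether a script would run under a Content-Security-Policy header,
illustrating the talk's point: only JS from MY domain (and the hosts I list)
is allowed, so an injected inline script or a script pulled from an
unlisted host is refused by the browser.

Added example for these notes, not code from the talk. Host matching below is
a simplified version of the CSP rules (scheme optional, '*.' wildcard, ports
and paths ignored), which is an assumption of this example.
"""
from urllib.parse import urlsplit


def parse_csp(header):
    """'default-src 'self'; script-src 'self' https://x' -> {directive: [sources]}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_source_matches(source, script_url):
    """Simplified CSP host-source match against a script URL."""
    u = urlsplit(script_url)
    if "://" in source:
        scheme, _, rest = source.partition("://")
        if scheme.lower() != u.scheme.lower():
            return False
    else:
        rest = source
    host = rest.split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def _script_sources(policy):
    """script-src governs scripts; default-src is the fallback when it is absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def script_allowed(policy, page_origin, script_url):
    """True if the browser would load `script_url` on a page served from
    `page_origin` (e.g. 'https://example.com') under `policy`."""
    sources = _script_sources(policy)
    if sources is None:              # no applicable directive: nothing restricted
        return True
    if "'none'" in sources:
        return False
    u = urlsplit(script_url)
    script_origin = "%s://%s" % (u.scheme.lower(), u.netloc.lower())
    for src in sources:
        if src == "'self'":
            if script_origin == page_origin.lower():
                return True
        elif src.startswith("'"):     # 'unsafe-inline', nonces, hashes: not host sources
            continue
        elif _host_source_matches(src, script_url):
            return True
    return False


def inline_script_allowed(policy):
    """Injected <script> blocks in the page body only run if 'unsafe-inline' is listed."""
    sources = _script_sources(policy)
    return sources is None or "'unsafe-inline'" in sources


# Constructed sample policy for a site that trusts itself and Google's CDN
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://ajax.googleapis.com; img-src *"

if __name__ == "__main__":
    policy = parse_csp(SAMPLE_POLICY)
    page = "https://example.com"
    for url in ("https://example.com/js/app.js",
                "https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js",
                "https://untrusted.example/other.js",
                "http://example.com/js/app.js"):
        print("%-70s %s" % (url, "allowed" if script_allowed(policy, page, url) else "BLOCKED"))
    print("inline scripts:", "allowed" if inline_script_allowed(policy) else "BLOCKED")
```

The last two cases are the XSS angle: a script from a host you never listed is blocked, and so is the plain-http copy of your own script, because 'self' means the same scheme and host, not just the same name. Leaving 'unsafe-inline' out of script-src is what makes an injected inline script fail to run.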