SSL++; Tales of Transport Layer Security at Twitter

Post on 24-Jun-2015

487 views 3 download

Preview:

Click to see full reader

Tags:

Report this document
SHARE

description

presentation at BSides San Francisco, Feb 24 2013. corresponding video available @ https://www.brighttalk.com/webcast/7651/69207

Transcript of SSL++; Tales of Transport Layer Security at Twitter

SSL++Tales of Transport-Layer Security at Twitter

@jimio | #BSidesSF

CRIME

BEAST

HTTP

100% Certified SSL

<img src="http://twitter.com"/>

http://twitter.com
http://twitter.com

secure;

sslstrip

301

#!

#!twitter.com/#!/jimio

twitter.com/#!/jimio

DISCLAIMER

DISCLAIMER

we did this.

DISCLAIMER

we did this.

you can too.

Hello!

Hello!

twitter

twitter

twitter

twitter

http://twitter.com

http://twitter.com
http://twitter.com

http://twitter.com

https://twitter.com

http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com

http://twitter.com

https://twitter.com

http://twitter.ie

http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com

http://twitter.com

https://twitter.com

http://twitter.ie

http://www.w3.org

http://wtf.ru http://twitter.uz

http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com
http://twitter.com

<link rel="canonical" href="https://twitter.com/">

https://twitter.com
https://twitter.com

%2F

/

<-HTTPS

Hello!

Hello!

twitter.com

HTTP...

but wait!!

HSTS

HSTS

HTTP=>HTTPS 300s

0

HTTP=>HTTPS 300s

0

includeSubdomains

include$ubdomains

CSP

CSP

< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:

< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report

< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:

< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report

< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:

< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report

< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:

< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report
https://twitter.com/scribes/csp_report

secureheaders

secureheadersStrict-Transport-SecurityContent-Security-Policy

X-XSS-ProtectionX-Frame-Options

X-Content-Type-Options

SSL

1. OS: validate revocation, expiration2. App: check against local bundle3. Party on

https://twitter.com/jobshttps://t.co/h4x0r

#jointheflock

@jimio

https://twitter.com/jobs
https://twitter.com/jobs

Top related

AN3967 Application note - STMicroelectronics · Note: The “SSL/TLS” protocols is referred to as “SSL” throughout this document. 3.3 SSL / TLS sub-protocols The SSL protocol
 Documents
Ssl Survey
 Documents
History SSL Organisation AGAL Organisation SSL 8 Page Brochure … · History SSL Organisation AGAL Organisation SSL 8 Page Brochure SSL News Winter 99 SSL News Spring 99 Scientific
 Documents
The Difference Between a Standard SSL and EV SSL Certificate
 Technology
GlobalSign API for SSL Certificates Implementation Guide ... · GlobalSign API for SSL Certificates v4.4 Page 3 3.4 Extended SSL ExtendedSSL, or Extended Validation (EV) SSL, is the
 Documents
ESP8266 SSL User Manual - MPJA.COM SSL User Manual v1.4.pdf · " "Espressif Systems " ESP8266 SSL User Manual 2. ESP8266 as SSL server When ESP8266 is running as a SSL server, header
 Documents
SSL Spoofing - OWASP Foundation · Man-In-The-Middle attack on SSL Duane Peifer. Summary How SSL works Common SSL misconceptions SSL Spoofing Using sslstrip Preventing SSL Spoofing
 Documents
CERTISIGN SSL EV CERTIFICATION AUTHORITY CERTIFICATION ...ctn.certisign.com.br/ssl-ev/dpc/dpc-certisign-ssl-ev-certification... · certisign ssl ev certification authority certification
 Documents
Mission https:// - My SSL Online · SSL Capabilities: Symantec offers a variety of SSL products that support various authentication mechanisms for different needs. From SSL certificates
 Documents
Ssl Atasmanlari
 Documents
SSL VPN - cisco.com · SSL VPN TheSSLVPNfeatureorWebVPNprovidessupportintheCiscoIOSsoftwareforremoteuseraccessto enterprisenetworksfromanywhereontheInternet.RemoteaccessisprovidedthroughaSecureSocket
 Documents
SSL Studio Toolssslweb.solidstatelogic.com.s3.amazonaws.com/content/SSL-Studio... · SSL Studio Tools Console grade technology for studios of all sizes.
 Documents
Extended Validation SSL Certificate(EV SSL)
 Internet
Protocolo Ssl
 Documents
SSL Spoofing - IEEE Entity Web Hosting · § SSL Spoofing § Using sslstrip § Preventing SSL Spoofing § Examples of stripped sites. How SSL works Web Server Client PC Client hello
 Documents
SSL. SSL Certificates © 2012 Citrix | Confidential – Do Not Distribute Overview Topics in this module include: SSL and Digital Certificates SSL Administration.
 Documents
SSL DOCUMENTATION2
 Documents
SonicOS 7 DPI-SSL - SonicWall · AboutDPI-SSL NOTE:DPI-SSLisaseparate,licensedfeaturethatprovidesinspectionofencryptedHTTPStrafficand otherSSL-basedIPv4andIPv6traffic. Topics: l UsingDPI-SSL
 Documents
VII. Corente Services SSL Client - docs.oracle.com€¦ · SSL Certificate.....44 SSL Certificate ..... 45 Obtaining an SSL Certificate Signed by a CA..... 46 Install an SSL Certificate
 Documents
Management Services SSL VPN Setup - SonicWall · 2020-04-15 · Management Services SSL VPN Setup Administration About SSL VPN 4 Benefits of SSL VPN NetExtender NetExtender provides
 Documents

Copyright © 2022 FDOCUMENTS