HTTPS at Sydney Alt.Net User Group


Transcript of HTTPS at Sydney Alt.Net User Group

Page 1: HTTPS at Sydney Alt.Net User Group

HTTPS
This is not HTTP over TLS

Page 2: HTTPS at Sydney Alt.Net User Group

SSL is dead
• HTTP = Hypertext Transfer Protocol
• HTTPS = HTTP Secure
• TLS = Transport Layer Security
• SSL = Secure Sockets Layer
  • SSL v3 is effectively dead since POODLE in 2014
• X.509 Certificate

Page 3: HTTPS at Sydney Alt.Net User Group

Why is HTTPS more than HTTP + TLS?
• Mixed mode requests
  • BTW, don’t use protocol-relative URLs (e.g. //domain/resource)
• CORS considers HTTP and HTTPS to be different origins
• secure attribute on cookies
  • Not really
  • Strictly secure cookies in draft
  • Prefixed cookies in draft (e.g. __Host- or __Secure-)
• Referer HTTP request header
• “Opportunistic Security for HTTP” IETF draft is just HTTP + TLS

Page 4: HTTPS at Sydney Alt.Net User Group

HTTPS Verification Basics
• Certificate validity period
• Certificate chain trusted
• Common Name, Subject Alternative Name (SAN), wildcards
• Certificate Revocation List
• Extended Validation Certificate
• Mixed-mode resources

Page 5: HTTPS at Sydney Alt.Net User Group

Further HTTPS Verification
• Signature hash function
  • MD5 drops the connection in IE
  • SHA1 sunset
• OCSP Stapling and Must Staple TLS Feature Extension
• Certificate Transparency
• HTTP Public Key Pinning
  • Requires backup keys. CSRs are sufficient.

Page 6: HTTPS at Sydney Alt.Net User Group

Other recent HTTPS developments
• Server Name Indication (SNI)
• HTTP Strict Transport Security (HSTS)
  • Browser preloading
• Content Security Policies
  • Upgrade Insecure Requests
• Referrer Policy (draft)
• AWS Certificate Manager
• Let’s Encrypt https://letsencrypt.org/

Page 7: HTTPS at Sydney Alt.Net User Group

Why implement HTTPS well?
• Security
• Trust
• Compliance
• SEO
• Performance

Page 8: HTTPS at Sydney Alt.Net User Group

Security
• Forward Secrecy
  • Diffie-Hellman key exchange (EDH/DHE)
• Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Equivalent security with smaller keys means faster operations

Page 9: HTTPS at Sydney Alt.Net User Group

Security - Vulnerabilities
• Heartbleed – attacks OpenSSL bug, upgrade or switch.
• POODLE – attacks padding in SSL v3.0, disable it.
• Logjam – attacks DHE ciphers, mitigate with 2048+ bit DH params.
• BEAST – attacks CBC mode of AES, mitigated in TLS v1.1.
• Lucky13 – a CBC padding timing attack, mitigated in implementations.
• CRIME – attacks TLS compression, disable it.
• BREACH – attacks HTTP compression. Various mitigations.
• Don’t use RC4 – prohibited in Feb 2015 by RFC 7465.

Page 10: HTTPS at Sydney Alt.Net User Group

Trust
• Extended Validation Certificates
• Chrome Page Security Icon
  • Since October, HTTPS with minor errors does not show any padlock
• Qualys SSL Labs A+ Grade
  • Zero warnings (i.e. A Grade)
  • HSTS header valid for at least six months
  • Certificate must not be SHA1 signed
  • TLS_FALLBACK_SCSV “fake” cipher suite must be handled
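
An added example, not from the original slides: a small Python audit of response headers for two points the deck raises, the cookie prefixes on slide 3 and the HSTS lifetime listed for an SSL Labs A+ on slide 10. It assumes "six months" means 180 days; the function names and the sample headers are constructed for illustration.

```python
SIX_MONTHS = 180 * 24 * 60 * 60  # assumption: "six months" taken as 180 days

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def cookie_problems(set_cookie):
    """Check one Set-Cookie value for Secure and the __Host- prefix rules."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    problems = []
    # Secure is mandatory for __Secure- and __Host- cookies, advisable for the rest.
    if "secure" not in attrs:
        problems.append(f"{name}: missing Secure")
    # __Host- additionally pins the cookie to one host and the root path.
    if name.startswith("__Host-") and (attrs.get("path") != "/" or "domain" in attrs):
        problems.append(f"{name}: __Host- needs Path=/ and no Domain")
    return problems

def audit(headers):
    """headers: list of (name, value) pairs from an HTTPS response."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < SIX_MONTHS:
            findings.append(f"HSTS max-age {age} is under six months")
    for n, v in headers:
        if n.lower() == "set-cookie":
            findings.extend(cookie_problems(v))
    return findings

# Constructed sample response headers (not captured from any real site).
SAMPLE = [
    ("Strict-Transport-Security", "max-age=86400; includeSubDomains"),
    ("Set-Cookie", "__Host-sid=abc; Secure; HttpOnly; Path=/; Domain=example.test"),
    ("Set-Cookie", "__Secure-pref=1; Path=/"),
    ("Set-Cookie", "theme=dark; Secure"),
]
```

Calling `audit(SAMPLE)` reports the short HSTS lifetime, the `__Host-` cookie that carries a Domain attribute, and the `__Secure-` cookie sent without Secure.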

Page 11: HTTPS at Sydney Alt.Net User Group

Compliance
• Payment Card Industry Data Security Standard (PCI DSS)
  • Version 3.1 from April 2015 scheduled TLS 1.0 deprecation for July 2016
  • Revised in December 2015 to postpone deprecation to 2018 instead

Page 12: HTTPS at Sydney Alt.Net User Group

SEO
• Google Page Rank
  • Starting August 2014, HTTPS sites are given a (slightly) higher rank.
  • Rank only awarded to “strong” HTTPS.

Page 13: HTTPS at Sydney Alt.Net User Group

Performance
• Is TLS fast yet? https://istlsfastyet.com/
• Session resumption, session tickets
• TLS False Start
• TLS v1.3
• TCP Fast Open to send TLS ClientHello with SYN
• HTTP/2
  • Multiplexing
  • Connection sharing and the domain-sharding anti-pattern
  • Server push

Page 14: HTTPS at Sydney Alt.Net User Group

Challenges
• User-Agent support
  • .NET v4 is TLS v1.0 only.
  • .NET v4.5 can do TLS v1.1 and v1.2 if explicitly enabled.
• Different cipher naming conventions across implementations
  • IANA
  • OpenSSL
  • GnuTLS
  • NSS
• Debugging
• Tooling

Page 15: HTTPS at Sydney Alt.Net User Group

Thank you
• Jason Stangroome
• @jstangroome
• https://section.io/
• https://blog.stangroome.com/