
Moving to HTTPS in 2017

Eric Lawrence - Chrome Security @ericlaw October 2017

Why HTTPS?

It’s the only way to ensure that the site you’ve built is what your visitors actually experience.

Deploy HTTPS Everywhere

There are many different types of website. The only constant is that HTTPS is needed for all of them.

“Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the

benevolence of network operators.”

https.cio.gov/everything/

Meh. Are there real-world threats?

Yes.

● Ad injection

● Injected “Enhancements”: flight tracking, bandwidth warnings, service notices, etc.

● SSLStrip

● Firesheep

● DDoS attacks via script injection

● Privacy concerns ($29/month)

● Malware injection

● Global adversaries (Snowden revelations)

The Web Platform is Powering Up

The Web Platform is growing more powerful, especially on mobile, to compete with native applications.

Richer access to sensors, devices, and sensitive information means security is even more important.

...getUserMedia(), geolocation, ServiceWorker, device motion/orientation, EME, AppCache...

#Progress


Many Datapoints of interest

● Percentage of HTTPS page loads

○ Absolute

○ Traffic-weighted

● Time-spent-per-page

● By country

● By platform

Up and to the right

HTTPS Transparency Report

google.com/transparencyreport/https/

Percentage of pages loaded over HTTPS in Chrome by platform


HTTPS Transparency Report

google.com/transparencyreport/https/

Percentage of HTTPS browsing time by Chrome platform


Firefox too

builtwith.com

New Goodies and New Enforcements

The Lock Icon

The newish (i) icon

Not Secure Warning in Chrome 56

chrome://flags/#mark-non-secure-as

Form Filling - Improve Conversions with autofill

Chrome 57 - Form Not Secure - On Field Warnings

Still in experimental trials

[Mockup: a login form (Username, Password, Submit) on http://example.com; the address bar is labelled Not Secure]

Non-Secure login forms trigger the new Not Secure UI treatment

[Mockup: the same login form served from https://example.com]

Instead, prefer Secure login forms

Chrome 62 - “HTTPBad Phase 2”

Chrome 62 - Data Entry activates Not Secure

Developer Experience

Not Secure Warning in Chrome - Eventual

It’s not just Chrome

Content Delivery Networks

● Some CDNs are great partners in getting sites on to HTTPS.

● Others advertise (misleading) pricing due to bundling

○ Best Practice: Ask about TLS pricing specifically

Ads

Once a huge issue, now much better.

● All ads that come from any Google source always support HTTPS, including AdWords, AdSense or DoubleClick Ad Exchange.

● The IAB: “we feel that broad support for HTTPS on public servers is a best practice for the industry”

● By the end of 2014, 80% of IAB member ad delivery systems supported HTTPS.

HTTPS Errors

HTTPS provides powerful security, but misconfigurations can be disastrous.

Perils to watch out for include:

● Incorrect certificate information

● Expired certificates

● Missing intermediates

● Mixed content

Let’s Go!

Stages of a HTTPS Move

1. WhyTLS

○ Understand why and where change is needed

2. TryTLS

○ Acquire certs

○ Deploy initial configuration on dev

○ Test to verify performance, certificate and cipher configuration.

Stages of a HTTPS Move - cont’d

3. SomeTLS

○ Deploy TLS on dev, then in parallel on live.

○ Observe impact.

○ Tune.

4. BetterTLS

○ Kill mixed content (active/passive/latent)

5. AllTLS

○ Add HSTS; probably avoid HPKP

Free and Automatic Certificates and Configuration

● LetsEncrypt.org

● Automatic certificates for many hosts, like WordPress (even custom domains!)

● Mozilla’s SSL Configuration Generator

Let’s Encrypt

A “free, automated, and open Certificate Authority.”

letsencrypt.org

Automated Checkers

● SSL Labs Server Test (SSLLabs.com)

● Mozilla [TLS] Observatory (https://observatory.mozilla.org/)

● Hardenize (Hardenize.com)

Finding Problems with SSLLabs’ Server Test

● Missing intermediates (“Extra download”)

● Unneeded certificates

● Weak ciphers and hashes

● Common configuration or deployment mistakes

Finding Problems with SSL Labs

Missing intermediates (“Extra download”) slow HTTPS connection establishment and may fail entirely on some platforms.

Finding Problems with SSL Labs

Warnings on Weak ciphers and hash algorithms.

Hardenize

“Less than 1% of all web sites use modern security features”

hardenize.com

The Biggest Blocker? Mixed Content

● Active Mixed Content - Blocked

○ Script

○ CSS

● Passive Mixed Content - Lock suppressed

○ Images

○ Audio

○ Forms

● Latent Mixed Content - No direct warning

○ Non-secure links
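A small scanner that sorts a page's http:// references into the three categories above (active, passive, latent). This is an added example, not code from the deck; the tag-to-category mapping follows the slide's lists and is an assumption for the tags the slide does not name (iframe, video), and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that can introduce mixed content, grouped as the deck does:
# active (browser blocks it), passive (lock icon suppressed), latent (plain links,
# no browser warning at all). iframe/video placements are assumed, not from the slide.
RULES = [
    ("script", "src", "active"), ("link", "href", "active"), ("iframe", "src", "active"),
    ("img", "src", "passive"), ("audio", "src", "passive"), ("video", "src", "passive"),
    ("form", "action", "passive"),
    ("a", "href", "latent"),
]


class MixedContentFinder(HTMLParser):
    """Collects (category, tag, url) for every http:// reference in the document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet <link>s are active content; icons, preloads etc. are not
        for rule_tag, attr, category in RULES:
            url = attrs.get(attr)
            # https:// and protocol-relative (//host/...) references are fine; only http: counts
            if tag == rule_tag and url and urlsplit(url).scheme.lower() == "http":
                self.findings.append((category, tag, url))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one finding of each kind plus references that are not mixed content.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="//img.example.test/hero.png">
<form action="http://example.test/upload" method="post"></form>
<a href="http://partner.example.test/">Partner</a>
<a href="https://partner.example.test/secure">Secure partner</a>
</body></html>"""
```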

Mixed Content can be surprising

https://bayden.com/sandbox/FileForm.asp

Mitigating Mixed Content: upgrade-insecure-requests

The upgrade-insecure-requests Content Security Policy directive helps ensure that any requests you overlook are seamlessly upgraded to HTTPS, protecting your lock icon.

Mitigating Mixed Content

w3c.github.io/webappsec-upgrade-insecure-requests/

Allow modern clients to tattle on mixed content while the requests are upgraded silently to HTTPS, preserving your secure context (and lock icon!)

Content-Security-Policy: upgrade-insecure-requests; default-src https: 'unsafe-inline' 'unsafe-eval';

Content-Security-Policy-Report-Only: default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri /log.cgi
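What the report-uri endpoint (/log.cgi above) receives is a JSON body per violation; the function below aggregates those bodies by non-secure host so the noisiest leftovers get fixed first. This is an added example, not part of the deck; the report bodies are constructed samples in the standard csp-report shape.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of the JSON bodies a browser POSTs to the report-uri when the
# Report-Only policy sees a request that is not https:. Real endpoints also get junk.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://www.example.test/news",'
    ' "violated-directive": "default-src https:", "effective-directive": "img-src",'
    ' "blocked-uri": "http://img.example.test/banner.png"}}',
    '{"csp-report": {"document-uri": "https://www.example.test/news",'
    ' "violated-directive": "default-src https:", "effective-directive": "script-src",'
    ' "blocked-uri": "http://cdn.partner.test/widget.js"}}',
    '{"csp-report": {"document-uri": "https://www.example.test/about",'
    ' "violated-directive": "default-src https:", "effective-directive": "img-src",'
    ' "blocked-uri": "http://img.example.test/team.jpg"}}',
    '{"csp-report": {"document-uri": "https://www.example.test/about",'
    ' "violated-directive": "default-src https:", "effective-directive": "script-src",'
    ' "blocked-uri": "inline"}}',  # an inline script, not mixed content
    'not json at all',  # malformed input must not crash the collector
]


def mixed_content_summary(raw_reports):
    """Count http:// blocked-uri reports by (host, effective-directive).

    Returns a Counter, so the non-secure hosts generating the most reports
    (the ones to fix or upgrade first) sort to the top of most_common()."""
    counts = Counter()
    for raw in raw_reports:
        try:
            report = json.loads(raw).get("csp-report", {})
        except (ValueError, AttributeError):
            continue  # not JSON, or JSON that is not an object
        blocked = urlsplit(report.get("blocked-uri", ""))
        if blocked.scheme != "http":
            continue  # 'inline', 'eval', data: and https: violations are not mixed content
        directive = report.get("effective-directive") or report.get("violated-directive", "")
        counts[(blocked.hostname, directive)] += 1
    return counts
```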

Strict-Transport-Security

Benefits: Performance, security

Downsides: Possible footgun (expiration, forgotten domains); mixed content still warns

Strict-Transport-Security

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

hstspreload.appspot.com

DANGER: Possible footguns
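A checker for the footguns the slide warns about, run against a Strict-Transport-Security value before it ships. This is an added example, not the deck's code; the preload minimum max-age of one year is hstspreload.org's current requirement and is encoded here as an assumption.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year: assumed current hstspreload.org minimum


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a name->value dict."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if token:
            name, _, val = token.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_issues(value):
    """Return (severity, message) pairs: 'error' means the header will not do what
    you want; 'warning' is a commitment you should make deliberately."""
    d = parse_hsts(value)
    issues = []
    if not d.get("max-age", "").isdigit():
        return [("error", "max-age missing or not an integer: browsers ignore the header")]
    max_age = int(d["max-age"])
    preload = "preload" in d
    subdomains = "includesubdomains" in d
    if max_age == 0:
        issues.append(("warning", "max-age=0 deletes the policy; only useful to back out of HSTS"))
    elif preload and max_age < PRELOAD_MIN_MAX_AGE:
        issues.append(("error", f"preload requires max-age >= {PRELOAD_MIN_MAX_AGE}"))
    if preload and not subdomains:
        issues.append(("error", "preload requires includeSubDomains"))
    if subdomains:
        issues.append(("warning", "includeSubDomains covers every subdomain, "
                                  "including forgotten ones that have no HTTPS"))
    if preload:
        issues.append(("warning", "preload is effectively permanent: removal from the "
                                  "list takes a browser release cycle"))
    return issues
```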

The MoarTLS Analyzer

Available for Chrome and Firefox

Find non-secure links and check HTTPS availability in one click

HTTPS Everything

Email tracking links are The Worst

textslashplain.com/2016/09/22/use-https-for-all-inbound-links/

Preserving and Sanitizing Referers

Referrer Policy helps ensure that any non-secure sites you link to still recognize your site as the source of the referral.

www.w3.org/TR/referrer-policy/

Preserving and Sanitizing Referers

Referrer-Policy: origin-when-cross-origin

Referrer-Policy: origin

www.w3.org/TR/referrer-policy/
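To see why the two policies above matter after a move to HTTPS, this added example (not from the deck) resolves the Referer header a browser sends for the 2017 default policy (no-referrer-when-downgrade) and for the two policies on the slide; the URLs in the test are constructed.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Serialized origin with the trailing slash browsers send for origin-only referrers."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"


def referer_header(policy, source, destination):
    """Return the Referer value sent when navigating from `source` to `destination`,
    or None when the policy suppresses it entirely."""
    src, dst = urlsplit(source), urlsplit(destination)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    full = src._replace(fragment="").geturl()  # the fragment is never sent
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        # Browser default: an https: site linking to http: sends nothing at all,
        # so the non-secure site never learns you referred the visitor.
        return None if downgrade else full
    if policy == "origin":
        return origin_of(source)
    if policy == "origin-when-cross-origin":
        # Full URL within your own site, origin only (no path or query) elsewhere,
        # including to http: destinations, which keeps the referral visible.
        return full if same_origin else origin_of(source)
    raise ValueError(f"unsupported policy: {policy}")
```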

Performance Benefits of TLS

● HTTP/2

● Service Worker

● Brotli compression

● TLS/1.3

istlsfastyet.com

HTTP/2

Multiplexed streams, header compression, out-of-order delivery, push

Service Worker

Enable offline and respond to network requests using previously-cached content.

Brotli

~15-20% better compression than GZIP

TLS 1.3 - Better Performance and Security

● Chrome Canary

○ chrome://flags/#ssl-version-max

● Firefox Nightly

○ Enter "about:config" in the address bar

○ Set security.tls.version.max from 3 to 4

Thanks!

https://whytls.com

Eric Lawrence - Chrome Security

[email protected] @ericlaw


Appendix

● Google’s HTTPS Migration Guide

● https://whytls.com

● Google I/O 2017 - Getting the Green Lock, HTTPS Migration Stories from the field

● Google I/O 2014 - HTTPS Everywhere (Slides) -- Includes motivations and good step-by-step instructions for performing a migration, including fixing legacy content and maintaining SEO

● Deploying HTTPS: The Green Lock and Beyond (Chrome Dev Summit 2015) - Emily Stark

● Bulletproof SSL and TLS book

Chrome 60 restores easy access to the certificate

Outreach and Fixing Sites

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

Scenarios

1. A page has a visible password field at all times. Chrome shows "Not Secure" on page load.

2. A page has a hidden password field that is hidden using a supported mechanism (e.g. style="display: none"). Chrome does not show a "Not Secure" warning until the field is unhidden using JavaScript.

3. A page has an obscured or non-rendered password field that is hidden using a non-supported mechanism (e.g. style="visibility: hidden"). Chrome 56 shows a warning on page load.