HTTPS: What, Why and How?
Guy Podjarny (@guypod)
Web Security For Developers
Intro about me
• Guy Podjarny (@guypod)
• Founder & CEO of Snyk.io (@snyksec)
• Previously CTO at Akamai
• Author (“Responsive & Fast”, “High Perf Images”)
• 13 Years in Web Security, 6 Years in Web Performance
HTTPS = Encrypted HTTP
HTTPS = HTTP over TLS
HTTP stack:  HTTP over TCP/IP
HTTPS stack: HTTP over TLS over TCP/IP
What Does TLS Provide?
Identification/Authentication: Who Am I Talking To?
Integrity: Is This Really What It Said?
Confidentiality: Nobody Else Can See What’s Said
HTTPS Used for Banking
HTTPS Used for Shopping
I want YOU To Use HTTPS
Why HTTPS? The ‘Sticks’
Protect User Privacy
HTTPS Provides Confidentiality
Caveat: SNI (more on that later)
Why HTTPS #1: Protect User Privacy
Attacks Aren’t Always Passive
They Can Get VERY Active
On HTTP pages, SDK loaded over HTTP
“The Great Cannon”
‘… the most severe of which could allow remote code execution…’
Who’s Behind The Curtain? With HTTP, you don’t know
HTTPS Provides Authentication
Who Am I Talking To?
Why HTTPS #2: Protect Your Users
From Evil Websites
Comcast: “We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast”
Hijacking Wifi Isn’t Hard
Here’s Johnny! Or maybe some piece of malware instead
HTTPS Provides Integrity
Is This Really What It Said?
Why HTTPS #3: Protect Your Business
From Manipulation and Hijacking
HTTPS On Checkout?
https://www.adidas.co.uk/<checkout URL>
http://www.adidas.co.uk/tubular-x-primeknit-shoes…
SSLStrip (Client ↔ sslstrip ↔ adidas.com)
  Client → sslstrip: http://a.com/product
  sslstrip → adidas.com: http://a.com/product
  adidas.com → sslstrip: page with <form target=“https://a.com/checkout”>
  sslstrip → Client: same page, rewritten to <form target=“http://a.com/checkout”>
  Client → sslstrip: http://a.com/checkout (the checkout form is submitted in the clear)
  Result: the user ends up on http://www.adidas.co.uk/<checkout URL>, never reaching HTTPS
Partial HTTPS ~= No HTTPS
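The slides make the point that a single HTTPS form on an HTTP page protects nothing, because the page carrying the form can itself be rewritten on the way to the browser. The following check is an added example, not code from the talk: it walks an HTML document with Python's standard-library parser and flags every form that is either submitted in the clear or sits on an HTTP page with an HTTPS target (the position sslstrip exploits). The sample page and the a.com URLs are constructed after the talk's example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the resolved action URL of every <form> in a document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        action = dict(attrs).get("action") or ""
        # An empty action submits to the page itself; relative URLs are
        # resolved against the page URL, exactly as a browser would.
        self.actions.append(urljoin(self.base_url, action))


def audit_forms(page_url, html):
    """Return (action_url, reason) for every form whose submission an on-path
    attacker can read or redirect. page_url is where the HTML was fetched from."""
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = _FormCollector(page_url)
    collector.feed(html)
    findings = []
    for action in collector.actions:
        scheme = urlsplit(action).scheme.lower()
        if scheme == "http":
            findings.append((action, "form submits in the clear"))
        elif scheme == "https" and page_scheme == "http":
            # The page itself arrived unauthenticated, so nothing stops an
            # intermediary from rewriting this target to http:// before the
            # user ever sees it. Partial HTTPS ~= no HTTPS.
            findings.append((action, "HTTPS form on an HTTP page: target can be downgraded"))
    return findings


# Constructed sample page modelled on the talk's product page.
SAMPLE_PAGE = """
<html><body>
  <form action="https://a.com/checkout" method="post">...</form>
  <form action="/search">...</form>
</body></html>
"""


def demo():
    """Audit the constructed page as if it had been served over plain HTTP."""
    return audit_forms("http://a.com/product", SAMPLE_PAGE)


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action}: {reason}")
```

Run the same page through `audit_forms("https://a.com/product", SAMPLE_PAGE)` and the list comes back empty: once the whole page is delivered over HTTPS, the relative search form resolves to HTTPS too and the checkout form can no longer be rewritten.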
But, But… Bookmarks!
Deep External Links!
Option #1: Don’t support HTTP
May Reduce Access
Option #2: HTTP Strict-Transport-Security (HSTS)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
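To show what the header above actually buys, here is an added example (not code from the talk) modelling how a browser stores and applies an HSTS policy: the header is parsed, remembered only when it arrived over HTTPS, honoured for max-age seconds, extended to subdomains when includeSubDomains is present, and used to rewrite http:// URLs to https:// before any request leaves. The a.com URLs are taken from the talk's sslstrip example; the timestamps are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives.
    Returns None when the mandatory max-age directive is missing or malformed."""
    max_age = None
    include_subdomains = False
    preload = False
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


class HstsStore:
    """Minimal model of a browser's HSTS policy cache."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def record(self, response_url, header):
        """Learn a policy from a response. Only HTTPS responses count: anyone
        on the HTTP path could otherwise plant or clear policies."""
        parts = urlsplit(response_url)
        if parts.scheme.lower() != "https" or not parts.hostname:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self.policies.pop(host, None)  # max-age=0 withdraws the policy
            return True
        self.policies[host] = (self.clock() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if an unexpired policy covers host (directly or via a parent
        domain that set includeSubDomains)."""
        host = host.lower()
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None or entry[0] <= now:
                continue
            if candidate == host or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when a policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port == 80 else parts.netloc  # :80 becomes the default 443
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the talk's header with a constructed clock."""
    clock = [1_000_000.0]
    store = HstsStore(clock=lambda: clock[0])
    store.record("https://a.com/checkout", "max-age=31536000; includeSubDomains; preload")
    upgraded = store.rewrite("http://a.com/product")      # sslstrip's first step never happens in the clear
    sub = store.rewrite("http://shop.a.com/cart")          # covered by includeSubDomains
    ignored = store.record("http://a.com/", "max-age=0")   # arrived over HTTP: not honoured
    clock[0] += 31536001                                   # one year and a second later: expired
    expired = store.rewrite("http://a.com/product")
    return upgraded, sub, ignored, expired
```

The model also shows the header's limit: nothing is stored until the site has been reached over HTTPS once, so the very first visit remains exposed. That first-visit gap is what the preload directive addresses, by asking browser vendors to ship the policy in the browser itself.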
Browser Security Indicators (Using Chrome as an example)
HTTP Site - No Comment
HTTPS - Green + Lock
Extra Good(?) HTTPS
Imperfect HTTPS Site
Is HTTP better than imperfect HTTPS?
‘… people do not generally perceive the absence of a warning sign…’
Marking HTTP As Insecure
‘… Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web…’
Deprecating Non-Secure HTTP
Indicators Already Changing (screenshots: versions 44 and 47)
Why HTTPS #4: HTTP To Be Marked Insecure
Be Afraid. Be VERY Afraid.
Why HTTPS? The ‘Carrots’
New And Improved HTTP: Last Major Update over 15 years ago!
HTTP2 Multiplexing
HTTP/1.0 - Single Request
  Open Connection
  GET /foo → 200 OK
  Close Connection
HTTP/1.1 (persistent connection)
  GET /foo → 200 OK
  GET /bar → 200 OK
  GET /baz → 200 OK
HTTP/1.1 Pipelining
  GET /foo, GET /bar, GET /baz sent back to back
  200 OK, 200 OK, 200 OK must come back in the same order → Head of Line Blocking
HTTP/2 Multiplexing
  GET /foo, GET /bar, GET /baz interleaved on one connection
  200 OK responses interleaved as well
HTTP2 Header Compression
HTTP2 Server Push
HTTP2 Is Here Today! https://caniuse.com/http2
HTTP2 is Binary: Won’t be allowed through port 80…
HTTP2 is New: Current Intermediaries (e.g. ISP Proxies) won’t support it
How Can We Keep Proxies From Inspecting & Interfering?
Any Ideas?
HTTP/2 is a better HTTP
Why HTTPS #5: HTTP2 works only over TLS
Works on current web + Makes the web secure!
HTTP/2 0-25% Faster (Compared to un-encrypted HTTP/1.1)
Source: Akamai
appCache is a Douchebag TM
Source: A List Apart
We need Offline Web. Native Apps Have It…
Solution: ServiceWorker
• JavaScript Proxy, intercepts all requests
• Programmable Cache, can store/read while offline
• Can register for Push Notifications
• Extensible Web Manifesto style
• No-Prompt Installation, persists forever
No Prompt?! Persists Forever?!
ServiceWorker Poisoning? Feels Good In The Moment, But You Pay For It Later…
Why HTTPS #6: ServiceWorker requires TLS
Mitigates Malicious ServiceWorker Risk
Upcoming TLS-Only Features:
• Geolocation
• Device Motion/Orientation
• Fullscreen
• EME (Encrypted Media Extensions)
• getUserMedia
• …
Further Reading (By @metromoxie): https://w3c.github.io/webappsec/specs/powerfulfeatures/
End With Business
HTTPS Impacts SEO
‘… we’re starting to use HTTPS as a ranking signal…’
‘… For now it's only a very lightweight signal … But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web…’
Why HTTPS #7: Google Ranks HTTPS Higher
Certificate Cost & Complexity
Hosting/Delivery Cost
Only Last Mile Protected!
Note: Requires SNI
No SNI - Single Host
  Client → DNS: resolve foo.com
  DNS → Client: foo.com = 1.2.3.4
  Client → Server (1.2.3.4, foo.com): TLS Client Hello
  Server → Client: foo.com Certificate
No SNI - Shared Host
  Client → DNS: resolve foo.com
  DNS → Client: CNAME cdn.net
  Client → DNS: resolve cdn.net
  DNS → Client: cdn.net = 5.6.7.8
  Client → Server (5.6.7.8, CDN): TLS Client Hello
  No Host Name! Which Certificate To Return?
SNI - Server Name Indication
  (same DNS resolution: foo.com → CNAME cdn.net → 5.6.7.8)
  Client → Server (5.6.7.8, CDN): TLS Client Hello (foo.com), Includes Host
  Server → Client: foo.com Certificate
Not Supported on: Windows XP (and older), Android 2.3 (and older), IE 7 (and older)
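The shared-host diagrams come down to one question the CDN has to answer from the Client Hello alone. This added example (not code from the talk) builds a minimal TLS 1.2 ClientHello record in Python, with and without the server_name extension, parses the SNI host name back out of the raw bytes, and models the certificate choice a shared front end makes. The records are constructed, not captured traffic, and the foo.com certificate table is a stand-in for whatever the CDN actually holds.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name extension (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input).
    server_name=None models a legacy client that sends no SNI at all."""
    body = b"\x03\x03"                            # client_version: TLS 1.2
    body += b"\x11" * 32                          # random (fixed dummy bytes)
    body += b"\x00"                               # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # compression methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None when
    the client sent none (the diagram's 'No Host Name!' case)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos >= len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXTENSION_TYPE or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        entries = data[2:2 + list_len]
        i = 0
        while i + 3 <= len(entries):
            name_type = entries[i]
            name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
            name = entries[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def select_certificate(record, certificates, default=None):
    """Model the shared host's decision: serve the certificate for the name the
    client asked for, or fall back to a default when there is no SNI."""
    name = extract_sni(record)
    if name is None:
        return default
    return certificates.get(name.lower(), default)


# Constructed stand-in for the certificates a CDN edge holds.
CERTIFICATES = {"foo.com": "cert-for-foo.com", "bar.org": "cert-for-bar.org"}


def demo():
    """Same edge (5.6.7.8), one client with SNI and one without."""
    with_sni = select_certificate(build_client_hello("foo.com"), CERTIFICATES, default="cdn-default-cert")
    without_sni = select_certificate(build_client_hello(None), CERTIFICATES, default="cdn-default-cert")
    return with_sni, without_sni
```

Two things the bytes make concrete. Without the extension, the edge can only hand back a default certificate, which is why the old clients listed above cannot be served correctly from a shared address. And the host name travels in the ClientHello before any encryption starts, so a network observer still learns which site is being visited: this is the SNI caveat attached to the confidentiality slide earlier in the deck.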
Implementation Details
Is Your TLS Secure?
IsTLSFastYet.com
Why HTTPS #1: Protect User Privacy
Why HTTPS #2: Protect Your Users
From Evil Websites
Why HTTPS #3: Protect Your Business
From Manipulation and Hijacking
Why HTTPS #4: HTTP To Be Marked Insecure
Why HTTPS #5: HTTP2 works only over TLS
Works on current web + Makes the web secure!
Why HTTPS #6: ServiceWorker requires TLS
Mitigates Malicious ServiceWorker Risk
Why HTTPS #7: Google Ranks HTTPS Higher
Switch (to HTTPS) Today!
Thank You! Questions?
Guy Podjarny (@guypod)