HTTPS: What, Why and How? Guy Podjarny (@guypod)

HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)

HTTPS: What, Why and How?

Guy Podjarny (@guypod)

Web Security For Developers

Intro about me

• Guy Podjarny (@guypod)

• Founder & CEO of Snyk.io (@snyksec)

• Previously CTO at Akamai

• Author (“Responsive & Fast”, “High Perf Images”)

• 13 Years in Web Security, 6 Years in Web Performance

HTTPS = Encrypted HTTP

HTTPS = HTTP over TLS

HTTP stack: TCP/IP → HTTP

HTTPS stack: TCP/IP → TLS → HTTP

SSL < TLS

What Does TLS Provide?

Identification/Authentication: Who Am I Talking To?

Integrity: Is This Really What It Said?

Confidentiality: Nobody Else Can See What’s Said

HTTPS Used for Banking

HTTPS Used for Shopping

HTTPS Elsewhere

I Want YOU To Use HTTPS

Why HTTPS? The ‘Sticks’

Protect User Privacy

HTTPS Provides Confidentiality

Caveat: SNI (more on that later)

Why HTTPS #1: Protect User Privacy

Attacks Aren’t Always Passive

They Can Get VERY Active

On HTTP pages, SDK loaded over HTTP

“The Great Cannon”

‘… the most severe of which could allow remote code execution…’

Who’s Behind The Curtain? With HTTP, You Don’t Know

HTTPS Provides Authentication

Who Am I Talking To?

Why HTTPS #2: Protect Your Users

From Evil Websites

Comcast: “We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast”

Hijacking Wifi Isn’t Hard

Here’s Johnny! Or maybe some piece of malware instead

HTTPS Provides Integrity

Is This Really What It Said?

Why HTTPS #3: Protect Your Business

From Manipulation and Hijacking

HTTPS On Checkout?

https://www.adidas.co.uk/<checkout URL>

http://www.adidas.co.uk/tubular-x-primeknit-shoes…

SSLStrip (attacker proxy between Client and adidas.com; a.com stands for the site)

Client → sslstrip → adidas.com: http://a.com/product

adidas.com → sslstrip: page containing <form target="https://a.com/checkout">

sslstrip → Client: same page, rewritten to <form target="http://a.com/checkout">

Client → sslstrip: http://a.com/checkout (the browser never sees HTTPS at all)

http://www.adidas.co.uk/<checkout URL>

Partial HTTPS ~= No HTTPS
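An added check (example code, not from the talk) that looks for this partial-HTTPS pattern in a page, given its URL and HTML: an HTTP page whose form posts to https:// is exactly what a stripping proxy rewrites. `a.com` stands in for the real site as on the slides, and the sample page is constructed.

```python
"""Audit a page for the partial-HTTPS pattern SSLStrip exploits.

Added example, not from the slides. A form posting to https:// from a page
served over http:// is "partial HTTPS": whoever controls the HTTP page can
rewrite the action to http:// and the browser cannot tell.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the resolved action URL of every <form> on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # Empty or relative actions resolve against the page's own URL.
            action = dict(attrs).get("action") or ""
            self.actions.append(urljoin(self.page_url, action))


def audit_forms(page_url, html):
    """Return one finding per form that is not HTTPS end to end."""
    page_scheme = urlsplit(page_url).scheme
    parser = FormActionCollector(page_url)
    parser.feed(html)
    findings = []
    for action in parser.actions:
        action_scheme = urlsplit(action).scheme
        if page_scheme == "http" and action_scheme == "https":
            findings.append(f"PARTIAL_HTTPS: HTTP page posts to {action} "
                            "(a proxy can rewrite the action to http://)")
        elif action_scheme == "http":
            findings.append(f"CLEARTEXT_FORM: form posts to {action}")
    return findings


# Constructed sample page, modelled on the product/checkout flow above.
PRODUCT_PAGE_HTML = """<html><body>
<form action="https://a.com/checkout" method="post">
  <input name="card"><button>Buy</button></form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    print(audit_forms("http://a.com/product", PRODUCT_PAGE_HTML))
```

The same HTML audited as `https://a.com/product` yields no findings, because relative actions inherit the page's scheme.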

But, But… Bookmarks!

Deep External Links!

Option #1: Don’t support HTTP

May Reduce Access

Option #2: HTTP Strict-Transport-Security (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
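An added model (example code, not from the talk) of what a browser does with this header: it parses the value shown above and upgrades later http:// navigations to https:// for that host, which is how HSTS answers the bookmark and deep-link objection. The `a.com` host is the slides' stand-in; ports are ignored.

```python
"""Browser-side model of HTTP Strict-Transport-Security (added example,
not from the slides). Parses the header value shown on the slide, then
rewrites http:// URLs (bookmarks, deep links) to https:// for hosts that
announced a policy, which is what defeats SSLStrip on every visit after
the first. Ports are ignored in this model."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse an HSTS value; None if max-age is missing or malformed."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Per-host policies a browser has learned from HTTPS responses."""
    def __init__(self):
        self.hosts = {}

    def observe(self, response_url, header_value):
        parts = urlsplit(response_url)
        policy = parse_hsts(header_value)
        if parts.scheme != "https" or policy is None:  # RFC 6797: HTTPS only
            return False
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = policy
        return True

    def upgrade(self, url):
        """Rewrite http:// to https:// when a stored policy covers the host."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        for known, policy in self.hosts.items():
            covers = host == known or (policy["include_subdomains"] and host.endswith("." + known))
            if parts.scheme == "http" and covers:
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```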

Browser Security Indicators (Using Chrome as an example)

HTTP Site - No Comment

HTTPS - Green + Lock

Extra Good(?) HTTPS

Imperfect HTTPS Site

Is HTTP better than imperfect HTTPS?

Is HTTPS Secure?

HTTPS ≠ Secure

HTTP = Insecure

‘… people do not generally perceive the absence of a warning sign…’

Marking HTTP As Insecure

‘… Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web…’

Deprecating Non-Secure HTTP

Indicators Already Changing

Why HTTPS #4: HTTP To Be Marked Insecure

Be Afraid. Be VERY Afraid.

Why HTTPS? The ‘Carrots’

HTTP2 and SPDY

New And Improved HTTP: Last Major Update over 15 years ago!

HTTP2 Multiplexing

HTTP/1.0 - Single Request per connection:

Open Connection → GET /foo → 200 OK → Close Connection

HTTP/1.1 - Persistent connection, one request in flight at a time:

GET /foo → 200 OK → GET /bar → 200 OK → GET /baz → 200 OK

HTTP/1.1 Pipelining - requests sent back to back, responses must return in request order:

GET /foo, GET /bar, GET /baz → 200 OK (/foo), 200 OK (/bar), 200 OK (/baz)

Head of Line Blocking: a slow /foo response holds back /bar and /baz

HTTP/2 Multiplexing - requests and responses interleaved on one connection (HTTP/1.1 vs HTTP/2 side by side):

GET /foo, GET /bar, GET /baz → 200 OK responses arrive independently, in whatever order they are ready

HTTP2 Header Compression

HTTP2 Server Push

HTTP2 Is Awesome

HTTP2 Is Here Today! https://caniuse.com/http2

HTTP2 is Binary: Won’t be allowed through port 80…

HTTP2 is New: Current Intermediaries (e.g. ISP Proxies) won’t support it

How Can We Keep Proxies From Inspecting & Interfering?

Any Ideas?

HTTP/2 is a better HTTP

Why HTTPS #5: HTTP2 works only over TLS

Works on current web + Makes the web secure!

HTTP/2 0-25% Faster (Compared to un-encrypted HTTP/1.1)

Source: Akamai

Service Worker

appCache is a Douchebag™

Source: A List Apart

We Need Offline Web: Native Apps Have It…

Solution: ServiceWorker

• JavaScript Proxy, intercepts all requests

• Programmable Cache, can store/read while offline

• Can register for Push Notifications

• Extensible Web Manifesto style

• No-Prompt Installation, persists forever

No Prompt?! Persists Forever?!

ServiceWorker Poisoning? Feels Good In The Moment, But You Pay For It Later…

Why HTTPS #6: ServiceWorker requires TLS

Mitigates Malicious ServiceWorker Risk

Upcoming TLS-Only Features:

• Geolocation

• Device Motion/Orientation

• Fullscreen

• EME (Encrypted Media Extensions)

• getUserMedia

Further Reading (By @metromoxie): https://w3c.github.io/webappsec/specs/powerfulfeatures/

End With Business

HTTPS Impacts SEO

‘… we’re starting to use HTTPS as a ranking signal…’

‘… For now it's only a very lightweight signal … But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web…’

Why HTTPS #7: Google Ranks HTTPS Higher

Handy Tools

Certificate Cost & Complexity

Hosting/Delivery Cost

Only Last Mile Protected!

Note: Requires SNI

Implementation Details

Is Your TLS Secure?

IsTLSFastYet.com

Summary

Why HTTPS #1: Protect User Privacy

Why HTTPS #2: Protect Your Users

From Evil Websites

Why HTTPS #3: Protect Your Business

From Manipulation and Hijacking

Why HTTPS #4: HTTP To Be Marked Insecure

Why HTTPS #5: HTTP2 works only over TLS

Works on current web + Makes the web secure!

Why HTTPS #6: ServiceWorker requires TLS

Mitigates Malicious ServiceWorker Risk

Why HTTPS #7: Google Ranks HTTPS Higher

Switch (to HTTPS) Today!

Thank You! Questions?

Guy Podjarny (@guypod)