Embed Size (px)
Citation preview
HTTPSAll you need to know
Vincent Cassé @vcasse
Webhosting lead techOVH
Why HTTPS?
To protect your data
To protect your data
To protect your data
To protect your data
To protect your data
To authenticate the source
To authenticate the source
Check integrity of the data Don’t change the HTTP protocol
Why HTTPS too?
How HTTPSworks?
Crypto basics: symmetric encryption
Crypto basics: asymmetric encryption
Crypto basics: asymmetric encryption
Crypto basics: asymmetric encryption
Crypto basics: asymmetric encryption
Crypto basics: digital signature
Crypto basics: digital signature
Crypto basics: digital signature
$ echo "OVH" | sha1sum3b4e44a27f4652afa4490c300e35b320f0849a96
$ echo "OV H" | sha1sum7d916134d9c1ce2ecce3326ffb39ac1612535366
$ curl "https://ovh.com/fr" | sha1sum479855683ee2249a9e6be690805ff29d04bdcb95
Crypto basics: digital signature with key
Crypto basics: digital signature with key
Crypto basics
HTTPS: how does it work?
HTTPS: how does it work?
HTTPS: how does it work?
HTTPS: how does it work?
openssl req new sha256 \newkey rsa:2048 \keyout mydomain.com.key \out mydomain.com.csr \subj /countryName="FR"/commonName="mydomain.com"/
HTTPS: how does it work?
HTTPS: how does it work?
CA: can you trust it?
Certification Authority can have issues (bugs / hacks) ~1800 CAs around the world (government, firms...) Each CA can generate certificates for all domains CA can cheat (StartSSL & SHA-1 certificate)
DANE: solution for CA issues?
RFC 6698 Publish certificate into the DNS With DNSSEC, attack perimeter reduced
But: no browser check it
Certificates types
Single: contains only one domain SAN: can contain multiple domains (subdomain or multidomain) Wildcard: can contain one domain and validate all their subdomains
DV: Domain validation
Check ownership of domain Validation method: HTTP / DNS / email Green lock in browsers Doesn’t block typosquatting
OV: Organisation validation
DV validation Check if your organization is real (siret) Same green lock as DV in browsers
EV: Extended validation
DV validation + OV validation Contact multiple people inside your entreprise Green bar in browser Customer can trust this certificate to pay online
How useHTTPS?
SNI
RFC 6066 Allow multiple certificates by IP Some browsers don’t handle it
Android 2.xx Java 6 IE on Windows XP
Protocol
Define exchange between server and browser From SSLv2 in 1994 to TLS1.3 (work in progress) SSLv2 and v3 are deprecated. TLS1.0 is end of life
Protocol: browser compatibility
SSLv2, SSLv3, TLS1.0: all browser understand TLS1.1: All without IE ≤ 8 and Android ≤ 4.4.4 TLS1.2: All without IE ≤ 8 and Android ≤ 4.4.4 ChaCha20-Poly1305 : Only firefox, chrome and android > 5.0
Protocol: hacking
SSLv3 vulnerable to POODLE attack TLS is attacked on weak algo : RC4 / SHA-1 TLS is attacked on renegotiation to SSLv2
Cipher suites
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_DES_CBC_SHA
Cipher suites: hacking
DES / 3DES too weak RC4 / MD5 / SHA-1 too weak RSA < 2048bits too weak
https://wiki.mozilla.org/Security/Server_Side_TLS
Mixed Content
Browser alerts about HTTP « passive content » (images/video…) Browser blocks HTTP « active content » (css/javascript)
HSTS
Header set StrictTransportSecurity "maxage=10886400; includeSubDomains;" env=HTTPS
Why do I needHTTPS?
Protect your customers
No account thef No credit card thef Your customers trust you
SEO
Google prefers HTTPS websites And other search engines too
Browsers will kill HTTP
HTTP will be flagged as unsecure In the next years, customer will stop going to your website
HTML5
Browsers had to use HTTPS to enable some HTML5 APIs
getUserMediaservice workersencrypted Media Extension
HTTP2
Browsers had to use HTTPS to enable HTTP2 Multiplex HTTP requests and responses Compress TCP stream
Just fastest than HTTPS
OVHcan help me?
WebHosting
SSL included with all offers DV / EV validated by Comodo as an option
Validation / Type / Installation / Renew handled for you
SSL gateway
Validation / Installation / Renew handled for your servers No more maintenance Just update your domain then add your server as backend and you
will be SSL compliant
Some links
https://paulgreg.me/https-slides/?full#html5-seo https://www.feistyduck.com/ssl-tls-and-pki-history/ http://www.flaticon.com https://www.ssllabs.com/
Vincent Cassé
@vcasse
