Let's go HTTPS

ROME 18-19 MARCH 2016 Let's Go HTTPS Simone Carletti

Transcript of Let's go HTTPS

Page 1: Let's go HTTPS

ROME 18-19 MARCH 2016

Let's Go HTTPS

Simone Carletti

Page 2: Let's go HTTPS

HTTPS

Page 3: Let's go HTTPS

HTTPS

I About HTTPS

II Obtaining an SSL certificate

III Deploying an SSL certificate

IV Serving HTTPS

Page 4: Let's go HTTPS

Simone Carletti @weppos

Page 5: Let's go HTTPS
Page 6: Let's go HTTPS

I About HTTPS

Page 7: Let's go HTTPS

What is HTTPS?


Page 8: Let's go HTTPS

HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer.

https://en.wikipedia.org/wiki/HTTPS

Page 9: Let's go HTTPS

What is HTTPS?

HTTPS is a secure HTTP connection.

Page 10: Let's go HTTPS

HTTPS is HTTP over an encrypted connection secured by TLS (previously SSL).

Page 11: Let's go HTTPS

HTTPS is how websites securely exchange information.

Page 12: Let's go HTTPS

Secure Connection

Encryption: The process of encoding messages or information in such a way that only authorized parties can read it.

Authentication: The process of determining whether someone or something is, in fact, who or what it is declared to be.

Page 13: Let's go HTTPS

KEEP CALM AND

HTTP IS NOT ENCRYPTED

Page 14: Let's go HTTPS

HTTP Request

HTTP Response

Page 15: Let's go HTTPS

HTTP Request

HTTPS Request

Page 16: Let's go HTTPS

Authentication

Page 17: Let's go HTTPS

Authentication

Page 18: Let's go HTTPS

Authentication

Page 19: Let's go HTTPS

Authentication

Page 20: Let's go HTTPS
Page 21: Let's go HTTPS

SSL Certificate

Page 22: Let's go HTTPS

Why HTTPS?


Page 23: Let's go HTTPS

Why HTTPS?

• Security

• Ranking factor

• HTTP/2

• HTML 5 features

• Chrome Geolocation

• Firefox form + HTTPS

Page 24: Let's go HTTPS

Security

• Data integrity

• User sensitive information

• Unencrypted traffic can be:

  • sniffed

  • modified (e.g. advertisement or script injection)

Page 25: Let's go HTTPS

Ranking factor

https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

Page 26: Let's go HTTPS

HTTP/2

https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

Page 27: Let's go HTTPS

HTML 5 powerful features

https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

Page 28: Let's go HTTPS

Chrome Geolocation

https://codereview.chromium.org/1530403002/

Page 29: Let's go HTTPS

Firefox form + HTTPS

https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/

Page 30: Let's go HTTPS

SSL Certificate

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer.

Page 31: Let's go HTTPS

x.509 SSL Certificate

• Version

• Serial Number

• Issuer

• Validity

• Subject

• Public Key

• Extensions

Page 32: Let's go HTTPS

Certificate Types

• Single-name certificate: example.com

• Wildcard-name certificate: *.example.com

• SAN certificate: example.com, www.example.com, foobar.com, …

Page 33: Let's go HTTPS

Symmetric vs Asymmetric encryption

Symmetric: John and Jane share a secret key; John encrypts with it and Jane decrypts with the same key.

Asymmetric: John encrypts with Jane's public key; Jane decrypts with Jane's private key.

Page 34: Let's go HTTPS

Symmetric encryption

Substitution table (the shared secret key):

[["a", "b"], ["b", "w"], ["c", "n"], ["d", "r"], ["e", "u"], ["f", "o"], ["g", "v"], ["h", "p"], ["i", "s"], ["j", "z"], ["k", "k"], ["l", "g"], ["m", "m"], ["n", "h"], ["o", "y"], ["p", "c"], ["q", "j"], ["r", "x"], ["s", "d"], ["t", "t"], ["u", "f"], ["v", "i"], ["w", "e"], ["x", "l"], ["y", "a"], ["z", "q"]]

John encrypts: "hello world!" → "puggy eyxgr!"

John sends to Jane

Jane receives from John

Jane decrypts: "puggy eyxgr!" → "hello world!"
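The substitution from the slide as working code, added here and not part of the original deck: both parties hold the same table (the shared secret), John applies it forwards and Jane applies it backwards, which is what makes the scheme symmetric. The function names are this example's own.

```python
# Substitution table from the slide: the shared secret both parties hold.
TABLE = [["a", "b"], ["b", "w"], ["c", "n"], ["d", "r"], ["e", "u"], ["f", "o"],
         ["g", "v"], ["h", "p"], ["i", "s"], ["j", "z"], ["k", "k"], ["l", "g"],
         ["m", "m"], ["n", "h"], ["o", "y"], ["p", "c"], ["q", "j"], ["r", "x"],
         ["s", "d"], ["t", "t"], ["u", "f"], ["v", "i"], ["w", "e"], ["x", "l"],
         ["y", "a"], ["z", "q"]]

ENCRYPT_MAP = {plain: cipher for plain, cipher in TABLE}
DECRYPT_MAP = {cipher: plain for plain, cipher in TABLE}  # same secret, read backwards

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def is_valid_key(table):
    """A substitution key must be a permutation of the alphabet: every letter
    maps to exactly one letter and no two letters share a ciphertext letter,
    otherwise decryption is ambiguous."""
    plains = sorted(p for p, _ in table)
    ciphers = sorted(c for _, c in table)
    return plains == ciphers == list(ALPHABET)


def substitute(text, mapping):
    """Map each letter through the table; anything not in it (space, '!')
    passes through unchanged, as in the slide's example."""
    return "".join(mapping.get(ch, ch) for ch in text)


def encrypt(plaintext):
    return substitute(plaintext, ENCRYPT_MAP)


def decrypt(ciphertext):
    return substitute(ciphertext, DECRYPT_MAP)


if __name__ == "__main__":
    assert is_valid_key(TABLE)
    message = "hello world!"
    sent = encrypt(message)      # John encrypts and sends
    received = decrypt(sent)     # Jane receives and decrypts with the same table
    print(message, "->", sent, "->", received)
```

The one-letter-to-one-letter mapping (k, m and t even map to themselves) is why a substitution cipher falls to frequency analysis; real symmetric ciphers such as AES work on whole blocks so that no single input character leaves a visible trace.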

Page 35: Let's go HTTPS

How does HTTPS work?


Page 36: Let's go HTTPS

It's not a one-click setup :( (yet)

Page 37: Let's go HTTPS

Handshake

DISCLAIMER: This schema is simplified on purpose.

Client → Server: SYN

Server → Client: SYN ACK

Client → Server: ClientHello

• Client Random

• Cipher suites

Server → Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone

• Server Random

• Cipher suite

• Certificates

• Session ID

• Server key exchange data

Client → Server: ClientKeyExchange

• Client key exchange data

SYMMETRIC KEY IS GENERATED

Client → Server: ChangeCipherSpec, Finished

• Client switches to encryption

• MAC of handshake

Server → Client: ChangeCipherSpec, Finished

• Server switches to encryption

• MAC of handshake

Client ⇄ Server: Application data
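The exchange above as a runnable simulation, added here and not from the original slides. It assumes a toy Diffie-Hellman group (2**127 - 1, far too small for real use), SHA-256 for key derivation and HMAC for the Finished messages in place of the real TLS 1.2 PRF; the tamper_offer flag shows why the Finished MAC covers the whole handshake rather than just the key.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group standing in for the "server key exchange data".
# 2**127 - 1 is a real prime but far too small for production (assumption).
DH_P = 2**127 - 1
DH_G = 3
CLIENT_SUITES = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
SERVER_SUITES = ["DHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]


def choose_suite(offered, supported):
    """ServerHello: first suite of the client's offer that the server also supports."""
    for suite in offered:
        if suite in supported:
            return suite
    raise ValueError("no common cipher suite: handshake fails")


def derive_key(premaster, client_random, server_random):
    """SYMMETRIC KEY IS GENERATED: both randoms and the shared secret go into the key."""
    secret = premaster.to_bytes(16, "big")
    return hashlib.sha256(b"key expansion" + secret + client_random + server_random).digest()


def finished_mac(key, transcript, label):
    """'MAC of handshake': HMAC over every handshake message this side has seen."""
    return hmac.new(key, label + hashlib.sha256(transcript).digest(), hashlib.sha256).digest()


def run_handshake(tamper_offer=False):
    """Run the slide's exchange; tamper_offer=True models a middlebox that strips
    the ClientHello down to the weakest suite before the server sees it."""
    seen_c, seen_s = b"", b""  # handshake transcript as recorded by each side

    # ClientHello: client random + offered cipher suites
    client_random = os.urandom(32)
    seen_c += client_random + ",".join(CLIENT_SUITES).encode()
    offered = [CLIENT_SUITES[-1]] if tamper_offer else CLIENT_SUITES
    seen_s += client_random + ",".join(offered).encode()
    suite = choose_suite(offered, SERVER_SUITES)

    # ServerHello + ServerKeyExchange: server random, chosen suite, DH public value
    server_random = os.urandom(32)
    s_priv = 2 + int.from_bytes(os.urandom(15), "big")
    s_pub = pow(DH_G, s_priv, DH_P)
    msg = server_random + suite.encode() + s_pub.to_bytes(16, "big")
    seen_c, seen_s = seen_c + msg, seen_s + msg

    # ClientKeyExchange: client DH public value
    c_priv = 2 + int.from_bytes(os.urandom(15), "big")
    c_pub = pow(DH_G, c_priv, DH_P)
    msg = c_pub.to_bytes(16, "big")
    seen_c, seen_s = seen_c + msg, seen_s + msg

    # Each side derives the premaster secret and the session key independently
    key_c = derive_key(pow(s_pub, c_priv, DH_P), client_random, server_random)
    key_s = derive_key(pow(c_pub, s_priv, DH_P), client_random, server_random)

    # ChangeCipherSpec, Finished (client, then server): verifies only if both sides recorded the same handshake
    fin_c = finished_mac(key_c, seen_c, b"client finished")
    server_ok = hmac.compare_digest(fin_c, finished_mac(key_s, seen_s, b"client finished"))
    fin_s = finished_mac(key_s, seen_s + fin_c, b"server finished")
    client_ok = hmac.compare_digest(fin_s, finished_mac(key_c, seen_c + fin_c, b"server finished"))

    return {"suite": suite, "keys_match": key_c == key_s, "server_accepts": server_ok, "client_accepts": client_ok}
```

In the tampered run both sides still derive the same key, which is the point: key agreement alone does not notice a rewritten ClientHello, the Finished MAC over the transcript does.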

Page 47: Let's go HTTPS

Cipher Suites

A cipher suite is a selection of cryptographic primitives and other parameters that defines exactly how security will be implemented.

Bulletproof SSL and TLS

Page 48: Let's go HTTPS

Cryptographic primitives

At the lowest level, cryptography relies on various cryptographic primitives. Each primitive is designed with a particular useful functionality in mind. The primitives alone are not very useful, but we can combine them into schemes and protocols to provide robust security. For example, we might use one primitive for hashing, one for encryption and another for integrity checking.

Page 49: Let's go HTTPS

II Obtaining an SSL certificate

Page 50: Let's go HTTPS

Self-signed vs trusted

Trusted:

• Provides encryption

• Provides authentication

• Issued and signed by a publicly trusted Certification Authority

• Suitable for production environments as well as for testing

• Generally not free

Self-signed:

• Provides encryption

• Doesn't provide authentication

• Self-signed

• Generally used for testing

• Free

Page 51: Let's go HTTPS

Certificate Authority

A Certificate Authority (CA) is a trusted, private entity that issues digital certificates.

Page 52: Let's go HTTPS

Chain of trust

• Browsers and operating systems include a list of trusted certificates

• These certificates are called root certificates, and they generally belong to trusted parties, such as certificate authorities

Page 53: Let's go HTTPS

Chain of trust

• When a certificate authority issues a certificate, they sign the certificate with their root certificate

Page 54: Let's go HTTPS

Chain of trust

• Truthfully, in most cases certification authorities use sub-certificates to sign your certificate

• These certificates are called intermediate certificates, and they are signed with a root certificate

Page 55: Let's go HTTPS

Chain of trust

• When the browser connects to a site via HTTPS, the browser reads the site certificate

• The certificate doesn't match a trusted root certificate

Page 56: Let's go HTTPS

Chain of trust

• The browser attempts to download the certificate that was used to sign the current certificate

• The certificate doesn't match a trusted root certificate

Page 57: Let's go HTTPS

Chain of trust

• The browser attempts to download the certificate that was used to sign the current certificate

• The certificate matches a root certificate

• The original certificate is trusted :)

• The entire certificate chain is trusted

Page 58: Let's go HTTPS

Chain of trust

• The browser attempts to download the certificate that was used to sign the current certificate

• The certificate doesn't match a root certificate, and there are no more certificates

• The original certificate is untrusted :(

• The entire certificate chain is untrusted
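The chain-walking steps of the "Chain of trust" slides as code, added here and not part of the original deck. Certificates are small dicts and the signature check is a stand-in (a certificate verifies under an issuer only if its signed_by field equals that issuer's subject); the CA names are constructed, and real validation also checks validity dates, key usage and revocation.

```python
def make_cert(subject, issuer, signed_by=None):
    """Toy certificate. signed_by stands in for a real signature: it names the
    CA whose key actually produced the signature (assumption of this example)."""
    return {"subject": subject, "issuer": issuer, "signed_by": signed_by or issuer}


# Constructed sample PKI (not real CA names)
ROOT = make_cert("Example Root CA", "Example Root CA")
INTERMEDIATE = make_cert("Example Intermediate CA", "Example Root CA")
SITE = make_cert("www.example.com", "Example Intermediate CA")
SELF_SIGNED = make_cert("test.local", "test.local")

TRUST_STORE = {ROOT["subject"]: ROOT}                    # shipped by browser / OS
INTERMEDIATES = {INTERMEDIATE["subject"]: INTERMEDIATE}  # sent by server or downloadable


def verify_signature(cert, issuer_cert):
    return cert["signed_by"] == issuer_cert["subject"]


def build_chain(site_cert, available, roots, max_depth=5):
    """Walk upwards from the site certificate, as the slides describe.
    Returns (trusted, chain); `available` are the intermediates the browser
    can obtain and `roots` is the trust store."""
    chain = [site_cert]
    current = site_cert
    for _ in range(max_depth):
        # Does the current certificate match (verify under) a trusted root?
        root = roots.get(current["issuer"])
        if root is not None and verify_signature(current, root):
            return True, chain + [root]  # whole chain trusted
        # No: fetch the certificate that signed the current one and continue
        parent = available.get(current["issuer"])
        if parent is None or not verify_signature(current, parent):
            return False, chain  # no more certificates: whole chain untrusted
        chain.append(parent)
        current = parent
    return False, chain  # chain too long or looping: untrusted


def chain_names(chain):
    return [c["subject"] for c in chain]
```

The max_depth guard matters in practice: two intermediates that issue each other would otherwise keep the loop running forever without ever reaching a root.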

Page 59: Let's go HTTPS


Page 60: Let's go HTTPS

Create a Certificate

Generate a Private/Public key pair

$ openssl genrsa -des3 -out private.key 2048
...
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:

Page 61: Let's go HTTPS

Create a Certificate

Generate a Private/Public key pair

Generate a Certificate Signing Request (CSR)

$ openssl req -nodes -new -key private.key -out server.csr
...
Country Name (2 letter code) [AU]:US
Common Name (eg, YOUR name) []:www.example.com
...

Page 62: Let's go HTTPS

Create a Certificate

Generate a Private/Public key pair

Generate a Certificate Signing Request (CSR)

Sign the certificate (for a self-signed certificate)

$ openssl x509 -req -days 365 -in server.csr -signkey private.key -out certificate.pem

https://devcenter.heroku.com/articles/ssl-certificate-self

Page 63: Let's go HTTPS

Request a trusted Certificate

Generate a Private/Public key pair

Generate a Certificate Signing Request (CSR)

Request the Certificate (*) (for a trusted certificate)

(*) Request generally means purchase. You can purchase an SSL certificate either from a CA, or a reseller. Some providers offer visual tools that help you with the request process (e.g. by generating the CSR).

Page 64: Let's go HTTPS

Request a trusted Certificate

Generate a Private/Public key pair

Generate a Certificate Signing Request (CSR)

Request the Certificate (for a trusted certificate)

• Select the certificate type

• Submit the CSR

• Validate the request

• Obtain the certificate

Page 65: Let's go HTTPS

Certificate Types

• (DV) Domain Validated: asserts control of a domain

• (OV) Organization Validated: asserts control of a domain as well as basic organizational vetting

• (EV) Extended Validation: asserts control of a domain as well as extended organizational vetting

Page 66: Let's go HTTPS

Now you should have

1. A CSR file

2. A certificate file

3. A private key file

4. (optionally) A list of intermediate certificate files


Page 67: Let's go HTTPS

III Deploying an SSL certificate

Page 68: Let's go HTTPS

To deploy HTTPS you need to:

Install the certificate on the server, along with the private key and the intermediate certificate chain.

Configure HTTPS: configure the protocol versions, cipher suites and cipher settings.

Page 69: Let's go HTTPS

History of secure protocols

SSL 1: Never released

SSL 2: 1996. A number of security flaws

SSL 3: 1995. Broken. Vulnerable to POODLE attack

TLS 1.0: 1999

TLS 1.1: 2006

TLS 1.2: 2008

Page 70: Let's go HTTPS

Example config

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # ssl certificate config
    ssl_certificate /path/to/certificate_and_intermediates;
    ssl_certificate_key /path/to/private_key;

    # ssl session config
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # protocol and cipher config
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;
}

Note: this 2016 configuration still enables TLSv1 and TLSv1.1, which have since been deprecated (RFC 8996, 2021); on a current server restrict ssl_protocols to TLSv1.2 and TLSv1.3.


Page 74: Let's go HTTPS

https://mozilla.github.io/server-side-tls/ssl-config-generator/

https://cipherli.st/

Page 75: Let's go HTTPS

Heroku

$ heroku addons:create ssl:endpoint
Adding ssl:endpoint on example... done, v1 ($20/mo)

$ heroku certs:add server.crt server.key
Adding SSL Endpoint to example... done
example now served by example-2121.herokussl.com.
Certificate details:
Expires At: 2012-10-31 21:53:18 GMT
Issuer: C=US; ST=CA; L=SF; O=Heroku; CN=www.example.com
Starts At: 2011-11-01 21:53:18 GMT

https://devcenter.heroku.com/articles/ssl-endpoint

https://devcenter.heroku.com/articles/ssl-certificate-dnsimple

Page 76: Let's go HTTPS

Caddy server

https://caddyserver.com/

Page 77: Let's go HTTPS

Caddy server


Page 78: Let's go HTTPS

Caddy server


Page 79: Let's go HTTPS

https://www.ssllabs.com/ssltest/

Page 80: Let's go HTTPS

Lifecycle of a Certificate

• Requested

• Issued

• Expired

• Revoked

• Rekeyed

Page 81: Let's go HTTPS

IV Serving HTTPS

Page 82: Let's go HTTPS

Cookie security

$ curl -I https://dnsimple.com

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 15 Mar 2016 15:52:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
ETag: W/"f2d21600cdff911b9ee6a44dabcda234"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5
X-Runtime: 0.016254
Strict-Transport-Security: max-age=31536000


Page 84: Let's go HTTPS

Mixed Content security error



Page 89: Let's go HTTPS

Chrome security debugger


Page 90: Let's go HTTPS

HSTS Header

$ curl -I https://dnsimple.com

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 15 Mar 2016 15:52:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
ETag: W/"f2d21600cdff911b9ee6a44dabcda234"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
X-Request-Id: 9d77f4c5-ab6b-443e-91bd-76a0383d8ab5
X-Runtime: 0.016254
Strict-Transport-Security: max-age=31536000

Page 91: Let's go HTTPS

HSTS Header

The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload


Page 93: Let's go HTTPS

HSTS Header

Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

https://hstspreload.appspot.com/
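A check for the two response headers this section discusses (the Set-Cookie flags from the "Cookie security" slide and the Strict-Transport-Security policy above), added here and not from the original slides. The sample response is constructed from the slide's curl output; the function names are this example's own.

```python
import re

# Constructed from the slide's curl -I output (only the headers this check needs)
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _session=eccefb19761929d668000056d1b2; path=/; HttpOnly; secure
Strict-Transport-Security: max-age=31536000
"""


def parse_headers(raw):
    """Return (name, value) pairs in order; repeated names such as Set-Cookie are kept."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_findings(headers):
    """For each Set-Cookie, list the protection flags it lacks: 'secure' keeps the
    cookie off plain HTTP, 'httponly' keeps it out of reach of page scripts."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        findings[cookie] = [f for f in ("secure", "httponly") if f not in flags]
    return findings


def hsts_policy(headers):
    """Interpret Strict-Transport-Security as the browser would record it.
    None means the header is absent, so nothing stops a later plain-HTTP load."""
    for name, value in headers:
        if name != "strict-transport-security":
            continue
        directives = [d.strip().lower() for d in value.split(";")]
        match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        max_age = int(match.group(1)) if match else None
        return {"max_age": max_age,
                "days": max_age // 86400 if max_age is not None else None,
                "include_subdomains": "includesubdomains" in directives,
                "preload": "preload" in directives}
    return None


def report(raw):
    headers = parse_headers(raw)
    return {"cookies": cookie_findings(headers), "hsts": hsts_policy(headers)}
```

On the slide's response the session cookie carries both flags and the HSTS policy lasts 365 days without includeSubDomains or preload, so an HTTP request to a subdomain is not covered.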

Page 94: Let's go HTTPS

Public Key Pinning

https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning

Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]

Public-Key-Pins: max-age=5184000; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg="

Note: browsers have since removed support for Public-Key-Pins (Chrome dropped it in version 72, 2019), largely because a wrong or outdated pin locks a site's own users out; treat this slide as historical rather than as advice for new deployments.

Page 95: Let's go HTTPS

SecurityHeaders.io


Page 96: Let's go HTTPS

Let's Encrypt

Page 97: Let's go HTTPS

Bulletproof SSL and TLS

http://bit.ly/codemotion2016-sslbook

Page 98: Let's go HTTPS

Simone Carletti

https://simonecarletti.com

@weppos

Thanks!