HTTPS @Scale by Arvind Mani of LinkedIn discusses LinkedIn's migration of its site to default HTTPS: the challenges around mixed content, site speed, scaling TLS and session upgrades, and the security best practices implemented along the way. Key points include gradually rolling out default HTTPS from 2012 to 2014, measuring and fixing mixed content, optimizing TLS handshakes for performance, scaling TLS infrastructure with hardware and CDNs, securely upgrading HTTP sessions to HTTPS, and deploying HSTS, pinning and perfect forward secrecy.
2. Bio
● Head, Data & Infrastructure Security @ LinkedIn
● Prior: Yahoo, PayPal, Symantec, McAfee
3. What is HTTPS?
● HTTPS is HTTP over a channel secured by TLS or SSL.
● TLS (and its predecessor SSL) are cryptographic protocols designed to authenticate the peer in client-to-server communication and to ensure the confidentiality and integrity of data.
4. LinkedIn HTTPS Timeline
Mar 2012 - Opt-in HTTPS
Jun 2013 - Team assembled (netops, security, CDN ops, traffic) to make the site default HTTPS
Dec 2013 - Launch default HTTPS in NL
Jan-Jun 2014 - Roll out default HTTPS to US, EU, most of APAC
Dec 2014 - Default HTTPS everywhere except CN and ZA
7. Mixed Content
What is it? On an HTTPS page, a resource is loaded from an insecure (HTTP) origin.
What are the consequences? MITM of the insecure resource; browsers block mixed active content (script, frames).
9. CSP Gotchas
● Set the policy only on HTTPS responses
● Sample
● Exclude report requests from any page-view rate-limiting
● unsafe-eval and unsafe-inline
● May not report on NPAPI plugins
● Must scale
● No cookies, even if the report-uri is on the same domain
10. Fixing Mixed Content
Ads: 3rd-, 4th- and 5th-party pixels must all be HTTPS, even inside an iframe!
Source code scanner: fix hardcoded external links in dust templates
Dynamic scanner: fix logical bugs and links constructed by backend applications
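The report-only policy, the no-cookies and rate-limit gotchas from slide 9, and the triage of what to fix first from slide 10, as an added Python example (not the deck's or LinkedIn's code); the report endpoint path, partner hostnames and sample violation reports are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Directives whose violations are mixed *active* content (blocked outright by
# browsers); anything else (img-src, media-src, ...) is passive mixed content.
ACTIVE_DIRECTIVES = {"script-src", "frame-src", "child-src", "object-src",
                     "connect-src", "style-src", "font-src"}


def detection_policy(request_scheme, report_uri):
    """Value for a Content-Security-Policy-Report-Only header that flags every
    non-HTTPS load. Returns None on plain-HTTP responses: the policy is only
    set on HTTPS responses (on HTTP every subresource would be a violation).
    'unsafe-inline'/'unsafe-eval' are allowed so inline scripts do not flood
    the report endpoint with noise that is not mixed content."""
    if request_scheme != "https":
        return None
    return (f"default-src https: 'unsafe-inline' 'unsafe-eval'; "
            f"report-uri {report_uri}")


def classify(report_json):
    """Classify one CSP violation report (the JSON a browser POSTs to report-uri).
    Returns ("active" | "passive", page_path, blocked_host) for a mixed content
    violation, or None when the report is about something else (an inline
    script, a blocked https: origin, ...)."""
    r = json.loads(report_json)["csp-report"]
    doc = urlsplit(r["document-uri"])
    blocked = urlsplit(r.get("blocked-uri", ""))
    if doc.scheme != "https" or blocked.scheme != "http":
        return None
    # CSP Level 2 reports carry "script-src https:"; keep only the directive name.
    directive = r["violated-directive"].split()[0]
    kind = "active" if directive in ACTIVE_DIRECTIVES else "passive"
    return kind, doc.path, blocked.hostname


def triage(report_jsons):
    """Aggregate reports into a fix list of ((kind, page, host), count),
    active content first, then by volume."""
    counts = Counter()
    for rep in report_jsons:
        key = classify(rep)
        if key is not None:
            counts[key] += 1
    return sorted(counts.items(),
                  key=lambda kv: (kv[0][0] != "active", -kv[1], kv[0]))


# Constructed sample reports. Browsers send these POSTs without cookies, so the
# endpoint must not require a session, and it must sit outside page-view rate limits.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/feed",
                               "violated-directive": "img-src https:",
                               "blocked-uri": "http://ads.partner-a.example/pixel.gif"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/profile",
                               "violated-directive": "script-src https:",
                               "blocked-uri": "http://cdn.partner-b.example/widget.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/profile",
                               "violated-directive": "script-src https:",
                               "blocked-uri": "inline"}}),   # unsafe-inline noise, not mixed content
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/feed",
                               "violated-directive": "img-src https:",
                               "blocked-uri": "http://ads.partner-a.example/pixel.gif"}}),
]

if __name__ == "__main__":
    for (kind, page, host), n in triage(SAMPLE_REPORTS):
        print(f"{kind:7} {n:3}  {page:10} <- http://{host}")
```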
13. TLS False Start
● A full handshake is 2 roundtrips
● The client validates "Finished" from the server before sending Application Data
● With client-side False Start, the client sends Application Data before validating Finished => just 1 roundtrip
● Is this secure?
14. TLS Session Ticket
● Pre-Master Secret
● What is in a ticket?
● Fallback is a full handshake
● Is this secure?
● Tickets and PFS
15. Network Roundtrip
● Terminate TLS closer to the user
● Where to build Points-of-Presence (PoP)? See the LinkedIn presentation at Velocity 2015
● Static content - CDN map
16. Online Certificate Status Protocol
● Claims of a 30% slowdown, from:
  o DNS
  o TCP
  o OCSP request/response for the whole chain
However:
● The OCSP response is cached by the browser (even for days); the OCSP response is served off a CDN
● Chrome disables OCSP checks by default
17. OCSP Stapling
The server caches the OCSP response and sends it in reply to the client's Certificate Status Request
Pros
● Captive portals: the client does not need to reach the OCSP responder itself
● Preserves browsing privacy
● Supported by nginx, traffic server, Apache, etc.
Cons
● OCSP stapling (the solution) not supported on mobile
● Stapling increases the TLS handshake message size
21. “No login” HTTP -> HTTPS Upgrade
Decision flow: http? yes -> ajax? no -> bot? no -> ramp segment? yes -> upgrade
● Set a “migration underway” hint cookie with TTL 10 minutes (avoids repeatedly upgrading a bot that refuses to be upgraded)
● 301 to HTTPS
● Kill the old authentication cookie+session / mint a new authentication cookie+session
● Set the new authentication cookie Secure => the new cookie was never on the wire in plaintext!
● Set a TLS hint cookie that is NOT Secure
● Implement the reverse for rollback
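The upgrade flow above, as an added Python example (not LinkedIn's code): the cookie names, the Request/Response types and the hash-based ramp segment are assumptions, while the 10-minute hint TTL and the cookie handling steps follow the slide.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Cookie names are assumptions; the 10-minute hint TTL is from the deck.
AUTH_COOKIE = "auth"            # session cookie; the old one was set over plain HTTP
MIGRATION_COOKIE = "migrating"  # "migration underway" hint
TLS_HINT_COOKIE = "tls"         # deliberately NOT Secure, so HTTP requests carry it
MIGRATION_TTL = 600             # seconds


@dataclass
class Request:
    scheme: str
    host: str
    path: str
    is_ajax: bool = False
    is_bot: bool = False
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: list = field(default_factory=list)   # (name, value) pairs


class SessionStore:
    """Minimal server-side session table: session id -> user."""
    def __init__(self):
        self.sessions = {}

    def mint(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid


def in_ramp_segment(user, percent):
    """Deterministic ramp: hash the user into a 0-99 bucket, upgrade if below the percentage."""
    return int(hashlib.sha256(user.encode()).hexdigest(), 16) % 100 < percent


def handle(req, store, ramp_percent):
    """The deck's decision flow: http? -> ajax? -> bot? -> ramp segment? -> upgrade."""
    https_url = f"https://{req.host}{req.path}"
    if req.scheme == "http":
        if TLS_HINT_COOKIE in req.cookies:
            # Already upgraded (the Secure auth cookie is absent on HTTP): just redirect.
            return Response(301, [("Location", https_url)])
        user = store.sessions.get(req.cookies.get(AUTH_COOKIE, ""))
        if (req.is_ajax or req.is_bot or MIGRATION_COOKIE in req.cookies
                or user is None or not in_ramp_segment(user, ramp_percent)):
            return Response(200)   # leave this request on HTTP
        return Response(301, [
            ("Location", https_url),
            # Short-lived hint stops re-upgrading a bot that refuses the redirect
            ("Set-Cookie", f"{MIGRATION_COOKIE}=1; Max-Age={MIGRATION_TTL}; Path=/"),
        ])
    # HTTPS: first arrival with the old, plaintext-exposed session -> rotate it.
    old_sid = req.cookies.get(AUTH_COOKIE, "")
    user = store.sessions.get(old_sid)
    if user is None or TLS_HINT_COOKIE in req.cookies:
        return Response(200)
    del store.sessions[old_sid]          # kill old authentication cookie+session
    new_sid = store.mint(user)           # mint new authentication cookie+session
    return Response(200, [
        # Secure: the new session id is never on the wire in plaintext
        ("Set-Cookie", f"{AUTH_COOKIE}={new_sid}; Secure; HttpOnly; Path=/"),
        ("Set-Cookie", f"{TLS_HINT_COOKIE}=1; Path=/"),   # not Secure, by design
    ])


def rollback(req, store):
    """Reverse path for an upgraded user on HTTPS: reissue the session without
    Secure (so it is sent on HTTP again), drop the TLS hint, send back to HTTP."""
    headers = [("Location", f"http://{req.host}{req.path}"),
               ("Set-Cookie", f"{TLS_HINT_COOKIE}=; Max-Age=0; Path=/")]
    user = store.sessions.pop(req.cookies.get(AUTH_COOKIE, ""), None)
    if user is not None:
        headers.append(("Set-Cookie", f"{AUTH_COOKIE}={store.mint(user)}; HttpOnly; Path=/"))
    return Response(301, headers)
```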
23. SSL Stripping
How does it work? The attacker MITMs the HTTP requests; a 301 or rejecting HTTP requests does not help.
Mitigation: HTTP Strict Transport Security (HSTS) and preload
24. HSTS
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Window of vulnerability until the first HTTPS visit sets the header! Roll back with max-age=0
Preload
● Submit the site at https://hstspreload.appspot.com/ to enter the hardcoded list
● The domain should not serve HTTP traffic
● includeSubDomains (www), preload flag, max-age >= 18 weeks
Handle preload with care - hard to roll back
25. Perfect Forward Secrecy
● ClientKeyExchange with RSA key exchange: the “pre-master” secret is encrypted with the server public key (no forward secrecy)
● DH vs DHE vs ECDHE
● Forward Secrecy with Session Resumption
27. Pinning*
What problem does pinning solve? Rogue CAs, some MITM; reduces trust requirements
What do you pin? The server certificate, the server public key, or the public key of a certificate in the chain
Public-Key-Pins-Report-Only: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; report-uri="https://other.example.net/pkp-report"
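Checks for the headers on this slide and on slide 24, as an added Python example that is not part of the deck: the HSTS check applies the three preload requirements listed there, and the pinning parser validates the pin-sha256 values of the header shown above; the pins and report-uri used in the checks come from the slide, the 32-byte digest and backup-pin requirements from the HPKP specification.

```python
import base64
import hashlib

# Preload requirements quoted on slide 24: includeSubDomains, the preload flag
# and a max-age of at least 18 weeks.
PRELOAD_MIN_MAX_AGE = 18 * 7 * 24 * 3600   # 10886400 seconds


def parse_directives(header_value):
    """Split 'a=1; b; c="x"' into [(name, value)] with lower-cased names.
    A list, not a dict, because HPKP repeats pin-sha256."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip().lower(), value.strip().strip('"') if sep else None))
    return pairs


def check_hsts_preload(header_value):
    """Problems that keep a Strict-Transport-Security value off the preload list;
    an empty list means all three requirements are met."""
    d = dict(parse_directives(header_value))
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) == 0:
        problems.append("max-age=0 is the rollback form: it clears the policy")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below 18 weeks ({PRELOAD_MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload flag missing")
    return problems


def pin_sha256(spki_der):
    """An HPKP pin is base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header_value):
    """Parse Public-Key-Pins(-Report-Only); rejects pins that are not the
    base64 of a 32-byte digest."""
    pairs = parse_directives(header_value)
    pins = []
    for name, value in pairs:
        if name != "pin-sha256":
            continue
        try:
            digest = base64.b64decode(value, validate=True)
        except (TypeError, ValueError):
            raise ValueError(f"pin is not valid base64: {value!r}")
        if len(digest) != 32:
            raise ValueError(f"pin is not a SHA-256 digest: {value}")
        pins.append(value)
    rest = dict(pairs)
    return {
        "pins": pins,
        "max_age": int(rest["max-age"]) if "max-age" in rest else None,
        "report_uri": rest.get("report-uri"),
        "include_subdomains": "includesubdomains" in rest,
    }


def check_hpkp(header_value, enforcing):
    """Problems with a pinning header. Enforcing (Public-Key-Pins) needs a max-age
    and a backup pin; Report-Only is the safe way to watch for mismatches first."""
    h = parse_hpkp(header_value)
    problems = []
    if enforcing and h["max_age"] is None:
        problems.append("max-age is required when enforcing")
    if enforcing and len(h["pins"]) < 2:
        problems.append("enforcing needs a backup pin (at least two pins)")
    if h["report_uri"] is None:
        problems.append("no report-uri: pin mismatches will go unnoticed")
    return problems
```

HPKP was later removed from the major browsers; the parser is kept to show exactly what the Report-Only header on the slide carries.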