HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
•
57 likes•14,467 views
When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust. If that’s not motivation enough, the web’s giants are actively promoting HTTPS, requiring it for features such as HTTP2 & ServiceWorker, using it for search engine ranking and more. To make the most of the web, you need to use HTTPS. This deck reviews what HTTPS is, discusses why you should prioritize using it, and cover some of the easiest (and most cost effective) steps to get started using HTTPS
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
Similar to HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015) (20)
More from Guy Podjarny
More from Guy Podjarny (20)
Recently uploaded
Recently uploaded (20)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
- 1. HTTPS What, Why and How? Guy Podjarny (@guypod)
- 3. Web Security For Developers
- 4. Intro about me • Guy Podjarny (@guypod) • Founder & CEO of Snyk.io (@snyksec) • Previously CTO at Akamai • Author (“Responsive & Fast”, “High Perf Images”) • 13 Years in Web Security, 6 Years in Web Performance
- 5. HTTPS = Encrypted HTTP
- 6. HTTPS = HTTP over TLS TCP/IP HTTP TCP/IP TLS HTTP HTTPSHTTP
- 7. SSL < TLS
- 8. What Does TLS Provide?
- 9. Identification/Authentication Who Am I Talking To?
- 10. Integrity Is This Really What It Said?
- 11. Confidentiality Nobody Else Can See What’s Said
- 13. HTTPS Used for Banking
- 14. HTTPS Used for Shopping
- 16. HTTPS Elsewhere
- 17. I want YOU To Use HTTPS
- 25. HTTPS Provides Confidentiality Caveat: SNI (more on that later)
- 26. Why HTTPS #1: Protect User Privacy
- 27. Attacks Aren’t Always Passive They Can Get VERY Active
- 29. On HTTP pages, SDK loaded over HTTP
- 32. ‘… the most severe of which could allow remote code execution…’
- 33. Who’s Behind The Curtain? With HTTP, You don’t know
- 34. HTTPS Provides Authentication Who Am I Talking To?
- 35. Why HTTPS #2: Protect Your Users From Evil Websites
- 36. Comcast: ”We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast”
- 38. Hijacking Wifi Isn’t Hard
- 41. Here’s Johnny! Or maybe some piece of malware instead
- 42. HTTPS Provides Integrity Is This Really What It Said?
- 43. Why HTTPS #3: Protect Your Business From Manipulation and Hijacking
- 48. SSLStrip http://a.com/product Client sslstrip adidas.com http://a.com/product <form target= “https://a.com/checkout”>
- 49. SSLStrip http://a.com/product Client sslstrip adidas.com <form target= “http://a.com/checkout”> http://a.com/product <form target= “https://a.com/checkout”>
- 50. SSLStrip http://a.com/product Client sslstrip adidas.com <form target= “http://a.com/checkout”> http://a.com/product http://a.com/checkout <form target= “https://a.com/checkout”>
- 52. Partial HTTPS ~= No HTTPS
- 53. But, But… Bookmarks! Deep External Links!
- 54. Option #1: Don’t support HTTP May Reduce Access
- 55. Option #2: HTTP Strict-Transport-Security (HSTS) Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- 56. Browser Security Indicators Using Chrome as an example
- 57. HTTP Site - No Comment
- 58. HTTPS - Green + Lock
- 61. Is HTTP better than imperfect HTTPS? > ?
- 62. Is HTTPS Secure?
- 63. Is HTTPS Secure?
- 64. Is HTTPS Secure?
- 65. HTTPS ≠ Secure
- 66. HTTP = Insecure
- 67. ‘… people do not generally perceive the absence of a warning sign…’ Marking HTTP As Insecure ‘… Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web…’ Deprecating Non-Secure HTTP
- 69. Why HTTPS #4: HTTP To Be Marked Insecure
- 70. Be Afraid. Be VERY Afraid.
- 72. HTTP2 and SPDY
- 73. New And Improved HTTP Last Major Update over 15 years ago!
- 75. HTTP/1.0 - Single Request GET /foo 200 OK Open Connection Close Connection
- 76. HTTP/1.1 GET /foo 200 OK GET /bar 200 OK GET /baz 200 OK
- 77. HTTP/1.1 Pipelining GET /foo 200 OK GET /bar 200 OK GET /baz 200 OK
- 78. HTTP/1.1 Pipelining GET /foo 200 OK GET /bar 200 OK GET /baz 200 OK Head of Line Blocking
- 79. HTTP/2 Multiplexing GET /foo 200 OK GET /bar 200 OK GET /baz 200 OK GET /foo 200 OK GET /bar 200 OK GET /baz 200 OK
- 80. HTTP/1.1 HTTP/2
- 83. HTTP2 Is Awesome
- 84. HTTP2 Is Here Today! https://caniuse.com/http2
- 85. HTTP2 is Binary Won’t be allowed through port 80…
- 86. HTTP2 is New Current Intermediaries (e.g. ISP Proxies) won’t support it
- 87. How Can We Keep Proxies From Inspecting & Interfering? Any Ideas?
- 88. HTTP/2 is a better HTTP
- 89. Why HTTPS #5: HTTP2 works only over TLS Works on current web + Makes the web secure!
- 90. HTTP/2 0-25% Faster Compared to un-encrypted HTTP/1.1 Source: Akamai
- 91. Service Worker
- 92. appCache is a Douchebag TM Source: A List Apart
- 93. We need Offline Web Native Apps Have It…
- 94. Solution: ServiceWorker • JavaScript Proxy, intercepts all requests • Programmable Cache, can store/read while offline • Can register for Push Notifications • Extensible Web Manifesto style • No-Prompt Installation, persists forever
- 96. ServiceWorker Poisoning? Feels Good In The Moment, But You Pay For It Later…
- 97. Why HTTPS #6: ServiceWorker requires TLS Mitigates Malicious ServiceWorker Risk
- 98. Upcoming TLS-Only Features: Geolocation Device Motion/Orientation Fullscreen EME (Encrypted Media Extensions) getUserMedia … Further Reading (By @metromoxie): https://w3c.github.io/webappsec/specs/powerfulfeatures/
- 100. HTTPS Impacts SEO
- 101. ‘… we’re starting to use HTTPS as a ranking signal…’ ‘… For now it's only a very lightweight signal … But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web…’
- 102. Why HTTPS #7: Google Ranks HTTPS Higher
- 103. Handy Tools
- 104. Certificate Cost & Complexity
- 111. Only Last Mile Protected!
- 112. Only Last Mile Protected! Note: Requires SNI
- 113. No SNI - Single Host DNS Resolve foo.com foo.com=1.2.3.4 Client DNS Server
- 114. No SNI - Single Host DNS Resolve foo.com foo.com=1.2.3.4 Client DNS Server TLS Client Hello foo.com Certificate Client 1.2.3.4 (foo.com)
- 115. No SNI - Shared Host DNS Resolve foo.com CNAME cdn.net Client DNS Server DNS Resolve cdn.net cdn.net=5.6.7.8
- 116. No SNI - Shared Host DNS Resolve foo.com CNAME cdn.net Client DNS Server TLS Client Hello Client 5.6.7.8 (CDN) No Host Name! Which Certificate To Return? DNS Resolve cdn.net cdn.net=5.6.7.8
- 117. SNI -Server Name Identifer DNS Resolve foo.com CNAME cdn.net Client DNS Server TLS Client Hello (foo.com) foo.com Certificate Client 5.6.7.8 (CDN) DNS Resolve cdn.net cdn.net=5.6.7.8 Includes Host Not Supported on: - Windows XP (and older) - Android 2.3 (and older) - IE 7 (and older)
- 119. Is Your TLS Secure?
- 120. IsTLSFastYet.com
- 121. Summary
- 122. Why HTTPS #1: Protect User Privacy
- 123. Why HTTPS #2: Protect Your Users From Evil Websites
- 124. Why HTTPS #3: Protect Your Business From Manipulation and Hijacking
- 125. Why HTTPS #4: HTTP To Be Marked Insecure
- 126. Why HTTPS #5: HTTP2 works only over TLS Works on current web + Makes the web secure!
- 127. Why HTTPS #6: ServiceWorker requires TLS Mitigates Malicious ServiceWorker Risk
- 128. Why HTTPS #7: Google Ranks HTTPS Higher
- 129. Switch (to HTTPS) Today!
- 130. Thank You! Questions? Guy Podjarny (@guypod)