HTTPS & TLS in 2016: Security practices from the front lines

Presented at AppSec USA 2016, Oct. 13, 2016, 3:30 p.m. (60 minutes).

Implementing strong security for Internet‐facing services has grown more challenging and more complex over the past two years. With protocol‐level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long‐held assumptions about foundation system network code. What are the right tradeoffs between modern network security requirements versus widespread legacy client and user interoperability? How do we apply these to traditional Apache and Nginx servers, mobile app web services, and non‐browser infrastructure like libcurl, proxies, API endpoints, and load balancers? And what's the deal with Curve25519, ChaCha/Poly1305, LibSodium, BoringSSL, and LibreSSL? Here, we present a practitioner's crash guide to modern site and web service endpoint encryption using HTTPS. We cover the "TLS 101" (and 201) fundamentals of certificates: ECDSA vs RSA, 2K vs 4K, ephemeral Diffie‐ Hellman (elliptic curve versus static), Domain Validation vs Extended Validation. We'll talk about intermediate and root authorities (and why Superfish is such a problem), and then look at some best practices around https including certificate transparency (CT), pinning (HPKP), and strict transport security (HSTS). Lastly, we'll give updates from the OpenSSL 1.1 audit, and point to well curated configuration guides and recipes for https and TLS.

Presenters:

  • Kenneth White - Director - Open Crypto Audit Project
    Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), currently managing a large‐scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. In his day job, White leads an applied R&D team for Dovel Labs, working with federal clients on mission system security and cloud automation. Previously, he was Principal Scientist at Washington DC‐based Social & Scientific Systems where he led the engineering team that designed and ran global operations and security for the largest clinical trial network in the world, with research centers in over 100 countries. White co‐founded CBX Group which provides security services to major organizations including World Health, UNICEF, Doctors without Borders, the US State Department, and BAO Systems. White cofounded the TrueCrypt audit project, a community‐driven initiative to conduct the first comprehensive cryptanalysis and public security audit of the widely used TrueCrypt encryption software. His work on network security and forensics and been cited by media including the Wall Street Journal, Forbes, Reuters, Wired and BBC. White is a technical reviewer for the Software Engineering Institute, and publishes and speaks frequently on cloud ops, security engineering, and trust.
  • Eric Mill
    Eric Mill is a software engineer and advocate for a web that is safe and secure for all of its users. Eric is currently an advisor and engineer in a federal government agency, and has previously worked at the Sunlight Foundation on open data infrastructure and policy.

Links:

Similar Presentations: