
How mature is your HTTPS implementation?

BSides Luxembourg · 2017 · 30:15 · 91 views · Published 2017-10
About this talk
A practical survey of HTTPS hardening techniques beyond basic encryption. The talk demonstrates common weaknesses in website TLS configurations and explores mitigations including HSTS, OCSP stapling, HPKP, Certificate Transparency, Forward Secrecy, and DNS CAA records. Live demos illustrate attacks such as man-in-the-middle interception via rogue access points, with analysis of real-world adoption among Luxembourg's top websites.
Original YouTube description
Although nowadays most websites run over HTTPS, several parameters can improve the robustness and mitigate risks, especially for highly critical information. The talk aims to be didactic and to point out the weaknesses of a basic setup and the improvements brought by HSTS, OCSP stapling, HPKP, Certificate Transparency, Forward Secrecy, DNS CAA, etc. Different demos will be performed to explain the attacks, their risks and mitigations. The best practices and lessons learned from their configuration on popular websites will be detailed to help sysadmins who want to implement them. At the end, two snapshots of the usage of these parameters on the most popular websites in Luxembourg (TLD .lu), taken in July 2017 and October 2017, will be presented.
Transcript [en]

Hello, so hello, yeah. So today we're talking about "How mature is your HTTPS implementation?" Most of you have probably heard about HTTPS, are using it, but maybe you don't know all the tips you can so first questions: why to use HTTPS and wait to use this HTTPS is ever allowing you to improve the security and privacy your website's

Quite strange problem with the micro, but we'll continue. If you are using Firefox, you could see that in the last versions they implement a new pop-up that will display you a warning message if you enter your credentials on an HTTP website. If you're doing some business and you want to have good ranking in Google, HTTPS will help you also to improve your ranking, and moreover it will be part of a community that will make the Internet safer by using HTTPS. What are the main risks to use HTTP only? Problems of confidentiality: people, some bad guy could sniff your login and password shows, but also the data that are transported over the network. Problem

about integrity: manipulations about the data transfers about the network. We plan some game, so there's some interactive slide with the questions, and the first person that will answer, will give the good answers, we bring some gifts. Deciding questions are pins, so if you see the pins, pay attention. So talk about the HTTP threats. The typical one: passive spoofing, eavesdropping with the rogue access points, passive spoofing on networking telecom equipments, SPAN port, man-in-the-middle attack, ARP poisoning, we have equivalent for IPv6. Something quite innovative: this small device was a Raspberry Pi Zero with PoisonTap software. You plug it on your computer victims in USB, it will emulate an Internet device over USB, it's

running a DHCP and DNS traffic and you will first do these websites to connect over HTTP, and they will try to hijack your login, passwords and session cookies. What kind of badly I do: inject some contents in your web page, redirect you or your users to a phishing website, stealing your login and passwords, stealing your cookies of your existing sessions, and replacing the files you are downloading with some malware. Now let's see the different HTTPS implementations. In the years 90s, typically we were seeing a lot of websites doing the implementation of HTTPS only for the login page. So for the login page, your authentication, you are putting your credentials over HTTPS, but after we were redirected in HTTP and the

rest of your website was in pure HTTP. Do you think it's a secure architecture? Okay, I think you were the first one, we will bring you some gift after the talk. So indeed it's insufficient and security textures, and it's possible indeed to sniff your cookie and maybe get your login and password, but we can still hijack your current session. Unless of the full HTTPS implementations: so you are doing the authentication in HTTPS and the rest of the website is protected also by HTTPS. It will mitigate the passive spoofing, but will it mitigate all the cases? Indeed, you have some gift. It will not always mitigate all the man-in-the-middle attack, there is

still don't with possible in some cases, so we will see a demo. So here we have a specific website that has been, so kind of a wiki, specially done for the end of today, and we can see it's running in HTTP. We have also a virtual machine, a Windows 7, it's on a LAN

and we have a Kali Linux on the same LAN. On the Kali Linux we'll do some poisoning, we are running some tool to do it very easy, and then the users will connect to the website, but it will not enter the full URL, you will only put the name of the website without the prefix in HTTP, of course, because everybody is doing like this. As you can see we have already some hit. Now the user will put his login and password, very testing P it's in HTTP but there is some block worm is the favicon - they look like an HTTP web sites he wrote on it but on the other side we got your login and

password yes

No, indeed, mister demo for this event, but there's nothing to do with the day even. Okay, so start the possible mitigations. HSTS, it's a header, transport security. Your browser is doing a query in HTTP and your web server will answer with a header. Thanks to this header the browser will know it's forced always to connect to the website in HTTPS. You can use this in combination with HTTP redirects, HTTP to HTTPS, and all the future connections will always be done in HTTPS until the expiration of the value. If the connection is not possible, like it's blocked by a firewall or by an attacker, there will be no downgrade to HTTP possible. Another feature interesting:

there is no possibility to bypass, to add an exception. If a certificate is invalid, like not matching the name of the URL or it's expired, you will not be able to add an exception in your browser. As you can see, no exceptions button. So this will mitigate the passive spoofing, it will mitigate attacks like we saw with the Raspberry Pi and the PoisonTap, and mitigate also some man-in-the-middle attacks. So let's see now, if you want to implement this, I will recommend it, what you can do. First you can choose: you do it for specific domains or subdomains, or you do it for all your domains. If you do it only for one

specific domain, I will always recommend you to do it for your domain.com but also with the triple W before. Let's talk about the different optional options that you can implement. The first one is includeSubDomains: this will give you the possibility to automatically implement HSTS for all your subdomains. Very interesting feature. You need to have all your websites in HTTPS of a domain; if you have some websites only in HTTP, they will not be accessible anymore. Moreover, you have the possibility to add your websites on a preload list, and this list is supported by most of the browsers. It will mitigate the first attack too, because it's already hard-coded in

your browser. This parameter is considered a highest benefit by the Mozilla security sheet, which is a very good website I recommend you to look, give you many tips to secure your websites. So some questions: how is it still possible to do a man-in-the-middle attack on a website not part of the preload list? Somebody have an idea? Indeed. Another idea? The expiration, yeah indeed, NTP attack, time-based, and the first connection. You get some gift. Another limitation is the question about the privacy: it's possible for a webmaster to implement some specific links and with subdomains that could lead to a fingerprinting of the browser. We had a look about what's the different implementation in HSTS in the

normal mode and incognito mode, the private modes. So you know, it's when you want to surf some website and you don't really want that it's part of your history. Yeah, it could be some websites you don't want your wife she has a look about it. Then there is a specific private mode, incognito mode, in the browser, and we had a look: yeah, if you connect with the normal mode, standard mode, and then you connect in incognito mode, do they share the same cache of HSTS or do they have a separate cache? Depending on the browsers we can see that it's a different approach. We've talked about the different incognito mode, so you have a first window you

can eat to modern you open a new one to the share the same cache. Another feature: OCSP. So what is OCSP? In HTTPS the client needs to validate that the server certificate is not revoked. So the typical way of doing it, it's a CRL, certification revocation list, but the problem, it's the list which is growing and could introduce some latency. OCSP, Online Certificate Status Protocol, it's more light but requests another query to the OCSP responder. So let's look how it's working: you have your browser doing a query, DNS query, to get the IP address to connecting to the website, then in the website they will download the certificate, the certificate contains the address of the

OCSP responder. The OCSP responder, it needs a DNS query to get the IP address, and finally you can do your check and access the website. So what are the limitations? There is a privacy issue because the certification authority with the OCSP responders can potentially track the website you are visiting. And what's happening if the OCSP responder is not answering? Two possibilities: either you stop, and there is a potential problem of availability in our service, or you continue, and then you could connect to some websites where the certificate is potentially compromised. What does Firefox today? They implement a way to continue, where you can easily change it in your browser. OCSP stapling, it's another way: it's not the browser

that will initiate the connection, it's the server, and the advantage is that in one query you will get your web page, the content of the website you are visiting, but also the confirmation that the certificate is not revoked. HPKP: still another HTTP header. This, it will pin the certification authority, so in place of visiting our websites and any certification authority that is trusted in your browser is valid, only specific certificate will be allowed to connect, will be validated by the browser. There are some different case of... yes, the question?

Yes, this is correct. Yes, yes, indeed, we will see it in few slides do. And yeah, so there are some foreign certificates, we can see different gains of both the past years in foreign countries, but indeed it's... So this is the way you need to implement it: you need to use different keys, it's quite complex to implement. There is a way of reporting incidents: you can put a URL and the browsers will post some information. Unfortunately it's not, or is not really supported. You can pin a root or intermediate CA, and there is also list of billeted certificate. It will not interfere with SSL decryption. But indeed there are different limitations: it's not widely supported, first connection

is removed not protected. You have a problem of hostile pinning, that could be leads of hacker that will install some private key on your website which is hacked, the customers, they will connect to the website, and then the hacker could delete the keys and force you to pay a ransom to giving you the keys, otherwise all your visitors will not be able to visit the website anymore.

Yes, you could. If you have like PayPal or e-commerce websites it could be extremely dangerous. So Mozilla recommends to only implement it for maximum risk sites, not recommended for most of the sites. Now other interesting features, will not go to other particles, but PFS, Perfect Forward Secrecy: it's a feature that allows you to protect the traffic against the future possibility of the crispness of the current starts transactions

You seem to have a good knowledge body, so I propose you explain it. Yes, yes, thank you for your remark. So we have another: Certificate Transparency, it's a framework that will allow you to monitor and look at the certification generations. The DNS CAA, it's a DNS entry, quite interesting, that we'll only on the few entries - only so you know of some certification authority to generate a certificate for your domain, so you do a sort of whitelisting of the certification authority that are allowed to generate a certificate for you. It's not mandatory but unfortunately it has only been recently added to Amazon Route 53 and still not supported by all the DNS providers. So let's see an example how to

implement it. So we did some research about what's the different options and how they are implemented in Luxembourg. To do it we take the country Luxembourg on alexa.com, but we only took the TLD .lu, and we look about the different parameters of features and how they're implemented. So for the top 60 of the TLD .lu we have 51 websites in HTTPS, some are HTTP and HTTPS, and 9 websites in HTTP only. To have an idea about how many websites are using HSTS: the row no it's more lets port in % 15, so 15 websites have implemented HSTS. In fact the percent is quite good apparently, compared to what Netcraft wrote about it last year. HPKP in

your body it's extremely not used. OCSP stapling: two websites. DNS CAA: two websites. PFS: 43, different algorithms, some are using good implementations, some are still using like SSL version 2, version 3. Thank you. So no this cattle bit about it. How many people in this room are webmasters or managing a website? Quite a lot. Do you have HTTP websites only, or HTTPS? Did you implement HSTS? Yes? Not yet? Okay, good point to some. Would you have a question? Yes, we will go back to the slide. So the DNS CAA: we have the possibility to configure DNS records and you will do the list of the certification authority that are allowed to generate certification for you. When

somebody will request the certification authority to generate a certificate, the certification authority will do the DNS query and they will see if they're in the whitelist or not. If you didn't implement it, they will consider it's okay. If you implement it even though this whitelist then they will generate a certificate; if they are not in the whitelist they will not enter certificates. And you have the possibility to add an email address and they will send an incident with to the imagery dimensions you

by in supported yes maybe nonetheless the old version, but the last versions are supporting it. You can also mention which certificate says which domain you want to use, subdomains are supported, and you can also give a specific entry for the wildcard certificate. Let's say you're not exchanging any critical data whatsoever, would I still be use case would use regular HTTP or not? I will recommend to always use HTTPS and to implement the subdomain, but of course this depending about what you want to do, your data classification, and, but it's today extremely easy to enable HTTPS so I will recommend to do it for your subdomains.

Yeah, with Let's Encrypt you can even get free certificates, so the cost won't be an argument anymore.

I was not running exactly but I think you went through the slides, right? So yeah, any other questions that you have not already? So here for me: we heard the, mm-hmm, sorry, the presentation about checking the email security and email crypto. So some of these newer features, I don't think that, does tools like SSL Labs check for these kind of settings? For example, what kind of grade do you get with SSL Labs if you have HPKP enabled, for example? Is it going to be a positive thing, negative thing? So all those features, they are available in SSL Labs, including DNS CAA, including HPKP, excluding all the rest. If you want to have A+

today you need to implement HSTS with a long period. For the rest they will not give you an extra ranking but only a banner, with like, if you see other stuff, this will be mentioned as extra banner. Concerning HPKP, there is a new header that has been published quite recently and you will not block the connection anymore but only doing a reporting. Facebook is using it like this. So basically way it will go as they we're not gonna phase it out, we just gonna make sure that we won't be able to, like if you make a mistake, that is called the HPKP suicide, or someone else you ransom. So

you think that that's the direction where this, because this is really a debated feature, like I think just a month ago in Risky Business there was a full interview just on this feature. So there's quite a debate going on with this. You think that that's the direction where it will go, or we will like doubt and just back up, like saying okay, maybe this was not the best idea? So what do you think it's what we'll have as future for this? Personally I think the reporting tag is extremely interesting to use and only has only advantage. Yeah, I will definitely recommend to implement most of features. OCSP stapling, this is not giving you extremely high

security it's not just a different way of to implement it but it is certainly something to implement anybody else okay real a little bit earlier but I think I don't know is the break is already already there or it's already done yeah okay so coffee coffee at least is there probably on snacks or things yeah oh yeah gift gift yeah let's let's give out the gifts before we go for a break looks like booze I should have I should have paid more attention maybe nobody told me that that's the present yeah okay so if nothing else to add then let's go for the break and yeah what do you want with that battle oh nice oh very good very

good thank you very much so um if you don't have anything else then we're gonna start earlier to break after the big we're gonna do the summary presentations we're gonna do it on on time according to the schedule because the workshop is still ongoing if you want to take a look then go for the workshop they still think wrapping it up yeah other than that go for the break and please give a big round of applause for an offer low for the presentation [Applause]