jQuerySF: https://<your site here>

Emily Stark, Google Chrome security team, [email protected], @estark37

Uploaded by emily-stark on 09-Aug-2015

TRANSCRIPT


What’s TLS, anyway?

The Last Samurai?

Talking Loud Syndrome?

Triple Laser Surgery?

Tangy Louisiana Sauce?

What’s TLS, anyway?

Transport Layer Security

Newer version of SSL

HTTPS == HTTP over TLS

What’s TLS, anyway?

No snooping. No tampering.

No impersonating.

Do I need it if my site isn’t very important?

Do I need it if my site isn’t very important?

Protect your users’ privacy.

Do I need it if my site isn’t very important?

Prevent injected ads and unwanted content.

(And protect your monetization strategy.)

Do I need it if my site isn’t very important?

Use powerful web features safely.

(Soon, “safely” will be the only way!)

Do I need it if my site isn’t very important?

Get on the HTTPS everywhere train!

How do I get TLS?

How do I get TLS?

Step 1: Get a certificate.

Starts at about $10/year: Namecheap, SSLMate.

Free certs soon from Let’s Encrypt.

How do I get TLS?

Step 1: Get a certificate.

>= 2048-bit RSA or ECDSA key

One certificate per hostname (or wildcard)
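The two rules on this slide (a key of at least 2048-bit RSA, or ECDSA, and one certificate per hostname unless you use a wildcard) can be turned into a quick check before you deploy a certificate. The following is an added example, not code from the talk or from any of the products named; the certificate is a constructed plain object (names, key type, key size) standing in for what you would read out of the real certificate, and the `checkCertificate` function and its input shape are this example's own assumptions. Wildcard matching follows the usual rule that `*` covers exactly one leftmost DNS label, so `*.example.com` covers `www.example.com` but neither `example.com` nor `a.b.example.com`.

```javascript
// Added example (not from the talk): validates a certificate against the two
// slide rules. `cert` is a constructed object, not a parsed X.509 structure.

// Does one certificate name cover the hostname? A leading "*" matches exactly one
// label, and only in the leftmost position; comparison is case-insensitive.
function nameMatchesHost(certName, hostname) {
  const name = certName.toLowerCase();
  const host = hostname.toLowerCase();
  if (!name.startsWith('*.')) {
    return name === host;
  }
  const suffix = name.slice(1); // "*.example.com" -> ".example.com"
  if (!host.endsWith(suffix)) return false;
  const leftmost = host.slice(0, host.length - suffix.length);
  // The wildcard must stand in for exactly one non-empty label.
  return leftmost.length > 0 && !leftmost.includes('.');
}

// One certificate per hostname: the certificate must list a matching name.
function certCoversHost(cert, hostname) {
  return cert.names.some((n) => nameMatchesHost(n, hostname));
}

// Key rule from the slide: >= 2048-bit RSA, or ECDSA. The slide gives no size
// for ECDSA, so (assumption) any ECDSA key is accepted here.
function keyMeetsMinimum(cert) {
  if (cert.keyType === 'RSA') return cert.keyBits >= 2048;
  if (cert.keyType === 'ECDSA') return true;
  return false;
}

// Returns a list of problems; an empty list means the certificate passes.
function checkCertificate(cert, hostname) {
  const problems = [];
  if (!certCoversHost(cert, hostname)) {
    problems.push(`certificate does not cover ${hostname}`);
  }
  if (!keyMeetsMinimum(cert)) {
    problems.push(`${cert.keyType} ${cert.keyBits}-bit key is below the >= 2048-bit RSA / ECDSA rule`);
  }
  return problems;
}

// Constructed sample: a wildcard certificate with a 2048-bit RSA key.
const sampleCert = { names: ['example.com', '*.example.com'], keyType: 'RSA', keyBits: 2048 };

console.log(checkCertificate(sampleCert, 'www.example.com'));      // []
console.log(checkCertificate(sampleCert, 'a.b.example.com'));      // [ 'certificate does not cover a.b.example.com' ]
```

The wildcard check is the part people most often get wrong: a certificate for `*.example.com` does not cover the bare `example.com`, which is why the sample lists both names.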

How do I get TLS?

Step 2: Configure your server.

Check out sslmate.com for easy command-line config.

How do I get TLS?

Step 2: Configure your server.

And the Mozilla SSL Configuration Generator is another great tool.

How do I get TLS?

Step 3: Check your configuration.

Use SSLLabs.com to grade your site.

How do I modify my app?

How do I modify my app?

Update your links and content; serve everything over HTTPS.

How do I modify my app?

Update your links and content; serve everything over HTTPS.

<script src="https://foo.com/script.js"></script>
<img src="https://foo.com/img.jpg" />

How do I modify my app?

Send sensitive cookies over HTTPS only.

Set-Cookie: session_id=...; Secure; HttpOnly

How do I modify my app?

Tell browsers to only access your site over HTTPS.

Strict-Transport-Security: max-age=60000; includeSubDomains
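The three app-side changes above (HTTPS links and resources, Secure/HttpOnly cookies, and the Strict-Transport-Security header) can be checked mechanically against a page and its response headers. The following is an added example, not code from the talk; the markup, the Set-Cookie values and the HSTS value are constructed samples, and `auditResponse` together with the `{ body, setCookie, hsts }` input shape are this example's own assumptions. The mixed-content scan only looks at `src` and `href` attributes that start with `http://`, which is the case the slide shows.

```javascript
// Added example (not from the talk): audits a response for the three HTTPS
// migration steps on the slides. All inputs are constructed samples.

// 1. Mixed content: src/href attributes that still point at plain http://.
function findMixedContent(html) {
  const re = /\b(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push(m[1]);
  }
  return found;
}

// 2. Cookies: report whether a Set-Cookie value carries Secure and HttpOnly.
function checkSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = new Set(parts.slice(1).map((p) => p.toLowerCase()));
  return { name, secure: attrs.has('secure'), httpOnly: attrs.has('httponly') };
}

// 3. HSTS: parse max-age (seconds) and the includeSubDomains directive.
function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false };
  for (const directive of headerValue.split(';')) {
    const [k, v] = directive.trim().split('=');
    const key = k.toLowerCase();
    if (key === 'max-age') result.maxAge = parseInt(v, 10);
    else if (key === 'includesubdomains') result.includeSubDomains = true;
  }
  return result;
}

// Combine the three checks into a list of findings (empty = nothing to fix).
// `response` is { body: string, setCookie: string[], hsts: string|null }.
function auditResponse(response) {
  const findings = [];
  for (const url of findMixedContent(response.body)) {
    findings.push(`mixed content: ${url}`);
  }
  for (const cookie of response.setCookie) {
    const info = checkSetCookie(cookie);
    if (!info.secure) findings.push(`cookie ${info.name} lacks Secure`);
    if (!info.httpOnly) findings.push(`cookie ${info.name} lacks HttpOnly`);
  }
  const hsts = response.hsts ? parseHsts(response.hsts) : null;
  if (!hsts || hsts.maxAge === null) {
    findings.push('no Strict-Transport-Security header with max-age');
  }
  return findings;
}

// Constructed sample: one resource and one link still on http://, one cookie
// without flags, and the HSTS header from the slide.
const sampleResponse = {
  body: '<script src="https://foo.com/script.js"></script>' +
        '<img src="http://foo.com/img.jpg" />' +
        '<a href="http://foo.com/page">page</a>',
  setCookie: ['session_id=abc123; Secure; HttpOnly', 'tracking=1; Path=/'],
  hsts: 'max-age=60000; includeSubDomains',
};

console.log(auditResponse(sampleResponse));
// [ 'mixed content: http://foo.com/img.jpg',
//   'mixed content: http://foo.com/page',
//   'cookie tracking lacks Secure',
//   'cookie tracking lacks HttpOnly' ]
```

Running this over your own templates and response headers during the migration gives a concrete to-do list; the script tag in the sample is already on HTTPS, so only the image, the link and the unflagged cookie are reported.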

Does TLS protect my users from everything, forever?

No.

Web application bugs: XSS, CSRF, etc.

Privacy-sensitive information can leak over the network.

What’s next for TLS?

What’s next for TLS?

Certificate Transparency

HTTP Public Key Pinning

HTTP/2 and TLS

TLS should be a requirement for any modern web application.

Thanks!