Proprietary + Confidential
Moving to HTTPS in 2017
Eric Lawrence - Chrome Security @ericlaw October 2017
Why HTTPS?
It’s the only way to ensure that the site you’ve built is what your visitors actually experience.
Deploy HTTPS Everywhere
There are many different types of website. The only constant is that HTTPS is needed for all of them.
“Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the
benevolence of network operators.”
https.cio.gov/everything/
Meh. Are there real-world threats?
Yes.
● Ad injection
● Injected “Enhancements”: flight tracking, bandwidth warnings, service notices, etc.
● SSLStrip
● Firesheep
● DDoS attacks via script injection
● Privacy concerns ($29/month)
● Malware injection
● Global adversaries (Snowden revelations)
The Web Platform is Powering Up
The Web Platform is growing more powerful, especially on mobile, to compete with native applications.
Richer access to sensors, devices, and sensitive information means security is even more important.
...getUserMedia(), geolocation, ServiceWorker, device motion/orientation, EME, AppCache...
Many Datapoints of interest
● Percentage of HTTPS page loads
○ Absolute
○ Traffic-weighted
● Time-spent-per-page
● By country
● By platform
Up and to the right
HTTPS Transparency Report
google.com/transparencyreport/https/
Percentage of pages loaded over HTTPS in Chrome by platform
HTTPS Transparency Report
google.com/transparencyreport/https/
Percentage of HTTPS browsing time by Chrome platform
builtwith.com
[Mock-up: a page at http://example.com with a Login form (Username, Password, Submit); the address bar shows “Not Secure”]
Non-Secure login forms trigger the new Not Secure UI treatment
[Mock-up: the same Login form served from http://example.com and from https://example.com]
Instead, prefer Secure login forms
Content Delivery Networks
● Some CDNs are great partners in getting sites on to HTTPS.
● Others advertise (misleading) pricing due to bundling.
○ Best Practice: Ask about TLS pricing specifically.
Ads
Once a huge issue, now much better.
● All ads that come from any Google source always support HTTPS, including AdWords, AdSense or DoubleClick Ad Exchange.
● The IAB: “we feel that broad support for HTTPS on public servers is a best practice for the industry”
● By the end of 2014, 80% of IAB member ad delivery systems supported HTTPS.
Search Engine Optimization
Google has released two FAQs to help sites transition correctly, and will continue to improve our Web Fundamentals guidance.
https://plus.google.com/+JohnMueller/posts/PY1xCWbeDVC https://plus.google.com/+GoogleWebmasters/posts/eYmUYvNNT5J
I/O Presentation on maintaining PageRank while moving HTTP->HTTPS
HTTPS Errors
HTTPS provides powerful security, but misconfigurations can be disastrous.
Perils to watch out for include:
● Incorrect certificate information
● Expired certificates
● Missing intermediates
● Mixed content
Stages of an HTTPS Move
1. WhyTLS
○ Understand why and where change is needed
2. TryTLS
○ Acquire certs
○ Deploy initial configuration on dev
○ Test to verify performance, certificate and cipher configuration.
Stages of an HTTPS Move - cont’d
3. SomeTLS
○ Deploy TLS on dev, then in parallel on live.
○ Observe impact.
○ Tune.
4. BetterTLS
○ Kill mixed content (active/passive/latent)
5. AllTLS
○ Add HSTS, probably avoid HPKP
Free and Automatic Certificates and Configuration
● LetsEncrypt.org
● Automatic certificates for many hosts, like WordPress (even custom domains!)
● Mozilla’s SSL Configuration Generator
Automated Checkers
● SSL Labs Server Test (SSLLabs.com)
● Mozilla [TLS] Observatory (https://observatory.mozilla.org/)
● Hardenize (Hardenize.com)
Finding Problems with SSLLabs’ Server Test
● Missing intermediates (“Extra download”)
● Unneeded certificates
● Weak ciphers and hashes
● Common configuration or deployment mistakes
Finding Problems with SSL Labs
Missing intermediates (“Extra download”) slow HTTPS connection establishment and may fail entirely on some platforms.
The Biggest Blocker? Mixed Content
● Active Mixed Content - Blocked
○ Script
○ CSS
● Passive Mixed Content - Lock suppressed
○ Images
○ Audio
○ Forms
● Latent Mixed Content - No direct warning
○ Non-secure links
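As an added example, not part of the deck, a small Python scanner that sorts a page's absolute http:// references into the three buckets above, so a migration team can see what will break (active), what will lose the lock (passive) and what merely goes unwarned (latent). The tag-to-bucket mapping follows the slide; the sample page and its example.test hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Buckets as the deck defines them: active content is blocked, passive
# content suppresses the lock, latent content (plain links) gets no warning.
# (tag, attribute) pairs; <link> counts only when it is a stylesheet.
ACTIVE = {("script", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("form", "action")}
LATENT = {("a", "href")}

def is_plain_http(url):
    # Only absolute http:// URLs are mixed content on an https:// page;
    # relative and protocol-relative (//host/path) URLs inherit https.
    return urlsplit(url.strip()).scheme.lower() == "http"

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # icons, preloads etc. are not the CSS case the deck lists
        for pairs, category in ((ACTIVE, "active"), (PASSIVE, "passive"), (LATENT, "latent")):
            for t, attr in pairs:
                if tag == t and a.get(attr) and is_plain_http(a[attr]):
                    self.findings.append((category, tag, a[attr]))

def scan(html):
    """Return every mixed-content reference in the page as (category, tag, url)."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def summarize(html):
    """Count findings per bucket; any 'active' hit means breakage, not just a lost lock."""
    counts = {"active": 0, "passive": 0, "latent": 0}
    for category, _, _ in scan(html):
        counts[category] += 1
    return counts

# Constructed sample for an https://www.example.test/ deployment (not a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body><img src="http://images.example.test/logo.png">
<form action="http://legacy.example.test/login"><input name="user"></form>
<a href="http://partner.example.test/">partner</a> <a href="/local">local</a></body></html>"""
```

Running scan(SAMPLE_PAGE) flags the stylesheet, image, form and partner link but not the protocol-relative script or the relative link, which already inherit the page's https scheme.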
Mitigating Mixed Content: upgrade-insecure-requests
The upgrade-insecure-requests Content Security Policy directive helps ensure that any requests you overlook are seamlessly upgraded to HTTPS, protecting your lock icon.
Mitigating Mixed Content
w3c.github.io/webappsec-upgrade-insecure-requests/
Allow modern clients to tattle on mixed content while the requests are upgraded silently to HTTPS, preserving your secure context (and lock icon!)
Content-Security-Policy: upgrade-insecure-requests; default-src https: 'unsafe-inline' 'unsafe-eval';
Content-Security-Policy-Report-Only: default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri /log.cgi
Strict-Transport-Security
Benefits: Performance, security
Downsides: Possible footgun (expiration, forgotten domains); mixed content still warns
Strict-Transport-Security
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
hstspreload.appspot.com
DANGER: Possible footguns
HTTPS Everything
Email tracking links are The Worst
textslashplain.com/2016/09/22/use-https-for-all-inbound-links/
Preserving and Sanitizing Referers
Referrer Policy helps ensure that any non-secure sites you link to still recognize your site as the source of the referral.
www.w3.org/TR/referrer-policy/
Preserving and Sanitizing Referers
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: origin
www.w3.org/TR/referrer-policy/
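An added example, not from the deck, that ties the upgrade-insecure-requests, Strict-Transport-Security and Referrer-Policy slides together: a Python audit of a response's headers for the footguns listed above (short max-age, forgotten subdomains, preload without its prerequisites, no CSP upgrade, no referrer policy). The one-year minimum for preload is taken from hstspreload's submission requirements, stated as an assumption in the code; both header sets are constructed, the good one using the deck's own values.

```python
ONE_YEAR = 365 * 24 * 3600  # assumed preload-list minimum for max-age (hstspreload requirement)

def parse_directives(value):
    """Split 'max-age=63072000; includeSubDomains; preload' into {name: value}, names lowercased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    return directives

def audit_headers(headers):
    """Return warnings for the HSTS, CSP and Referrer-Policy pitfalls the deck names."""
    h = {name.lower(): value for name, value in headers.items()}
    warnings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        warnings.append("no Strict-Transport-Security header")
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0  # a malformed max-age is treated as no protection at all
        if max_age < ONE_YEAR:
            warnings.append("HSTS max-age=%d is under one year; protection expires soon after the last visit" % max_age)
        if "includesubdomains" not in d:
            warnings.append("HSTS lacks includeSubDomains: forgotten subdomains stay reachable over plain HTTP")
        if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
            warnings.append("preload is set but the preload list requires includeSubDomains and max-age >= 1 year")
    csp = h.get("content-security-policy", "")
    if "upgrade-insecure-requests" not in parse_directives(csp):
        warnings.append("CSP lacks upgrade-insecure-requests: overlooked http:// subresources stay mixed content")
    if "referrer-policy" not in h:
        warnings.append("no Referrer-Policy: browsers send no Referer to the http:// sites you link to")
    return warnings

# Constructed responses: the headers the deck recommends, and a weak deployment.
DECK_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "upgrade-insecure-requests; default-src https: 'unsafe-inline' 'unsafe-eval';",
    "Referrer-Policy": "origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300; preload",
    "Content-Security-Policy": "default-src https:",
}
```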
Performance Benefits of TLS
● HTTP/2
● Service Worker
● Brotli compression
● TLS/1.3
istlsfastyet.com
TLS 1.3 - Better Performance and Security
● Chrome Canary
○ chrome://flags/#ssl-version-max
● Firefox Nightly
○ Enter "about:config" in the address bar
○ Set security.tls.version.max from 3 to 4
Appendix
● Google’s HTTPS Migration Guide
● https://whytls.com
● Google I/O 2017 - Getting the Green Lock, HTTPS Migration Stories from the field
● Google I/O 2014 - HTTPS Everywhere (Slides) -- Includes motivations and good step-by-step instructions for performing a migration, including fixing legacy content and maintaining SEO
● Deploying HTTPS: The Green Lock and Beyond (Chrome Dev Summit 2015) - Emily Stark
● Bulletproof SSL and TLS book
Outreach and Fixing Sites
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn
Scenarios
1. A page has a visible password field at all times. Chrome shows "Not Secure" on page load.
2. A page has a hidden password field that is hidden using a supported mechanism (e.g. style="display: none"). Chrome does not show a "Not Secure" warning until the field is unhidden using JavaScript.
3. A page has an obscured or non-rendered password field that is hidden using a non-supported mechanism (e.g. style="visibility: hidden"). Chrome 56 shows a warning on page load.