Recorded at AppSecUSA 2016 in Washington, DC
HTTPS & TLS in 2016: Security practices from the front lines
Implementing strong security for Internet‐facing services has grown more challenging and more complex over the past two years. With protocol‐level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long‐held assumptions about foundation system network code. What are the right tradeoffs between modern network security requirements versus widespread legacy client and user interoperability? How do we apply these to traditional Apache and Nginx servers, mobile app web services, and non‐browser infrastructure like libcurl, proxies, API endpoints, and load balancers? And what's the deal with Curve25519, ChaCha/Poly1305, LibSodium, BoringSSL, and LibreSSL?
Here, we present a practitioner's crash guide to modern site and web service endpoint encryption using HTTPS. We cover the "TLS 101" (and 201) fundamentals of certificates: ECDSA vs RSA, 2K vs 4K, ephemeral Diffie‐ Hellman (elliptic curve versus static), Domain Validation vs Extended Validation. We'll talk about intermediate and root authorities (and why Superfish is such a problem), and then look at some best practices around https including certificate transparency (CT), pinning (HPKP), and strict transport security (HSTS). Lastly, we'll give updates from the OpenSSL 1.1 audit, and point to well curated configuration guides and recipes for https and TLS.
Eric Mill is a software engineer and advocate for a web that is safe and secure for all of its users. Eric is currently an advisor and engineer in a federal government agency, and has previously worked at the Sunlight Foundation on open data infrastructure and policy.
Director, Open Crypto Audit Project
Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), currently managing a large‐scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. In his day job, White leads an applied R&D team for Dovel Labs, working with federal clients on mission system security and cloud automation.
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project