ssl++; tales of transport layer security at twitter
DESCRIPTION
presentation at BSides San Francisco, Feb 24 2013. corresponding video available @ https://www.brighttalk.com/webcast/7651/69207
TRANSCRIPT
SSL++
Tales of Transport-Layer Security at Twitter
@jimio | #BSidesSF
CRIME
BEAST
HTTP
100% Certified SSL
secure;
sslstrip
301
#!
twitter.com/#!/jimio
DISCLAIMER
we did this.
you can too.
Hello!
http://twitter.com
https://twitter.com
http://twitter.ie
http://www.w3.org
http://wtf.ru http://twitter.uz
%2F
/
<-HTTPS
Hello!
twitter.com
HTTP...
but wait!!
HSTS
HTTP=>HTTPS 300s
0
includeSubdomains
include$ubdomains
CSP
< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:
< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:
secureheaders
Strict-Transport-Security
Content-Security-Policy
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
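The HSTS ramp (300s, then 0 to back out), the report-only CSP headers and the secureheaders header set above, as one added example. This is not Twitter's code and not the secureheaders gem: it is a Rack-style middleware written for this page, and the report URI, the exact policy strings and the sample requests are assumptions.

```ruby
# Added example (not Twitter's code and not the secureheaders gem): a
# Rack-style middleware showing the three moves the slides describe,
# 301 HTTP=>HTTPS, HSTS with a ramped max-age, and report-only CSP.
# The report URI and the exact policy are assumptions for illustration.
class TransportSecurity
  # hsts_max_age: start small (the slides' 300s) so a bad rollout expires
  # quickly; 0 tells browsers to drop the policy; raise it once confident.
  def initialize(app, hsts_max_age: 300, include_subdomains: false,
                 csp_report_uri: 'https://example.com/csp_report')
    @app = app
    @hsts_max_age = hsts_max_age
    @include_subdomains = include_subdomains
    @csp_report_uri = csp_report_uri
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    # HSTS is only honoured when received over HTTPS, so it is set here,
    # never on the plaintext redirect.
    [status, headers.merge(security_headers), body]
  end

  # The 301 is what sslstrip sits in front of: a stripped victim never sees
  # it, which is why HSTS (remembered from an earlier clean visit) matters.
  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    qs = env['QUERY_STRING']
    location += "?#{qs}" if qs && !qs.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' },
     ['Moved Permanently']]
  end

  def hsts_value
    value = "max-age=#{@hsts_max_age}"
    # Directive names are case-insensitive; the slides spell it this way.
    value += '; includeSubdomains' if @include_subdomains
    value
  end

  # Report-only: nothing is blocked, violations are POSTed to report-uri.
  # 'unsafe-inline'/'unsafe-eval' mirror the 2013 policy on the slides;
  # removing them is the next tightening step.
  def csp_report_only_value
    "default-src https: data: 'unsafe-inline' 'unsafe-eval'; " \
      "frame-src https: about:; " \
      "report-uri #{@csp_report_uri}"
  end

  def security_headers
    {
      'Strict-Transport-Security' => hsts_value,
      # The slides show the X-WebKit-CSP / X-Content-Security-Policy
      # prefixed forms of 2013; current browsers take the unprefixed name.
      'Content-Security-Policy-Report-Only' => csp_report_only_value,
      'X-Frame-Options' => 'SAMEORIGIN',
      'X-XSS-Protection' => '1; mode=block',
      'X-Content-Type-Options' => 'nosniff'
    }
  end

  private

  # X-Forwarded-Proto is only trustworthy behind your own TLS terminator.
  def https?(env)
    env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end

# Constructed sample requests, not captured traffic.
APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['Hello!']] }
MIDDLEWARE = TransportSecurity.new(APP, hsts_max_age: 300,
                                        include_subdomains: true)

def request(scheme)
  MIDDLEWARE.call('rack.url_scheme' => scheme, 'HTTP_HOST' => 'twitter.com',
                  'PATH_INFO' => '/jimio', 'QUERY_STRING' => '')
end

if __FILE__ == $PROGRAM_NAME
  puts request('http').inspect
  puts request('https')[1]['Strict-Transport-Security']
end
```

Rolling back is the same code with `hsts_max_age: 0`: browsers that already cached the policy forget it on the next HTTPS visit, which is why the ramp starts at a short max-age rather than a year.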
SSL
1. OS: validate revocation, expiration
2. App: check against local bundle
3. Party on
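The two-layer check on that slide, as an added example that is not Twitter's client code. Layer 1 is the platform's ordinary X.509 validation (chain to a trusted root, validity window; CRL/OCSP revocation is left to the OS and is not simulated). Layer 2 is the app comparing the server's public key against a bundle of pins it ships with, so a certificate that is valid under some other OS-trusted CA still fails. Every CA, key and name below is generated in-process for illustration.

```ruby
require 'openssl'

# Added example, not Twitter's client code: the two layers on the slide.
# Layer 1 is the platform's ordinary X.509 validation (chain to a trusted
# root, validity window; CRL/OCSP revocation is left to the OS and not
# simulated here). Layer 2 is the app comparing the server's public key
# against a bundle of pins it ships with, so a certificate that is valid
# under some other OS-trusted CA still fails. All CAs, keys and names
# below are generated in-process for illustration.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# issuer_cert nil => self-signed root. days < 0 => already expired.
def make_cert(subject:, key:, ca:, serial:, issuer_cert: nil,
              issuer_key: key, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_after = Time.now + days * 86_400
  cert.not_before = [Time.now, cert.not_after].min - 60
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  if ca
    cert.add_extension(ef.create_extension('keyUsage',
                                           'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The pin: SHA-256 of the SubjectPublicKeyInfo, which survives a renewal
# that keeps the same key pair.
def spki_sha256(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.public_key.to_der)
end

# Layer 1, what the OS does: chain to a root in its trust store and check
# the validity window.
def os_validates?(leaf, trusted_roots, intermediates = [])
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  store.verify(leaf, intermediates)
end

# Layer 2, what the app does: compare against the bundled pins.
def app_pin_ok?(leaf, pinned_spki)
  pinned_spki.include?(spki_sha256(leaf))
end

def connection_allowed?(leaf, trusted_roots, pinned_spki)
  os_validates?(leaf, trusted_roots) && app_pin_ok?(leaf, pinned_spki)
end

# Constructed scenario: two OS-trusted roots, one of which mis-issues.
def scenario
  good_ca_key = make_key
  good_ca = make_cert(subject: '/CN=Good Root CA', key: good_ca_key,
                      ca: true, serial: 1)
  server_key = make_key
  server = make_cert(subject: '/CN=twitter.com', key: server_key, ca: false,
                     serial: 2, issuer_cert: good_ca, issuer_key: good_ca_key)
  expired = make_cert(subject: '/CN=twitter.com', key: server_key, ca: false,
                      serial: 3, issuer_cert: good_ca, issuer_key: good_ca_key,
                      days: -1)
  rogue_ca_key = make_key
  rogue_ca = make_cert(subject: '/CN=Other Trusted CA', key: rogue_ca_key,
                       ca: true, serial: 4)
  mitm = make_cert(subject: '/CN=twitter.com', key: make_key, ca: false,
                   serial: 5, issuer_cert: rogue_ca, issuer_key: rogue_ca_key)

  roots = [good_ca, rogue_ca]
  pins = [spki_sha256(server)] # the bundle shipped inside the app
  {
    legit: connection_allowed?(server, roots, pins),
    expired_passes_os: os_validates?(expired, roots),
    mitm_passes_os: os_validates?(mitm, roots),
    mitm_passes_pin: app_pin_ok?(mitm, pins),
    mitm_allowed: connection_allowed?(mitm, roots, pins)
  }
end

if __FILE__ == $PROGRAM_NAME
  scenario.each { |name, result| puts "#{name}: #{result}" }
end
```

The point of the second layer is the `mitm` case: the OS accepts it because the issuing CA is in the trust store, and only the app's local bundle rejects it. Pinning the key rather than the certificate keeps the bundle valid across a renewal, and the bundle needs a backup pin before the key is ever rotated.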
https://twitter.com/jobs
https://t.co/h4x0r
#jointheflock
@jimio