Why and How You Should Use SSL - bwmtechblog.net

Why and How You Should Use SSL (HTTPS) on Your Web Site

Bruce Moore, DEng

Moore Software Services, LLC
P.O. Box 183
Coppell, TX 75019
(972) 652-0254

[email protected]

www.mooresoftwareservices.com

Simplifying Financial Data Analysis

March 18, 2015

Outline: Why Care; Spoofing; Man in the Middle; Certificate Types; Certificate Authorities; Obtaining and Installing; Test Environment; Lenovo Superfish; Contact

Why should I care about SSL and HTTPS?

Attacks against you and your users:
Spoofing
Man-in-the-middle

Google uses HTTPS as a ranking signal (announced August 6, 2014), so an HTTP-only site can rank lower than an HTTPS one.

HTTPS Bruce Moore


Agenda

Spoofing attacks

Man in the middle

Certificate types

Certificate vendors

Obtaining and installing a certificate

Test environment

Lenovo Superfish


What is spoofing?

A look-alike for your site, on a domain the attacker controls.

The user enters credentials on it, and that user ID and password are now compromised.

The attack takes several forms, differing only in how the user is steered to the look-alike:
Phishing email
Compromised DNS


Compromised DNS is more common than you might think

Examples:
FBI
Google, August 2014
Verizon, August 2014


How does SSL protect against spoofing?

An attacker can visually imitate your site easily; copying HTML is trivial.

A certificate issued for your domain gives the browser something the look-alike cannot copy: the padlock and the certificate details show which domain (and, for organization-validated and EV certificates, which organization) the connection was validated for.

Imitating or stealing your certificate is much harder: the attacker would need your private key, or a CA willing to issue a certificate for your domain name.

Caveat: the attacker can obtain a perfectly valid certificate for a look-alike domain of their own, so the padlock only proves that the connection really is to the domain shown in the address bar. Users still have to read that name.

Doors typically only have to withstand three or four kicks before criminals move to the next house.

Don't be the easiest site on the block to spoof.


Browser screenshots (images not included in this transcript):
SSL on Firefox
SSL on Firefox: basic certificate information
SSL on Firefox: more certificate information
SSL on Firefox: certificate details
SSL on Chrome
SSL on Internet Explorer
SSL on Safari


What is man-in-the-middle?

An attacker positioned on the network path between the user and your server can:
Listen to the conversation
Capture unencrypted user IDs and passwords; users re-use passwords, so the thief can then log in to other sites
Insert ads (some ISPs and public hotspot operators have done this to plain-HTTP pages)
Insert malicious JavaScript
Track the user's browser
Force the download of malware


How does a man-in-the-middle attack start?

Public Wi-Fi connections: which of the SSIDs that you see here is my cell phone? (Any access point can advertise any name.)

Compromised network routers and hijacked Internet routes, where traffic is silently detoured through a third country:
November 2013, DOD traffic via Iceland
November 2013, Mexico to New York via Belarus
November 2014, Moscow to Yaroslavl via China


How does SSL/HTTPS protect against man-in-the-middle attacks?

HTTPS encrypts transmissions to and from the browser, and the server's certificate lets the browser authenticate who it is talking to.

A man in the middle cannot read or alter the traffic: a passive one sees only ciphertext, and an active one cannot impersonate your server without your private key or a certificate for your domain name that the browser trusts (the Lenovo Superfish case below is exactly the second situation).

A man in the middle still knows which client is communicating with which server: the IP addresses are visible, the hostname is sent in the clear in the TLS handshake (the Server Name Indication extension), and so are the size and timing of the traffic.


There are several types of SSL certificates

Validation levels (increasing cost; "Class" is StartCom's naming, the industry terms are DV, OV and EV):
Self-signed: not useful for public web sites, because no CA the browser trusts vouches for it and every visitor gets a warning
Class 1: low validation, domain control only (DV)
Class 2: individual and business validation (OV)
Class 2 EV: physical and cyber business validation (EV)

Uses:
Email authentication and encryption
Server traffic authentication and encryption
Code signing

Coverage:
Single domain (www.mooresoftwareservices.com)
Multi-domain (ftp., smtp., imap. and www.mooresoftwareservices.com, each listed as a Subject Alternative Name)
Wildcard (*.mooresoftwareservices.com: any single label in place of the star, but not the bare domain and not deeper subdomains)
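How a browser decides whether a certificate's names cover the host it connected to is the practical side of the coverage question, including the wildcard limits. The following added example (not the deck's or any library's code) implements the matching rules browsers apply, with the deck's three coverage shapes as constructed sample inputs. One caveat it encodes: modern browsers ignore the Common Name and consult only the Subject Alternative Name list, so every name you need must be in the SAN.

```python
# Added example (not from the deck): the name-matching rules a browser applies when it checks
# whether a certificate covers the host it connected to. The three SAN lists below are
# constructed to mirror the deck's single-domain, multi-domain and wildcard cases.

SINGLE_DOMAIN = ["www.mooresoftwareservices.com"]
MULTI_DOMAIN = ["ftp.mooresoftwareservices.com", "smtp.mooresoftwareservices.com",
                "imap.mooresoftwareservices.com", "www.mooresoftwareservices.com"]
WILDCARD = ["*.mooresoftwareservices.com"]


def hostname_matches(cert_name, hostname):
    """Does one dNSName entry cover hostname?

    Comparison is case-insensitive (RFC 6125 section 6.4). A wildcard is accepted only
    as the entire leftmost label, it must leave at least two labels to its right (so
    "*.com" is rejected), and it stands for exactly one label: "*.example.com" covers
    "www.example.com" but neither "example.com" nor "a.b.example.com".
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    if not cert_name.startswith("*.") or "*" in cert_name[2:]:
        return False                                  # partial-label wildcards like w*.example.com
    suffix = cert_name[2:]
    if "." not in suffix:
        return False                                  # would cover an entire top-level domain
    first, sep, rest = hostname.partition(".")
    return bool(first) and sep == "." and rest == suffix


def certificate_covers(san_names, hostname):
    """True if any SAN entry covers the host. Browsers consult only the SAN list;
    the certificate's Common Name is ignored."""
    return any(hostname_matches(n, hostname) for n in san_names)


def coverage_table(hostnames):
    """For each host, which of the three certificate shapes would cover it."""
    shapes = {"single": SINGLE_DOMAIN, "multi": MULTI_DOMAIN, "wildcard": WILDCARD}
    return {h: [s for s, names in shapes.items() if certificate_covers(names, h)]
            for h in hostnames}
```

Running coverage_table over the bare domain shows the trap with wildcards: *.mooresoftwareservices.com does not cover mooresoftwareservices.com itself, so a certificate meant to serve both must list the bare name as an additional SAN.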


Each validation level requires more documentation

You pay for the validation of your application, not for the certificate itself.

Class 1 requires proof of control of an email account at the domain, or of the root directory of the domain.

Class 2 requires:
Driver's licence
Passport
Business registration with the state (of Texas)
Tax ID documents
Letter from the president of the organization (on organization documents) authorizing you to obtain certificates

Class 2 Extended Validation requires additional information on the physical address.


CAs differ in how their validation procedures are audited, and thus in how widely their certificates are accepted

You need a CA whose root certificate is in the trust stores shipped by the browser and operating system vendors (Apple, Microsoft, Mozilla, Google).

Some free CAs are not accepted there:
CAcert.org

Some free CAs are accepted by the major browsers:
StartCom

Paid certificates are easy:
StartCom
GeoTrust
Thawte
Comodo
...


StartCom is perhaps currently the best choice for a free certificate (as of March 2015)

Class 1
One year
Free
Revocation is about $25

Note: StartCom was distrusted by the major browsers starting in late 2016 and shut down at the beginning of 2018. Today Let's Encrypt issues free, browser-trusted domain-validated certificates with automated issuance and free revocation.


There are several steps in the process

Choose a vendor (CA)

Generate a private key on your own server; it never leaves that server

Generate a certificate signing request (CSR) from that key

Send the CSR (never the private key) to the vendor

Receive the certificate and install it on the domain, together with the CA's intermediate certificate chain

Set up email, FTP etc. to use the certificate

Configure Joomla to use HTTPS


Screenshots of the cPanel, WHM and Joomla steps (images not included in this transcript):
Using cPanel
Using cPanel SSL Manager
Using cPanel to generate a private key
Using cPanel to generate a certificate signing request
Using cPanel to list certificate signing requests
Passing the certificate signing request to StartSSL
Using cPanel to install the certificate, part 1
Using cPanel to install the certificate, part 2
Using WebHost Manager (WHM) to install the certificate, part 1
Using WebHost Manager (WHM) to install the certificate, part 2
Configuring Joomla to force HTTP to HTTPS
Configuring Akeeba Web Master Tools to redirect to HTTPS


Turn on HTTP Strict Transport Security (HSTS) in the Akeeba .htaccess Generator

On the first access over HTTPS, the Strict-Transport-Security response header tells the browser to use HTTPS only for all future connections to the site, for max-age seconds. Browsers ignore the header when it arrives over plain HTTP, so the redirect to HTTPS has to come first.

Getting onto the list of HTTPS-only sites preconfigured in browsers is a separate step: the header must carry a max-age of at least one year (the current requirement), includeSubDomains and preload, and the site is submitted to hstspreload.org. The header alone does not add you.

HSTS protects against downgrade ("SSL stripping") attacks on later visits. It does not protect against an interceptor such as Lenovo Superfish that holds a root certificate the browser already trusts; see the Lenovo Superfish section below.
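The following added Python example (not the deck's, Joomla's or Akeeba's code) shows the behaviour the generated .htaccess rules are meant to produce: redirect every plain-HTTP request to HTTPS, send HSTS only on HTTPS responses, and check a header value against the preload requirements. The request fields and header values it handles are constructed here.

```python
# Added example (not from the deck): the redirect-then-HSTS behaviour behind the .htaccess
# rules, plus a parser for the header so a deployed value can be checked. Request fields
# and header strings are constructed inputs.
from urllib.parse import urlunsplit

ONE_YEAR = 31536000          # seconds; the HSTS preload list requires at least this


def handle_request(scheme, host, path, query=""):
    """Return (status, headers) the way the site should respond.

    Plain HTTP gets a permanent redirect to the same URL over HTTPS and nothing else;
    the HSTS header is only attached to HTTPS responses, because RFC 6797 tells
    browsers to ignore it on an insecure connection.
    """
    if scheme != "https":
        location = urlunsplit(("https", host, path, query, ""))
        return 301, {"Location": location}
    hsts = f"max-age={ONE_YEAR}; includeSubDomains; preload"
    return 200, {"Strict-Transport-Security": hsts}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict (directive names lowercased).
    max-age is mandatory and must be a non-negative integer; flags map to True."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if val else True
    age = out.get("max-age")
    if not isinstance(age, str) or not age.isdigit():
        raise ValueError("invalid HSTS header: missing or non-numeric max-age")
    out["max-age"] = int(age)
    return out


def preload_eligible(value):
    """The conditions hstspreload.org checks in the header itself. (It also checks the
    HTTP-to-HTTPS redirect and the certificate chain, which this function does not.)"""
    d = parse_hsts(value)
    return (d["max-age"] >= ONE_YEAR
            and d.get("includesubdomains") is True
            and d.get("preload") is True)
```

In Apache terms this is mod_rewrite (`RewriteCond %{HTTPS} off` followed by a 301 `RewriteRule` to `https://%{HTTP_HOST}%{REQUEST_URI}`) plus mod_headers (`Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`), with the Header directive placed only in the HTTPS virtual host or guarded by an `<If "%{HTTPS} == 'on'">` block. Start with a short max-age and raise it only once every subdomain really serves HTTPS: includeSubDomains with a year-long max-age is not something you can take back quickly.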


Self-signed certificates are handy for testing

Generate a self-signed certificate in cPanel

Use X Certificate and Key management (XCA) to manage an internal CA

Practice the process on a test machine:
Generate a certificate signing request
Import the signing request into XCA
Generate a certificate in XCA
Install the certificate

Import the internal CA's root certificate into the test browser's trust store, and nowhere else, so that the test site shows no warning while production browsers stay untouched.


Protecting against Lenovo Superfish

Superfish, adware preinstalled on some Lenovo laptops, installed its own root certificate in the Windows trust store and substituted its own certificate for every HTTPS site the user visited.

The browser could not tell the difference, because the substituted certificates chained to a root it had been told to trust.

Superfish modified the HTML to insert its own ads.

The same root private key was shipped on every affected machine and was extracted quickly, so any attacker on the same network could do the same to those users, with far worse intent.

The solution proposed here is an HTTP header for key pinning.


To protect against certificate substitution, use key pinning

Not sure how to do this yet

Requires an Apache module (mod_headers) to emit the Public-Key-Pins response header

The header carries base64 SHA-256 hashes of the SubjectPublicKeyInfo of keys the browser should expect somewhere in the chain (your own key, or your CA's), plus a max-age; on later visits the browser rejects any chain that contains none of the pinned keys.

Caveat: HPKP never stopped Superfish-style interception in Chrome, which skips pin checks for chains that end in a locally installed root precisely so that enterprise interception keeps working, and because a mistaken pin can lock users out of a site for the whole max-age, the header is no longer supported by any major browser. Certificate Transparency monitoring and CAA DNS records are the current way to detect and limit mis-issuance for your domain.


Contact information

Bruce Moore, [email protected]
(972) 652-0254
