Why SPA should switch to HTTPS and how easy that is
It's not cool anymore to serve your web site over HTTP. It has also become very easy to move to HTTPS.
Tutorial, 75 min
Abstract
Objectives
+ understand why secure communication is important, even for static websites
+ run through some alternative procedures for supporting HTTPS at low cost
+ know how to enforce HTTPS
+ appreciate weaknesses and limitations of TLS and hence HTTPS
Content
As a site owner, you have a responsibility to your users to protect their privacy. You probably also want to ensure that nobody tampers with your content, let alone that your users would be re-directed to an adversary's site. Confidentiality, data integrity and server authenticity were objectives of HTTPS right from the start and they have only become more pertinent as network technology and our habits evolved.
But there are additional incentives to go HTTPS, such as the influence of HTTPS on search-engine page ranking, the increasingly aggressive sign-posting of insecure sites in browsers, and the performance benefits of HTTP/2, which browsers only negotiate over TLS.
While it used to be complex and expensive to enable HTTPS, it is now cheap and easy. One easy way is using Cloudflare's free reverse proxy, which will terminate HTTPS connections on your behalf.
Another free, but slightly more challenging, option is Let's Encrypt. The extra effort buys extra control and even better security.
When you are serving your web pages over HTTPS, you may not want to turn off HTTP immediately, since that would make the site unavailable to anyone following an old http:// URL. On the other hand, you do not want to fall victim to SSL stripping attacks, where an attacker on the path keeps the user on plain HTTP. Redirect HTTP to HTTPS and use HTTP Strict Transport Security (HSTS) so that browsers enforce HTTPS on later visits.
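The redirect-plus-HSTS arrangement described above, as an added example for NGINX (this is not configuration from the session or from the linked letsencrypt-demo repository; example.com, the web roots and the certbot-style certificate paths are placeholders):

```nginx
# Added example: keep port 80 reachable for old links, but send everything
# to HTTPS and tell browsers (via HSTS) to enforce HTTPS themselves.
# example.com and all paths below are placeholders; the certificate paths
# assume Let's Encrypt's default certbot layout.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Let the ACME HTTP-01 challenge through so certificate renewals work.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else: permanent redirect to the same path over HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocol and cipher settings: paste the output of the Mozilla SSL
    # Configuration Generator here instead of hand-picking them.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: once a browser has received this header over a valid HTTPS
    # connection it rewrites http:// to https:// itself for max-age
    # seconds, so a stripping attacker never sees a plain-HTTP request on
    # later visits. Start with a short max-age (e.g. 300) while testing;
    # raise it to a year (31536000) and add includeSubDomains only once
    # every subdomain is served over HTTPS. "always" also sends the header
    # on error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;
}
```

Submitting the domain to the browsers' HSTS preload list is a separate and hard-to-reverse step; consider it only after the header has been served cleanly for some time.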
Transport Layer Security (TLS), the protocol HTTPS relies on for its security, has not had good press in recent years: numerous bugs have been discovered and some of its underlying design has been questioned. A discussion of the cryptographic details is out of scope, but it is important to appreciate that (i) you need to keep your TLS stack patched and (ii) you need to configure it correctly. Fortunately, state-of-the-art configuration files do not need to be built by hand: tools such as the Mozilla SSL Configuration Generator produce them for you, and tools such as Qualys SSL Labs will then test the resulting configuration.
Audience background
This talk is for anyone who uses web technology and either does not run it over HTTPS or does not know whether they use HTTPS.
Benefits of participating
Understand some of the security risks associated with the use of web technology and how to mitigate them cost-effectively.
Materials provided
Presentation. Demos.
Process
Interactive presentation.
Participants are encouraged to try some of the technologies discussed during the session.
Detailed timetable
00:00 - 00:10 welcome and intro
00:10 - 00:20 why you should switch to HTTPS
00:20 - 00:30 brief technical overview of HTTPS
00:30 - 00:45 using Cloudflare
00:45 - 01:00 using Let's Encrypt (ACME)
01:00 - 01:15 wrap-up discussion
Outputs
Slides comparing 3 approaches are available: https://docs.google.com/presentation/d/11t_CYwxUcBlbBrVqlu7tDuJTS71ywtt7GJ2JkyGsy1M/pub?start=false&loop=false&delayms=3000
How to use Let's Encrypt including some sample command lines and configuration files for NGINX and Caddy: https://github.com/supernelis/letsencrypt-demo
History
We have spoken about TLS at OWASP and taught TLS for ops, devs and devops commercially. However, this session is more high-level, focusing on the motivation for using TLS and looking for the simplest way you could possibly enable it.
Presenters
- Johan Peeters (Johan Peeters bvba)
- Nelis Boucké