spa2017 Conference - Session: Why SPA should switch to HTTPS and how easy that is

BCS SPA2017

Why SPA should switch to HTTPS and how easy that is

It's not cool anymore to serve your web site over HTTP. It has also become very easy to move to HTTPS.

Tutorial, 75min

Abstract

Objectives

+ understand why secure communication is important, even for static websites
+ run through some alternative procedures for supporting HTTPS at low cost
+ know how to enforce HTTPS
+ appreciate weaknesses and limitations of TLS and hence HTTPS

Content

As a site owner, you have a responsibility to your users to protect their privacy. You probably also want to ensure that nobody tampers with your content, let alone that your users would be re-directed to an adversary's site. Confidentiality, data integrity and server authenticity were objectives of HTTPS right from the start and they have only become more pertinent as network technology and our habits evolved.
But there are additional incentives to going HTTPS, such as the influence of the use of HTTPS on page ranking, increasingly aggressive sign-posting of insecure sites in browsers and performance benefits with HTTP/2.

While it used to be complex and expensive to enable HTTPS, it is now cheap and easy. One easy way is using Cloudflare's free reverse proxy, which will terminate HTTPS connections on your behalf.
Another free, but slightly more challenging, option is Let's Encrypt. The extra effort buys extra control and even better security.

When you are serving your web pages over HTTPS, maybe you don't want to immediately turn off HTTP since this would make the server unavailable for anyone with the old URL. On the other hand, you do not want to fall victim to SSL Stripping attacks. Use HTTP Strict Transport Security (HSTS) for protection.

Transport Layer Security (TLS), the protocol HTTPS relies on for its security, has not had a good press in recent years: numerous bugs have been discovered and some of its underlying design has been questioned. A discussion of the cryptographic details is out of scope, but it is important to appreciate that (i) you need to keep your TLS stack patched (ii) you need to configure it correctly. Fortunately, state-of-the-art configuration files do not need to be built by hand - there are good tools such as the Mozilla SSL Configuration Generator to do this for you. And tools such as Qualys SSL Labs test the configuration.

Audience background

This talk is for anyone who uses web technology and either does not run it over HTTPS or does not know whether they use HTTPS.

Benefits of participating

Understand some of the security risks associated with the use of web technology and how to mitigate them cost-effectively.

Materials provided

Presentation. Demos.

Process

Interactive presentation.

Participants are encouraged to try some of the technologies discussed during the session.

Detailed timetable

00:00 - 00:10 welcome and intro
00:10 - 00:20 why you should switch to HTTPS
00:20 - 00:30 brief technical overview of HTTPS
00:30 - 00:45 using Cloudflare
00:45 - 01:00 using Let's Encrypt (ACME)
01:00 - 01:15 wrap-up discussion

Outputs

Slides comparing 3 approaches are available: https://docs.google.com/presentation/d/11t_CYwxUcBlbBrVqlu7tDuJTS71ywtt7GJ2JkyGsy1M/pub?start=false&loop=false&delayms=3000
How to use Let's Encrypt including some sample command lines and configuration files for NGINX and Caddy: https://github.com/supernelis/letsencrypt-demo

History

We have spoken about TLS at OWASP and taught TLS for ops, devs and devops commercially. However, this session is more high-level, focusing on the motivation for using TLS and looking for the simplest way you could possibly enable it.

Presenters

  1. Johan Peeters
    Johan Peeters bvba
  2. Nelis Boucké