emily-stark
What’s TLS, anyway?
The Last Samurai?
Talking Loud Syndrome?
Triple Laser Surgery?
Tangy Louisiana Sauce?
What’s TLS, anyway?
Transport Layer Security
The successor to SSL (SSL 3.0 was followed by TLS 1.0, 1.1, 1.2)
HTTPS == HTTP over TLS
What’s TLS, anyway?
No snooping. No tampering.
No impersonating.
Do I need it if my site isn’t very important?
Protect your users’ privacy.
Do I need it if my site isn’t very important?
Prevent injected ads and unwanted content.
(And protect your monetization strategy.)
Do I need it if my site isn’t very important?
Use powerful web features safely.
(Browsers are restricting powerful features, such as geolocation and service workers, to secure origins. Soon, “safely” will be the only way!)
Do I need it if my site isn’t very important?
Get on the HTTPS everywhere train!
How do I get TLS?
Step 1: Get a certificate.
Starts at about $10/year: Namecheap, SSLMate.
Free certs soon from Let’s Encrypt.
Use an RSA key of at least 2048 bits, or an ECDSA key; keep the private key on the server only.
One certificate per hostname, or a wildcard or multi-name (SAN) certificate that covers them all.
How do I get TLS?
Step 2: Configure your server.
Check out sslmate.com for easy command-line config.
And the Mozilla SSL Configuration Generator is another great tool.
How do I get TLS?
Step 3: Check your configuration.
Use SSLLabs.com to grade your site.
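As an added example (not from the slides), here is what steps 2 and 3 look like for a server written in Python, using only the standard library's ssl module: a hardened server context, a self-check you can run before deploying it, and a client-side probe that reports what a default browser-like client actually negotiates against a live host. The cipher list and the `certfile`/`keyfile` paths are assumptions; the certificate itself still comes from step 1.

```python
"""Hardened server-side TLS context for a Python server, with a self-check and a
client-side probe of a deployed site (stdlib only, no extra packages)."""
import socket
import ssl
import sys
import time

# Assumed cipher preference (OpenSSL syntax): ECDHE only, so every session has
# forward secrecy, and AEAD ciphers only. Refresh it from the Mozilla SSL
# Configuration Generator rather than hand-editing it.
CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)


def make_server_context(certfile=None, keyfile=None):
    """Step 2 in Python terms: refuse TLS < 1.2, compression and non-PFS suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSLv3, TLS 1.0 and 1.1 off
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # our order wins, not the client's
    ctx.set_ciphers(CIPHERS)
    if certfile:  # the certificate chain from step 1 and its private key (assumed paths)
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers(ctx):
    """Names of enabled suites without forward secrecy or using legacy ciphers."""
    bad = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite.get("protocol") == "TLSv1.3":
            continue  # TLS 1.3 suites always use ephemeral key exchange
        no_pfs = "ECDHE" not in name and "DHE" not in name
        legacy = any(x in name for x in ("RC4", "DES", "MD5", "NULL"))
        if no_pfs or legacy:
            bad.append(name)
    return bad


def describe_server_context(ctx):
    """Step 3 for our own context: a summary to assert on before deploying."""
    return {
        "min_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_ciphers": weak_ciphers(ctx),
    }


def probe_site(host, port=443, timeout=5.0):
    """Step 3 against a live host: what a default verifying client negotiates."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expires = ssl.cert_time_to_seconds(cert["notAfter"])
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_alt_names": [v for _, v in cert.get("subjectAltName", ())],
                "days_until_expiry": int((expires - time.time()) // 86400),
            }


if __name__ == "__main__":
    print(describe_server_context(make_server_context()))
    if len(sys.argv) > 1:  # e.g. python tls_check.py example.com
        print(probe_site(sys.argv[1]))
```

`probe_site` needs network access and a host that already serves HTTPS; `describe_server_context` runs offline and is the check to wire into your deployment tests so a later edit cannot quietly re-enable TLS 1.0 or a static-RSA suite. An external grader such as SSLLabs still sees things this self-check cannot (chain problems, OCSP stapling, browser-specific handshake simulations), so use both.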
How do I modify my app?
Update your links and content; serve everything over HTTPS.
<script src="https://foo.com/script.js"></script>
<img src="https://foo.com/img.jpg" />
How do I modify my app?
Send sensitive cookies over HTTPS only.
Set-Cookie: session_id=...; Secure; HttpOnly
How do I modify my app?
Tell browsers to only access your site over HTTPS.
Strict-Transport-Security: max-age=60000; includeSubDomains
(max-age is in seconds, so 60000 is under a day: fine while testing, but raise it to a year or more, e.g. max-age=31536000, once everything works over HTTPS. Send the header only on HTTPS responses; browsers ignore it on plain HTTP.)
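The three app changes above (HTTPS subresources, Secure/HttpOnly cookies, a real HSTS policy) are easy to regress. As an added example that is not part of the slides, the following stdlib-only Python audit takes a response's headers and HTML body and reports every one of the three that is still wrong; the sample response at the bottom is constructed for this example, and the one-year HSTS threshold is the editor's choice.

```python
"""Audit an HTTP response for the three HTTPS-migration items: mixed content,
cookie flags and HSTS. Standard library only."""
from html.parser import HTMLParser

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age worth deploying for real


class MixedContentFinder(HTMLParser):
    """Collect elements whose URL attribute still points at http://."""

    # src/action/data/poster are loaded by the browser (mixed content);
    # href on links is not blocked, but still drops users back to plain HTTP.
    URL_ATTRS = {"src", "href", "action", "data", "poster"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value and value.lower().startswith("http://"):
                self.insecure.append((tag, value))


def find_mixed_content(html):
    """Return (tag, url) pairs that would load or link over plain HTTP."""
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.insecure


def cookie_missing_flags(set_cookie_value):
    """Return (cookie name, missing flags) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return name, missing


def hsts_problems(hsts_value):
    """Return problems with a Strict-Transport-Security value (None = header absent)."""
    if hsts_value is None:
        return ["Strict-Transport-Security header missing"]
    directives = {}
    for directive in hsts_value.split(";"):
        key, _, value = directive.strip().partition("=")
        if key:
            directives[key.lower()] = value.strip().strip('"')
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is under one year")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    return problems


def audit_response(headers, body):
    """headers: list of (name, value) pairs as received (Set-Cookie may repeat);
    body: the HTML text. Returns the findings for all three checks."""
    hsts = None
    cookies = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = value
        elif lname == "set-cookie":
            cookie, missing = cookie_missing_flags(value)
            if missing:
                cookies[cookie] = missing
    return {
        "mixed_content": find_mixed_content(body),
        "cookies": cookies,
        "hsts": hsts_problems(hsts),
    }


# Constructed sample response: one script still on http://, one cookie without
# Secure, and an HSTS max-age that is far too short for production.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=3f9a; HttpOnly"),
    ("Set-Cookie", "theme=dark; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=60000; includeSubDomains"),
]
SAMPLE_BODY = (
    '<script src="http://foo.com/script.js"></script>'
    '<img src="https://foo.com/img.jpg" />'
)

if __name__ == "__main__":
    for item, findings in audit_response(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(item, findings)
```

Feed it the headers and body captured by your integration tests (for example from an `http.client` response, where `getheaders()` already returns the list-of-pairs form) and fail the build on any non-empty finding.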
Does TLS protect my users from everything, forever?
No.
Web application bugs: XSS, CSRF, etc.
Privacy-sensitive metadata still leaks over the network: which hosts users talk to (DNS, IP addresses, the SNI hostname in the handshake), and how much and when (message sizes and timing).
What’s next for TLS?
Certificate Transparency
HTTP Public Key Pinning (HPKP; later deprecated and removed from major browsers because a bad pin locks users out of the site)
HTTP/2 and TLS
TLS should be a requirement for any
modern web application.
Thanks!