Essential Web Security
Given the ubiquitous nature of the web, developers are doing everything they can to hasten the switchover to a TLS-everywhere world. Thankfully, what was previously an expensive and tedious task has become much easier and more economical thanks to automated TLS certificate provisioning. Once certificates are in place, there is a multitude of configuration hardening measures available, each of which performs an important role in providing strong web security.
Attendees of this hands-on talk will walk away with an in-depth understanding of the following topics, along with how they can be put to practical use via a growing number of FOSS web security tools.
Automated TLS certificate provisioning
- Let’s Encrypt pros and cons
- authenticator comparison: web root, DNS-01, standalone web server
- automatic TLS certificate renewal via Certbot and cron
- overview of third-party provisioning tools
TLS-related configuration
- trade-off between better security and backwards-compatibility with older browsers
- protocol and cipher selection based on the above trade-offs
- recommended configuration profiles, along with feeds for automated comparison/notification
Content Security Policy (CSP)
- threat model: cross-site scripting and other code injection attacks
- can have sharp edges, but a useful defensive measure
- tools for drafting, validating, and reporting on content security policies
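The "sharp edges" above are easiest to see with a small policy linter. The following is an added example written for this page, not a tool from the talk or from any named project; it parses a Content-Security-Policy header value into directives and reports the weaknesses a reviewer would want flagged before deploying it (the header strings at the bottom are constructed samples, and the set of checks is this example's own choice, not an exhaustive reading of the CSP specification).

```python
"""Minimal Content-Security-Policy linter (added example, not the talk's code)."""
from __future__ import annotations

# Source expressions that let CSP Level 2+ browsers ignore 'unsafe-inline'
# in the same directive; listing both is the usual backwards-compatible form.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name and
    the remaining tokens are source expressions. Browsers keep only the first
    occurrence of a duplicated directive, so later duplicates are dropped here
    too. Tokens are lowercased for keyword comparison only.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources governing `directive`, falling back to default-src.

    Returns None when neither is present, i.e. the directive is unrestricted.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def lint_csp(header: str) -> list[str]:
    """Return human-readable findings for a CSP header; an empty list is clean."""
    policy = parse_csp(header)
    findings: list[str] = []

    if "default-src" not in policy:
        findings.append("missing default-src: any fetch directive not listed is unrestricted")

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("script-src is unrestricted (no script-src and no default-src)")
    else:
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src permits 'unsafe-inline' with no nonce/hash: "
                            "injected inline scripts will run")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src permits 'unsafe-eval'")
        for wide in ("*", "http:", "https:", "data:"):
            if wide in scripts:
                findings.append(f"script-src permits the broad source {wide}")

    objects = effective_sources(policy, "object-src")
    if objects is None or "'none'" not in objects:
        findings.append("object-src is not 'none': plugin content can still execute")

    if "base-uri" not in policy:
        findings.append("missing base-uri: an injected <base> tag can redirect relative script URLs")

    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will not be reported")

    return findings


if __name__ == "__main__":
    # Constructed sample policies: one typical weak first draft, one hardened.
    samples = {
        "weak": "script-src 'self' 'unsafe-inline' https:; img-src *",
        "hardened": ("default-src 'none'; script-src 'nonce-abc123' 'unsafe-inline'; "
                     "object-src 'none'; base-uri 'self'; report-uri /csp-report"),
    }
    for label, header in samples.items():
        print(f"[{label}]")
        for finding in lint_csp(header) or ["no findings"]:
            print("  -", finding)
```

Note that the hardened sample keeps `'unsafe-inline'` next to a nonce: CSP Level 2 browsers ignore the keyword once a nonce or hash is present, while older browsers fall back to it, which is the compatibility trade-off the talk outline refers to.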
Public Key Pinning (HPKP)
- threat model: compromised or rogue certificate authorities
- potentially hazardous and should be handled with care
Certificate Transparency (CT)
- threat model: helps detect faked/forged certificates
- Chromium will require certificate transparency in October 2017
- Certbot to include “Signed Certificate Timestamps” (SCTs) in the near future
Other covered topics will include:
- forward secrecy
- strict transport security (HSTS)
- OCSP stapling
As mentioned above, this talk will make particular note of recent FOSS tools dedicated to improving web security.