Essential Web Security


Given the ubiquitous nature of the web, developers are doing everything they can to hasten the switchover to a TLS-everywhere world. Thankfully, what was previously an expensive and tedious task has become much easier and more economical thanks to automated TLS certificate provisioning. Once certificates are in place, there is a multitude of configuration hardening measures available, each of which performs an important role in providing strong web security.

Attendees of this hands-on talk will walk away with an in-depth understanding of the following topics, along with how they can be put to practical use via a growing number of FOSS web security tools.

Automated TLS certificate provisioning

  • Let’s Encrypt pros and cons
  • authenticator comparison: web root, DNS-01, standalone web server
  • automatic TLS certificate renewal via Certbot and cron
  • overview of third-party provisioning tools

TLS-related configuration

  • trade-off between better security and backwards-compatibility with older browsers
  • protocol and cipher selection based on the above trade-offs
  • recommended configuration profiles, along with feeds for automated comparison/notification

Content Security Policy (CSP)

  • threat model: cross-site scripting and other code injection attacks
  • can have sharp edges, but a useful defensive measure
  • tools for drafting, validating, and reporting on content security policies
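As an added example of the "validating" tooling mentioned above (not a tool from the talk itself), the following small Python linter parses a CSP header value into its directives and flags the sharp edges that most often void the XSS protection: no fallback directive, inline or eval script allowances without a nonce or hash, wildcard script sources, and a policy with no reporting endpoint. The sample policies at the bottom are constructed for illustration.

```python
"""Tiny Content-Security-Policy linter (added example; not a tool from the talk).

Parses a CSP header value into directives and flags the kind of sharp edges
the talk alludes to: no fallback directive, inline/eval script allowances,
wildcard script sources, and a policy with no reporting endpoint.
"""


def parse_csp(header: str) -> dict:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.

    Directive names are case-insensitive; per the CSP spec a repeated
    directive is ignored, so the first occurrence wins.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(header: str) -> list:
    """Return human-readable findings for a policy; an empty list means no complaints."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: any fetch directive you forgot is unrestricted")
    # script-src governs script execution and falls back to default-src when absent
    script = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    # a nonce or hash makes CSP2+ browsers ignore 'unsafe-inline' (kept only for old browsers)
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce/hash: XSS protection is void")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': string-to-code sinks remain open")
    if "*" in script or "https:" in script or "http:" in script:
        findings.append("script-src allows scripts from any host: a remotely hosted script is not blocked")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will go unnoticed while drafting")
    return findings


if __name__ == "__main__":
    # Constructed sample policies: a permissive first draft and a tightened one.
    for label, hdr in [("draft", "script-src 'self' 'unsafe-inline' *; img-src https:"),
                       ("tight", "default-src 'none'; script-src 'self' 'nonce-d2ViMTIz'; "
                                 "img-src 'self'; report-uri /csp-report")]:
        print(label, lint_csp(hdr) or "OK")
```

Run the tightened policy as Content-Security-Policy-Report-Only first and watch the report endpoint before enforcing it.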

Public Key Pinning (HPKP)

  • threat model: compromised or rogue certificate authorities
  • potentially hazardous and should be handled with care

Certificate Transparency (CT)

  • threat model: helps detect faked/forged certificates
  • Chromium will require certificate transparency in October 2017
  • Certbot to include “Signed Certificate Timestamps” (SCTs) in the near future

Other covered topics will include:

  • forward secrecy
  • strict transport security (HSTS)
  • OCSP stapling
As mentioned above, this talk will make particular note of recent FOSS tools dedicated to improving web security.

Room 106
Sunday, March 5, 2017 - 16:30 to 17:30