Post on 14-Jan-2017
Google I/O 2014: HTTPS Everywhere„Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted. We must protect the security, privacy, and integrity of our users data. In this session we will take a hands-on tour of how to make your websites secure by default: the required technology, configuration and performance best practices, how to migrate your sites to HTTPS and make them user and search friendly, and more. Your users will thank you.“
https://www.youtube.com/watch?v=cBhZ6S0PFCY
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_and_Cipher_Configuration
SSL 1SSL 2SSL 3
SSL 3.1 = TLS 1.0TLS 1.1TLS 1.2
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_and_Cipher_Configuration
SSL 1SSL 2SSL 3
SSL 3.1 = TLS 1.0TLS 1.1TLS 1.2
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_and_Cipher_Configuration
SSL 1SSL 2SSL 3
SSL 3.1 = TLS 1.0TLS 1.1TLS 1.2
Verschlüsselung
nIdentitätsprüfung
g
wQ
Q)w
HTTP(S)
<script src="//connect.facebook.net/de_DE/all.js" async></script>
http://www.webpagetest.org/result/130616_3E_A0H/1/details/https://istlsfastyet.com/
Ladezeiten
Content Security Policy (CSP)# Apache
Header set Content-Security-Policy "default-src https:"
# Nginx
add_header Content-Security-Policy "default-src https:";
https://www.owasp.org/index.php/Content_Security_Policyhttps://scotthelme.co.uk/csp-cheat-sheet/
HTTP Strict Transport Security (HSTS)
# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Lokale Entwicklungsumgebung
http://dev.walterebert.de/
->
https://dev.walterebert.de/
HSTS
# ApacheHeader always set Strict-Transport-Security "max-age=31536000"
# Nginxadd_header Strict-Transport-Security "max-age=31536000";
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Excessively_Strict_STS
Server Name Indication (SNI)
Mehrere Domains unter einer IP-Adresse
https://de.wikipedia.org/wiki/Server_Name_Indication
https://www.ssllabs.com/ssltest/analyze.html?d=walterebert.de&hideResults=on
Android 2.3
Internet Explorerauf Windows XP
Webservices
RSS-Reader
Webcrawler
Monitoring
…
PHP < 5.3.2Python 2Java 6
Nicht nur Browserhttps://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniinga
KonfigurationHow to Deploy HTTPS Correctlyhttps://www.eff.org/https-everywhere/deploying-https
SSL/TLS Deployment Best Practiceshttps://www.ssllabs.com/projects/best-practices/
Richtig verschlüsseln mit SSL/TLShttps://www.owasp.org/images/1/19/Richtig_verschluesseln_mit_SSL%2BTLS_-_Achim_Hoffmann%2BTorsten_Gigler.pdf
HTTP2-Implementationenhttps://github.com/http2/http2-spec/wiki/Implementations
diff --git a/.htaccess b/.htaccessindex 974999a..f4024c6 100644--- a/.htaccess+++ b/.htaccess@@ -3,7 +3,7 @@ # # Protect files and directories from prying eyes.-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"> <IfModule mod_authz_core.c> Require all denied </IfModule>@@ -93,7 +93,7 @@ AddEncoding gzip svgz # If you do not have mod_rewrite installed, you should remove these # directories from your webroot or otherwise protect them from being # downloaded.- RewriteRule "(^|/)\." - [F]+ RewriteRule "(^|/)\.(?!well-known)" - [F] # If your site can be accessed both with and without the 'www.' prefix, you # can use one of the following settings to redirect users to your preferred
https://www.drupal.org/node/2408321
$ ls -l /etc/letsencrypt/total 24drwx------ 3 root root 4096 Jan 8 12:23 accountsdrwx------ 5 root root 4096 Feb 4 15:14 archivedrwxr-xr-x 2 root root 4096 Feb 4 14:36 csrdrwx------ 2 root root 4096 Feb 4 14:36 keysdrwx------ 6 root root 4096 Feb 4 15:14 livedrwxr-xr-x 2 root root 4096 Feb 4 14:36 renewal
$ sudo ls -l /etc/letsencrypt/live/walterebert.detotal 0lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert.pem -> ../../archive/walterebert.de/cert1.pemlrwxrwxrwx 1 root root 38 Feb 4 14:59 cert1.pem -> ../../archive/walterebert.de/cert1.pemlrwxrwxrwx 1 root root 39 Feb 4 14:59 chain.pem -> ../../archive/walterebert.de/chain1.pemlrwxrwxrwx 1 root root 43 Feb 4 14:59 fullchain.pem -> ../../archive/walterebert.de/fullchain1.pemlrwxrwxrwx 1 root root 41 Feb 4 15:00 privkey.pem -> ../../archive/walterebert.de/privkey1.pem
Testen
SSL Server Test (Qualys SSL Labs)https://www.ssllabs.com/ssltest/
SSLyzehttps://github.com/nabla-c0d3/sslyze
O-Saft (OWASP)https://www.owasp.org/index.php/O-Saft
walter.ebert.engineering@wltrd
walterebert.deslideshare.net/walterebert