SSL, We Used to Know (YOU)

I'm Jacky.

I work at 

I live in Oakland tho.

https://jacky.wtf

use:

encrypt everything

What is SSL?

SSL

Secure
Sockets
Layer

Developed by Netscape!

About 6 months younger than me!

Wait, HOW OLD?

SSL 1.0: defined/invented in '93, released ???

SSL 2.0: an RFC pushed out ~ '95

SSL 3.0: an RFC dropped around 2011

Eventually

SSL DIED.

It's like that sometimes.

Protocols come and go. Anyone remember ICQ?

What to expect?

I HAZ WEBSEC!

We know the person who gave Slides this SSL certificate. And it's using SHA256 (good stuff)

Elliptic curve key, AES encryption

TLS 1.freaking.2!!

A TLS CERT

A human-readable format.

A TLS CERT

A less-than-human readable format.


Here comes

TLS

Transport
Layer
Security

TLS uses...

  • Symmetric Encryption

  • Public Key Cryptography (we know who you are)

  • Every Message is MAC'd (no phonies)

  • Forward Secrecy (everything's legit)

  • Certificate pinning
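
The properties on this slide can be checked against a client's own TLS configuration. This is an added example, not from the talk: it uses Python's standard `ssl` module, the function names are made up for illustration, and the `kea` / `aead` fields are what OpenSSL reports through `get_ciphers()`.

```python
import socket
import ssl


def modern_client_context():
    """Client context that refuses SSL and early TLS, keeping only ECDHE + AES-GCM."""
    ctx = ssl.create_default_context()            # verifies the certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2.0/3.0 and TLS 1.0/1.1 are refused
    # Applies to TLS 1.2 suites; OpenSSL keeps its TLS 1.3 suites regardless of this string.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!PSK")
    return ctx


def audit(ctx):
    """Report, per enabled cipher suite, the properties listed on the slide."""
    report = []
    for c in ctx.get_ciphers():
        report.append({
            "name": c["name"],
            "protocol": c["protocol"],
            # Ephemeral (EC)DHE key exchange is what gives forward secrecy.
            # TLS 1.3 suites report "kx-any"; certificate handshakes there are always ephemeral.
            "forward_secret": c["kea"] in ("kx-ecdhe", "kx-dhe", "kx-any"),
            # AEAD suites authenticate every record (the "every message is MAC'd" bullet).
            "aead": c["aead"],
            "symmetric": c["symmetric"],
        })
    return report


def negotiated(host, port=443):
    """Needs network access: return (protocol version, cipher suite) agreed with a server."""
    ctx = modern_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for row in audit(modern_client_context()):
        print(row)
```
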

THE FUTURE!!!1

No puppies were harmed in this GIF. Srsly.

COMMON

  • HTTP Layer

  • TLS 1.2 used by server

  • GZIP

  • Minification

EXPECTED

  • HTTP/2. Dassit.


HTTP/2

  • Used to be SPDY (Google)
  • Picked up by NGINX
  • Twitter uses it (I THINK)
  • ... HTTP's future

DASSIT.

SSL, We Used to Know You

By Jacky Alciné

This talk was presented at WaffleJS Feb 3, 2016. It provides a short story as to why SSL was created & deprecated, the use of TLS to replace it and how HTTP/2 incorporates security by default.
