SSL++Tales of Transport-Layer Security at Twitter

@jimio | #BSidesSF

CRIME

BEAST

HTTP

100% Certified SSL

<img src="http://twitter.com"/>

secure;

sslstrip

301

#!

#!twitter.com/#!/jimio

twitter.com/#!/jimio

DISCLAIMER

DISCLAIMER

we did this.

DISCLAIMER

we did this.

you can too.

Hello!

Hello!

twitter

twitter

twitter

twitter

http://twitter.com

http://twitter.com

https://twitter.com

http://twitter.com

https://twitter.com

http://twitter.ie

http://twitter.com

https://twitter.com

http://twitter.ie

http://www.w3.org

http://wtf.ru http://twitter.uz

<link rel="canonical" href="https://twitter.com/">

%2F

/

<-HTTPS

Hello!

Hello!

twitter.com

HTTP...

but wait!!

HSTS

HSTS

HTTP=>HTTPS 300s

0

HTTP=>HTTPS 300s

0

includeSubdomains

include$ubdomains

CSP

CSP

< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:

< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:

< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:

< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

< X-WebKit-CSP-Report-Only: default-src https: data: chrome-extension: 'unsafe-inline' 'unsafe-eval'; report-uri https://twitter.com/scribes/csp_report; frame-src https://* about: javascript: chrome-extension:

< X-Content-Security-Policy-Report-Only: options eval-script inline-script; report-uri https://twitter.com/scribes/csp_report; allow https://* data: ; frame-src https://* about: javascript:

secureheaders

secureheadersStrict-Transport-SecurityContent-Security-Policy

X-XSS-ProtectionX-Frame-Options

X-Content-Type-Options

SSL

1. OS: validate revocation, expiration2. App: check against local bundle3. Party on

https://twitter.com/jobshttps://t.co/h4x0r

#jointheflock

@jimio