Google I/O 2014: HTTPS Everywhere (slides: walterebert.com/files/https-lets-encrypt-dugffm.pdf)
TRANSCRIPT
Page 1
Google I/O 2014: HTTPS Everywhere
„Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted. We must protect the security, privacy, and integrity of our users' data. In this session we will take a hands-on tour of how to make your websites secure by default: the required technology, configuration and performance best practices, how to migrate your sites to HTTPS and make them user and search friendly, and more. Your users will thank you.“
https://www.youtube.com/watch?v=cBhZ6S0PFCY
Page 10
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_and_Cipher_Configuration
SSL 1, SSL 2, SSL 3
SSL 3.1 = TLS 1.0, TLS 1.1, TLS 1.2
Page 13
Encryption
Identity verification
Page 29
HTTP(S): a protocol-relative URL takes the scheme of the page that embeds it, so the same tag loads over HTTPS on an HTTPS page and over plain HTTP on an HTTP page
<script src="//connect.facebook.net/de_DE/all.js" async></script>
Page 30
Load times
http://www.webpagetest.org/result/130616_3E_A0H/1/details/
https://istlsfastyet.com/
Page 31
Content Security Policy (CSP)
# Apache
Header set Content-Security-Policy "default-src https:"
# Nginx
add_header Content-Security-Policy "default-src https:";
https://www.owasp.org/index.php/Content_Security_Policy
https://scotthelme.co.uk/csp-cheat-sheet/
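The two slides above (the protocol-relative Facebook include and the `default-src https:` policy) belong together: the policy is what turns a stray `http://` subresource from a silent mixed-content load into a blocked fetch. The following script is an added example and not code from the slides or from any browser; it collects the subresources of a small constructed HTML page, resolves `//host/...` references against the page's own scheme, flags mixed content, and evaluates each fetch against a CSP header. The page URL `www.example.com`, the sample markup and the policies are assumptions for the demo, and the source-list matching is a simplified model of the CSP rules (`'none'`, `*`, `'self'`, scheme-source and host-source only).

```python
"""Added example, not from the slides: collect the subresources an HTML page
loads, resolve protocol-relative references such as //connect.facebook.net/...
against the page's own scheme, flag mixed content, and evaluate every fetch
against a Content-Security-Policy such as the slide's `default-src https:`.
The page URL, the sample markup and the policies are constructed for the demo;
the source-list matching is a simplified model of the CSP rules."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute that triggers a fetch, CSP directive that governs it)
_FETCHES = {
    "script": ("src", "script-src"),
    "img": ("src", "img-src"),
    "link": ("href", "style-src"),
    "iframe": ("src", "frame-src"),
}


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (raw url, directive)

    def handle_starttag(self, tag, attrs):
        spec = _FETCHES.get(tag)
        if spec is None:
            return
        attr, directive = spec
        for name, value in attrs:
            if name == attr and value:
                self.found.append((value, directive))


def parse_csp(header):
    """'default-src https:; img-src *' -> {'default-src': ['https:'], 'img-src': ['*']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_allows(policy, directive, url, page_url):
    """Match one URL against a source list. Supports 'none', *, 'self',
    scheme-source (https:) and host-source (cdn.example.net, *.example.net,
    optionally with a scheme). A fetch directive that is absent falls back to
    default-src; with no default-src either, CSP imposes no restriction."""
    sources = policy.get(directive, policy.get("default-src", ["*"]))
    t, p = urlsplit(url), urlsplit(page_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if (t.scheme, t.netloc) == (p.scheme, p.netloc):
                return True
        elif src.endswith(":"):                      # scheme-source
            if t.scheme == src[:-1]:
                return True
        else:                                        # host-source
            scheme, _, host = src.rpartition("://")
            if scheme:
                if scheme != t.scheme:
                    continue
            elif t.scheme not in (p.scheme, "https"):
                continue                             # schemeless host: page scheme or https
            if host.startswith("*."):
                if (t.hostname or "").endswith(host[1:]):
                    return True
            elif t.hostname == host:
                return True
    return False


def audit(html, page_url, csp_header):
    """One record per subresource: the absolute URL the browser would fetch,
    whether that is mixed content on an https page, and whether the CSP
    allows it."""
    collector = _Collector()
    collector.feed(html)
    policy = parse_csp(csp_header)
    page_https = urlsplit(page_url).scheme == "https"
    report = []
    for raw, directive in collector.found:
        absolute = urljoin(page_url, raw)
        report.append({
            "raw": raw,
            "url": absolute,
            "directive": directive,
            "mixed_content": page_https and urlsplit(absolute).scheme == "http",
            "csp_allowed": csp_allows(policy, directive, absolute, page_url),
        })
    return report


# Constructed sample markup: the slide's protocol-relative Facebook SDK include,
# a hard-coded http:// image and a same-origin script.
SAMPLE_HTML = """
<script src="//connect.facebook.net/de_DE/all.js" async></script>
<img src="http://img.example.net/logo.png">
<script src="/js/app.js"></script>
"""
POLICY = "default-src https:"

if __name__ == "__main__":
    for page in ("https://www.example.com/", "http://www.example.com/"):
        print(page)
        for r in audit(SAMPLE_HTML, page, POLICY):
            print("  %-48s mixed=%-5s csp_allowed=%s"
                  % (r["url"], r["mixed_content"], r["csp_allowed"]))
```

Run on the HTTPS page, the protocol-relative include resolves to `https://connect.facebook.net/...` and passes, the hard-coded `http://` image is both mixed content and blocked by `default-src https:`; run on the HTTP page, the same include resolves to `http://` and the policy blocks it, which is the practical reason the deck moves everything, including the development site, to HTTPS rather than relying on `//` URLs.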
Page 32
HTTP Strict Transport Security (HSTS)
# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Page 33
Local development environment
http://dev.walterebert.de/
->
https://dev.walterebert.de/
Page 36
HSTS
# Apache
Header always set Strict-Transport-Security "max-age=31536000"
# Nginx
add_header Strict-Transport-Security "max-age=31536000";
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Excessively_Strict_STS
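Pages 32 to 36 tell one story: the header was first deployed with `includeSubDomains`, which made the browser force `http://dev.walterebert.de/` onto HTTPS, so the deck falls back to a plain `max-age`. The following script is an added example, not code from the slides or from any browser: it parses `Strict-Transport-Security` values the way RFC 6797 describes and replays the scenario against a minimal model of a browser's HSTS cache. The hostnames come from the slides; the `HstsStore` class and its method names are illustrative assumptions, and the expiry handling is driven by an injectable clock so that `max-age` can be tested.

```python
"""Added example, not from the slides: an RFC 6797 style parser for
Strict-Transport-Security plus a minimal model of a browser's HSTS cache,
used to show why `includeSubDomains` on walterebert.de also forces the
http://dev.walterebert.de development site onto HTTPS. The store and its
method names are illustrative, not any browser's implementation."""
import time
from urllib.parse import urlsplit


def parse_hsts(header):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None when the header must be ignored (max-age missing, duplicated or
    not a number). Directive names are case-insensitive; unknown ones are
    skipped, as the RFC requires."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


class HstsStore:
    """Minimal model of the per-host HSTS cache a browser keeps."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, response_url, header):
        """Record a header from a response. Only honoured when the response
        itself came over HTTPS; max-age=0 evicts an existing entry."""
        parts = urlsplit(response_url)
        if parts.scheme != "https":
            return False  # STS over plain HTTP is ignored by browsers
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._now() + policy["max_age"],
                                 policy["include_subdomains"])
        return True

    def must_use_https(self, host):
        """True if the host itself, or a parent with includeSubDomains,
        has an unexpired entry."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """What the browser would actually request for a typed-in URL."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(parts.hostname):
            return url.replace("http://", "https://", 1)
        return url


if __name__ == "__main__":
    strict = HstsStore()
    strict.observe("https://walterebert.de/", "max-age=31536000; includeSubDomains")
    print(strict.rewrite("http://dev.walterebert.de/"))   # forced to https://

    relaxed = HstsStore()
    relaxed.observe("https://walterebert.de/", "max-age=31536000")
    print(relaxed.rewrite("http://dev.walterebert.de/"))   # stays http://
```

The store also shows the caveat behind the OWASP "Excessively Strict STS" link: once a browser has cached `includeSubDomains` with a one-year `max-age`, serving a relaxed header later does not undo the damage on that browser until the entry expires or the site sends `max-age=0` over HTTPS, which is why the deck's first deployment of the header should already have been the conservative one.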
Page 38
Server Name Indication (SNI)
Multiple domains on one IP address
https://de.wikipedia.org/wiki/Server_Name_Indication
Page 39
https://www.ssllabs.com/ssltest/analyze.html?d=walterebert.de&hideResults=on
Clients without SNI support (from the SSL Labs test):
Android 2.3
Internet Explorer on Windows XP
Page 40
Not only browsers lack SNI support:
Web services
RSS readers
Web crawlers
Monitoring
…
PHP < 5.3.2
Python 2
Java 6
https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniinga
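Pages 38 to 40 explain SNI and the clients that do not send it, but not what is actually on the wire. The following script is an added example, not code from the slides or from any TLS library: it builds a minimal TLS 1.2 ClientHello with or without the `server_name` extension, parses the name back out the way a server (or a passive monitor) would, and picks the virtual host's certificate from it. The cipher-suite list, the all-zero random and the `select_vhost` helper are assumptions for the demo; the hostnames come from the slides.

```python
"""Added example, not from the slides: build a minimal TLS 1.2 ClientHello
with or without the server_name (SNI) extension, extract the name the way a
server or a passive monitor would, and choose the certificate for the
requested virtual host. Cipher suites, random and the vhost table are
constructed for the demo."""
import struct

SNI_EXTENSION = 0x0000
HOST_NAME = 0x00


def build_client_hello(hostname=None, random_bytes=bytes(32)):
    """Return one TLS record carrying a ClientHello; hostname=None omits the
    extensions block entirely, like the legacy clients on the slide."""
    suites = b"\xc0\x2f\xc0\x2b\x00\x9c"            # three common AES-GCM suites
    body = b"\x03\x03" + random_bytes + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # one compression method: null
    if hostname is not None:
        name = hostname.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION, len(server_name_list)) + server_name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _extract_sni(record):
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                             # client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos == len(body):
        return None                                          # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != SNI_EXTENSION:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lpos, lend = 2, 2 + list_len
        while lpos + 3 <= lend:
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == HOST_NAME:
                return name.decode("ascii")
    return None


def extract_sni(record):
    """Server name from a ClientHello record, None when the client sent no
    SNI; ValueError for anything that is not a well-formed ClientHello."""
    try:
        return _extract_sni(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_vhost(record, vhosts, default_cert):
    """Server side of SNI: certificate for the requested name, or the default
    certificate for clients that sent none (they then see a name mismatch
    unless the default certificate happens to cover their host)."""
    name = extract_sni(record)
    if name is None:
        return default_cert
    return vhosts.get(name.lower(), default_cert)


if __name__ == "__main__":
    vhosts = {"walterebert.de": "cert-walterebert", "dev.walterebert.de": "cert-dev"}
    for host in ("walterebert.de", "dev.walterebert.de", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), "->", select_vhost(rec, vhosts, "cert-default"))
```

Two things the bytes make obvious: the name travels in cleartext before any key exchange, so a monitoring box can log which site was requested without decrypting anything, and a client that omits the extension (the `None` case) leaves the server with nothing but the default certificate, which is exactly the failure the Android 2.3 and Windows XP entries on the previous slide describe.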
Page 41
Configuration
How to Deploy HTTPS Correctly
https://www.eff.org/https-everywhere/deploying-https
SSL/TLS Deployment Best Practices
https://www.ssllabs.com/projects/best-practices/
Richtig verschlüsseln mit SSL/TLS (German OWASP guide to correct SSL/TLS configuration, Achim Hoffmann and Torsten Gigler)
https://www.owasp.org/images/1/19/Richtig_verschluesseln_mit_SSL%2BTLS_-_Achim_Hoffmann%2BTorsten_Gigler.pdf
HTTP/2 implementations
https://github.com/http2/http2-spec/wiki/Implementations
Page 45
diff --git a/.htaccess b/.htaccessindex 974999a..f4024c6 100644--- a/.htaccess+++ b/.htaccess@@ -3,7 +3,7 @@ # # Protect files and directories from prying eyes.-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"> <IfModule mod_authz_core.c> Require all denied </IfModule>@@ -93,7 +93,7 @@ AddEncoding gzip svgz # If you do not have mod_rewrite installed, you should remove these # directories from your webroot or otherwise protect them from being # downloaded.- RewriteRule "(^|/)\." - [F]+ RewriteRule "(^|/)\.(?!well-known)" - [F] # If your site can be accessed both with and without the 'www.' prefix, you # can use one of the following settings to redirect users to your preferred
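Review bot: In the FilesMatch hunk, `\.(?!well-known).*` is a prefix test, so every dotfile whose name merely starts with `.well-known` (`.well-known.bak`, `.well-known-old`) is also released from the deny list; anchoring the lookahead as `\.(?!well-known$).*` keeps the carve-out to the one name ACME validation needs. The exemption also opens the whole `.well-known` tree rather than only `acme-challenge`, so a comment next to the pattern saying why the hole exists would stop the next person from "fixing" it back.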
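Review bot: The RewriteRule `(^|/)\.(?!well-known)` has the same prefix problem as the FilesMatch change above: a request for `/.well-known-backup/` or `/.well-knownfoo` is no longer answered with 403. `(^|/)\.(?!well-known(/|$))` limits the exception to that directory name exactly, and the comment block above the rule should mention `.well-known` so the reason for the exception survives the next .htaccess merge.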
https://www.drupal.org/node/2408321
Page 48
$ ls -l /etc/letsencrypt/
total 24
drwx------ 3 root root 4096 Jan 8 12:23 accounts
drwx------ 5 root root 4096 Feb 4 15:14 archive
drwxr-xr-x 2 root root 4096 Feb 4 14:36 csr
drwx------ 2 root root 4096 Feb 4 14:36 keys
drwx------ 6 root root 4096 Feb 4 15:14 live
drwxr-xr-x 2 root root 4096 Feb 4 14:36 renewal

$ sudo ls -l /etc/letsencrypt/live/walterebert.de
total 0
lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert.pem -> ../../archive/walterebert.de/cert1.pem
lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert1.pem -> ../../archive/walterebert.de/cert1.pem
lrwxrwxrwx 1 root root 39 Feb 4 14:59 chain.pem -> ../../archive/walterebert.de/chain1.pem
lrwxrwxrwx 1 root root 43 Feb 4 14:59 fullchain.pem -> ../../archive/walterebert.de/fullchain1.pem
lrwxrwxrwx 1 root root 41 Feb 4 15:00 privkey.pem -> ../../archive/walterebert.de/privkey1.pem
Page 51
Testing
SSL Server Test (Qualys SSL Labs)
https://www.ssllabs.com/ssltest/
SSLyze
https://github.com/nabla-c0d3/sslyze
O-Saft (OWASP)
https://www.owasp.org/index.php/O-Saft
Page 52
walter.ebert.engineering
@wltrd
walterebert.de
slideshare.net/walterebert