Tuesday, January 24 • 4:50pm - 5:40pm
Essential TLS Hardening for Better Web Security


Given the ubiquitous nature of the web, security professionals must do everything they can to hasten the switchover to a TLS-everywhere world. Thankfully, what was previously an expensive and tedious task has become much easier and more economical thanks to automated TLS certificate provisioning. Once certificates are in place, there are a multitude of configuration hardening measures available, each of which performs an important role in providing strong web security.

Attendees of this hands-on talk will walk away with an in-depth understanding of the following topics, along with how they can be put to practical use.

Automated TLS certificate provisioning
======================================

* Let’s Encrypt pros and cons
* authenticator comparison: web root, DNS-01, standalone web server
* automatic TLS certificate renewal via Certbot and cron
* overview of third-party provisioning tools

TLS-related configuration
=========================

* trade-off between better security and backwards-compatibility with older browsers
* protocol and cipher selection based on the above trade-off
* recommended configuration profiles, along with feeds for automated comparison/notification

Content Security Policy (CSP)
=============================

* threat model: cross-site scripting and other code injection attacks
* can have sharp edges, but a useful defensive measure
* tools for drafting, validating, and reporting on content security policies

HTTP Public Key Pinning (HPKP)
==============================

* threat model: compromised or rogue certificate authorities
* potentially hazardous and should be handled with care

Certificate Transparency (CT)
=============================

* threat model: faked/forged certificates, which CT logs help detect
* Chromium will require certificate transparency in October 2017
* Certbot to include “Signed Certificate Timestamps” (SCTs) in the near future

Other topics that will be covered include:

* forward secrecy
* strict transport security (HSTS)
* OCSP stapling
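A small audit of the HSTS and CSP response headers that the CSP section and the list above refer to, as an added example that is not part of the talk or of Monitorial.com. The thresholds it applies (a one-year HSTS max-age, includeSubDomains, no inline or wildcard script sources) are common hardening recommendations assumed here, and the sample headers are constructed:

```python
# Added example (not from the talk): audit a response's HSTS and CSP headers
# for the sharp edges listed above. Thresholds are common recommendations
# (one-year max-age is the preload-list minimum); sample headers are constructed.
ONE_YEAR = 31536000  # seconds

def parse_hsts(value):
    """Strict-Transport-Security -> {directive: value}, names lower-cased."""
    parts = [p.strip().partition("=") for p in value.split(";")]
    return {n.lower(): v.strip() for n, _, v in parts if n}

def parse_csp(value):
    """Content-Security-Policy -> {directive: [source expressions]}."""
    parts = [p.split() for p in value.split(";")]
    return {t[0].lower(): t[1:] for t in parts if t}

def audit_headers(headers):
    """Return findings for the HSTS and CSP headers; [] means none found."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = parse_hsts(hsts)
        if int(d.get("max-age") or 0) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        p = parse_csp(csp)
        # script-src governs scripts; default-src is the fallback when it is absent
        scripts = p.get("script-src", p.get("default-src"))
        if scripts is None:
            findings.append("CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script sources allow inline or wildcard")
    return findings

# Constructed sample headers: a weak configuration and a hardened one.
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'none'; script-src 'self'; img-src 'self'"}
```

Running `audit_headers(WEAK)` reports three findings, while `audit_headers(HARDENED)` returns an empty list.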

Speakers

Justin Mayer

Founder, Monitorial.com
Justin Mayer is the founder of Monitorial.com, a solution for identifying and addressing potential security vulnerabilities. A serial entrepreneur who has designed and built a variety of mobile/web applications, Justin is also an active open-source contributor and has presented talks...

Tuesday January 24, 2017 4:50pm - 5:40pm PST
Garden Terrace Room