Back To Schedule
Tuesday, January 24 • 4:50pm - 5:40pm
Essential TLS Hardening for Better Web Security

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Given the ubiquitous nature of the web, security professionals must do everything they can to hasten the switchover to a TLS-everywhere world. Thankfully, what was previously an expensive and tedious task has become much easier and economical due to automated TLS certificate provisioning. Once certificates are in place, there are a multitude of configuration hardening measures available, each of which perform an important role in providing strong web security.

Attendees of this hands-on talk will walk away with an in-depth understanding of the following topics, along with how they can be put to practical use.

Automated TLS certificate provisioning

* Let’s Encrypt pros and cons
* authenticator comparison: web root, DNS-01, standalone web server
* automatic TLS certificate renewal via Certbot and cron
* overview of third-party provisioning tools

TLS-related configuration

* trade-off between better security and backwards-compatibility with older browsers
* protocol and cipher selection based on above trade-offs
* recommended configuration profiles, along with feeds for automated comparison/notification

Content Security Policy (CSP)

* threat model: cross-site scripting and other code injection attacks
* can have sharp edges, but a useful defensive measure
* tools for drafting, validating, and reporting on content security policies

Public Key Pinning (HPKP)

* threat model: compromised or rogue certificate authorities
* potentially hazardous and should be handled with care

Certificate Transparency (CT)

* threat model: helps detect faked/forged certificates
* Chromium will require certificate transparency in October 2017
* Certbot to include “Signed Certificate Timestamps” (CST) in near future

Other topics that will be covered include:

* forward secrecy
* strict transport security (HSTS)
* OCSP stapling

avatar for Justin  Mayer

Justin Mayer

Founder, Monitorial.com
Justin Mayer is the founder of Monitorial.com, a solution for identifying and addressing potential security vulnerabilities. A serial entrepreneur who has designed and built a variety of mobile/web applications, Justin is also an active open-source contributor and has presented talks... Read More →

Tuesday January 24, 2017 4:50pm - 5:40pm PST
Garden Terrace Room