Back To Schedule
Wednesday, January 25 • 11:30am - 12:20pm
HSTS, TLS, HPKP, CSP: putting them all together to move to HTTPS

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Moving a large website with many user customizations to HTTPS is not easy as it sounds. Migrating to a secure HTTPS platform is even harder. Browser vendors have added many HTTP headers to make HTTPS website safer to use: HSTS, HPKP (Public Key Pinning), CSP (Content Security Policy), etc. In this talk, I will share my experience at Zscaler and Salesforce in moving large and complex websites to HTTPS. I will explain how these headers need to be thoroughly thought out, from the TLS versions and ciphers to support to which certificate to pin. The talk will show how to plan the migration to HTTPS, how to leverage CSP to measure the impact of the update before it happens, and how HSTS, HPKP and CSP can work together to ensure a safer experience for the users.
Participants will learn a methodology to move a complex website to HTTPS, including the role of the different HTTP headers in the planning and execution phases.

avatar for Sun Hwan Kim

Sun Hwan Kim

Senior Member of Technical Staff, Development, Salesforce
Received Bachelor of Science in Computer Science from Carnegie Mellon University in 2013. Previously Interned at Neowiz internet and Ahnlab in South Korea. Now working as a software engineer in Product Defense Team at Salesforce, mainly focusing on building security framework for... Read More →
avatar for Julien Sobrier

Julien Sobrier

Lead Security Product Owner, Salesforce
Julien Sobrier has spent 10+ years in the Security industry, as a Security Researcher at Netscreen/Juniper and Zscaler, then Product Manager at Zscaler and now Product Security Owner at Salesforce. He as co-author Power Security Tools (O'Reilly) and released many browser security... Read More →

Wednesday January 25, 2017 11:30am - 12:20pm PST
Terrace Lounge