This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Wednesday, January 25 • 11:30am - 12:20pm
HSTS, TLS, HPKP, CSP: putting them all together to move to HTTPS

Sign up or log in to save this to your schedule and see who's attending!

Moving a large website with many user customizations to HTTPS is not easy as it sounds. Migrating to a secure HTTPS platform is even harder. Browser vendors have added many HTTP headers to make HTTPS website safer to use: HSTS, HPKP (Public Key Pinning), CSP (Content Security Policy), etc. In this talk, I will share my experience at Zscaler and Salesforce in moving large and complex websites to HTTPS. I will explain how these headers need to be thoroughly thought out, from the TLS versions and ciphers to support to which certificate to pin. The talk will show how to plan the migration to HTTPS, how to leverage CSP to measure the impact of the update before it happens, and how HSTS, HPKP and CSP can work together to ensure a safer experience for the users.
Participants will learn a methodology to move a complex website to HTTPS, including the role of the different HTTP headers in the planning and execution phases.

avatar for Sun Hwan Kim

Sun Hwan Kim

Senior Member of Technical Staff, Development, Salesforce
Received Bachelor of Science in Computer Science from Carnegie Mellon University in 2013. Previously Interned at Neowiz internet and Ahnlab in South Korea. Now working as a software engineer in Product Defense Team at Salesforce, mainly focusing on building security framework for Salesforce application.
avatar for Julien  Sobrier

Julien Sobrier

Lead Security Product Owner, Salesforce
Julien Sobrier has spent 10+ years in the Security industry, as a Security Researcher at Netscreen/Juniper and Zscaler, then Product Manager at Zscaler and now Product Security Owner at Salesforce. He as co-author Power Security Tools (O'Reilly) and released many browser security add-ons (BlackSheep, Zscaler Safe Shopping, Balckhat SEO prevention) including HTTPS Everywhere for Internet Explorer. Julien spoke at OWASP, SOURCE, Les Assises de la... Read More →

Wednesday January 25, 2017 11:30am - 12:20pm
Terrace Lounge

Attendees (16)