Recipes for enabling HTTPS

Session organised at AppSecEU 2013 with Thomas Herlea and Johan Peeters, 22/08/2013

Abstract

Securely enabling HTTPS turns out to be tricky and time consuming. There is the considerable accidental complexity of web application and server configuration. Then there is plenty of advice on which versions of SSL and TLS, which ciphers and which modes to avoid, but precious little on how to do it right. No week seems to pass without something being added to the list of DON'Ts, as attacks continue to grow more sophisticated. In this demo-packed presentation, we do give advice. Even better, we give it in the form of Puppet scripts, ideal for capturing and enforcing best practices across servers. This is the DevOps approach to enabling HTTPS. Participants learn how to set up HTTPS-enabled web servers with Puppet, how to review and adapt existing manifests according to specific needs and prevailing cryptographic advice, and how to incorporate third-party modules. We discuss pain points in the configuration, show how Puppet helps with change management, and demonstrate how to migrate an existing user base via HSTS.
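As an illustration of the kind of manifest the abstract describes, here is an added example (not the session's own Puppet code) that captures three of the points above in one place: a plain-HTTP vhost that only redirects to HTTPS, an HTTPS vhost whose protocol and cipher settings are pinned in version control, and an HSTS header whose max-age is a single parameter so that migrating an existing user base can start with a short lifetime and be raised later by a one-line change. It assumes the third-party puppetlabs-apache module (`apache::vhost` and its `ssl_*`, `headers` and `redirect_dest` parameters); the hostname, document root and certificate paths are placeholders.

```puppet
# Added example: an HTTPS-only site managed with the puppetlabs-apache
# module (assumed installed). All hostnames and paths are placeholders.
class https_site (
  String  $server_name = 'www.example.com',
  String  $docroot     = '/var/www/example',
  String  $cert        = '/etc/ssl/certs/example.pem',
  String  $key         = '/etc/ssl/private/example.key',
  # Rollout knob for HSTS: begin with a short max-age (here 10 minutes)
  # while verifying that every resource is reachable over HTTPS, then
  # raise it (e.g. to 31536000, one year) in a later change. A long
  # max-age that turns out to be wrong cannot be recalled from browsers
  # that have already cached it.
  Integer $hsts_max_age = 600,
) {

  include apache
  include apache::mod::ssl
  include apache::mod::headers

  # Port 80 serves nothing itself: every request is sent to HTTPS, so
  # browsers reach the HSTS header on their first secure visit.
  apache::vhost { "${server_name}-http":
    servername    => $server_name,
    port          => 80,
    docroot       => $docroot,
    redirect_dest => "https://${server_name}/",
  }

  # Cryptographic policy lives here, reviewed like any other code:
  # disable the old protocol versions, prefer forward-secret suites,
  # and let the server's order win over the client's.
  apache::vhost { "${server_name}-https":
    servername          => $server_name,
    port                => 443,
    docroot             => $docroot,
    ssl                 => true,
    ssl_cert            => $cert,
    ssl_key             => $key,
    ssl_protocol        => 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1',
    ssl_cipher          => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384',
    ssl_honorcipherorder => true,
    # "always" ensures the header is also attached to error responses.
    headers             => [
      "always set Strict-Transport-Security \"max-age=${hsts_max_age}; includeSubDomains\"",
    ],
  }
}

# Stage 1 of the migration: short max-age while the site is verified.
class { 'https_site': }
# Stage 2 (later commit): the same class with a one-year lifetime.
# class { 'https_site': hsts_max_age => 31536000 }
```

Because the policy is a parameter of one class, the change from stage 1 to stage 2 is a reviewable diff that Puppet then applies identically to every server in the group, which is the change-management benefit the abstract refers to. The protocol and cipher lists shown are examples chosen by the editor, not a recommendation from the session; whatever the current advice is, it belongs in exactly this spot so that updating it is a single, auditable edit.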