HTTPS + Let's Encrypt

Talk at the Drupal Meetup Frankfurt on 11 February 2016


  1. Google I/O 2014: HTTPS Everywhere
     "Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted. We must protect the security, privacy, and integrity of our users data. In this session we will take a hands-on tour of how to make your websites secure by default: the required technology, configuration and performance best practices, how to migrate your sites to HTTPS and make them user and search friendly, and more. Your users will thank you."
     https://www.youtube.com/watch?v=cBhZ6S0PFCY
  2. SSL 1, SSL 2, SSL 3, SSL 3.1 = TLS 1.0, TLS 1.1, TLS 1.2
     https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_and_Cipher_Configuration
  5. Encryption, identity verification
  8. HTTP(S) <script src="//connect.facebook.net/de_DE/all.js" async></script>
  9. Load times
     http://www.webpagetest.org/result/130616_3E_A0H/1/details/
     https://istlsfastyet.com/
  10. Content Security Policy (CSP)
      # Apache
      Header set Content-Security-Policy "default-src https:"
      # Nginx
      add_header Content-Security-Policy "default-src https:";
      https://www.owasp.org/index.php/Content_Security_Policy
      https://scotthelme.co.uk/csp-cheat-sheet/
  11. HTTP Strict Transport Security (HSTS)
      # Apache
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
      # Nginx
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
      https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
  12. Local development environment: http://dev.walterebert.de/ -> https://dev.walterebert.de/
  13. HSTS
      # Apache
      Header always set Strict-Transport-Security "max-age=31536000"
      # Nginx
      add_header Strict-Transport-Security "max-age=31536000";
      https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Excessively_Strict_STS
  14. Server Name Indication (SNI): several domains on one IP address
      https://de.wikipedia.org/wiki/Server_Name_Indication
  15. https://www.ssllabs.com/ssltest/analyze.html?d=walterebert.de&hideResults=on
      Android 2.3, Internet Explorer on Windows XP
  16. Not only browsers: web services, RSS readers, web crawlers, monitoring ... PHP < 5.3.2, Python 2, Java 6
      https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniinga
  17. Configuration
      How to Deploy HTTPS Correctly: https://www.eff.org/https-everywhere/deploying-https
      SSL/TLS Deployment Best Practices: https://www.ssllabs.com/projects/best-practices/
      Richtig verschlüsseln mit SSL/TLS (Achim Hoffmann, Torsten Gigler): https://www.owasp.org/images/1/19/Richtig_verschluesseln_mit_SSL%2BTLS_-_Achim_Hoffmann%2BTorsten_Gigler.pdf
      HTTP/2 implementations: https://github.com/http2/http2-spec/wiki/Implementations
  18. 18. diff --git a/.htaccess b/.htaccess index 974999a..f4024c6 100644 --- a/.htaccess +++ b/.htaccess @@ -3,7 +3,7 @@ # # Protect files and directories from prying eyes. -<FilesMatch ".(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig| tpl(.php)?|xtmpl|yml)(~|.sw[op]|.bak|.orig|.save)?$|^(..*|Entries.*| Repository|Root|Tag|Template|composer.(json|lock))$| ^#.*#$|.php(~|.sw[op]|.bak|.orig|.save)$"> +<FilesMatch ".(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig| tpl(.php)?|xtmpl|yml)(~|.sw[op]|.bak|.orig|.save)?$|^(.(?!well-known).*| Entries.*|Repository|Root|Tag|Template|composer.(json|lock))$| ^#.*#$|.php(~|.sw[op]|.bak|.orig|.save)$"> <IfModule mod_authz_core.c> Require all denied </IfModule> @@ -93,7 +93,7 @@ AddEncoding gzip svgz # If you do not have mod_rewrite installed, you should remove these # directories from your webroot or otherwise protect them from being # downloaded. - RewriteRule "(^|/)." - [F] + RewriteRule "(^|/).(?!well-known)" - [F] # If your site can be accessed both with and without the 'www.' prefix, you # can use one of the following settings to redirect users to your preferred https://www.drupal.org/node/2408321
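Review bot: in the first hunk (the FilesMatch pattern), the negative lookahead `(?!well-known)` only tests a prefix, so any dotfile whose name merely begins with `well-known` (for example `.well-known.bak` or `.well-known-old`) also drops out of the `Require all denied` block; anchoring it as `(?!well-known$)` exempts only the exact name `.well-known`. FilesMatch is applied to the file name being served rather than to the directory path, so this hunk alone does not make files below `.well-known/` reachable; that is what the RewriteRule hunk does.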
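Review bot: in the second hunk, `RewriteRule "(^|/).(?!well-known)" - [F]` has the same prefix-only lookahead, so path segments such as `/.well-known-backup/` or `/.well-knownfoo` are no longer forbidden either; `(?!well-known(/|$))` limits the exemption to the `.well-known` directory itself. As extracted, the dot is unescaped in both the `-` and the `+` line; if the file really reads that way, `.` matches any character and the rule forbids every request with a non-empty path, so it should be `(^|/)\.(?!well-known(/|$))`.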
  19. $ ls -l /etc/letsencrypt/
      total 24
      drwx------ 3 root root 4096 Jan 8 12:23 accounts
      drwx------ 5 root root 4096 Feb 4 15:14 archive
      drwxr-xr-x 2 root root 4096 Feb 4 14:36 csr
      drwx------ 2 root root 4096 Feb 4 14:36 keys
      drwx------ 6 root root 4096 Feb 4 15:14 live
      drwxr-xr-x 2 root root 4096 Feb 4 14:36 renewal
      $ sudo ls -l /etc/letsencrypt/live/walterebert.de
      total 0
      lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert.pem -> ../../archive/walterebert.de/cert1.pem
      lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert1.pem -> ../../archive/walterebert.de/cert1.pem
      lrwxrwxrwx 1 root root 39 Feb 4 14:59 chain.pem -> ../../archive/walterebert.de/chain1.pem
      lrwxrwxrwx 1 root root 43 Feb 4 14:59 fullchain.pem -> ../../archive/walterebert.de/fullchain1.pem
      lrwxrwxrwx 1 root root 41 Feb 4 15:00 privkey.pem -> ../../archive/walterebert.de/privkey1.pem
  20. Testing
      SSL Server Test (Qualys SSL Labs): https://www.ssllabs.com/ssltest/
      SSLyze: https://github.com/nabla-c0d3/sslyze
      O-Saft (OWASP): https://www.owasp.org/index.php/O-Saft
  21. walter.ebert.engineering, @wltrd, walterebert.de, slideshare.net/walterebert
