@rob_rich

Developing with
HTTPS in Containers

by Rob Richardson

  @rob_rich

https://robrich.org/

About Me

Rob Richardson

Rob Richardson is a software craftsman building web properties in ASP.NET and Node, React and Vue. He's a frequent speaker at conferences, user groups, and community events, and a diligent teacher and student of high quality software development. You can find this and other talks on https://robrich.org/presentations and follow him on twitter at @rob_rich.

Developing with HTTPS in Containers

Agenda

  • Why certificates?
  • What's in a certificate?
  • How does ASP.NET do https "In the box"?
  • How does this work in Docker?
  • What can we do to fix it?
  • You give me 5 stars on Yelp

Why Certificates?

Why Certificates?

Troy Hunt source: seattletimes.com/business/have-you-been-pwned-in-a-data-breach-troy-hunt-can-tell

Why Certificates?

Troy Hunt

Because Troy told me to.

TL;DR: this is a great reason

Why Certificates?

  • Encrypt the message
  • Validate the authenticity of the message

Encrypt the Message: Firesheep

Firesheep

A Firefox extension

Spied on open wifi networks

Stole session cookies

Then log in as them

source: www.darknet.org.uk/2010/10/firesheep-social-network-session-stealinghijacking-tool/

Encrypt the Message: Pineapple

Pineapple

A small wifi device

Listen for authentication requests

Answer "Yes, I'm that wifi"

Then proxy traffic to the real server

source: wifipineapple.com

Encrypt the Message

Certificates let the browser and the web server set up an encrypted tunnel
between the user and the web server

People in the middle
can't read the contents of the message

Man in the Middle

man in the middle

Validate the Authenticity

Browser lock

source: commons.trincoll.edu/security/safebrowsing/

Validate the Authenticity

Broken lock source: blogs.arubanetworks.com/industries/captive-portal-why-do-i-get-those-certificate-warnings/

Validate the Authenticity

Extended Validation source: security.stackexchange.com/a/135578/120677

DEMO: Certificates

  • Browser Certificates
  • Certificate store

Certificates

  • Trust chain
  • Thumbprint
  • Subject (domain and location)
  • Subject Alternative Names
  • Not before (start date)
  • Not after (expiration date)

What can go wrong?

  • Expired certificate
  • Insecure algorithm
  • Untrusted / broken trust chain

https://badssl.com/ is a great sandbox of cert failures
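As an added example that is not part of the talk, a small Python checker that walks the certificate fields listed above and reports the three failure modes (expired, insecure algorithm, untrusted or broken chain) plus a hostname mismatch. The certificate records, thumbprints and trust store are constructed stand-ins, and the code does not verify signatures, which a real validator (the browser, the OS store, OpenSSL) must also do.

```python
# Added example, not from the talk: a simplified checker for the certificate fields
# on the slides and the three failure modes. Records, thumbprints and the trust store
# are constructed (no PEM/DER parsing) and signatures are NOT verified.
from datetime import datetime, timezone

WEAK_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # "insecure algorithm"

def cert(subject, issuer, not_before, not_after,
         algorithm="sha256WithRSAEncryption", sans=()):
    """Constructed certificate record; dates are ISO date strings, taken as UTC."""
    return {"subject": subject, "issuer": issuer, "sans": set(sans), "algorithm": algorithm,
            "not_before": datetime.fromisoformat(not_before).replace(tzinfo=timezone.utc),
            "not_after": datetime.fromisoformat(not_after).replace(tzinfo=timezone.utc),
            "thumbprint": f"thumb:{subject}"}  # stand-in for the real fingerprint

def check_chain(chain, trusted_roots, hostname, now):
    """chain[0] is the leaf; each later entry should be the issuer of the one before.
    trusted_roots maps a root's subject to its thumbprint (the OS / browser store).
    Returns a list of problems; an empty list means the chain is acceptable."""
    problems = []
    leaf = chain[0]
    if hostname != leaf["subject"] and hostname not in leaf["sans"]:
        problems.append(f"hostname {hostname} not in subject or SANs of {leaf['subject']}")
    for c in chain:  # validity window and algorithm apply to every cert in the chain
        if now < c["not_before"]:
            problems.append(f"{c['subject']}: not yet valid")
        if now > c["not_after"]:
            problems.append(f"{c['subject']}: expired")
        if c["algorithm"] in WEAK_ALGORITHMS:
            problems.append(f"{c['subject']}: insecure algorithm {c['algorithm']}")
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            problems.append(f"broken chain: {child['subject']} claims issuer {child['issuer']}")
    top = chain[-1]
    if top["issuer"] == top["subject"]:  # self-signed root sent in the chain: match its
        trusted = trusted_roots.get(top["subject"]) == top["thumbprint"]  # thumbprint, not name
    else:                                # otherwise the issuer must be a root in the store
        trusted = top["issuer"] in trusted_roots
    if not trusted:
        problems.append(f"untrusted chain: no trusted root for {top['subject']}")
    return problems

# Constructed sample data: a site behind an intermediate CA, and a self-signed
# localhost development certificate like the one ASP.NET Core generates.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
TRUSTED_ROOTS = {"Example Root CA": "thumb:Example Root CA"}
SITE_CHAIN = [
    cert("www.example.com", "Example Intermediate CA", "2024-01-01", "2025-01-01",
         sans=["example.com", "www.example.com"]),
    cert("Example Intermediate CA", "Example Root CA", "2020-01-01", "2030-01-01"),
]
DEV_CERT = [cert("localhost", "localhost", "2024-01-01", "2025-01-01")]
```

`check_chain(DEV_CERT, TRUSTED_ROOTS, "localhost", NOW)` reports the dev certificate as untrusted until its thumbprint is added to the store, which is what trusting the ASP.NET Core dev certificate on the host (`dotnet dev-certs https --trust`) does.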

Production Certificates

DEMO: Development Certificates for ASP.NET Core

DEMO: HTTPS and Docker