AppSec Europe 2016 has ended
Thursday, June 30 • 17:05 - 17:50
Calm down, HTTPS is not a VPN


It is 2016. As far as transport layer security is concerned, many bugs were found and squashed during the past two years, which probably makes most tech people feel better.
Especially for the most secured protocol on the internet, HTTP, security features like HSTS, HPKP, preloading and certificate transparency came up, so one could be tempted to think "mission accomplished": confidentiality and integrity issues on the transport layer for HTTP are solved now, albeit the mentioned security features could be used more.

But with respect to privacy there are often misconceptions. One is about the information security values: when HTTPS is a must, for which information security values, and when it is not mandatory. Sometimes there even seems to be a technical misbelief that switching on HTTPS is like a VPN or Tor, not least sponsored by some big players on the internet.

This talk will clear up those fundamental misunderstandings and show how much privacy you really have against prying eyes while using HTTPS.

It will start with basics at the network layer: we look at the TLS encryption, at several browser fingerprints in the TLS handshakes and at current certificate validation strategies. This alone identifies your browser and the site you're connecting to, and often more.
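To make the handshake point concrete, here is an added example (not code from the talk or its author) that builds a sample ClientHello with constructed values and then reads it back the way a passive network monitor would. The server name (SNI), the offered cipher suites, the ALPN protocols and the extension order all travel in cleartext before any encryption starts, so they reveal the destination and, taken together, fingerprint the client software. The host names and the fixed random bytes are constructed sample data; the cipher suite and extension numbers are the IANA-registered values.

```python
"""What a passive observer can read from a TLS ClientHello (added example)."""
import hashlib
import struct

# IANA-registered cipher suite and extension numbers used in the sample.
TLS_AES_128_GCM_SHA256 = 0x1301
ECDHE_RSA_AES128_GCM = 0xC02F
ECDHE_RSA_AES256_GCM = 0xC030
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_ALPN = 0x0000, 0x000A, 0x0010


def build_client_hello(host, suites, alpn=("h2", "http/1.1")):
    """Build a minimal, well-formed ClientHello record (constructed sample data)."""
    host_b = host.encode()
    # server_name_list: list length, name_type host_name (0), name length, name
    sni = struct.pack("!HBH", len(host_b) + 3, 0, len(host_b)) + host_b
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)  # x25519, secp256r1
    alpn_b = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack("!H", len(alpn_b)) + alpn_b
    exts = b"".join(
        struct.pack("!HH", t, len(d)) + d
        for t, d in ((EXT_SERVER_NAME, sni), (EXT_SUPPORTED_GROUPS, groups), (EXT_ALPN, alpn_ext))
    )
    suites_b = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x03" + b"\x11" * 32                        # client_version, fixed random (constructed)
        + b"\x00"                                          # empty session_id
        + struct.pack("!H", len(suites_b)) + suites_b      # cipher_suites
        + b"\x01\x00"                                      # one compression method: null
        + struct.pack("!H", len(exts)) + exts              # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the cleartext metadata an eavesdropper sees: SNI, suites, extensions, ALPN."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    info = {"sni": None, "cipher_suites": suites, "extensions": [], "alpn": []}
    if pos >= len(body):
        return info                                # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        info["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_ALPN:
            p = 2
            while p < len(data):
                n = data[p]
                info["alpn"].append(data[p + 1:p + 1 + n].decode())
                p += 1 + n
    return info


def client_fingerprint(info):
    """Hash of suite list + extension order: a handle on the client software, not the site.
    Same idea as JA3-style fingerprints, simplified here (not the JA3 format)."""
    s = ",".join(map(str, info["cipher_suites"])) + "|" + ",".join(map(str, info["extensions"]))
    return hashlib.sha256(s.encode()).hexdigest()


if __name__ == "__main__":
    rec = build_client_hello("example.test",
                             [TLS_AES_128_GCM_SHA256, ECDHE_RSA_AES128_GCM, ECDHE_RSA_AES256_GCM])
    seen = parse_client_hello(rec)
    print("destination (SNI):", seen["sni"])
    print("ALPN offered:     ", seen["alpn"])
    print("client fingerprint:", client_fingerprint(seen))
```

Running the block prints the destination host and ALPN list straight from the wire, and the same fingerprint for two connections from the same client configuration regardless of which host they go to, which is exactly why the handshake identifies both the browser and the site before a single byte of HTTP is encrypted.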

But what can an adversary tell about the content? 

Real world examples add a couple of bits to this, as nowadays your browser often doesn't connect to a single server. Depending on the site (size, content), the number of clients behind an IP address, browser settings and the browsing behavior of the user(s), more resources are needed to determine what content is being requested by the client. Here the talk will shed some light on how well it is possible, even while using HTTPS, to tell something about the content transferred.


Dirk Wetter

Dirk is an independent security consultant who has more than 18 years of experience in information security, and even more in the world of Unix/Linux. He also has profound networking knowledge from his past. He is engaged in OWASP Germany / Europe and chaired a couple of conferences...

Thursday June 30, 2016 17:05 - 17:50 CEST
Room A (Michelangelo Ballroom Sect. 3)