Given the ubiquitous nature of the web, security professionals must do everything they can to hasten the switchover to a TLS-everywhere world. Thankfully, what was previously an expensive and tedious task has become much easier and more economical thanks to automated TLS certificate provisioning. Once certificates are in place, there is a multitude of configuration hardening measures available, each of which plays an important role in providing strong web security. Attendees of this hands-on talk will walk away with an in-depth understanding of the following topics, along with how they can be put to practical use.

Automated TLS certificate provisioning
======================================

* Let’s Encrypt pros and cons
* authenticator comparison: web root, DNS-01, standalone web server
* automatic TLS certificate renewal via Certbot and cron
* overview of third-party provisioning tools

TLS-related configuration
=========================

* trade-off between better security and backwards compatibility with older browsers
* protocol and cipher selection based on the above trade-off
* recommended configuration profiles, along with feeds for automated comparison/notification

Content Security Policy (CSP)
=============================

* threat model: cross-site scripting and other code injection attacks
* can have sharp edges, but a useful defensive measure
* tools for drafting, validating, and reporting on content security policies

Public Key Pinning (HPKP)
=========================

* threat model: compromised or rogue certificate authorities
* potentially hazardous and should be handled with care

Certificate Transparency (CT)
=============================

* threat model: helps detect faked/forged certificates
* Chromium will require certificate transparency in October 2017
* Certbot to include “Signed Certificate Timestamps” (SCTs) in the near future

Other topics that will be covered include:

* forward secrecy
* strict transport security (HSTS)
* OCSP stapling
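The security-versus-compatibility trade-off in the TLS configuration section, and the forward-secrecy point, as an added example that is not code from the talk. A real deployment expresses these choices in the web server's configuration (nginx ssl_protocols/ssl_ciphers or the Apache equivalents); Python's ssl module is used here only so that the suite list a profile actually enables can be inspected offline. The two profile names, their minimum protocol versions and their OpenSSL cipher strings are this example's own assumptions, not values given in the talk.

```python
"""Show what a TLS protocol/cipher profile actually enables, using Python's ssl module.

Added example, not code from the talk. The profiles below and their cipher strings are
this example's own assumptions; a real server would carry the same choices in its
nginx/Apache configuration rather than in an SSLContext.
"""
import ssl

PROFILES = {
    # Drop TLS 1.0/1.1 and every suite without forward secrecy: ECDHE key exchange,
    # AEAD ciphers only. Clients that cannot speak TLS 1.2 are locked out.
    "modern": {
        "min_version": ssl.TLSVersion.TLSv1_2,
        "ciphers": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5",
    },
    # Keep TLS 1.0 and a few static-RSA CBC suites so very old clients still connect,
    # giving up forward secrecy for those clients. This is the other side of the
    # trade-off and should be a deliberate choice, not the default.
    "compat": {
        "min_version": ssl.TLSVersion.TLSv1,
        "ciphers": "ECDHE+AESGCM:ECDHE+AES:AES128-SHA:AES256-SHA:!aNULL:!MD5",
    },
}


def build_context(profile):
    """Server-side SSLContext configured according to one of the profiles above."""
    cfg = PROFILES[profile]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = cfg["min_version"]
    # set_ciphers() governs TLS <= 1.2 suites only; the TLS 1.3 suites, all of which
    # are forward-secret AEAD suites, stay enabled on builds that support TLS 1.3.
    ctx.set_ciphers(cfg["ciphers"])
    return ctx


def enabled_suites(profile):
    """(name, protocol) for every suite the profile leaves enabled,
    e.g. ('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1.2')."""
    return [(c["name"], c["protocol"]) for c in build_context(profile).get_ciphers()]


def is_forward_secret(suite_name):
    """TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use an ephemeral (EC)DH
    exchange; for TLS 1.2 and below the exchange is spelled out in the suite name
    (ECDHE/DHE are ephemeral, plain RSA or ECDH key transport is not)."""
    return suite_name.startswith("TLS_") or "DHE" in suite_name


def audit(profile):
    """Summarise what a profile exposes: lowest protocol, suite count, whether every
    suite is forward-secret, and which pre-TLS-1.2 protocols remain reachable."""
    suites = enabled_suites(profile)
    return {
        "min_version": build_context(profile).minimum_version.name,
        "suite_count": len(suites),
        "all_forward_secret": all(is_forward_secret(name) for name, _ in suites),
        "legacy_protocols": sorted({p for _, p in suites if p not in ("TLSv1.2", "TLSv1.3")}),
    }


if __name__ == "__main__":
    for name in PROFILES:
        print(name, audit(name))
        for suite, proto in enabled_suites(name):
            print(f"  {proto:8} {suite:32} {'FS' if is_forward_secret(suite) else 'no FS'}")
```

Running the script prints, for each profile, the suites OpenSSL actually expands the cipher string to; that expansion, not the string itself, is what a client sees, which is why the recommended configuration profiles the talk mentions are worth re-checking whenever the server's OpenSSL changes.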
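The CSP, HPKP and HSTS items above, as an added example that is not code from the talk: a small audit of the relevant response headers plus a parser for the violation reports a browser POSTs to a CSP report-uri. The six-month HSTS threshold (taken from the HSTS preload-list guidance), the backup-pin rule (RFC 7469), the list of CSP source expressions treated as unsafe, and every sample header and report are this example's assumptions and constructed data, not statements from the talk.

```python
"""Audit HSTS, Content Security Policy and HPKP response headers.

Added example, not code from the talk. The six-month HSTS threshold follows the
preload-list guidance and the backup-pin rule follows RFC 7469; both are this
example's assumptions, and every sample header and report below is constructed.
"""
import json

SIX_MONTHS = 15552000
# Source expressions in script-src/default-src that give injected script free rein.
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(value):
    """'default-src 'self'; script-src 'self' cdn.example.com' -> {directive: [sources]}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_kv_header(value):
    """'max-age=60; includeSubDomains; pin-sha256="a"; pin-sha256="b"'
    -> {'max-age': '60', 'includesubdomains': True, 'pin-sha256': ['a', 'b']}"""
    result = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if not key:
            continue  # trailing or doubled semicolon
        key, val = key.lower(), (val.strip().strip('"') if sep else True)
        if key in result:  # repeated keys (HPKP pins) collect into a list
            prev = result[key]
            result[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            result[key] = val
    return result


def audit_headers(headers):
    """Return (severity, message) findings for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: once max-age lapses, the next plain-HTTP request can be stripped again.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "no Strict-Transport-Security header"))
    else:
        kv = parse_kv_header(hsts)
        if int(kv.get("max-age", 0)) < SIX_MONTHS:
            findings.append(("medium", f"HSTS max-age {kv.get('max-age', 0)} is below six months"))
        if "includesubdomains" not in kv:
            findings.append(("low", "HSTS does not cover subdomains"))

    # CSP: the sharp edges are sources that quietly disable its XSS protection.
    csp = h.get("content-security-policy") or h.get("content-security-policy-report-only")
    if csp is None:
        findings.append(("high", "no Content-Security-Policy; draft one with the Report-Only header first"))
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append(("medium", "CSP has no default-src fallback"))
        for directive in ("default-src", "script-src"):
            for src in policy.get(directive, []):
                if src in UNSAFE_SOURCES:
                    findings.append(("high", f"CSP {directive} allows {src}"))
        if "report-uri" not in policy and "report-to" not in policy:
            findings.append(("low", "CSP has no report-uri/report-to; violations go unseen"))

    # HPKP: a pin that does not match the served chain locks returning clients out
    # until max-age expires, so a backup pin for an offline key is mandatory.
    hpkp = h.get("public-key-pins")
    if hpkp is not None:
        pins = parse_kv_header(hpkp).get("pin-sha256", [])
        if len(pins if isinstance(pins, list) else [pins]) < 2:
            findings.append(("high", "HPKP lacks a backup pin (RFC 7469 requires at least two)"))
    return findings


def summarize_csp_report(body):
    """Reduce the JSON a browser POSTs to report-uri to what a triage queue needs;
    blocked-uri is a URL for remote resources and 'inline'/'eval' for inline code."""
    r = json.loads(body)["csp-report"]
    return {"page": r.get("document-uri"),
            "directive": r.get("effective-directive") or r.get("violated-directive"),
            "blocked": r.get("blocked-uri")}


# Constructed samples: a weak deployment, a sound one, and a violation report.
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' *; report-uri /csp-report",
    "Public-Key-Pins": 'pin-sha256="onlyOnePinBase64="; max-age=5184000',
}
SAMPLE_STRONG = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'none'; report-uri /csp-report",
}
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/checkout",
    "violated-directive": "script-src 'self'", "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example.net/tracker.js"}})

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(label, audit_headers(sample) or "no findings")
    print(summarize_csp_report(SAMPLE_REPORT))
```

The drafting workflow the CSP section alludes to follows from the audit: ship the candidate policy in Content-Security-Policy-Report-Only with a report-uri, feed the collected reports through summarize_csp_report to find the inline scripts and third-party hosts the policy would break, and only then move it to the enforcing header.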