What s Your HTTPS Grade? A Case Study of HTTPS/SSL at Mid Michigan Community College. Brandon bkish@midmich.edu

Transcription

1 What s Your HTTPS Grade? A Case Study of HTTPS/SSL at Mid Michigan Community College Brandon bkish@midmich.edu

2 About Me Director of Programming Mid Michigan Community College ~4,500 students Former Blackboard Administrator Central Michigan University ~27,000 students Former Moodle Administrator at MMCC I love web bkish@midmich.edu

3 Why HTTPS? When do you look for the lock?

4 Do you want your sensitive data traveling through a series of tubes in plain sight?

5 Man-In-The-Middle Source:

6 Man-In-The-Middle ISPs (injecting ads, tracking cookies/scripts) Verizon/AT&T Gogo Even certain employers & organizations might do this! (Content filters)

7 Usernames and Passwords 1. People re-use passwords 2. Institutions with LDAP likely have multiple systems prompt for passwords

8 What does this have to do with Moodle? Don t let Moodle be your weak link! Enable HTTPS on your login screen Enable HTTPS everywhere*

9 HTTPS But wait! There s more!

10 NOT ALL HTTPS IS EQUAL!

11 NOT ALL HTTPS IS EQUAL! 1. Deprecated Protocols 2. Weak Ciphers 3. Weak Certificates 4. Bugs in Encryption Libraries

12 1. Protocol: SSL vs. TLS SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 A cryptographic protocol by any other name would be as secure? Infosec Shakespeare SSL is dead. Long live SSL*! (Transport Layer Security)

13 Cryptography 101 (A)lice is trying to tell (B)ob a secret, but (E)ve is listening in. A communicating with B with E trying to eavesdrop Alice can use the advertised key from Bob to generate gibberish, and only the private key Bob used to generate the public/advertised certificate can unlock/translate the gibberish.

14 2. Weak Ciphers Cipher = algorithm for producing (and understanding) gibberish ay2varjsfumumtvzeh9755gvyckwhg0 Browser and web server have to use the same cipher If a server accepts weak ciphers, attackers will use those to get in

15 Weak Ciphers (continued) Browser ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 ECDHE-RSA-CHACHA20-POLY1305- SHA DHE-RSA-CHACHA20-POLY1305-SHA ECDHE-ECDSA-AES256-SHA256 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 ECDHE-ECDSA-AES128-SHA128 ECDHE-RSA-AES128-SHA128 DHE-RSA-AES128-SHA128 RSA-AES128-GCM-SHA RSA-AES256-SHA256 RSA-AES128-SHA RSA-3DES-EDE-SHA168 Server ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA d=moodle.midmich.edu

16 1+2 = Downgrade attacks Forcing communication with a weak cipher Forcing communication over an older protocol POODLE (October 2014 variant) affected SSL 3 Every vulnerability gets a fun name!

17 3. Weak Certificates The public key, certificate, and private keys we ve talked about are generated with a particular algorithm Google Online Security Blog: The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper. Officially deprecated in 2011, but many certificate providers continued to issue certificates with this algorithm. SHA-2/SHA-256 is now preferred. Chrome is especially good about warning users about this now

18 4. Bugs in Encryption Libraries The previous problems were all about the design of the security we use Implementations of SSL/TLS are a whole source of vulnerabilities in their own right! OpenSSL is used in everything from Apache to card entry doors :) Heartbleed OpenSSL vulnerability in April 2014

19 NOT ALL HTTPS IS EQUAL! 1. Deprecated Protocols 2. Weak Ciphers 3. Weak Certificates 4. Bugs in Encryption Libraries

20 What does this mean for my institution? Case Study: Mid Michigan Community College November 2014 March 2015

21 Our Web Sites midmich.edu www. midmich.edu Expires 12/2015 $ Wildcard certificate for lower cost than many separate certificates moodle. midmich.edu Expires 12/2016 $ midweb. midmich.edu Expires 8/2015 $ One expiration date for this one wildcard certificate print. midmich.edu *. midmich.edu Expires 12/2015 $$$

22 Our Web Servers midmich.edu www. midmich.edu Apache moodle. midmich.edu nginx midweb. midmich.edu Tomcat print. midmich.edu IIS

23 Wildcard Cert Realities Different servers expect different formats for certificate and/or private key p12, pfx, p7b, pem, der, oh my! Missing certain chained certificates (I m looking at you Tomcat) causes mobile browsers to fail to connect

24 TL;DR #1 Wikipedia: Too long; didn t read Managing our certificates was a nightmare we tried to limit to once every four years.

25 Qualsys SSL Labs

26

27

28

29 Our Grades midmich.edu www. midmich.edu C/F POODLE, DH, FREAK moodle. midmich.edu B SSL 3 midweb. midmich.edu F POODLE, Bad chain print. midmich.edu No SSL! No SSL!

30 TL;DR #2 Our web servers had inconsistent and insecure configurations. (And we re only as strong as weakest link.)

31 Option 1 Update each web server individually Tomcat: Edit server.xml sslprotocol="tls" sslenabledprotocols= TLSv1.2,TLSv1.1,TLSv1" ciphers="tls_ecdhe_rsa_with_aes_128_cbc_sha256,tl S_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WI TH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_ CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WI TH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SH A,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AE S_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

32 Option 1 Update each web server individually Apache: Edit ssl mod s ssl.conf file SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM \ EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 \ EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4!aNULL!eNULL!LOW \!3DES!MD5!EXP!PSK!SRP!DSS"

33 Option 1 Update each web server individually IIS: Powershell?

34 Option 2 Load balancer(s) in front of all our web systems nginx was already doing this for our Moodle app servers: See Matt Rice s A Balanced Approach: How to Direct Your Moodle Traffic I had used F5 appliances at another institution HAProxy has had great SSL support in recent years

35 Option 2, Visualized

36 global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1ssl). ssl-default-bind-ciphers keecdh+arsa+aes:krsa+aes:+aes256:arsa+3des:!rc4-sha:!kedh:!low:!exp:!md5:!anull:!enull ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option log-separate-errors balance roundrobin option dontlognull timeout connect 5000 timeout client timeout server # Separate error logs from access logs errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend load_balancers ## Binding to both test (192.) and production (67.) IP addresses #HTTP bind :80 bind :80 #HTTPS bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem ######################## Sample HAProxy configuration for MMCC ## Moodle ############# acl dest_moodle_prod hdr(host) -i moodle.midmich.edu use_backend moodle_prod_nodes ######################## if dest_moodle_prod backend moodle_prod_nodes option forwardfor option http-server-close http-request set-header X-Forwarded-Port %[dst_port] http-request set-header X-Forwarded-Proto https if { ssl_fc } option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ # Redirect all traffic to HTTPS redirect scheme https if!{ ssl_fc } # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server cookie MAPPSERVER indirect nocache preserve server mapp1 server mapp2 server mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp3 backup

37 global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1ssl). ssl-default-bind-ciphers keecdh+arsa+aes:krsa+aes:+aes256:arsa+3des:!rc4-sha:!kedh:!low:!exp:!md5:!anull:!enull ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option log-separate-errors balance roundrobin option dontlognull timeout connect 5000 timeout client timeout server # Separate error logs from access logs Configure allowed ciphers and bind ports to certificate errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend load_balancers ## Binding to both test (192.) and production (67.) IP addresses #HTTP bind :80 bind :80 #HTTPS bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem ######################## ## Moodle ############# acl dest_moodle_prod hdr(host) -i moodle.midmich.edu use_backend moodle_prod_nodes ######################## if dest_moodle_prod backend moodle_prod_nodes option forwardfor option http-server-close http-request set-header X-Forwarded-Port %[dst_port] http-request set-header X-Forwarded-Proto https if { ssl_fc } option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ # Redirect all traffic to HTTPS redirect scheme https if!{ ssl_fc } # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server cookie MAPPSERVER indirect nocache preserve server mapp1 server mapp2 server mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp3 backup

38 global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1ssl). ssl-default-bind-ciphers keecdh+arsa+aes:krsa+aes:+aes256:arsa+3des:!rc4-sha:!kedh:!low:!exp:!md5:!anull:!enull ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option log-separate-errors balance roundrobin option dontlognull timeout connect 5000 timeout client timeout server # Separate error logs from access logs errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend load_balancers ## Binding to both test (192.) and production (67.) IP addresses #HTTP bind :80 bind :80 #HTTPS bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem ######################## ## Moodle ############# acl dest_moodle_prod hdr(host) -i moodle.midmich.edu Connect traffic received on the front end to various backends via ACLs use_backend moodle_prod_nodes ######################## if dest_moodle_prod backend moodle_prod_nodes option forwardfor option http-server-close http-request set-header X-Forwarded-Port %[dst_port] http-request set-header X-Forwarded-Proto https if { ssl_fc } option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ # Redirect all traffic to HTTPS redirect scheme https if!{ ssl_fc } # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server cookie MAPPSERVER indirect nocache preserve server mapp1 server mapp2 server mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp3 backup

39 global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1ssl). ssl-default-bind-ciphers keecdh+arsa+aes:krsa+aes:+aes256:arsa+3des:!rc4-sha:!kedh:!low:!exp:!md5:!anull:!enull ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option log-separate-errors balance roundrobin option dontlognull timeout connect 5000 timeout client timeout server # Separate error logs from access logs errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend load_balancers ## Binding to both test (192.) and production (67.) IP addresses #HTTP bind :80 bind :80 #HTTPS bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem ######################## ## Moodle ############# acl dest_moodle_prod use_backend moodle_prod_nodes ######################## hdr(host) -i moodle.midmich.edu if dest_moodle_prod backend moodle_prod_nodes option forwardfor option http-server-close http-request set-header X-Forwarded-Port %[dst_port] http-request set-header X-Forwarded-Proto https if { ssl_fc } option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ Inject headers so Moodle servers will know traffic was forwarded # Redirect all traffic to HTTPS redirect scheme https if!{ ssl_fc } # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server cookie MAPPSERVER indirect nocache preserve server mapp1 server mapp2 server mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp3 backup

40 global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1ssl). ssl-default-bind-ciphers keecdh+arsa+aes:krsa+aes:+aes256:arsa+3des:!rc4-sha:!kedh:!low:!exp:!md5:!anull:!enull ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option log-separate-errors balance roundrobin option dontlognull timeout connect 5000 timeout client timeout server # Separate error logs from access logs errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend load_balancers ## Binding to both test (192.) and production (67.) IP addresses #HTTP bind :80 bind :80 #HTTPS bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem ######################## ## Moodle ############# acl dest_moodle_prod use_backend moodle_prod_nodes ######################## hdr(host) -i moodle.midmich.edu if dest_moodle_prod backend moodle_prod_nodes option forwardfor option http-server-close http-request set-header X-Forwarded-Port %[dst_port] http-request set-header X-Forwarded-Proto https if { ssl_fc } option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ # Redirect all traffic to HTTPS redirect scheme https if!{ ssl_fc } # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server cookie MAPPSERVER indirect nocache preserve server mapp1 server mapp2 server mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp3 backup Define a health check to determine whether servers in the pool are online!

41 global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1ssl). ssl-default-bind-ciphers keecdh+arsa+aes:krsa+aes:+aes256:arsa+3des:!rc4-sha:!kedh:!low:!exp:!md5:!anull:!enull ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option log-separate-errors balance roundrobin option dontlognull timeout connect 5000 timeout client timeout server # Separate error logs from access logs errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend load_balancers ## Binding to both test (192.) and production (67.) IP addresses #HTTP bind :80 bind :80 #HTTPS bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem ######################## ## Moodle ############# acl dest_moodle_prod use_backend moodle_prod_nodes ######################## hdr(host) -i moodle.midmich.edu if dest_moodle_prod backend moodle_prod_nodes option forwardfor option http-server-close http-request set-header X-Forwarded-Port %[dst_port] http-request set-header X-Forwarded-Proto https if { ssl_fc } option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ # Redirect all traffic to HTTPS redirect scheme https if!{ ssl_fc } We forward all traffic to https at the load balancer level! # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server cookie MAPPSERVER indirect nocache preserve server mapp1 server mapp2 server mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp3 backup

42 global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1ssl). ssl-default-bind-ciphers keecdh+arsa+aes:krsa+aes:+aes256:arsa+3des:!rc4-sha:!kedh:!low:!exp:!md5:!anull:!enull ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option log-separate-errors balance roundrobin option dontlognull timeout connect 5000 timeout client timeout server # Separate error logs from access logs errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend load_balancers ## Binding to both test (192.) and production (67.) IP addresses #HTTP bind :80 bind :80 #HTTPS bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem bind :443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem ######################## ## Moodle ############# acl dest_moodle_prod use_backend moodle_prod_nodes ######################## hdr(host) -i moodle.midmich.edu if dest_moodle_prod backend moodle_prod_nodes option forwardfor option http-server-close http-request set-header X-Forwarded-Port %[dst_port] http-request set-header X-Forwarded-Proto https if { ssl_fc } option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ # Redirect all traffic to HTTPS redirect scheme https if!{ ssl_fc } List the servers in the pool we keep our worker server as a backup # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server cookie MAPPSERVER indirect nocache preserve server mapp1 server mapp2 server mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp :80 check inter 2000 cookie mapp3 backup

43 Advantages TL;DR #2 New vulnerabilities and cipher preferences can be managed for all web systems by tweaking our HAProxy configuration TL;DR #1 We can renew or update our wildcard certificate in one location now we re more likely to revoke and reissue!

44 More Advantages (for MMCC) Two production HAProxy VMs share an IP address When a particular web site goes down, we can put up a standard error page with our help desk info (and possibly a system status page!) Configuring HTTPS for new web systems is much easier copy & paste from sections of the configuration file! We can have test load balancers just change host file on local computer to use our test HAProxy server s configuration We were able to launch a CMS at the same URL and keep the old one running!

45 Making the Case for HTTPS Everywhere

46 FAQs Why encrypt regular content? https.cio.gov/everything Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators. Google is giving preference to HTTPS content. Apple emphasizing in ios 9. Doesn t encrypting all requests make them slower? istlsfastyet.com TLS has exactly one performance problem: it is not used widely enough. The Changelog #161: HTTP/2 (formerly SPDY) only supported over TLS by major browsers. Certificates are expensive! letsencrypt.org EFF launching in September 2015

47 Letting go of IE 6

48 Letting go of IE 6 Download IE 6 VM from Modern.IE and see how much of the web has moved on!

49 Embedding Challenges

50 Embedding Challenges

51 Embedding Challenges Step 1: Try changing http https in the URL Step 2: Provide link to original video

52 1. Continue looking for the lock Takeaways 2. Enable HTTPS for all login screens 3. Play around the Qualsys SSL labs tool ssllabs.com/ssltest How are your web sites? How is your bank s site? Other sites you frequent? 4. Start moving to HTTPS everywhere! Holistically consider how you manage your certificates and web server configurations Centralize web services behind appliances or open source load balancers Practice reissuing certificates