presentation at BSides San Francisco, Feb 24 2013. corresponding video available @ https://www.brighttalk.com/webcast/7651/69207

1. SSL++
Tales of Transport-Layer Security at Twitter
@jimio | #BSidesSF

2. CRIME

3. BEAST

5. HTTP

25. 100% Certified SSL

27. <img src="http://twitter.com"/>

28. secure;

30. sslstrip

32. 301

33. #!

34. #!/jimio
twitter.com/

35. #!/jimio
twitter.com/

37. DISCLAIMER

38. DISCLAIMER
we did this.

39. DISCLAIMER
we did this.
you can too.

40. Hello!

41. twitter
Hello!

42. twitter

43. twitter

44. twitter

46. http://twitter.com

47. https://twitter.com
http://twitter.com

48. http://twitter.ie
https://twitter.com
http://twitter.com

49. http://twitter.ie
https://twitter.com
http://twitter.com
http://www.w3.org
http://wtf.ru
http://twitter.uz

50. <link rel="canonical" href="https://twitter.com/">

51. %2F

52. /

55. <-HTTPS

56. Hello!

57. twitter.com
Hello!

58. HTTP...

59. but wait!!

62. HSTS

63. HSTS

64. HTTP=>HTTPS 300s
0

65. HTTP=>HTTPS 300s
0

66. includeSubdomains

67. include$ubdomains

68. CSP

69. CSP

70. < X-WebKit-CSP-Report-Only: default-src https:
data: chrome-extension: 'unsafe-inline'
'unsafe-eval'; report-uri https://twitter.com/
scribes/csp_report; frame-src https://* about:
javascript: chrome-extension:
< X-Content-Security-Policy-Report-Only:
options eval-script inline-script; report-uri
https://twitter.com/scribes/csp_report; allow
https://* data: ; frame-src https://* about:
javascript:

71. < X-WebKit-CSP-Report-Only: default-src https:
data: chrome-extension: 'unsafe-inline'
'unsafe-eval'; report-uri https://twitter.com/
scribes/csp_report; frame-src https://* about:
javascript: chrome-extension:
< X-Content-Security-Policy-Report-Only:
options eval-script inline-script; report-uri
https://twitter.com/scribes/csp_report; allow
https://* data: ; frame-src https://* about:
javascript:

72. < X-WebKit-CSP-Report-Only: default-src https:
data: chrome-extension: 'unsafe-inline'
'unsafe-eval'; report-uri https://twitter.com/
scribes/csp_report; frame-src https://* about:
javascript: chrome-extension:
< X-Content-Security-Policy-Report-Only:
options eval-script inline-script; report-uri
https://twitter.com/scribes/csp_report; allow
https://* data: ; frame-src https://* about:
javascript:

73. < X-WebKit-CSP-Report-Only: default-src https:
data: chrome-extension: 'unsafe-inline'
'unsafe-eval'; report-uri https://twitter.com/
scribes/csp_report; frame-src https://* about:
javascript: chrome-extension:
< X-Content-Security-Policy-Report-Only:
options eval-script inline-script; report-uri
https://twitter.com/scribes/csp_report; allow
https://* data: ; frame-src https://* about:
javascript:

74. secureheaders

75. secureheaders
Strict-Transport-Security
Content-Security-Policy
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options

76. SSL

80. 1. OS:
validate revocation, expiration
2. App:
check against local bundle
3. Party on

87. https://twitter.com/jobs
https://t.co/h4x0r
#jointheflock
@jimio