TLS and HTTPS Options in Microsoft IIS

Hussein Nasser · Beginner ·🔧 Backend Engineering ·4y ago

Key Takeaways

Discusses HTTPS/TLS binding options in Microsoft IIS

Full Transcript

Microsoft Internet Information Services has introduced a bunch of new features in its HTTPS/TLS offerings, and I missed some of these features when I made that video on IIS a few months back; I guess I had an outdated version of Windows when I made that video. Nevertheless, it's worth talking about these beautiful new options that are exposed in the UI and explaining why they even exist, because some of them really don't make sense to exist. It's like making your system slow and insecure on purpose. But the more I think about it, there is a reason for that, and this is what I'm going to discuss in this episode of the Backend Engineering Show. Let's jump in.

Welcome to the Backend Engineering Show with your host, Hussein Nasser. So these are the site bindings. You enable this option when you have enabled TLS, or HTTPS, on your website, and the moment you enable a secure connection you obviously need to enable a bunch of other things. One of the most important ones is that you need to have a certificate. I made a video about certificates very recently, talking about the details of why certificates exist and the technicality behind them; check out that video if you're interested to learn more about it.

Let's start with the first option: Require Server Name Indication. This option is an extension that forces the client to include the host name it is trying to connect to in the TLS Client Hello. When you establish a TCP connection you only have the IP address (given that you obviously did a DNS lookup before that, but you lost that fact; you are now communicating with the IP address). When you only communicate with the IP address you lose that context: the server doesn't know which domain you intentionally wanted to connect to. You might say an IP address is equal to a domain. No, no, no: you can have many domains that point to the same IP address. This is how shared web hosting works. So the TLS extension here, if you check the Require Server Name Indication option, forces the client to include the domain name it wants to connect to in the TLS Client Hello. This way we now know which domain you want, because I can have an IP 1.2.3.4 but host husseinnasser.com, adamnasser.com, whatever.com; I can have many, many domains pointing to the same IP address with completely different content, because each one will be served a different certificate, even a different folder directory, different everything, because the reverse proxy will just point you to the right location based on the domain. And how do you get this context? In the TLS Client Hello, using Server Name Indication. So this option is where you force the client to include that Server Name Indication, so older clients that don't understand SNI will basically fail to connect. Because if you don't include it, and your IIS web server has multiple shared websites on the same IP address, which is the most economical thing you can do, then those clients will get really weird errors. We want them to fail, so that, hey, you're just really an old TLS client, effectively. And how do you upgrade your TLS client? You get an updated OpenSSL or LibreSSL or whatever SSL library you're using. This is deep down: if you're using Python or Go, those are using a TLS library; they must have one in order to make these connections. Just figure out what library you are using to do that, and most of the time it is really inherited from the operating system; they just call into the OS and whatever library exists, it will just pull it up. So yeah, that's the first one.

The second option is Disable TLS 1.3 over TCP. Notice that all of these options are always a negative, which is the worst thing ever, in my opinion. To build a UX with a checkbox that indicates a negative is the most confusing thing you can build in a user experience, because I built something like that; I remember exactly regretting the fact that I used a negative like that, and it just confuses things when you want to talk about it: "Did you disable QUIC? Is your Disable QUIC option checked? Is your Disable QUIC option enabled?" It just becomes so confusing to talk about. It's like, "Have you enabled the Disable TLS 1.3 over TCP?" Whoa. Yeah, bad idea, bad user experience. I don't know if they have figured this out, but this is really bad; I just don't like this at all. Regardless, this is what we have, so let's talk through them.

So the option is Disable TLS 1.3 over TCP, and the very critical words here are "over TCP", because they want to differentiate between TLS 1.3 over TCP, which is mostly HTTP/2 and HTTP/1, and HTTP/3, which is not on top of TCP; it's on top of QUIC, and that also uses TLS 1.3. So you can disable TLS 1.3 over TCP but keep QUIC enabled, for some reason. You might say, I'm saying, why are we disabling TLS 1.3? TLS 1.3 is the best option, because first of all it's faster and more secure. Faster in the sense that it's one round trip instead of two, compared to TLS 1.2. And it's more secure because it uses the latest and greatest ciphers; it deprecates RSA key exchange algorithms and anything that does not provide perfect forward secrecy, and just has the latest and greatest stuff, and it's being improved and improved and improved. Even recently they are working on something called Encrypted Client Hello, so even the initial TLS Client Hello is almost completely encrypted. Why would you ever disable that? Hmm. Thinking through this slightly, I thought maybe the administrator who's hosting IIS doesn't want everything encrypted; they want to snoop on their users. In combination with Require Server Name Indication you can actually snoop on people, but only if you disable TLS 1.3, because if you enable TLS 1.3 and the client is so advanced that it does an Encrypted Client Hello, you're out of luck; you can never know what the user is actually connected to, so you don't know which domain they want to go to.

The second option, or the third, I guess, is Disable Legacy TLS. They called it legacy; I think they're referring to TLS 1.1 and TLS 1.0 and SSL 3 and anything that is basically old. They didn't want to list everything, so they just say, okay, let's disable all the legacy TLS. This is a good thing, and I'm surprised that this is not enabled by default. That's the confusing part: I'm surprised that these are not disabled by default, and I'm also surprised that this option is not enabled by default. Does that make sense? It's just so confusing talking through these double-negative things. So yeah, disabling legacy TLS. The only reason I can think of why IIS doesn't disable legacy TLS by default is that older clients still use TLS 1.1 and TLS 1.0 and still want to connect to some IIS endpoints, and you want this option to support backward compatibility. That's the only reason I can think of. But effectively, if you want to build a good, secure website, this has to be checked; you need to disable legacy TLS to get a good score on the TLS scoring websites.

Let's go to Disable OCSP Stapling. I talked about that in my certificate video. OCSP stands for Online Certificate Status Protocol, and the only reason I can think of why you would want to disable stapling is to minimize the overhead that the backend, which is IIS, is doing. If you have OCSP stapling, then the backend, which is IIS, needs to phone into some sort of OCSP server to prove that its certificate has not been revoked. That needs, first, an internet connection, and second, it requires more work on your end, because you're consuming your bandwidth, you're consuming CPU, you're consuming precious memory and resources on the backend to do these intervals of OCSP phoning home to prove that your certificate hasn't been revoked. So it's extra work; you can disable this, and I think you can disable it safely if your certificate is a very short-lived certificate. If you're using Let's Encrypt, for example, or Cloudflare's two-week certificates, and you have all your certificate management automated, I think you can safely disable that, in my opinion. But if you have long certificates, like two years, which I think browsers start to give warnings on connecting to, then I think you have to have this option enabled, just to prove that your certificate hasn't been stolen; when I say stolen, I mean that your private key hasn't been stolen, effectively.

Disable QUIC. Why would you ever want to disable QUIC? This tells us first that IIS supports QUIC by default, which is beautiful, which means it supports QUIC and HTTP/3 and anything above that. This is good, which also means that you have TLS 1.3 for free and connection management for free in a single beautiful handshake, and obviously this whole thing is done through UDP. This is good stuff; this is fast, more secure, obviously the latest and greatest technology. You might want to disable it if, again, the admin wants to look through the content, and QUIC prevents you from looking into anything. I believe QUIC even encrypts the sequence number in the QUIC connection, so you cannot even see those, which is a pretty cool thing if you think about it. TCP, on the other hand: those sequence numbers, those window sizes, the congestion windows and other bits are all there in the open. Anyone in the middle can actually read them, and your router effectively keeps track of these connections; it keeps a running account of all the connections and the sequence numbers so that it can just disconnect you any time it wants. So yeah, disabling QUIC: if you want, you can disable it, but to be honest I can't think of a reason why you would disable it, other than that you really want to force users through a path to use the backward-compatible way. Maybe, I guess, it's not a bad idea to have this fine-level control, because QUIC, and for that matter HTTP/2, is a CPU hog; both are CPU hungry. That's the other option we're going to come to, Disable HTTP/2. Let's actually lump them together: Disable QUIC and Disable HTTP/2. They give you the option to disable them because they have some sort of side effect, and the side effect is this leaky abstraction: yeah, we give you all this beautiful security, one handshake, and of course HTTP/2 will give you multiplexing; QUIC also gives you multiplexing, but it's a more general layer-4 protocol. But it's expensive, because each packet has to be inspected and the segments have to be combined so they can be inspected for the stream IDs, and now the application or the operating system needs to group similar streams together in its own logical segments. This grouping and discarding of things and waiting, and congestion control based on each stream, is expensive, because with all of this you're shoveling through packets. With HTTP/1 you don't have to do any of this; whatever you receive, what you see is what you get. Any packet that you see is just decrypted, if you're using TLS, and then consumed immediately; you just buffer, buffer, buffer, and that's an HTTP request. There are no headers; when I say headers, I mean no protocol headers. Yes, there are HTTP headers, which to me are just part of the content. But with HTTP/2 there are headers at the protocol level; the protocol has its own system headers, that's the right word, which is an overhead. So you have to look through this header, which has the stream ID, which has the congestion control for HTTP/2. So much work for both QUIC and HTTP/2, and the community behind QUIC is working on reducing the CPU usage more and more. So IIS gives you an option, which I don't think is wrong; I take my word back. As I think more about it, it just gives you an option: hey, disable it if you think your CPU is shooting up high; enable it if you have a scalable, vertical, badass machine, but watch out for your CPU when you have these two enabled. So I think it's a good idea to have these options, so the admin has a configurable way to disable those if they want to manage their resources.

And finally, the SSL certificate option. We know this is required: hey, you need to authenticate yourself, who are you? I believe when you require Server Name Indication there's another window that says which host name corresponds to which certificate; this is not in this window, it's probably another window. So you can effectively say, okay, like in my domain: I have backend.husseinnasser.com, that's a certificate by itself; I have database.husseinnasser.com, which points to my Udemy course (get that course); and I have nginx.husseinnasser.com, that's a completely different certificate. Each one of them is a different certificate, so I'm using Let's Encrypt for that, and for the backend I'm using Netlify; my domains are just aliased to Netlify. So that's what I'm doing, and it's the same thing here. And how does this work? You need SNI for this to work, so that the backend, in this case Netlify, knows what certificate to serve back to the client and, as a result, establishes the connection successfully.

All right guys, let's end it here. This was an overview of all the options in the HTTPS binding in IIS, and I think you can agree that these really have nothing to do with IIS; these options must, I think, exist, most of them at least, in any reverse proxy, in any web server. In my opinion, these fine-level controls are what backend engineers really require and need. All right, I'm going to see you on the next one. You guys stay awesome. Goodbye.
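The Require SNI, Disable Legacy TLS and Disable TLS 1.3 over TCP decisions described above, as an added Python example (not code from the video or from IIS): it constructs a minimal TLS ClientHello, pulls the SNI host name and the offered versions out of it, and applies flags modelled on those three binding options. The flag names, the sample host names and the accept/reject logic are assumptions for illustration, not IIS internals.

```python
"""Pull the SNI host name and offered TLS versions out of a TLS ClientHello
and apply IIS-style binding flags to them (added example, not IIS code)."""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY = {0x0300, 0x0301, 0x0302}          # what "Disable Legacy TLS" rejects
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


def build_client_hello(host=None, versions=(0x0304, 0x0303)):
    """Construct a minimal ClientHello record (sample input, not a capture)."""
    exts = b""
    if host is not None:                    # server_name extension (RFC 6066)
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SNI, len(body)) + body
    if versions:                            # supported_versions (RFC 8446)
        vs = b"".join(struct.pack("!H", v) for v in versions)
        body = bytes([len(vs)]) + vs
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", 0x0303) + bytes(32)   # legacy_version, random
             + b"\x00"                               # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
             + b"\x01\x00"                           # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': host or None, 'versions': [wire codes]} for a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                   # record header (5) + handshake header (4)
    legacy_version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                             # legacy_version + random
    p += 1 + record[p]                      # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                      # compression_methods
    # Without supported_versions, legacy_version is the highest offered version.
    sni, versions = None, [legacy_version]
    if p + 2 <= len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            data = record[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == EXT_SNI and len(data) >= 5 and data[2] == 0:
                nlen = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + nlen].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS and data:
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
    return {"sni": sni, "versions": versions}


def binding_decision(record, require_sni=True, disable_legacy_tls=True,
                     disable_tls13_over_tcp=False):
    """Model how a binding with these (assumed) flags would treat the hello."""
    info = parse_client_hello(record)
    if require_sni and info["sni"] is None:
        return "reject: no SNI in ClientHello"
    offered = set(info["versions"])
    if disable_legacy_tls:
        offered -= LEGACY
    if disable_tls13_over_tcp:              # TLS 1.3 stays available over QUIC only
        offered.discard(0x0304)
    if not offered:
        return "reject: no mutually enabled TLS version"
    return f"accept: {info['sni'] or '(no SNI)'} via {TLS_VERSIONS[max(offered)]}"
```

Feeding a real capture's first record to `parse_client_hello` shows the same two facts a shared-hosting binding keys on: whether the client named a host, and whether anything it offers survives the legacy and TLS 1.3 switches.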

Original Description

In this episode of the backend engineering show, I'll discuss all HTTPS/TLS binding options in Microsoft IIS and also explain why every web server and reverse proxy should have some of these fine-level controls.

Chapters
0:00 Intro
1:00 Require Server Name Indication (SNI)
5:00 Disable TLS 1.3 Over TCP
8:30 Disable Legacy TLS
10:00 Disable OCSP Stapling
12:00 Disable QUIC
14:30 Disable HTTP/2
17:30 Certificate

Get my database course https://database.husseinnasser.com
Get my NGINX course https://nginx.husseinnasser.com
Get my Python on the Backend course https://python.husseinnasser.com
Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join
🔥 Members Only Content https://www.youtube.com/playlist?list=UUMO_ML5xP23TOWKUcc-oAE_Eg
Support my work on PayPal https://bit.ly/33ENps4
🧑‍🏫 Courses I Teach https://husseinnasser.com/courses
🏭 Backend Engineering Videos in Order https://backend.husseinnasser.com
💾 Database Engineering Videos https://www.youtube.com/playlist?list=PLQnljOFTspQXjD0HOzN7P2tgzu7scWpl2
🎙️ Listen to the Backend Engineering Podcast https://husseinnasser.com/podcast

Gears and tools used on the Channel (affiliates)
🖼️ Slides and Thumbnail Design: Canva https://partner.canva.com/c/2766475/647168/10068
🎙️ Mic Gear: Shure SM7B Cardioid Dynamic Microphone https://amzn.to/3o1NiBi, Cloudlifter https://amzn.to/2RAeyLo, XLR cables https://amzn.to/3tvMJRu, Focusrite Audio Interface https://amzn.to/3f2vjGY
📷 Camera Gear: Canon M50 Mark II https://amzn.to/3o2ed0c, Micro HDMI to HDMI https://amzn.to/3uwCxK3, Video capture card https://amzn.to/3f34pyD, AC Wall for constant power https://amzn.to/3eueoxP

Stay Awesome, Hussein

Chapters (8)

Intro
1:00 Require Server Name Indication (SNI)
5:00 Disable TLS 1.3 Over TCP
8:30 Disable Legacy TLS
10:00 Disable OCSP Stapling
12:00 Disable QUIC
14:30 Disable HTTP/2
17:30 Certificate