HOPE X (2014): "SSL++: Tales of Transport-Layer Security at Twitter"
Friday, July 18, 2014: 8:00 pm (Manning)

You've enabled HTTPS on your site. Now what? How do you protect against sslstrip attacks, CA compromise, and the dangers of mixed content? @jimio will share some approaches they've taken @twitter: Strict-Transport-Security, "secure SEO" with canonical link elements, Content Security Policy, and certificate pinning. There will be code, exploits, and open source! There will be a few fun stories to share as well, and since this is an SSL talk, you know there's gonna be Heartbleed.