Daniel Stenberg presented on TLS and curl. He discussed curl and its TLS support, libcurl which powers curl, TLS obstacles, the CA cert bundle, no end in sight for improving TLS, http2 which will use TLS mandatory, opportunistic TLS, and the future of further TLS improvements like TLS 1.3 and DANE. Stenberg took questions and encouraged learning more about curl and TLS on the curl website.

1. #MeraKrypto
TLS and curl
Daniel Stenberg, April 29th
2014

2. Agenda
curl
TLS
http2
Future

3. Daniel Stenberg
Email: daniel@haxx.se
Twitter: @bagder
Web: daniel.haxx.se
Blog: daniel.haxx.se/blog
network hacker at

4. Please ask!
Feel free to interrupt and ask at any time!

5. If I say SSL I mean TLS
I tend to use the terms interchangeably

6. curl
• curl is a tool I made
• born around 1998
• widely used for REST, downloads, scripted transfers and more
• I expect everyone here to already know about it!
• Added TLS support 1999
• Uses TLS for HTTPS, FTPS, POP3S, IMAPS, SMTPS, LDAPS and
RTMPS
• 100% free and open source - join us!

7. libcurl 2014
•The engine of the curl tool
•The world's most used, most portable and most feature
complete URL transfer library
•Empowers cars, set-top boxes, printers, routers, Bluray
players, TV sets, phones, tablets, games, web sites and a bus
load of other use case.
•Used by hundreds of well known companies and brands
•Some 500 million users
•Written in C
•More than 40 bindings - for every language you can think of

8. TLS in libcurl
•supports 10 different TLS back-ends
•They differ in platform support, footprint, features,
license and performance
•Designed to be almost invisible to the user
•Allows applications to add TLS secured transfers to
their applications with no effort
•libcurl itself often built upon by other layers

9. The libcurl usage mistake #1
Reminder
unauthenticated TLS is not secure

11. The libcurl usage mistake #1
“Verify peer” and “verify host”
•“but I just want encryption”
•“but I can't afford a certificate”
•“but it is annoying to my users”
•“but it works just fine even if I disable it”
•“but I don't need a client certificate”

12. TLS obstacles
Over time, the course gets harder
The large set of obstacles are increasing and
becoming harder to climb
TLS-fronting applications need to care

13. The TLS obstacle course
SSLv2
SSLv3
< TLS1.2
BEAST
CRIMERC4
MD5
Broken CAs
Wildcard
matching
Verify
cert
Profit!
???

14. CA cert bundle
Needed to verify server cert
Which Certificate Authorities do you trust?
Did you edit your CA cert bundle today?
The curl site offers a bundle converted from Mozilla
sources
Maintaining an own set is lots of work

15. No end to TLS in sight
•TCP improvements are discussed
•TLS improvements are discussed
•TCP replacements are discussed
•CA and cert improvements are discussed
•TLS replacements are not discussed
•HTTP improvements are discussed...

16. http2
•http2 is the new HTTP, arriving late 2014
•not yet set in stone
•changes the over-the-wire data format
•same old http:// and https:// URLs

17. Will http2 fix HTTPS?
•attempts were made to make TLS mandatory
•fought by proxies, small-products and “surveillance
friendly” parties
•pushed by user-centric browser vendors
•Firefox and Chrome will only do http2 over TLS
•IE will do plain-text

18. Opportunistic TLS
•Alt-Svc: and ALTSVC
•“You can also find this content over here =>”
•Optional
•Allows http:// over TLS!
•Debated

19. Future
•Further TLS obstacles and problems
•TLS 1.3
•DANE
•tcpcrypt

20. Thank you!

21. Learn more!
•curl and libcurl: http://curl.haxx.se/
•http2 explained: http://daniel.haxx.se/http2
•Curl's TLS support compared:
http://curl.haxx.se/docs/ssl-compared.html

22. Doing good is part of our code