14. SAN and CN
Server cert lists for which name or
names it is valid.
Or a wildcard
Subject Alternative Name (SAN),
Common Name (CN)
DNS Name: internetdagarna.se
DNS Name: www.internetdagarna.se
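The hostname check a TLS client performs against those SAN and CN entries, as an added example that is not part of the original slides. The certificate is modelled as a plain dict of already-extracted fields (no X.509 parsing), and the matching rules follow RFC 6125: dNSName SANs take precedence, CN is only a fallback when no dNSName SAN exists, and a wildcard is allowed only as the entire leftmost label and matches exactly one label.

```python
"""Hostname matching against a certificate's SAN and CN entries.

Added example, not from the original slides. Certificates are modelled as
dicts of the fields a parser would extract: 'commonName' and a tuple of
('DNS', name) pairs under 'subjectAltName'. No real DER parsing happens here.
"""


def _labels_match(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, nowhere else, and the
    # pattern needs at least three labels so "*.se" cannot cover a whole TLD.
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    # A wildcard matches exactly one label: same label count, identical tail.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the cert's dNSName SANs; the CN is
    consulted only when the cert carries no dNSName SAN at all."""
    san_names = [n for (kind, n) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_labels_match(p, hostname) for p in san_names)
    cn = cert.get("commonName")
    return bool(cn) and _labels_match(cn, hostname)


# Constructed sample certificate fields, modelled on the names on the slide.
SAMPLE_CERT = {
    "commonName": "internetdagarna.se",
    "subjectAltName": (
        ("DNS", "internetdagarna.se"),
        ("DNS", "www.internetdagarna.se"),
    ),
}
WILDCARD_CERT = {
    "commonName": "ignored.example",  # ignored: a dNSName SAN is present
    "subjectAltName": (("DNS", "*.internetdagarna.se"),),
}
CN_ONLY_CERT = {"commonName": "legacy.internetdagarna.se", "subjectAltName": ()}

if __name__ == "__main__":
    checks = [
        (SAMPLE_CERT, "www.internetdagarna.se"),
        (SAMPLE_CERT, "mail.internetdagarna.se"),
        (WILDCARD_CERT, "mail.internetdagarna.se"),
        (WILDCARD_CERT, "a.b.internetdagarna.se"),
        (WILDCARD_CERT, "ignored.example"),
        (CN_ONLY_CERT, "legacy.internetdagarna.se"),
    ]
    for cert, host in checks:
        print(f"{host:28s} -> {match_hostname(cert, host)}")
```

The two rules that most often bite in practice are visible in the sample data: the CN of WILDCARD_CERT is never matched because a SAN exists, and `*.internetdagarna.se` covers `mail.internetdagarna.se` but neither the bare apex nor a two-level subdomain.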
21. TLS without CA
The CA system is error-prone
DNS-based Authentication of
Named Entities (DANE)
Stores certs (or revocations) in
DNS
Not used for HTTPS
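How a DANE-aware client would compare a certificate against a TLSA record, as an added example that is not part of the original slides. It models the RFC 6698 owner-name format and the selector/matching-type logic for usage 3 (DANE-EE) records only; the certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER, because the point is the record logic rather than ASN.1 parsing.

```python
"""DANE TLSA record construction and matching (RFC 6698, usage 3 only).

Added example, not from the original slides. The DER blobs below are
constructed placeholders; a real client would take them from the server's
leaf certificate and its SubjectPublicKeyInfo.
"""
import hashlib
import hmac


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name a client queries, e.g. _443._tcp.www.internetdagarna.se."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def parse_tlsa(rdata: str):
    """Split TLSA presentation format into (usage, selector, mtype, assoc bytes)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    assoc = bytes.fromhex("".join(hexdata.split()))  # hex may be space-broken
    return int(usage), int(selector), int(mtype), assoc


def _digest(mtype: int, data: bytes) -> bytes:
    if mtype == 0:
        return data                           # Full: exact bytes published
    if mtype == 1:
        return hashlib.sha256(data).digest()  # SHA2-256
    if mtype == 2:
        return hashlib.sha512(data).digest()  # SHA2-512
    raise ValueError(f"unknown TLSA matching type {mtype}")


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented leaf satisfies a usage-3 (DANE-EE) TLSA record."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3:
        # Usages 0-2 additionally require PKIX chain validation; not modelled.
        raise NotImplementedError("only DANE-EE (usage 3) is modelled here")
    if selector == 0:
        data = cert_der          # Cert: whole certificate
    elif selector == 1:
        data = spki_der          # SPKI: public key only, survives re-issuance
    else:
        raise ValueError(f"unknown TLSA selector {selector}")
    return hmac.compare_digest(_digest(mtype, data), assoc)


def make_tlsa_record(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build the rdata an operator would publish for usage 3 (DANE-EE)."""
    data = cert_der if selector == 0 else spki_der
    return f"3 {selector} {mtype} {_digest(mtype, data).hex()}"


# Constructed placeholders standing in for DER-encoded structures.
SAMPLE_CERT_DER = b"constructed-cert-bytes-not-real-der"
SAMPLE_SPKI_DER = b"constructed-spki-bytes-not-real-der"

if __name__ == "__main__":
    name = tlsa_owner_name("www.internetdagarna.se")
    record = make_tlsa_record(1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(f"{name} IN TLSA {record}")
    print("matches:", tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("after key rotation:", tlsa_matches(record, SAMPLE_CERT_DER, b"new-key"))
```

Publishing a "3 1 1" record (SPKI, SHA-256) is the common choice because the record stays valid when the certificate is re-issued for the same key, while any key rotation must be coordinated with a DNS change, which is where DANE deployments tend to go wrong.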
22. TLS Servers gone bad
Maybe attackers now control the site
Certificate revocations are hard
Online Certificate Status Protocol
(OCSP) doesn't help much
TLS applications update slowly
28. TLS man-in-the-middle proxies
Some operators claim they need to
inspect your traffic
But TLS is "end to end"?
"hello, I'm your trusted CA that
makes up certificates on demand"
34. Speed it up
Resume recently closed connections
Protocol improvements only over TLS
Faster handshakes in TLS 1.3 due to
fewer round trips
35. The deprecation of clear text
IETF, IAB, W3C, US Government, Mozilla
(Firefox), Google (Chrome):
"universal use of encryption
by Internet applications"