My talk at Internetdagarna November 22, 2016

1. TLSTLSTLS, SSL, CA, DV, OV, EV, X.509, PKI, SHA-1, SHA-2, SAN, CN,
SNI, NPN, ALPN, OCSP, CRL, DNSSEC, DANE, CT, HPKP, HSTS,
HTTPS, HTTP/2, ...

2. Email:daniel@haxx.se
Twitter:@bagder
Web:daniel.haxx.se
Blog:daniel.haxx.se/blog
Daniel Stenberg

3. Ask away!

4. TLS is more than HTTPS
… but HTTPS is a pretty big
and common TLS use case
I’ll try to be generic but some
things will be HTTPS specific

5. TLS is SSL
SSL = TLS in practice
SSL
1995
SSL
v3
1996
TLS
1.0
1999
TLS
1.1 2006
TLS
1.2
2008
TLS
1.3
2017

6. Extensions
TLS
1.2
2008
TLS
1.3
2017
Add things within same
protocol version
SNI
ALPN and NPN

7. WWW

8. WWW under attack

9. Why TLS
Surveillance Tracking
Spoofed serversModified data
Plain-textPlain-text
protocolsprotocols
are insecureare insecure

10. TLS in use

11. HTTPS == HTTP + TLS

12. TLS handshake
Client: I want to speak with
internetdagarna.se (SNI)
Server: here’s my
certificate

13. Certificate received, check it!

14. SAN and CN
Server cert lists for which name or
names it is valid.
Or wildcard
Subject Alternative Name (SAN),
Common Name (CN)
DNS Name: internetdagarna.seDNS Name: www.internetdagarna.se

15. Certificate Signatures
SHA-1 is out
Maybe soon for real

16. Who made that certificate?
How can we trust it?

17. Certificate Authorities
Hand out certificates to servers
TLS apps use a “CA cert store”
A set of trusted CAs
Hundreds of them!

18. CA system
CAs must follow guidelines
Rogue CAs are excluded over time
TLS applications add restraints

19. Bad CAs
CAs have a lot of power
CAs can hand out certificates
for any domain
by mistake or by attackers

20. Certificate Transparency
Issued certificates in append-only logs
Logs run by multiple stake-holders
Allows TLS parties detect bad CAs

21. TLS without CA
The CA system is error-prone
DNS-based Authentication of
Named Entities (DANE)
Stores certs / or revocations in
DNS
Not used for HTTPS

22. TLS Servers gone bad
Maybe attackers now control the site
Certificate revocations are hard
Online Certificate Status Protocol
(OCSP) doesn’t help much
TLS applications update slowly

23. Detect bad certificates
Certificate Revocation Lists (CRL)
OCSP stapling (TLS Certificate Status
Request)
Short life times
Pinning (HPKP)

24. Stick to TLS (HTTPS)
Accessing a web site without HTTPS
introduces a MITM risk
Strict Transport Security (HSTS)

25. HTTPS

26. How green is your padlock?
Domain Validated (DV)
Organization Validated (OV)
Extended Validation (EV)

27. Ok, but to complicate matters...

28. TLS man-in-the-middle proxies
Some operators claim they need to
inspect your traffic
But TLS is “end to end”?
“hello, I’m your trusted CA that
makes up certificates on demand”

29. TLS man-in-the-middle proxies
client server

30. TLS man-in-the-middle proxies
client server
MITM

31. But can you trust the client?

32. Trust in the other direction
Client certificates
Replaced by 2fa

33. “TLS is slow”

34. Speed it up
Resume recently closed connections
Protocol improvements only over TLS
Faster handshakes in TLS 1.3 due to
less round-trips

35. The deprecation of clear text
IETF, IAB, W3C, US Government, Mozilla
(Firefox), Google (Chrome):
“universal use of encryption
by Internet applications”

36. TLS
Validated certificate
Data integrity
No snooping
Green padlock
Going faster

37. Thank you!
Questions?