"Securing" The Web with SSL

whoami

  • Igor Galić / igalic / jMCg / @hirojin
  • Me, with less beard, and a hat.

Overview

What is SSL?

What's wrong with SSL?

How do I get it right?

How can we all get it righter?

What is SSL?

SSL 1.0 ... Netscape, 1994

SSL 2.0 ... Netscape, 1995

SSL 3.0 ... Netscape, 1996 (formally, RFC 6101, 2011)

TLS 1.0 ... RFC 2246, 1999

TLS 1.1 ... RFC 4346, 2006

TLS 1.2 ... RFC 5246, 2008 + RFC 6176, 2011

What is SSL TLS?

What is a Secure Protocol?

Confidentiality

Integrity

Authenticity

Non-repudiation

Availability

Access Control

What is a TLS?

Three rows of boxes describing the layered model of TLS: Services are built from Mechanisms (Signatures, Encryption and Hashing), which in turn are implemented by Algorithms: DSA and RSA (for Signatures), RSA and DES (for Encryption), SHA1 and MD5 (for Hashing)
  • Services built from Mechanisms
  • Mechanisms implemented using Algorithms

How does TLS work?

This diagram shows a full (two-way) handshake of TLS.

How does TLS fail?

Flow Chart of the full algorithm of validating a certificate

What is wrong with TLS?

SSL Labs' SSL Threat Model. The diagram will be dissected on the following three pages.

TLS Threat Model: Protocols, Users, Attacks

This part depicts the threats on the protocol itself (mostly SSLv2), on its Users (via DNS and its usability) as well as Attacks (MITM, Route hijacking, DNS Cache Poisoning, Phishing, Corporate (or Governmental) Interception, and XSS).

TLS Threat Model: Endpoints, Server & Client

This part depicts the threats on server and client endpoints.

TLS Threat Model: PKIs

This part depicts the threats on the Trust Infrastructure (PKIs).

How does TLS X.509 fail?

Diagram of a (self-signed) root CA with two issuing CAs. The server issuing CA certifies four in-house servers.

How does X.509 fail?

Diagram (cont.): This time the client issuing CA certifies uncountable laptops and mobile phones.

How does X.509 fail?

Diagram (cont.): GeoTrust certifies RapidSSL, RapidSSL certifies uncountable servers.

How to get it right?

Demo

How to get it righter?

Discussion