Joshua Davies, author of Implementing SSL / TLS Using Cryptography and PKI, discussed SSL/TLS, public-key infrastructure, certificate authorities, and vulnerabilities in the security infrastructure. Robert Blumen spoke with Davies about the history of SSL/TLS; TLS 1.3; symmetric and asymmetric cryptography; the TLS handshake; the Diffie-Hellman key exchange; the HTTPS protocol; verification of domain ownership; man-in-the-middle (MITM) attacks; the problem of infinite regress of trust; certificate authorities (CAs); corporate MITM boxes; CAs and the trust store; how a CA becomes trusted; the large number of CAs in modern operating systems; trust and vulnerabilities at the CA level; the problems created by the ability of any trusted CA to issue a certificate for any domain; how to obtain a certificate; domain validation; extended validation; attacks on the domain validation process (DNS spoofing, BGP hijacking); certificate revocation, CRLs, OCSP and OCSP stapling; certificate transparency (CT) and CT monitoring; HTTPS and browser behavior; mixed content warnings; HSTS (HTTP Strict Transport Security); HTTPS and CDNs.
Show Notes
Related Links
- Implementing SSL / TLS Using Cryptography and PKI by Joshua Davies on Amazon
- Bulletproof TLS newsletter
- Bulletproof SSL and TLS by Ivan Ristić
- Securing Microservice Architecture with Mutual TLS
- Wikipedia entry on HTTP Strict Transport Security
- Wikipedia entry on OCSP Stapling
- Moxie Marlinspike – New Tricks for Defeating SSL in Practice
- Wikipedia entry Online Certificate Status Protocol (OCSP)
- Wikipedia entry on public key pinning
- Mixed content
- Content Security Policy
- Cross-origin resource sharing
- Mozilla developer site on Content Security Policy
- Bulletproof TLS Newsletter (SSL, TLS and PKI news) archives
- Bamboozling Certificate Authorities with BGP by Birge-Lee, Sun, Edmundson, Rexford, Mittal
- Securing Certificate Issuance using Multipath Domain Control Validation
- Security Now episode 724
SE Radio theme: “Broken Reality” by Kevin MacLeod (incompetech.com — Licensed under Creative Commons: By Attribution 3.0)
Great episode! Learned a lot. Thanks for publishing.