Recently, I found myself working on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) standards, mostly to optimize and accelerate the expensive cryptographic operations. In particular, I examined the OpenSSL toolkit and tried to figure out what applies in the real world (web browsers, web servers, open source SSL/TLS stacks). The landscape is quite fuzzy and sometimes insecure. The lack of a unified direction and the unavoidable need for backward compatibility with all versions of the standards create an environment with several possible configurations. Unfortunately, this leaves significant room for security flaws (e.g. man-in-the-middle attacks), so proper attention is needed when SSL/TLS is applied. Ivan Ristic conducted excellent research for SSL Labs. This research gives a great overview of the usage of SSL/TLS in real life and presents an in-depth analysis of all the cryptographic features. The results of this investigation will be presented at Black Hat 2010 USA.
The presentation can be found here.