Saturday 1:40 p.m.–2:25 p.m.

The Sorry State of SSL

Hynek Schlawack

Audience level:


Those web pages with shiny lock icons boasting that your data is safe because of “256 bit encryption”? They are lying. In times of mass surveillance and commercialized Internet crime you should know why that’s the case. This talk will give you an overview that will help you to assess your personal security more realistically and to make your applications as secure as possible against all odds.


The rule of thumb for people without degrees in cryptography on securing data on the Internet is “GPG for data at rest, TLS for data in motion”. It is a very good rule, and everyone should follow it. The only catch is that configuring (and using!) TLS properly is not as simple as it sounds, and if you are not diligent as a user, developer, *and* ops engineer, you can easily compromise your data’s security despite the best efforts of everyone else.

This talk is multifaceted; you will learn:

- how SSL and TLS *roughly* work and why their state is sorry,
- server- and client-side duties for the best possible security,
- what alternatives you have for using TLS in Python,
- things to keep in mind when configuring servers,
- and what perils outside your control can *still* trip you up.

In other words, the leitmotif is to show you the most common traps you should know about when using and deploying applications that rely on TLS for transport-layer security, and how to avoid them.
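As an added illustration of the client- and server-side duties the talk lists (this is example code written for this page, not material from the talk or from the speaker), the block below contrasts the kind of TLS client setup that is common in the wild with a hardened one, plus a hardened server context, using the standard-library `ssl` module as it exists in Python 3.7+ with OpenSSL 1.1.1+ (the talk predates these APIs). The `audit_context` helper is hypothetical, not a stdlib function; it returns a list of findings so the same check can be dropped into a test suite.

```python
"""Client- and server-side TLS hygiene with the standard-library ssl module.

Added example for this page; assumes Python 3.7+ and OpenSSL 1.1.1+.
audit_context() is a hypothetical helper, not a stdlib or project function.
"""
import ssl


def sloppy_client_context():
    """What a lot of code in the wild effectively does ("verify=False"):
    any certificate for any hostname is accepted, so whoever sits on the
    path can terminate the connection with a certificate of their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be turned off before verify_mode,
    ctx.verify_mode = ssl.CERT_NONE  # otherwise this assignment raises ValueError
    return ctx


def hardened_client_context():
    """Verify the chain against the platform trust store, verify the
    hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context():
    """Server side: no legacy protocol versions, forward-secret AEAD suites
    only, server-chosen cipher order. Loading the certificate and key
    (ctx.load_cert_chain) is left to the caller, since that needs files."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Applies to TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL and unaffected.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


# Substrings of OpenSSL cipher-suite names that should never show up.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "MD5", "EXP")


def audit_context(ctx, server=False):
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    if not server:
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
        if not ctx.check_hostname:
            findings.append("check_hostname is off: a valid cert for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.0/1.1 (or worse)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    if server and not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append("client chooses the cipher order")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx, srv in (("sloppy client", sloppy_client_context(), False),
                            ("hardened client", hardened_client_context(), False),
                            ("hardened server", hardened_server_context(), True)):
        print(label, audit_context(ctx, server=srv) or "OK")
```

Even a correct context is only half the client-side duty: the socket must be wrapped with `ctx.wrap_socket(sock, server_hostname=host)` so that hostname checking (and SNI) has a name to compare against, and the caller must not catch and ignore `ssl.SSLCertVerificationError`. On the server side, the cipher string above only governs TLS 1.2; TLS 1.3 suites are negotiated from OpenSSL's own fixed list.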