Friday 11:30 a.m.–noon
Introduction to HTTPS: A Comedy of Errors
- Audience level:
Given the recent increase in attacks on internet services and in large-scale surveillance by certain unnamed government organizations, security in our software is becoming ever more important. We'll give you an idea of how modern crypto works in web services and clients, look at some of the common flaws in these crypto implementations, and discuss recent developments in TLS.
In this talk we'll explain what happens behind the scenes when we try to establish a secure connection to a web site. We'll cover the common security flaws in popular TLS implementations like OpenSSL, and see how these issues can be avoided with a well-designed TLS implementation in a high-level language like Python. Finally, we'll discuss how OpenSSL's API design leads to application bugs, and how the lack of secure defaults leads to insecure applications.