Trust in SSL/TLS?

Where does the lock in my browser bar come from?

René Pfeiffer, UAS Technikum Wien

History of Encryption and the World Wide Web

A brief History of the Web…

• 1989 born at CERN as hypertext and hypermedia system
• 1991 Hypertext Transfer Protocol (HTTP) – not encrypted
• 1994 Amazon.com, Inc.
• 1995 Netscape releases Secure Sockets Layer (SSL) – HTTPS = HTTP Secure
• 1999 Transport Layer Security (TLS) – new version of SSL
• 2018 TLS version 1.3 published

Using SSL/TLS means HTTPS for web browsers.

HTTPS Technology

• Asymmetric encryption
  • Public/private key pairs
  • Public key is used to encrypt
  • Private key is used to decrypt
• Symmetric encryption (data transfer)
• Authentication
  • Client and server can verify identity
  • Certificates ⟷ identity
  • HTTPS detects manipulation attempts

Certificates

• Certificates are linked to identities
• Identity can be
  • a name,
  • a domain / subdomain,
  • a numeric (IP) address,
  • an email address
• Certificates are mathematically tied to public/private key pair

Certificate Authority (CA)

Certification Steps

Verification Process (CA)

• Unattended / automated
  • Domain zone entry
  • Email to/from specific addresses
  • Text on a web server
• Manual
  • Submission of identity documents
  • Legal proof

Certificate Validity

• Certificates are valid for a given period of time
• Period usually 90 days, 1 year, 2 years, …
• CA can actively revoke certificate in case of
  • abuse,
  • theft, or
  • use on compromised systems
• Revocation lists can get huge

Trust Relationships

Browser CA Lists (1)

Browser CA Lists (2)

Browser CA Lists (3)

Root Programmes (for CAs)

• Adobe® Adobe Approved Trust List (AATL)
• Apple Root Program
• Google Chromium Root Certificate Policy
• Microsoft® Root Program
• Mozilla Root Program
• Oracle Java Root Program

More policies exist.

Unresolved / Critical Issues

• Browser warnings/errors not easy to understand
• Users must trust CAs and Root CA lists
  • Dutch DigiNotar CA shut down after compromise
  • Fake certificates for real domains (used in filters)
  • Mistakes in verification process
  • Nation state CAs?
• List of revoked certificates never shrinks
• Policy of „master“ lists
  • Including new CAs (such as Austrian Bürgerkarte CA)
  • Google/Mozilla deprecated Symantec CA

Thank you!

Contact Information

• René Pfeiffer <pfeiffer@technikum-wien.at>
• 🔏 0x28CAC51F8C413583
• 🔒 Threema 9EKKN34F
• 📱 Cell: +43 676 5626390
• 📱 GSMK Cryptophone™: +807 949 050 59
• 🕸 https://web.luchs.at/