Behind the Padlock: HTTPS Ubiquitous and Fragile

Presented at The Next HOPE (2010), July 17, 2010, 11 a.m. (60 minutes)

HTTPS is finally getting adopted all over the place - including Gmail, Twitter, Facebook, Google Search, and Wikipedia - as people realize that packet sniffing is easy and credit cards aren’t the only sensitive information we send over the Internet. At the same time, a new series of attacks and scandals has shown that TLS is rather fragile. SSL stripping lets attackers bypass sites’ HTTPS-only policies; a series of scandals over the past two years has renewed skepticism of certificate authorities’ role and the security of the global public-key infrastructure. More and more people are wondering who those strange organizations are, what they’re doing in our browsers, whether anyone knows if they’re doing a good job, and even how to pronounce some of their names. And recent evidence suggests some CAs may be inept - or cooperating with national governments. Seth will explain the push to increase HTTPS deployment to protect privacy and fight Internet censorship, and also to make its protections more meaningful and robust. He’ll describe the work on Firefox plugins that change the browser security model, and ideas on information sources that can supplement the certificate authorities. The talk will also include a look at SSL Observatory, which aims to collect data to catch rogue CAs in the act.

Presenters:

  • Seth Schoen
    Seth Schoen is a senior staff technologist at the Electronic Frontier Foundation. He has worked at EFF for eight years, helping other technologists to understand the civil liberties implications of their work, the EFF staff to better understand the underlying technology related to EFF's legal work, and the public to understand what the technology products they use really do. He helped create the LNX-BBC live CD and has researched phenomena including laser printer forensic tracking codes, ISP packet spoofing, and key recovery from computer RAM after a computer has been turned off. He is secretary of the Noisebridge hackerspace.
