Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SSL, CAs and keeping your stuff safe

Armin Ronacher
May 10, 2014
Programming
7
1k

SSL, CAs and keeping your stuff safe

A capitalistic and system conformant talk about encryption.

Armin Ronacher

May 10, 2014
Tweet

More Decks by Armin Ronacher

See All by Armin Ronacher
No Assumptions
mitsuhiko
0
56
The Complexity Genie
mitsuhiko
0
87
The Catch in Rye: Seeding Change and Lessons Learned
mitsuhiko
0
270
Runtime Objects in Rust
mitsuhiko
0
340
Rust at Sentry
mitsuhiko
0
390
Overcoming Variable Payloads to Optimize for Performance
mitsuhiko
0
170
Rust API Design Learnings
mitsuhiko
0
500
The Snowball Effect of Open Source
mitsuhiko
0
320
Mobile Games are Living Organisms, Too
mitsuhiko
0
230

Other Decks in Programming

See All in Programming
Jakarta EE meets AI
ivargrimstad
0
300
CDK開発におけるコーディング規約の運用
yamanashi_ren01
2
250
お前もAI鬼にならないか?👹Bolt & Cursor & Supabase & Vercelで人間をやめるぞ、ジョジョー!👺
taishiyade
7
4.2k
PHPのバージョンアップ時にも役立ったAST
matsuo_atsushi
0
220
新宿駅構内を三人称視点で探索してみる
satoshi7190
2
120
パスキーのすべて ── 導入・UX設計・実装の紹介 / 20250213 パスキー開発者の集い
kuralab
3
880
バッチを作らなきゃとなったときに考えること
irof
2
520
『GO』アプリ データ基盤のログ収集システムコスト削減
mot_techtalk
0
150
自力でTTSモデルを作った話
zgock999
0
100
5分で理解する SOLID 原則 #phpcon_nagoya
shogogg
1
300
pylint custom ruleで始めるレビュー自動化
shogoujiie
0
150
一休.com のログイン体験を支える技術 〜Web Components x Vue.js 活用事例と最適化について〜
atsumim
0
930

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
461
33k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
46
2.3k
Mobile First: as difficult as doing things right
swwweet
223
9.4k
Scaling GitHub
holman
459
140k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.1k
Faster Mobile Websites
deanohume
306
31k
Agile that works and the tools we love
rasmusluckow
328
21k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
366
25k
How to train your dragon (web standard)
notwaldorf
91
5.9k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
27
1.9k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
10
1.3k
Fireside Chat
paigeccino
34
3.2k

Transcript

  1. SSL, CAs and keeping your stuff safe BQSFTFOUBUJPOCZBSNJOSPOBDIFSGPSQZHSVOO http://lucumr.pocoo.org/ —

    @mitsuhiko

  2. SSL, CAs and keeping your stuff safe BQSFTFOUBUJPOCZBSNJOSPOBDIFSGPSQZHSVOO http://lucumr.pocoo.org/ —

    @mitsuhiko a capitalistic and system conformant talk about encryption

  3. Armin Ronacher Independent Contractor for Splash Damage / Fireteam Doing

    Online Infrastructure for Computer Games

  4. … The Problem with Programmers ~ Epilogue ~

  5. Programmers think everything is a technical problem

  6. Fraud ~ Chapter 1 ~

  7. XXXX-XXXX-XXXX-1234 What is the worst that can happen?

  8. What makes Credit Card Numbers “secure”?

  9. theft ere will always be criminals

  10. prevented But what damage can they do?

  11. Bitcoin A Credit Card Strong Encryption Potentially No Encryption 256

    bit private key 16 digit number + checksum decentralized centralized √ x

  12. But I'd rather lose my credit card …

  13. Never

  14. LOL

  15. We Accept Stolen Creditcards

  16. e Protocol e Process is insecure is secure

  17. If the aud percentage is smaller than the transaction fees

    we're all good.

  18. It's too easy to forget the bigger picture

  19. of Lock Symbols and Encryption ~ Chapter 2 ~

  20. the lock symbol is a lie

  21. the lock stands for secure

  22. but so is encryption 8 7

  23. such security

  24. such buzzwords CRIME BEAST Heartbleed BREACH PFS

  25. users need to understand how to keep good om bad

    lock symbols / good om bad encryption. = -

  26. but even developers are not sure yet …

  27. remember why you encrypt (NSA

  28. Why do we Encrypt Traffic? ~ Chapter 3 ~

  29. None

  30. public WiFi the unencrypted browser session kilLed

  31. ? Who is the Attacker?

  32. om secret agents to idiots

  33. om targeted to untargeted

  34. om low to high probability

  35. What You Need for Encryption ~ Chapter 4 ~

  36. passive vs active eavesdropping encryption authentication

  37. $ ssh pocoo.org The authenticity of host 'pocoo.org (148.251.50.164)' can't

    be established. RSA key fingerprint is 14:23:83:02:45:f9:9c:d0:eb:39:c7:14:42:f5:9f:9c. Are you sure you want to continue connecting (yes/no)?

  38. your user does not check ngerprints (your

  39. e Certificate Authorities thus:

  40. CAs are worthless for securing APIs let it be known

    that

  41. Protecting APIs and Services ~ Chapter 5 ~ (non

  42. The Only Rule to Follow

  43. run your own CA issue certi cates for 24 hours

    trust your own CA only screw re ocations

  44. You trust your own CA by distributing the certi cate

    to everybody.

  45. If your root gets compromised, distribute new root certi cates.

  46. If an individual key gets compromised, in less than 24

    hours everything is ne.

  47. from requests import get resp = get('https://api.yourserver.com/', verify='your/certificate.bundle')

  48. “But my awesome AntiVirus says your certi cate is not

    trusted.” — Windows User

  49. Certificate Authorities Again ~ Chapter 6 ~

  50. Hardly news: CAs are Broken

  51. But why are the broken?

  52. I Trust “TÜRKTRUST Elektronik Serti ka Hizmet Sağlayıcısı” to ouch

    for the identity of any domain on the planet. Trusting a CA:

  53. trusting half the world: one shitty employee in one shitty

    CA is enough to break your security.

  54. I Trust “Comodo” to ouch for the identity of “Foo

    Owner” foo.com. I only trust “Foo Owner” to ouch for the identity of api.foo.com What we actually want:

  55. if you have seen google.com being from Verisign and all

    the sudden google.com becomes a StartSSL certificate you know something might be wrong.

  56. Soon: Certificate Pinning?

  57. Frack OpenSSL and Question “Best Practices” ~ Chapter 7 ~

  58. Self-Signed Certificates are not bad. Just in browsers.

  59. Never. Ever. Look at OpenSSL's Source.

  60. OpenSSL's "patches" are even worse: Apple's OpenSSL always trusts system

    store :-/

  61. Requests by default trusts it's own bundle :-/ (And does

    not even properly document how to use custom ones)

  62. With Heartbleed SSL was less secure than no SSL :-/

  63. Growing SSL ~ Chapter 8 ~

  64. Credit Cards were made for thousands of people Certificate Authorities

    were made for hundreds of sites

  65. OpenSSL was probably improperly audited

  66. See “OpenSSL Valhalla Rampage” :-( “i give up. reuse problem

    is unixable. dlg says puppet crashes” — tedu

  67. Plan for Failure ~ Chapter 9 ~

  68. what

  69. what happens to your user if he gets hacked? (food

    for thought: keyloggers are still a thing)

  70. what happens to your data

  71. what happens to your company

  72. encryption is hardened security it must not be your only

    defense

  73. ? Feel Free To Ask Questions Talk slides will be

    online on lucumr.pocoo.org/talks You can find me on Twitter: @mitsuhiko And gittip: gittip.com/mitsuhiko Or hire me: armin.ronacher@active-4.com