SSL/TLS is one of the major security mechanisms of the Internet. Initially designed to protect HTTP connections and allow for secure e-commerce transactions, it has now become, 20 years later, a universal security layer for all kinds of protocols (e.g. POP, IMAP, SMTP, LDAP), used to establish secure VPNs or to handle WiFi authentication (EAP TLS).
Since 2011, a lot has happened in the SSL/TLS world: structural flaws were discovered, cryptographic attacks deemed intractable were implemented, implementation bugs were shown to be pervasive and the WebPKI trust model was shown to be far from perfect.
In this talk, I present an overview of the protocol and of what could go (and has actually gone) wrong.
Presented at the EURECOM seminar in Nice, France, in November 2015.