In the years leading to the definition of TLS~1.3, many vulnerabilities have been published on the TLS protocol, including numerous implementation flaws affecting a wide range of independent stacks. The infamous Heartbleed bug, was estimated to affect more than 20% of the most popular HTTPS servers.
We propose a structured review of these implementation flaws. By considering their consequences but also their root causes, we present some lessons learned or yet to be learned. We also assess the impact of TLS~1.3, the latest version of the protocol, on the security of SSL/TLS implementations.
Publié dans les actes 15th International Conference on Risks and Security of Internet and Systems (LNCS 12528) (pages 87 à 104)
Présenté lors de la conférence CRiSIS à Paris, France en novembre 2020BibTeX Document Présentation