Learn, hack!

URL

http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/27c3-4121-en-is_the_ssliverse_a_safe_place.mp4

File name

27c3-4121-en-is_the_ssliverse_a_safe_place.mp4

File size

968.9 MB

MD5

aa93a030c97f8ebf1b3e805a37767868

SHA1

a7b2b8549b69597d172cdf96523e814927cb41f7

The EFF SSL Observatory has collected a dataset of all TLS/HTTPS certificates visible on the public web. We discuss this dataset - what we have learned from it, how you can use it, and how intend to offer a live, continually updated version of it. TLS/SSL is only as good as your mechanism for verifying the other party, and it turns out that with HTTPS and other CA-certified applications of TLS, that mechanism involves trusting a lot of governments, companies and individuals. The SSL observatory is a project to bring more transparency to SSL Certificate Authorities, and help understand who really controls the web's cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. That included thousands of valid 'localhost' certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organisations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy. In this talk we will give an update on new developments in the project, including where to find a copy of our data and how to work with it for your own research; the progress made at fixing some of the vulnerabilities we found; and our design for a new, decentralised version of the SSL Observatory.