curl and TLS #MeraKrypto


curl and TLS: slides for my talk at MeraKrypto, April 29 2014


#MeraKrypto

TLS and curl

Daniel Stenberg, April 29th 2014

Agenda

• curl
• TLS
• http2
• Future

Daniel Stenberg

Email: daniel@haxx.se
Twitter: @bagder
Web: daniel.haxx.se
Blog: daniel.haxx.se/blog

network hacker at

Please ask!

Feel free to interrupt and ask at any time!

curl

• curl is a tool I made
• born around 1998
• widely used for REST, downloads, scripted transfers and more
• 100% free and open source
• I expect everyone here to already know about it!
• Added TLS support 1999
• Uses TLS for HTTPS, FTPS, POP3S, IMAPS, SMTPS, LDAPS and RTMPS

libcurl 2014

• The engine of the curl tool
• The world's most used, most portable and most feature complete URL transfer library
• Empowers cars, set-top boxes, printers, routers, Blu-ray players, TV sets, phones, tablets, games, web sites and a bus load of other use cases
• Used by hundreds of well known companies and brands
• Some 500 million users
• Written in C
• More than 40 bindings - for every language you can think of

TLS in libcurl

• supports 10 different TLS back-ends
• They differ in platform support, footprint, features, license and performance
• Designed to be almost invisible to the user
• Allows applications to add TLS-secured transfers with no effort
• libcurl itself is often built upon by other layers

The libcurl usage mistake #1

Reminder

unauthenticated TLS is not secure

The libcurl usage mistake #1

“Verify peer” and “verify host”

• “but I just want encryption”
• “but I can't afford a certificate”
• “but it is annoying to my users”
• “but it works just fine even if I disable it”
• “but I don't need a client certificate”
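Added example, not from the talk or the curl project: a small Python audit that flags the two forms this mistake takes in a code base, libcurl calls that set CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST to 0, and curl command lines run with -k/--insecure. The sample input, including the example.test hostnames, is constructed.

```python
import re
from typing import List, Tuple

# The two ways "usage mistake #1" shows up in a code base:
#  - libcurl C code setting CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST to 0
#  - curl command lines passing -k / --insecure (also inside a short-option cluster like -sSk)
LIBCURL_OFF = re.compile(r"CURLOPT_SSL_VERIFY(PEER|HOST)\s*,\s*(0L?|FALSE|false)\b")
CLI_INSECURE = re.compile(r"(?<!\S)(--insecure|-[A-Za-z]*k[A-Za-z]*)(?!\S)")

Finding = Tuple[int, str, str]  # (line number, reason, offending line)


def find_disabled_verification(text: str) -> List[Finding]:
    """Return one finding per line that turns off peer or host verification."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LIBCURL_OFF.search(line)
        if m:
            findings.append((lineno, f"CURLOPT_SSL_VERIFY{m.group(1)} disabled", line.strip()))
            continue
        # -k only counts on a line that actually runs the curl tool, so that
        # other programs' -k options do not show up as false positives.
        if re.search(r"\bcurl\b", line) and CLI_INSECURE.search(line):
            findings.append((lineno, "curl invoked with -k/--insecure", line.strip()))
    return findings


# Constructed sample: a libcurl fragment followed by a deploy script. Lines 3, 4, 8
# and 9 are the mistake; lines 5, 6 and 10 show the correct form (defaults kept,
# CA bundle supplied) and must not be flagged.
SAMPLE = """\
/* constructed libcurl snippet: the "but I just want encryption" mistake */
curl_easy_setopt(curl, CURLOPT_URL, "https://api.example.test/");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
/* correct: keep the defaults (VERIFYPEER 1L, VERIFYHOST 2L) and supply the CA bundle */
curl_easy_setopt(curl, CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt");
# constructed deploy script
curl -sSk https://downloads.example.test/agent.tar.gz -o agent.tar.gz
curl --insecure -o cfg.json https://cfg.example.test/cfg
curl --cacert /etc/ssl/internal-ca.pem https://cfg.example.test/cfg
"""

if __name__ == "__main__":
    for lineno, reason, line in find_disabled_verification(SAMPLE):
        print(f"line {lineno}: {reason}: {line}")
```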

TLS obstacles

Over time, the course gets harder
The set of obstacles is large, growing, and becoming harder to climb
TLS-fronting applications need to care

The TLS obstacle course

SSLv2
SSLv3
< TLS 1.2
BEAST
CRIME
RC4
MD5
Broken CAs
Wildcard matching
Verify cert
Profit!
???

No end to TLS in sight

• TCP improvements are discussed
• TLS improvements are discussed
• TCP replacements are discussed
• CA and cert improvements are discussed
• TLS replacements are not discussed
• HTTP improvements are discussed...

http2

• http2 is the new HTTP, arriving late 2014
• not yet set in stone
• changes the over-the-wire data format
• same old http:// and https:// URLs

Will http2 fix HTTPS?

• attempts were made to make TLS mandatory
• fought by proxies, small products and “surveillance friendly” parties
• pushed by user-centric browser vendors
• Firefox and Chrome will only do http2 over TLS
• IE will do plain-text

Opportunistic TLS

• Alt-Svc: and ALTSVC
• “You can also find this content over here =>”
• Optional
• Allows http:// over TLS!
• Debated

Future

• Further TLS obstacles and problems
• TLS 1.3
• DANE
• tcpcrypt

Thank you!

Doing good is part of our code
