#MeraKrypto: TLS and curl. Daniel Stenberg, April 29th 2014



Slides for my talk at MeraKrypto, April 29 2014.


Page 1: curl and TLS #MeraKrypto

#MeraKrypto

TLS and curl

Daniel Stenberg, April 29th 2014


Agenda

curl
TLS
http2
Future


Daniel Stenberg

Email: [email protected]
Twitter: @bagder
Web: daniel.haxx.se
Blog: daniel.haxx.se/blog

network hacker at


Please ask!

Feel free to interrupt and ask at any time!


curl

• curl is a tool I made
• born around 1998
• widely used for REST, downloads, scripted transfers and more
• 100% free and open source
• I expect everyone here to already know about it!
• Added TLS support 1999
• Uses TLS for HTTPS, FTPS, POP3S, IMAPS, SMTPS, LDAPS and RTMPS


libcurl 2014

• The engine of the curl tool
• The world's most used, most portable and most feature complete URL transfer library
• Empowers cars, set-top boxes, printers, routers, Blu-ray players, TV sets, phones, tablets, games, web sites and a bus load of other use cases
• Used by hundreds of well known companies and brands
• Some 500 million users
• Written in C
• More than 40 bindings, for every language you can think of


TLS in libcurl

• supports 10 different TLS back-ends
• They differ in platform support, footprint, features, license and performance
• Designed to be almost invisible to the user
• Allows applications to add TLS secured transfers with no effort
• libcurl itself is often built upon by other layers


The libcurl usage mistake #1

Reminder

unauthenticated TLS is not secure


The libcurl usage mistake #1

“Verify peer” and “verify host”
• “but I just want encryption”
• “but I can't afford a certificate”
• “but it is annoying to my users”
• “but it works just fine even if I disable it”
• “but I don't need a client certificate”


TLS obstacles

Over time, the course gets harder.
The set of obstacles keeps growing, and each one is becoming harder to climb.
TLS-fronting applications need to care.


The TLS obstacle course

SSLv2
SSLv3
< TLS 1.2
BEAST
CRIME
RC4
MD5
Broken CAs
Wildcard matching
Verify cert
Profit!
???


No end to TLS in sight

• TCP improvements are discussed
• TLS improvements are discussed
• TCP replacements are discussed
• CA and cert improvements are discussed
• TLS replacements are not discussed
• HTTP improvements are discussed...


http2

• http2 is the new HTTP, arriving late 2014
• not yet set in stone
• changes the over-the-wire data format
• same old http:// and https:// URLs


Will http2 fix HTTPS?

• attempts were made to make TLS mandatory
• fought by proxies, small-products and “surveillance friendly” parties
• pushed by user-centric browser vendors
• Firefox and Chrome will only do http2 over TLS
• IE will do plain-text


Opportunistic TLS

• Alt-Svc: and ALTSVC
• “You can also find this content over here =>”
• Optional
• Allows http:// over TLS!
• Debated


Future

• Further TLS obstacles and problems
• TLS 1.3
• DANE
• tcpcrypt


Thank you!


Doing good is part of our code