ritter.vg
Black Hat EU Presentation: The IETF & The Future of Security Protocols
14 Mar 2012 04:05 EST

Just two weeks (to the day) after presenting Cloud & Control at RSA in San Francisco, I was in Amsterdam presenting at Black Hat EU. I've been getting more involved with the tremendous number of standards bodies and keeping track in my own head on what improvements are coming down the pipe - I decided it'd be worthwhile to quantify that in a talk (and whitepaper). The talk actually only brushes over some of the topics that I thought would be the most interesting to talk about - the whitepaper and slides contain way more info.

According to my filters, I'm on over 50 mailing lists and keeping track of everything is a pain - so I did it for you. The whitepaper, available here, covers a lot of topics. Improvements in and coming soon to browsers like Content Security Policy, Caja, Strict Transport Security, and Key Pinning; achieving authenticity through DNSSEC; and huge sections on TLS and PKI. I go into detail on TLS 1.1 and 1.2 including implementation issues, deployment, and why we'll never actually get the security of the protocols until we remove backwards compatibility; but also upcoming TLS changes like False Start and Next Protocol Negotiation. A couple larger topics in TLS like Channel Binding and Secure Remote Password, and a lot of smaller topics like Datagram TLS and Encrypted Client Certificates. Finally, I survey all the proposed fixes or replacements for the Certificate Authority system, from the very popularized like Convergence to the very obscure like YURLs. I pull out all the core concepts from the proposals to come up with a list of properties that can be used to evaluate all of the proposals and see where each falls short.

I put way more effort into the whitepaper than I think Black Hat expects, but once I started working on it I wanted it to be complete. It's likely to have some changes made - the current version is dated March 15, 2012, and is the first revision, containing a typo fix and a minor correction relating to RFC 5705 thanks to Adam Langley.

Update: The video has been posted by Black Hat. 160MB MP4.

Comments
Add a comment...
required
required, hidden, gravatared

required, markdown enabled (help)
you type:you see:
*italics*italics
**bold**bold
[stolen from reddit!](http://reddit.com)stolen from reddit!
* item 1
* item 2
* item 3
  • item 1
  • item 2
  • item 3
> quoted text
quoted text
Lines starting with four spaces
are treated like code:

    if 1 * 2 < 3:
        print "hello, world!"
Lines starting with four spaces
are treated like code:
if 1 * 2 < 3:
    print "hello, world!"
Stuck?
me
sec/code
quick links