Version 1.0

lecture: To Make Hearts Bleed

A Native Developer's Account On SSL


A tour-de-force through the real-life SSL-adversities faced by developers outside the ivory tower that are today's browsers. It's the tale of understaffed engineering teams, hard-to-educate administrators. It's the horror of broken and undocumented APIs, and contradicting standards. It's the nightmare of FIPS requirements. It's a story without a happy ending, but with a call to action.

In a hostile and broken Internet, cryptography is a basic foundation of communication. But cryptography has no value when it's not used correctly. Browser vendors have tried to improve usability, but even they can't fix everything. Some of the improvements have actually been outright rejected by usability studies. Finally, even the biggest amount of developers can't fix ambiguities found in fundamental standards such as those defining X.509 semantics.

Moreover, developers who cannot depend on browser technologies are off much worse: They are required to know a significant amount about crypto, and get to re-implement the GUI part of it, often poorly and wrong, only relying on sub-par APIs of their libraries and/or toolkits.

Somewhere else, server administrators are left with unsafe defaults by their distribution. Due to sheer complexity, under-educated sysadmins and old libraries found in enterprise distributions, SSL setups today are a lot less safe than they should be.

This talk will discuss these subjects, provide examples and give hints for workarounds and proper behavior where possible. And after all, post-Snowden there is enough momentum to fix issues on a broader level, as efforts such as LibreSSL have shown. More effort is needed, and this talk outlines a possible solution.