27C3 - 27th Chaos Communication Congress: We come in peace

Speakers: Jesse, Peter Eckersley
Schedule: Day 2 - 2010-12-28, Saal 2, 16:00, duration 01:00
Event ID: 4121
Event type: Lecture
Track: Community
Language: English

Is the SSLiverse a safe place?

An update on EFF's SSL Observatory project

The EFF SSL Observatory has collected a dataset of all TLS/HTTPS certificates visible on the public web. We discuss this dataset: what we have learned from it, how you can use it, and how we intend to offer a live, continually updated version of it.

TLS/SSL is only as good as your mechanism for verifying the other party, and it turns out that with HTTPS and other CA-certified applications of TLS, that mechanism involves trusting a lot of governments, companies and individuals.

The SSL Observatory is a project to bring more transparency to SSL Certificate Authorities and to help understand who really controls the web's cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. These included thousands of valid 'localhost' certificates, certificates with weak keys, CA certificates that share keys or have suspicious expiration dates, and the fact that there are approximately 650 organisations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy.

In this talk we will give an update on new developments in the project, including where to find a copy of our data and how to work with it for your own research, the progress made in fixing some of the vulnerabilities we found, and our design for a new, decentralised version of the SSL Observatory.