Confidence - (25-26.05 2010 Krakow)

Chris Palmer

Chris Palmer is a software security engineer dedicated to building safer, more usable, and more performant internet software. He currently works as an engineering consultant with iSEC Partners, and previously worked as a Staff Technologist at the Electronic Frontier Foundation.

Topic of Presentation: Web browser PKI/SSL security policy weaknesses and a potential solution

Language: English

Abstract: The SSL PKI as currently implemented in web browsers has the property that any one of N trusted CA organizations can certify any TLS endpoint. The past year saw at least three major published circumstances in which CA practices, or their interactions with other systems, would have left browsers vulnerable to practical man-in-the-middle attacks due to the weakness of just 1 of the N CAs.

We propose to address the browser PKI problem by modifying the TLS certificate verification algorithm to use more sources of information about a certificate’s trustworthiness. Doing this will greatly improve the browser’s trust user interface by simultaneously reducing the number of false-positives (confusing warnings about certificates that are actually correct) and false-negatives (failures to warn the user when a man-in-the-middle attack occurs).
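To make the "any one of N CAs" weakness and the proposed remedy concrete, here is an added toy model (not the speaker's code or the actual proposal): the classic rule accepts any chain rooted in one of N trusted CAs, while a multi-source verifier also consults two assumed extra signals, continuity with the certificate previously seen for the host and agreement among independent observers, and only warns or rejects when those signals contradict the presented certificate. The hosts, CA names and fingerprints are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    host: str
    issuer: str       # CA that signed the leaf certificate
    fingerprint: str  # constructed stand-in for a certificate hash


@dataclass
class Verifier:
    trusted_cas: set                               # the N root CAs the browser trusts
    seen: dict = field(default_factory=dict)       # host -> fingerprint seen on earlier visits
    observers: dict = field(default_factory=dict)  # observer -> {host: fingerprint} seen elsewhere

    def single_ca_verdict(self, cert: Cert) -> str:
        """Current browser rule: any one of the N trusted CAs is sufficient."""
        return "accept" if cert.issuer in self.trusted_cas else "reject"

    def multi_source_verdict(self, cert: Cert) -> str:
        """Combine chain validity with two assumed independent signals.

        Each extra signal is True (agrees with the presented cert),
        False (contradicts it) or None (no data available).
        """
        chain = cert.issuer in self.trusted_cas
        prior = self.seen.get(cert.host)
        continuity = None if prior is None else prior == cert.fingerprint
        votes = [v[cert.host] for v in self.observers.values() if cert.host in v]
        corroborated = None if not votes else votes.count(cert.fingerprint) * 2 > len(votes)

        contradictions = [s for s in (continuity, corroborated) if s is False]
        agreements = [s for s in (continuity, corroborated) if s is True]
        if chain:
            if len(contradictions) == 2:
                # Valid chain from a trusted CA, yet the cert differs from what this
                # client and every observer has seen: the single-CA failure mode.
                return "reject"
            return "warn" if contradictions else "accept"
        # Chain does not validate (unknown CA, self-signed); if every other source
        # agrees the cert is the one always served, soften the hard failure.
        return "warn" if len(agreements) == 2 else "reject"
```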