Armin Ronacher: SSL, CAs and keeping your stuff safe

published May 09, 2014

Armin Ronacher talks about SSL, CAs and keeping your stuff safe, at PyGrunn.

See the PyGrunn website for more info about this one-day Python conference in Groningen, The Netherlands.

The title really should have been: a capitalistic and system conformant talk about encryption, but okay, let's talk about SSL.

The problem with programmers is that they think everything is a technical problem.

Let's talk about fraud. What makes credit card numbers secure? Nothing. They are just 16 digits. Some consider it safe to trust you when you know the last four digits.

We accept stolen credit cards. So the protocol is insecure. It is too easy to forget the bigger picture: the process itself is secure.

The 'lock' symbol stands for 'secure'. But you can use that symbol anywhere: it does not prove anything.

'It has encryption, so it is secure?' No, the encryption system used can be very insecure.

Remember why you encrypt. Do you really need SSL on your weblog?

Why do we encrypt traffic? Before Starbucks there was basically no public wifi. They made it possible for agents to attack idiots.

Encryption gives you protection against passive eavesdropping. For active eavesdropping, you need authentication, so people cannot impersonate you or the one you talk to.

Your user does not check fingerprints. Your user just thinks a lock symbol means it is secure.

Enter the Certificate Authorities (CAs). It is a distribution of the trust problem: you trust your browser, they trust certificate authorities, they trust their clients.

Let it be known that CAs are worthless for securing APIs.

Protecting APIs (non-JavaScript) and servers:

  • run your own CA
  • issue certificates for 24 hours
  • trust your own CA only
  • screw revocations

You trust your own CA by distributing its certificate to everybody.

    from requests import get
    resp = get('https://api.yourserver.com/',
               verify='your/certificate.bundle')
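
The four steps above, sketched with the openssl command line as an added example (not code from the talk or from these notes). The CA name, the hostname api.internal.example and the function names are constructed for illustration; the resulting ca.pem is the kind of file the verify= argument above would point at.

```shell
#!/bin/sh
# Added example: private CA plus a 24-hour leaf certificate (constructed names).
set -eu

# Create a self-signed CA key and certificate in directory $1.
make_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a leaf for hostname $2, signed by the CA in $1, valid 1 day (24 hours).
issue_leaf() {
  printf 'subjectAltName = DNS:%s\n' "$2" > "$1/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$1/ca.cnf" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$1/leaf.ext" \
    -out "$1/leaf.pem" 2>/dev/null
}

# Verify leaf $2 against CA file $1 only. -CAfile replaces the default CA
# file; -no-CApath also keeps the system CA directory out of the decision.
verify_leaf() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if certificate $1 is still valid $2 seconds from now.
valid_in() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_leaf "$demo_dir" api.internal.example
verify_leaf "$demo_dir/ca.pem" "$demo_dir/leaf.pem" && echo "leaf chains to the private CA"
valid_in "$demo_dir/leaf.pem" 90000 || echo "leaf is gone within 25 hours, no revocation needed"
```

Reissuing the leaf on a schedule shorter than its lifetime is what stands in for revocation here: a leaked key stops being useful when the certificate lapses.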

"But my awesome AntiVirus says your certificate is not trusted." -- a Windows user.

Revocations do not work in practice.

One shitty employee in one shitty CA is enough to break your security. (Crowd: this actually happened in the Netherlands with Diginotar.)

Soon: Certificate pinning? Changes are happening. Ideas are floating about.

Frack OpenSSL and question 'Best practices'. Not enough people have looked at the OpenSSL code. There is not enough knowledge among developers. Never, ever look at the source code of OpenSSL; wrong defaults, patches. Apple's 'patches' are even worse.

Plan for failure. Plan for things going wrong. What happens when your user gets hacked? Food for thought: keyloggers are still a thing. What happens to your data? What happens to your company?

Security should not be your only defense.

@mitsuhiko at Twitter.