Nytro

SSL/TLS in a post-PRISM era

SSL/TLS IN A POST-PRISM ERA

This is a collection of information related to the security of Secure Socket Layer (SSL) and Transport Layer Security (TLS). The aim of this page is to keep track of the current limitations and security problems in SSL/TLS and HTTPS. The biggest unsolved problem is the trust model of the Certification Authorities. All of these problems have been known for some time. These problems are mainly discussed and talked about at special security conferences to an audience that only contains security experts. These issues are rarely discussed with the general public or developers who use SSL/TLS in their projects. We aim to raise awareness of these problems outside of the security community.

Contents

  1. Introduction
    1. What is SSL/TLS and CA
    2. The biggest problem with SSL/TLS
    3. ROOT-CA Security Breaches
      1. Dutch CA DigiNotar
      2. Etisalat
      3. NSA's PRISM project
      4. Other Incidents
  2. Attacks
    1. Self Signed Certificates
    2. SSL Strip
  3. Other Problems
    1. Weak Certificate Keys
    2. Disconnected Security Community
  4. Solutions
    1. Online Certificate Status Protocol
    2. CA Regulation
    3. HTTP Strict Transport Security
    4. EFF HTTPS Everywhere
    5. Certificate Pinning
    6. Double Signed Certificates
    7. Reverse Fingerprint
    8. SSL Sovereign Keys
    9. RFC 6962 Certificate Transparency
    10. SSL Convergence
    11. DNS-SEC
    12. DANE
  5. Summary of best known immediate solution
    1. BCP or RFC
    2. for HTTPS
    3. For Certificate Verification in General
    4. for applications in general
  6. Further Reading

Source: https://wiki.thc.org/ssl
