Improving Application Security through TLS-Library Redesign

Authors

  • Leo St. Amour
  • W. Michael Petullo
Abstract

Research has revealed a number of pitfalls inherent in contemporary TLS libraries. Common mistakes when programming using their APIs include insufficient certificate verification and the use of weak cipher suites. These programmer errors leave applications susceptible to man-in-the-middle attacks. Furthermore, current TLS libraries encourage system designs which leave the confidentiality of secret authentication and session keys vulnerable to application flaws. This paper introduces libtlssep (pronounced lib·tē·el·sep), a new, open-source TLS library which provides a simpler API and improved security architecture. Applications that use libtlssep spawn a separate process whose role is to provide one or more TLS-protected communication channels; this child process assures proper certificate verification and isolates authentication and session keys in its separate memory space. We present a security, programmability, and performance analysis of libtlssep.


Similar resources

IPRO: an iterative computational protein library redesign and optimization procedure.

A number of computational approaches have been developed to reengineer promising chimeric proteins one at a time through targeted point mutations. In this article, we introduce the computational procedure IPRO (iterative protein redesign and optimization procedure) for the redesign of an entire combinatorial protein library in one step using energy-based scoring functions. IPRO relies on identi...


Team Members:

Secure Sockets Layer (SSL) and, more recently, its successor Transport Layer Security (TLS) are foundational technologies of secure communications on the Internet. Secure web browsing, Virtual Private Networks (VPN), and other secure protocols (such as SFTP and SSH) leverage TLS to ensure the privacy of their communications. To meet the needs of software developers, many libraries have been cre...


Breaking and Fixing Authentication over TLS

TLS was designed as a transparent channel abstraction to allow developers with no cryptographic expertise to protect their application against attackers that may control some clients, some servers, and may have the capability to tamper with network connections. However, the security guarantees of TLS fall short of those of a secure channel, leading to a variety of attacks. We show how some wide...


A Coq Starter Kit to Verify TLS Packet Processing in C

TLS is such a widespread security protocol that errors in its implementation can have disastrous consequences. This heavy responsibility is mostly borne by programmers who are almost left to themselves, caught between error-prone low-level programming with C and specifications with the ambiguities of natural language. Our purpose is to provide a Coq framework for the formal verification of TLS ...


Detecting Bot Networks Based On HTTP And TLS Traffic Analysis

Abstract— Bot networks are a serious threat to cyber security, whose destructive behavior affects network performance directly. Detecting infected HTTP communications is a big challenge because infected HTTP connections are clearly merged with other types of HTTP traffic. Cybercriminals prefer to use the web as a communication environment to launch application layer attacks and secretly enga...




Publication date: 2015