N S B-B T T R A I Tom Ritter —
[email protected] iSEC Partners, Inc 123 Mission Street, Suite 1020 San Francisco, CA 94105 https://www.isecpartners.com March 15, 2012 Abstract Improvements to Browser Security, TLS, and Public Key Infrastructure have been appearing at an astonishing rate in the past few years. Standards are proposed in the IETF in Web Security, Public Key Infrastructure, TLS, and DNS Working Groups and similarly in the W3C Working Groups. Proposals for replacing Certificate Authorities, or improving them, are presented alternately on any one of two dozen mailing lists, at conferences on opposite sides of the globe, and in standards bodies. This paper first presents a survey of improvements being made to Browsers, HTTP, and Javascript, noting what will be effective and what won’t. Methods for leveraging DNSSEC for improved authentication for different protocols are covered and improvements to TLS are presented covering protocol revisions, extensions, and techniques for using it to improve identity management. Finally a survey of all the proposals about replacing or improving CAs is done, and the commonalities and core concepts of them are drawn out and presented. This paper is likely to undergo editorial and content improvements. The most recent version will be available at http://ritter.vg/p/2012-TLS-Survey.pdf. 1 I are covered. When speaking with individuals participating through- out this ecosystem - administrators of web sites, the 2 B S engineers behind browsers, researchers testing, break- ing, and deploying protocol enhancements - a common In the last several years we’ve seen an explosion of web- phrase has been heard when speaking of the past few based vulnerabilities being exploited: the most common years: ”Things are moving really fast.” While it may seem four being cross site scripting, SQL injection, cross-site that there is tremendous inertia of web servers not up- request forgery, and clickjacking.