On this Wednesday (09.04.2014) I gave a presentation at OWASP Switzerland chapter. Initially I choose to present an overview of SSL/TLS, which is based on our previous blog article Compass SSL/TLS recommandations. Accidently, the timing with the OpenSSL heartbleed bug was perfect, so the presentation was updated in time with several slides about this current vulnerability.
I want to thank Sven Vetsch for the awesome organization of this event, and all attendees for their attention and interesting discussions. With 30+ people the room was fully booked, which is quite impressive :-)
Presentation download link:
very well summed up presentation. Thanks!
I would add one more conclusion which is related to the CA mess and to Certificate Pinning.
With SSL/TLS you start to secure the upper application protocol layer when the foundation like DNS is still vulnerable. DNSSEC is not only about protecting cache poisoning. DNSSEC implements a new PKI in DNS which can be used by many applications to improve security and SSL/TLS is one of them. Compared to the CA hierarchy mess you only need to trust 3 organizations for your 2nd-Level Domain. Yourself, the TLD and the Root-Zone.
DNSSEC will be the future for secure connection. You can add SSHFP records to your signed zone and enable VerifyHostKeyDNS in your ~/.ssh/config already and forget about manual Fingerprint verification. Add SSL/TLS certificate fingerprints with DANE to your zone to enable Certificate Pinning.
Most client applications are not DNSSEC ready, true. Use OpenSSH from Mac OS X Ports Tree instead of Apple’s version. Install https://www.dnssec-validator.cz/ to your Web-Browser and you have the future now!
Thanks for the feedback Dani! :-)
I was not aware that DNSSEC provided a capability to fix the CA mess. Sadly, trusting your TLD and Root-Zone does not really fix the issue of state-sponsered hacking. But may fix the issue of “weakes-link CA”.
Can this also be used to improve the revoking of certificates?
With DANE, you as the DNS zone owner decides who or what to trust. You can specify the issuing CA, the whole chain or only your specific SSL certificate. So, in that sense, yes it also improves revocation.
Btw: there are many other applications taking advantage of the DNSSEC (PKI) to enhance security. DNSSEC + DKIM is another one for mail.