TLS certificate verification in practice
Description
To ensure the security of TLS connections, it is important that clients properly verify server certificates. In practice, researchers have found that this is not always the case (see references below). While some of the most severe issues have been fixed, the certificate verification process still varies greatly between applications.
The goal of this thesis is to assess how certificate verification is done in browsers, operating systems, programming languages, and libraries. The thesis should propose a “check list” of security features (e.g. certificate revocation checking, expression of additional constraints, …) and use this to assess widely-deployed implementations.
References
- Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., and Shmatikov, V. The Most Dangerous Code in the World: Validating SSL Certificates in Non-browser Software. In Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 2012, pp. 38–49.
- Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., and Smith, M. Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 2012, pp. 50–61.
- Stenberg, D. Lesser HTTPS for Non-Browsers. 2017. https://daniel.haxx.se/blog/2017/01/10/lesser-https-for-non-browsers/.