Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

curl and TLS #MeraKrypto


Published on

curl and TLS

Slides for my talk at MeraKrypto April 29 2014

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

curl and TLS #MeraKrypto

  1. 1. #MeraKrypto TLS and curl Daniel Stenberg, April 29th 2014
  2. 2. Agenda curl TLS http2 Future
  3. 3. Daniel Stenberg Email: Twitter: @bagder Web: Blog: network hacker at
  4. 4. Please ask! Feel free to interrupt and ask at any time!
  5. 5. If I say SSL I mean TLS I tend to use the terms interchangeably
  6. 6. curl • curl is a tool I made • born around 1998 • widely used for REST, downloads, scripted transfers and more • I expect everyone here to already know about it! • Added TLS support 1999 • Uses TLS for HTTPS, FTPS, POP3S, IMAPS, SMTPS, LDAPS and RTMPS • 100% free and open source - join us!
  7. 7. libcurl 2014 •The engine of the curl tool •The world's most used, most portable and most feature complete URL transfer library •Empowers cars, set-top boxes, printers, routers, Bluray players, TV sets, phones, tablets, games, web sites and a bus load of other use case. •Used by hundreds of well known companies and brands •Some 500 million users •Written in C •More than 40 bindings - for every language you can think of
  8. 8. TLS in libcurl •supports 10 different TLS back-ends •They differ in platform support, footprint, features, license and performance •Designed to be almost invisible to the user •Allows applications to add TLS secured transfers to their applications with no effort •libcurl itself often built upon by other layers
  9. 9. The libcurl usage mistake #1 Reminder unauthenticated TLS is not secure
  10. 10. The libcurl usage mistake #1 “Verify peer” and “verify host” •“but I just want encryption” •“but I can't afford a certificate” •“but it is annoying to my users” •“but it works just fine even if I disable it” •“but I don't need a client certificate”
  11. 11. TLS obstacles Over time, the course gets harder The large set of obstacles are increasing and becoming harder to climb TLS-fronting applications need to care
  12. 12. The TLS obstacle course SSLv2 SSLv3 < TLS1.2 BEAST CRIMERC4 MD5 Broken CAs Wildcard matching Verify cert Profit! ???
  13. 13. CA cert bundle Needed to verify server cert Which Certificate Authorities do you trust? Did you edit your CA cert bundle today? The curl site offers a bundle converted from Mozilla sources Maintaining an own set is lots of work
  14. 14. No end to TLS in sight •TCP improvements are discussed •TLS improvements are discussed •TCP replacements are discussed •CA and cert improvements are discussed •TLS replacements are not discussed •HTTP improvements are discussed...
  15. 15. http2 •http2 is the new HTTP, arriving late 2014 •not yet set in stone •changes the over-the-wire data format •same old http:// and https:// URLs
  16. 16. Will http2 fix HTTPS? •attempts were made to make TLS mandatory •fought by proxies, small-products and “surveillance friendly” parties •pushed by user-centric browser vendors •Firefox and Chrome will only do http2 over TLS •IE will do plain-text
  17. 17. Opportunistic TLS •Alt-Svc: and ALTSVC •“You can also find this content over here =>” •Optional •Allows http:// over TLS! •Debated
  18. 18. Future •Further TLS obstacles and problems •TLS 1.3 •DANE •tcpcrypt
  19. 19. Thank you!
  20. 20. Learn more! •curl and libcurl: •http2 explained: •Curl's TLS support compared:
  21. 21. Doing good is part of our code