SSL And The Future Of Authenticity presented at Defcon19 2011

by Moxie Marlinspike,

Summary : In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it's amazing that SSL has endured for as long as it has, some parts of it -- particularly those concerning Certificate Authorities -- have always caused some friction, and have recently started to cause real problems. This talk will examine authenticity within SSL, shed new light on the current problems, and cover some new strategies for how to move forward.