TLS in 2021

Posted by JD 10/01/2021 at 20:00

Was watching a talk from EuroBSDCon a few days ago by Michael Lucas on TLS in 2021. You can find it here: YT link
Anyway, there were a few slides that really caught my attention:

TLS Doesn’t Do Any Of These Things

  • Add Security
  • Block Intruders
  • Keep Your Credit Card Secret
  • Stop Password Theft

What TLS Does

  • Encrypt traffic between client and server
  • Identify server, client, or both
  • Nothing more.

Weak TLS Versions

  • In early 2021, NSA strongly discourages use of TLS 1.2
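As an added example (my own code, not from the talk or the post), here is what "encrypt" and "identify the server" look like as concrete client settings in Python's ssl module, with the hardened context next to the "encrypt only" context that a "just add a cert" guide tends to leave behind, and a small checker that flags the gap. Function names are my own.

```python
# Added example: what "encrypt" and "identify" look like as concrete client settings.
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Encrypt AND identify the server: chain verified against the trust
    bundle, hostname matched, and nothing older than TLS 1.3 negotiated."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def encrypt_only_context() -> ssl.SSLContext:
    """The configuration a 'just add a cert' guide often leaves behind:
    traffic is encrypted, but the peer is never identified, so an
    interceptor presenting any certificate at all is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def assess(ctx: ssl.SSLContext) -> list:
    """Return findings for a context; an empty list means it encrypts,
    identifies the server, and refuses weak protocol versions."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(
            f"minimum version {ctx.minimum_version.name} still allows TLS 1.2 or older")
    return findings


if __name__ == "__main__":
    for name, builder in (("hardened", hardened_client_context),
                          ("encrypt-only", encrypt_only_context)):
        print(name, assess(builder()) or ["no findings"])
```

Note that the encrypt-only context still produces a padlock-style "encrypted" session; it just cannot tell who is on the other end, which is exactly the distinction the slides draw.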

Two Trust Models

  • Web of Trust
  • Certificate Authority, “CA”

Trust Bundles?

  • Who should we trust?
  • Look through your bundles and decide who you must trust. These are OS dependent. Some browsers bring their own.
  • May want to remove CAs that you don’t need to trust. If you don’t live in China or deal with Chinese companies or people, do you really want/need to trust any CA in Shanghai?
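To make "look through your bundles and decide who you must trust" concrete, here is an added example (my own, not from the talk) that inventories the roots a Python client trusts, grouped by country, and flags the ones a policy excludes plus any already past their notAfter date. The entries use the dict layout that ssl.SSLContext.get_ca_certs() returns; SAMPLE_ROOTS is constructed data with made-up CA names, and the function names are mine.

```python
# Added example: inventory the roots a client trusts and flag the ones a
# policy says it has no business trusting.  Entries follow the dict layout
# ssl.SSLContext.get_ca_certs() returns; SAMPLE_ROOTS is constructed data.
import ssl
import time
from collections import Counter


def rdn_value(name, attr):
    """Pick one attribute (e.g. 'countryName') out of a subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def audit_bundle(certs, unwanted_countries, now=None):
    """Summarise a trust bundle: roots per country, roots in countries the
    policy excludes, and roots already past notAfter (dead weight)."""
    now = time.time() if now is None else now
    by_country = Counter()
    review, expired = [], []
    for cert in certs:
        subject = cert["subject"]
        country = rdn_value(subject, "countryName") or "??"
        org = rdn_value(subject, "organizationName") or "?"
        cn = rdn_value(subject, "commonName") or "?"
        by_country[country] += 1
        if country in unwanted_countries:
            review.append((country, org, cn))
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(cn)
    return {"by_country": dict(by_country), "review": review, "expired": expired}


def system_roots():
    """The roots this Python's default context actually trusts (OS bundle or
    a bundled store, depending on the build)."""
    return ssl.create_default_context().get_ca_certs()


# Constructed sample, not real CAs: three roots, one of them expired.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Inc"),),
                 (("commonName", "Example Root CA 1"),)),
     "notAfter": "Jan 15 00:00:00 2035 GMT"},
    {"subject": ((("countryName", "CN"),),
                 (("stateOrProvinceName", "Shanghai"),),
                 (("organizationName", "Sample Shanghai CA Ltd"),),
                 (("commonName", "Sample Root"),)),
     "notAfter": "Jan 15 00:00:00 2035 GMT"},
    {"subject": ((("countryName", "DE"),),
                 (("organizationName", "Beispiel CA GmbH"),),
                 (("commonName", "Old Root"),)),
     "notAfter": "Jan 15 00:00:00 2015 GMT"},
]


if __name__ == "__main__":
    report = audit_bundle(system_roots(), unwanted_countries={"CN"})
    for country, count in sorted(report["by_country"].items()):
        print(f"{country}: {count}")
    for entry in report["review"]:
        print("review:", entry)
```

Running the main block against the real system bundle gives the per-country census the slide asks for. Actually removing a root is done in the OS or browser store (the mechanism is platform dependent), not in Python; this script only tells you what is there so the decision is an informed one.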

How-To guides need to stop saying that by adding a TLS cert they have somehow “secured the server.” They have not. TLS != Security

Thanks to Michael for conveying this information.