TLS in 2021
I was watching a talk from EuroBSDCon a few days ago by Michael Lucas on TLS in 2021. You can find it at the YT link.
Anyway, there were a few slides that really caught my attention:
TLS Doesn’t Do Any Of These Things
- Add Security
- Block Intruders
- Keep Your Credit Card Secret
- Stop Password Theft
What TLS Does
- Encrypt traffic between client and server
- Identify server, client, or both
- Nothing more.
Weak TLS Versions
- In early 2021, the NSA strongly discouraged the use of TLS 1.2
Two Trust Models
- Web of Trust
- Certificate Authority, “CA”
Trust Bundles?
- Who should we trust?
- Look through your bundles and decide whom you must trust. These are OS-dependent. Some browsers bring their own.
- You may want to remove CAs that you don’t need to trust. If you don’t live in China or deal with Chinese companies or people, do you really want/need to trust any CA in Shanghai?
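As an added example (my own, not code from the talk or from Michael), here is the bundle audit above in Go: it walks a PEM trust bundle, drops every root whose subject country is on a list you choose, and reports what it removed so you can review the decision. The two roots are constructed in the code itself; reading your real OS bundle (for example /etc/ssl/cert.pem) instead is an assumption about where your system keeps it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PruneBundle walks a PEM trust bundle, drops every certificate whose subject
// country is in dropCountries, and returns the reduced bundle plus the removed subjects.
func PruneBundle(bundle []byte, dropCountries map[string]bool) (kept []byte, removed []string, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip non-certificate PEM blocks (e.g. OpenSSL "TRUSTED CERTIFICATE")
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, fmt.Errorf("bad certificate in bundle: %w", err)
		}
		if len(cert.Subject.Country) > 0 && dropCountries[cert.Subject.Country[0]] {
			removed = append(removed, cert.Subject.String())
			continue
		}
		kept = append(kept, pem.EncodeToMemory(block)...)
	}
	return kept, removed, nil
}

// makeRoot builds a constructed self-signed CA certificate standing in for a bundle root.
func makeRoot(cn, country string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: cn, Country: []string{country}},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Demo: a constructed US root and a constructed CN root; drop everything from CN.
	_, removed, err := PruneBundle(append(makeRoot("Example Root CA", "US"), makeRoot("Example Shanghai Root", "CN")...), map[string]bool{"CN": true})
	fmt.Println("removed:", removed, "err:", err)
}
```

Pruning by subject country is a coarse first cut; the list of removed subjects is there so you can eyeball each root before writing the reduced bundle back.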
How-to guides need to stop saying that adding a TLS cert has somehow “secured the server.” It has not. TLS != Security
Thanks to Michael for conveying this information.