%
% Landing page
% - Recall TLS from last lecture
% - Encrypted tunnel between client-server
% - Authenticate client, server, or both; trust anchors hand-waved
% - Today is about how to authenticate servers in the web's PKI
% - Key point of the picture: any of the many CAs the browser trusts can
%   issue a certificate for google.com, so one compromised CA (DigiNotar,
%   2011, see footnote) breaks the guarantee for everyone (weakest link)
%
\begin{frame}
\mktitle{Are we really connected to the real Google?}
\begin{tikzpicture}
  \node[draw=none] (Login) at (0,0) {\includegraphics[height=0.8\textheight]{img/login}};\pause
  %\node[draw=none] (Lock) at (0,0) {\includegraphics[height=0.8\textheight]{img/lock}};\pause
  \node[draw=none] (Licence) at (Login.170) {\includegraphics[height=0.2\textheight]{img/certificate}};\pause
  \node[draw=none] (CAs) at (Login.10) {\includegraphics[height=0.2\textheight]{img/cas}};
  \node[draw=none,below=0cm of CAs] (Text) {\dots and many more};\pause
  \node[draw=none,below=0cm of Text] (Fire) {\includegraphics[height=0.1\textheight]{img/fire}};
\end{tikzpicture}
\footnotetext[1]{\tiny{Summary of the DigiNotar incident: \url{https://www.enisa.europa.eu/media/news-items/operation-black-tulip/} (2011)}}
\end{frame}

\begin{frame}
\mktitle{Learning outcomes}
\begin{columns}
  \begin{column}{0.33\textwidth}
    \centering\includegraphics[width=\columnwidth]{img/certificate}\\
    \textbf{X.509 certificates}\\
    Format, fields, \dots
  \end{column}
  \pause
  \begin{column}{0.33\textwidth}
    \centering\includegraphics[width=\columnwidth]{img/cas}\\
    \textbf{Certificate Authorities}\\
    Ecosystem, validation, \dots
  \end{column}
  \pause
  \begin{column}{0.33\textwidth}
    \centering\includegraphics[width=\columnwidth]{img/ct}\\
    \textbf{Certificate Transparency}\\
    Theory, practice, \dots\\
  \end{column}
\end{columns}
\pause
\vfill\alert{Why is this useful for me?}
% 1. You will likely encounter websites in one form or another.  A site
%    that's not working due to certificate errors; you need to get your own
%    certificate for your site; etc.  What should you get, why, and how?
%    What steps are expected to keep your site's certificate secure?
% 2. Next time we will generalize.
%    The technology surrounding certificate
%    transparency is useful for a myriad of applications.  Firmware, Go
%    modules, official documents, etc.
\end{frame}

\begin{frame}
\mktitle{Middle part---Chronological}
\centering\includegraphics[width=\textwidth]{img/outline}
\end{frame}

\begin{frame}
\mktitle{Middle part---Segue to the end}
CT logs and monitoring $\rightarrow$ no \emph{undetected} DigiNotar-style attacks
% Caveat to say out loud: CT gives detection, not prevention.  A mis-issued
% certificate is still accepted by clients until someone notices it in the
% logs and gets it revoked, and "someone" only exists if the domain owner
% actually monitors the logs (cf. "Monitor your own websites" on the
% take-away slide).
\end{frame}

\begin{frame}
\mktitle{Middle part---Example of engagement}
\begin{description}
  \item[]\textbf{Select all statements that are true:}
  \item[$\square$] An X.509 certificate proves ownership of a website
  \item[$\square$] An EV certificate is more secure than a DV certificate
  \item[$\square$] Only Swedish CAs can issue \texttt{.se} certificates
  \item[$\square$] There are hundreds of CAs across the globe
\end{description}
\end{frame}

\begin{frame}
\mktitle{Take away}
\begin{columns}
  \begin{column}{0.5\textwidth}
    \begin{itemize}
      \item X.509 certificates
        \begin{itemize}
          \item ``Driver's licence for websites''
          \item Am I connected to the right site?
        \end{itemize}
      \item Certificate Authorities (CAs)
        \begin{itemize}
          \item ``Transportstyrelsen for websites''
          \item DV/OV/EV validated certificates
          \item Weakest-link security
            % any trusted CA can issue for any domain, so the ecosystem is
            % only as strong as its least careful CA
        \end{itemize}
      \item Certificate Transparency (CT)
        \begin{itemize}
          \item Holds CAs accountable (detection, not prevention)
          \item Enforced by Chrome, Safari, Edge
          \item Monitor your own websites
        \end{itemize}
    \end{itemize}
  \end{column}
  \begin{column}{0.5\textwidth}
    \includegraphics[width=\columnwidth]{img/crt}
  \end{column}
\end{columns}
\end{frame}