Student Number: 7569534, Student Name: Oga Ajima

Dept.: ECE, Course: ELG 7178D (Network Security and Cryptography)


Paper Summary: How Crypto Breaks session, paper #1 - Rethinking SSL Development in an Appified World - Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, Matthew Smith

The growth of smartphones and tablet devices is changing the way software is developed. One of the major issues developers face is the implementation of SSL, which is used to secure data transfer on the internet. Problems with SSL are not peculiar to one application platform; they are similarly present in both Apple's iOS and Google's Android, even though the two employ contrasting approaches (the walled garden and stricter code auditing process of Apple versus Google's open-source approach). These problems leave users on both platforms vulnerable to man-in-the-middle attacks and to the leaking of sensitive information. The major cause of these problems is developers' lack of understanding of how SSL works. Customizing SSL code was complex and frustrating, so developers were willing to use quick fixes taken from online forums without understanding the risk. Handling SSL certificate validation is also a major problem: the use of self-signed certificates during development led to situations where all SSL certificates were accepted in production environments, usually by turning off certificate validation. Even apps that rely on frameworks and libraries are at risk, because of faulty code generated by the framework. Altogether, the results imply that customization of SSL handling is a major problem for developers.

An ideal solution that enables developers to use SSL correctly has to offer the needed functionality while still allowing secure applications to be deployed. The paper proposes a change to the way SSL is used: the OS should provide SSL usage patterns as a service, with configurable options for the new SSL service that cannot be circumvented. This prevents developers from willfully or accidentally breaking SSL, while at the same time giving them easy access to additional features.
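The two patterns described above, the "accept everything" quick fix that disables certificate validation after self-signed development certificates were used, and a service whose configuration offers no way to switch validation off, contrasted in an added example. This is illustrative code written for this summary, not from the paper or from either platform; `build_client_context` and its "production"/"development" profiles are a hypothetical policy layer built on Python's standard `ssl` module.

```python
import ssl


def accept_all_context():
    """The forum 'quick fix' the paper describes: a client that never
    validates the server certificate. A man-in-the-middle can present
    any forged certificate and the app will happily talk to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # validation off: the root cause
    return ctx


def build_client_context(profile, dev_ca_path=None):
    """Hypothetical non-circumventable policy layer: only two profiles
    exist, and neither of them can turn certificate validation off.

    "production"  -> system trust store, CERT_REQUIRED, hostname check
    "development" -> the team's own self-signed CA file is trusted in
                     place of the system store, but validation stays on
    """
    if profile == "production":
        # create_default_context() sets CERT_REQUIRED and check_hostname
        return ssl.create_default_context()
    if profile == "development":
        if not dev_ca_path:
            raise ValueError("development profile requires a dev CA file")
        # loads only the dev CA; raises if the file does not exist
        return ssl.create_default_context(cafile=dev_ca_path)
    raise ValueError(
        f"unknown profile {profile!r}; disabling validation is not an option"
    )


def validates_peer(ctx):
    """Audit helper: True only if the context rejects certificates that do
    not chain to a trusted CA and checks the name in the certificate
    against the hostname being connected to."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```

The audit helper is the kind of check a code review or automated scan can run over every TLS context an app creates: any context for which it returns False is the bug the paper found in the wild.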
This is important research considering the huge number of mobile devices (smartphones and tablets) and their increasing use to access sensitive information (banking information, online commerce) online. For a large number of people, especially in developing countries, their first encounter with a computing device will be either a smartphone or a tablet. Many such users are not savvy computer users and hence will not be able to take measures to protect themselves. The problems cited in the paper, especially with regard to developer struggles with SSL implementation, will most likely be greater in developing countries due to the relative competence of the developers in such countries. Coupled with the fact that there is no indication to the user that a connection to a service (online banking, for instance) has been compromised, and with lax or non-existent laws regarding liability, this makes users in such countries much more vulnerable.