Dept.: ECE, Course: ELG 7178D (Network Security and Cryptography)
Paper Summary: How Crypto Breaks session, paper #1 - Rethinking SSL Development in an Appified World - Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, Matthew Smith The growth of smartphones and tablet devices is changing the way of software development. one of the major issues developers face is in the implementation of SSL which is used to secure data transfer on the internet. problems with SSL are not peculiar to one application platform; rather they are similarly present in both Apples iOS and Googles android even though they both employ contrasting approaches (the walled garden and stricter code auditing process of Apple to Googles open source approach). These problems leave users vulnerable to man-in-the-middle attacks and the leaking of sensitive information on both platforms. The major cause of these problems is the lack of understanding by developers of how SSL works. This is because of the complexity in customizing SSL code, which was frustrating, and developers were thus willing to use quick fixes gotten from online forums without understanding the risk. Handling SSL certificate validation is also a major problem. The use of self-signed certificates during development led to situations where all SSL certificates were accepted in production environments usually by turning off certificate validation. Even apps that relied on frameworks and libraries are also at risk because of faulty code generated by the framework. Altogether, results imply that customization of SSL handling is a major problem for developers. The provision of an ideal solution to enable developers use SSL correctly has to offer needed functionality and being able to deploy secure applications at the same time. A change to the way SSL is used is being proposed. The OS as a service should provide SSL usage patterns. Configurable options for the new SSL service that cannot be circumvented should be provided. This prevents developers from willfully or accidentally breaking SSL, while at the same time giving them easy access to additional features. This is an important research considering the huge number of mobile devices (smartphones and tablets) and their increasing use to access sensitive information (banking information, online commerce) online. For a large number of people, especially in developing countries, their first encounter with a computing device will be either a smartphone or tablet. A lot of such users are not savvy computer users and hence will not be able to take measures to protect themselves. The problems cited in the paper especially with regards to developer struggles with SSL implementation will most likely be greater in developing countries due to the relative competence of the developers in such countries. This coupled with the fact that there is no indication that a connection to a service (online banking for instance) has been compromised and lax/non-existent laws regarding liability, users in such countries are much more vulnerable.