![]() ![]() ‘It’s not everything, but so long as you click that padlock you have some confidence about safety – it’s the most basic thing,’ he said.īesides, internet users are not only worried about hackers. Usually, personal data gets into the wrong hands because of bugs in software – what Dr Bhargavan’s group was working on to begin with – or human error.īut Dr Bhargavan believes there is reassurance in knowing that the underlying protocol is secure. It is true that for most online security breaches, TLS is not to blame. ![]() So how much safer are internet users as a result? ‘So long as you click that padlock you have some confidence about safety.’ Dr Karthikeyan Bhargavan, INRIA, France Since then it has been implemented by major internet browsers such as Mozilla Firefox and Google Chrome. TLS 1.3 was officially launched in August 2018. ‘Dr Bhargavan was a key player in that effort,’ said Rescorla who oversaw TLS at the IETF at the time of the work. His group was also part of a broad collaboration within the internet community, overseen by an IETF working group, to construct the more secure, and man-in-the-middle-proof successor that is TLS 1.3, using modern algorithms and techniques. Still, he says that his group discovered some of the most surprising flaws in TLS1.2, which he believes may have been the ‘final nails in the coffin’ for the protocol. There were four or five other research groups unearthing problems with the current protocol, pushing one another along, he says, in a healthy rivalry. Nevertheless, the Internet Engineering Task Force (IETF), an international organisation promoting internet standards, judged the threat to be sufficiently serious to warrant a new version of the cryptographic protocol.ĭr Bhargavan points out that he was far from the only computer scientist to prompt the revision. Such a hacker would need great expertise and computational power, that of a government agency, for example, as well as access to some of the physical infrastructure close to the key actors. ‘Or I could pretend to be Apple or Google, and download (insert) malware via a software update to get access to people’s computers.’ ‘If, as the person in the middle, I was successful, I could potentially steal someone’s payment details,’ he continued. ‘Typically, the person in the middle would have to send weird messages to each actor to lure them into a buggy part of the code.’ ‘It would have to be a fairly complex sequence of actions,’ explained Dr Bhargavan. The attacks revealed that it was possible to be a ‘man in the middle’ between an internet user and a service provider, such as Google, and thereby steal that user’s data. ‘At some point, we realised they weren’t,’ he said.Īfter discovering some shaky lines of code, the researchers worked with Microsoft Research and took on the role of hackers, performing some simulated attacks on the protocol to test the extent of its vulnerability. To improve security at the software level, however, Dr Bhargavan and colleagues had to thoroughly check that the underlying assumptions about TLS1.2 – that it had no serious flaws – were justified. Usually, software developers rely on TLS like a builder relies on a scaffold – in other words, they take its safety for granted. After that, many experts believed that the latest incarnation, TLS1.2, was safe enough for the foreseeable future, until researchers such as Dr Karthikeyan Bhargavan and his colleagues at the French National Institute for Research in Digital Science and Technology (INRIA) in Paris came along.Īs part of a project called CRYSP, the researchers had been working on ways to improve the security of software applications. In the two decades leading up to 2018, there were five overhauls of TLS to keep pace with the sophistication of online attacks. ‘It’s the most popular security protocol on the internet, securing essentially every e-commerce transaction,’ Eric Rescorla, chief technology officer at US technology company Mozilla, told Horizon over email. Authentication, so that your data goes where you think it is going encryption, so that it does not go anywhere else and integrity, so that it is not tampered with en route. In fact, TLS guarantees security on three fronts: authentication, encryption and integrity. Behind that little padlock is cryptographic code that guarantees the security of data passing between you and, for example, the website you are looking at.
0 Comments
Leave a Reply. |