Summary of Rethinking SSL in an Appified World

Upload: boewulf

Post on 02-Jun-2018


    Student Number: 7569534, Student Name: Oga Ajima

    Dept.: ECE, Course: ELG 7178D (Network Security and Cryptography)

    Paper Summary: How Crypto Breaks session, paper #1 - Rethinking SSL Development in an Appified World - Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, Matthew Smith

    The growth of smartphones and tablet devices is changing the way software is developed. One of the major issues developers face is the implementation of SSL, which is used to secure data transfer on the internet. Problems with SSL are not peculiar to one application platform; they are similarly present in both Apple's iOS and Google's Android, even though the two take contrasting approaches (Apple's walled garden and stricter code-auditing process versus Google's open-source approach). These problems leave users vulnerable to man-in-the-middle attacks and the leaking of sensitive information on both platforms.

    The major cause of these problems is developers' lack of understanding of how SSL works. This stems from the complexity of customizing SSL code, which was frustrating; developers were thus willing to use quick fixes taken from online forums without understanding the risk. Handling SSL certificate validation is also a major problem. The use of self-signed certificates during development led to situations where all SSL certificates were accepted in production environments, usually because certificate validation had been turned off. Even apps that relied on frameworks and libraries are at risk because of faulty code generated by the framework. Altogether, the results imply that customization of SSL handling is a major problem for developers.
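A pre-release check for the failure described above, as an added example that is not from the paper or from this summary: a small Python scanner that flags Java source in which certificate or hostname validation has been switched off. The rule names, the `scan` helper and the `ApiClient` sample are constructed for illustration, and the rules are regex heuristics rather than a full Java parser.

```python
import re

# Rule name -> pattern for a Java construct that switches validation off.
# Assumption: these three heuristics are chosen for this example only.
RULES = {
    "empty-checkServerTrusted": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*\{\s*\}"),
    "verify-always-true": re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "allow-all-hostname-verifier": re.compile(
        r"\bALLOW_ALL_HOSTNAME_VERIFIER\b|\bAllowAllHostnameVerifier\b"),
}

def strip_comments(src):
    """Drop Java comments, keeping newlines (naive: also cuts // in strings)."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def scan(src):
    """Return sorted (line, rule) pairs for every validation bypass found."""
    code = strip_comments(src)
    hits = [(code.count("\n", 0, m.start()) + 1, name)
            for name, rx in RULES.items() for m in rx.finditer(code)]
    return sorted(hits)

# Constructed sample: the development shortcut left in a release build.
BAD = """\
public class ApiClient {
    static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a)
                throws CertificateException {
            // self-signed test server, remove before release
        }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    } };
    static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; }
    };
}
"""

if __name__ == "__main__":
    for line, rule in scan(BAD):
        print(f"ApiClient.java:{line}: {rule}")
```

Code that instead loads the development CA into a `KeyStore` and builds its trust managers with `TrustManagerFactory` produces no findings, which keeps self-signed test servers usable without accepting every certificate.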

    An ideal solution that enables developers to use SSL correctly has to offer the needed functionality while still allowing secure applications to be deployed. A change to the way SSL is used is proposed: the OS should provide SSL usage patterns as a service. The new SSL service should offer configurable options that cannot be circumvented. This prevents developers from willfully or accidentally breaking SSL, while at the same time giving them easy access to additional features.

    This is important research, considering the huge number of mobile devices (smartphones and tablets) and their increasing use to access sensitive information online (banking information, online commerce). For a large number of people, especially in developing countries, their first encounter with a computing device will be either a smartphone or a tablet. Many such users are not savvy computer users and hence will not be able to take measures to protect themselves. The problems cited in the paper, especially with regard to developers' struggles with SSL implementation, will most likely be greater in developing countries due to the relative competence of the developers in such countries. Coupled with the fact that there is no indication that a connection to a service (online banking, for instance) has been compromised, and with lax or non-existent laws regarding liability, users in such countries are much more vulnerable.