Explore the critical vulnerabilities in HTTPS security and the chain of trust in this thought-provoking JSConf EU 2017 talk. Delve into the concept of the "weakest link" in digital security - private keys - and how their potential compromise undermines the entire trust model. Examine the scalability of digital copies compared to physical ones, and learn how to detect potential private key duplications through TLS handshake time measurements. Understand the limitations of CA Certificates and PKI in maintaining private key integrity. Conclude by questioning current digital identity management practices and considering potential solutions to rebuild trust in online security.
Overview
Syllabus
Intro
What happens to your trust when you know that there are copies of your door key?
PHYSICAL copies do not scale. DIGITAL copies scale. And every copy is perfect!
How do we detect copies of private keys from the outside?
Measure: TLS handshake time
Q.E.D. THERE ARE COPIES OF KEYS!
Q.E.D THERE ARE COPIES OF KEYS!
CA Certificates PKI are only built to maintain the integrity of the public keys!
The integrity of the private key is untouched by the CA/PKI infrastructure
Conclusion: THE WEAKEST LINK is THE PRIVATE KEY of our partner
QUESTION: Is there a solution to maintain the private keys integrity along the PKI implementations?
Taught by
JSConf
