TLS is completely broken in many applications

Research has demonstrated that developers often make mistakes when using TLS. Frequent mistakes include not properly validating the server’s certificate or configuring TLS improperly.

The root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries.

The most dangerous code in the world: validating SSL certificates in non-browser software. Martin Georgiev et al., 2012 ACM CCS

The Secure Socket API makes TLS easy

int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS);

Policy Control

A system administrator or OS vendor can deploy TLS policy for machines and devices, such as minimum allowed TLS version and ensuring only strong cipher suites are used.

# Minimum TLS version
MinProtocol: "1.1"

# CipherSuite is the order of preferred cipher suites to use
# ! means disabled


TrustBase enables a system administrator or OS vendor to ensure applications validate certificates properly. For example, policy can require revocation checking or use of Certificate Transparency, independently of the application being used.

Patch Broken Systems

The Secure Socket API, and its associated system policy, can be enforced on applications that dynamically load a security library such as OpenSSL.


This project is supported by the National Science Foundation under Grant No. 1528022, by the Department of Homeland Security Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) under contract number HHSP233201600046C, and by Sandia National Laboratories, a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC., a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA-0003525.

Any opinions, findings, and conclusions or recommendations expressed in this work are those of the author(s) and do not necessarily reflect the views of the sponsors.