Research has demonstrated that developers often make mistakes when using TLS. Frequent mistakes include not properly validating the server’s certificate or configuring TLS improperly.
The root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries.
int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS);
# Minimum TLS version MinProtocol: "1.1" # CipherSuite is the order of preferred cipher suites to use # ! means disabled CipherSuite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
The Secure Socket API, and its associated system policy, can be enforced on applications that dynamically load a security library such as OpenSSL.
This project is supported by the National Science Foundation under Grant No. 1528022, by the Department of Homeland Security Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) under contract number HHSP233201600046C, and by Sandia National Laboratories, a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC., a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA-0003525.
Any opinions, findings, and conclusions or recommendations expressed in this work are those of the author(s) and do not necessarily reflect the views of the sponsors.