Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Posted Mar 25, 2015 19:15 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)In reply to: Google: Maintaining digital certificate security by dlang
Parent article: Google: Maintaining digital certificate security
Then there's an ability to use session tickets to resume TLS connections without a full renegotiation. I'm pretty sure that there are vulnerabilities still undiscovered there, since pretty much nobody actually uses them yet lots of servers inherit it from OpenSSL.
So yes, I think the world would be better with plain text HTTP - we might actually get a simple and secure transport protocol instead of the TLS mess.
Posted Mar 26, 2015 19:07 UTC (Thu)
by kleptog (subscriber, #1183)
[Link] (1 responses)
Eeh, what? Resuming SSL sessions is used a lot. You need it to get any kind of performance out of an HTTPS site. See this bug enabling it in Firefox in 2008.
TLS isn't perfect, but it's come a long way as the knowledge of cryptography has improved. The installed base is not to be sneezed at and we're getting a lot better at pushing out updates.
Posted Mar 26, 2015 19:09 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
And no, in practice they're not used that often.
Google: Maintaining digital certificate security
https://bugzilla.mozilla.org/show_bug.cgi?id=415033
Google: Maintaining digital certificate security