Google: Maintaining digital certificate security

Posted Mar 26, 2015 19:07 UTC (Thu) by kleptog (subscriber, #1183)
In reply to: Google: Maintaining digital certificate security by Cyberax
Parent article: Google: Maintaining digital certificate security

> Then there's an ability to use session tickets to resume TLS connections without a full renegotiation. I'm pretty sure that there are vulnerabilities still undiscovered there, since pretty much nobody actually uses them yet lots of servers inherit it from OpenSSL.

Eeh, what? Resuming SSL sessions is used a lot. You need it to get any kind of performance out of an HTTPS site. See this bug enabling it in Firefox in 2008.
https://bugzilla.mozilla.org/show_bug.cgi?id=415033

TLS isn't perfect, but it's come a long way as the knowledge of cryptography has improved. The installed base is not to be sneezed at and we're getting a lot better at pushing out updates.

Google: Maintaining digital certificate security

Posted Mar 26, 2015 19:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Here's a good explanation: https://timtaubert.de/blog/2014/11/the-sad-state-of-serve...

And no, in practice they're not used that often.