Now this is Hanno Böck. I think a lot of you probably already know him, because he's a well-known journalist and most of you have probably read something in a lot of magazines where he is writing. He will speak about "TLS interception considered harmful". So this is about HTTPS, and this is not only encryption. It's also about the identities, and whom we trust, and who decides whom we trust, and how this can be attacked as well. Have fun.

Hello. Yeah, so TLS interception. This is a problem that came up earlier this year, when there was software called Superfish that got detected and that had a very severe security vulnerability. But this also highlighted kind of an issue, that a lot of software pieces are doing this, and it's a quite questionable way of doing things. I wanted to provide an overview about this issue and get a bit deeper into it.

Quickly about myself: as she already said, I'm a journalist, mainly writing for the German IT news magazine Golem, but right now I'm also doing some IT security work for the Core Infrastructure Initiative from the Linux Foundation, and mainly I do fuzzing there. So I'm trying to improve the software that you're running on your computers.

So I want to go a step back and talk a bit in general about TLS and the kind of discussions we had in the past five years, where we had a lot of vulnerabilities. You've probably heard about some of them. We had Heartbleed, which had most attention, but we also had things like BEAST, CRIME, Lucky 13, POODLE, so many of them. So we got a lot of attention about the security of TLS encrypted connections, and there are also some things to learn from that.

One example was the so-called BEAST vulnerability. When the BEAST vulnerability was presented, it was already a known issue that older versions of TLS had some issue with the CBC mode, which is the encryption mode for the symmetric encryption. So there was already a fix available, but back then most people still used the old TLS 1.0
version, and still today a lot of web pages only support TLS 1.0. So one possible fix is to use a newer TLS version that doesn't have this issue, and there's also a workaround: if you do a certain kind of splitting of your data packets, then this vulnerability doesn't happen.

Then there was an issue called CRIME, which was that, due to compression in TLS, that would leak information about the data inside. The relatively trivial solution is: don't use TLS compression. It gets a bit tricky because HTTP also has compression, and it has similar issues, and it's a bit harder to fix it there. What's also interesting here is that again we have an issue that's part of the protocol. So it's not that there's a bug in the software, but it's the TLS protocol itself that had a security issue.

And then we had Lucky 13, which was an issue with the way that TLS combines the MAC and the padding and the encryption, and in which order it does it. Generally, today we consider the only safe way to combine the different things is to first encrypt and then do a MAC. The MAC is there to guarantee that the package has not been manipulated. And there was a timing side channel: by checking what kind of error occurred on a connection, an attacker could find out something about the key. So the workaround for it is to do everything timing safe, but this is very hard, and the solution would be not to use these encryption modes anymore that have this weakness. There's currently only one encryption algorithm specified in TLS that doesn't have this weakness, which is AES in the GCM mode. There's also RC4, but that has other weaknesses, so we don't want to use that as well.

And then there was POODLE, which was a vulnerability in the very old SSL version 3, which kind of was, okay, it shouldn't be a problem because it's so old.
Nobody should be using it, but a lot of people were still using it, and there was also a downgrade attack you could do. But then there was something interesting: there were some devices that actually had the same vulnerability also in TLS. The issue was that in the old SSL version 3 there was a padding, and it was not defined what's inside this padding. So you could have arbitrary values in that, and that somehow could be used for an attack. TLS defined that this padding must be a specific value, but some implementations didn't check that. So they managed kind of to port the vulnerability from the old protocol to the new protocol by doing a bad implementation.

And then we had some debate about something called forward secrecy. That's a feature of encryption technologies where you generate a key for each connection, and the idea there is that you destroy that key after the connection. Then, if your private key later gets stolen, it doesn't have such a high impact, because the connections from the past still cannot be decrypted. Now, there are modes in TLS that have forward secrecy and others that don't, but there's really no good reason not to use forward secrecy. And it's now also agreed upon that the future version, TLS 1.3, will only have forward secrecy modes, and the modes without forward secrecy will be removed.

Yeah, so that's kind of the debate we had on TLS in the past years.
There were some more vulnerabilities, but some of the lessons to learn here: we have security bugs in the protocol, which means that even if you implement the protocol as it's written in the standard, you may have security vulnerabilities. So you need to know about all these workarounds and what to disable to have a safe version of TLS today. And only the very latest TLS 1.2, with the GCM mode and with forward secrecy, is really considered up-to-date crypto and considered safe these days. But you still need to support, more or less, TLS 1.0, because there are still so many servers on the internet that, if you would disable that, you couldn't surf a lot of web pages. But that's kind of tricky, because you have these timing issues and these record splitting issues. So if you want to do that safely, it's quite complicated.

And then we have this problem with certificate authorities. As you probably know, if you want to have an HTTPS web page you need to get a certificate, and there are hundreds of these certificate authorities, and all these certificate authorities can have sub certificate authorities. So we don't even really know how many there are. And the old system was that basically every CA could issue a certificate for every domain. This has the impact that the whole system is only as secure as the worst of all CAs. So if one gets breached, everyone has a problem. And this also has the impact that it doesn't really matter which CA you choose. So if you say "I go to a CA that's especially trustworthy", for whatever reason, that doesn't really make any sense.

And this also had practical implications. We had a lot of cases in the past years where certificate authorities issued certificates, like for google.com, but not to Google but to someone else. There were many issues with Comodo. There was TurkTrust. There was CNNIC, the Chinese government-controlled CA. We had India CCA.
There was DigiNotar, which later went bankrupt. ANSSI, the French government-controlled CA. So they're for quite different reasons. Some of them were hacked; there was an issue where this Chinese CA sold a sub certificate to an Egyptian company that then used it to intercept traffic in their own network. But all of them, so we had a lot of issues where these CAs didn't follow the rules and issued certificates to people who shouldn't get those certificates.

Over the years there have been many debates about how we could fix this. There was an idea called Sovereign Keys, which was interesting but quite complicated. There was a talk at the Congress a few years ago. There was TACK, which was a kind of key pinning proposal. There was Convergence, where the idea was to check a certificate from different points in the network. And DANE, which is based on DNSSEC. But all of these solutions have in common that none of them ever got really deployed widely.

But recently there's now a standard called HTTP Public Key Pinning, which I like a lot. The idea there is that a web page can say: okay, this is the key of my certificate, and here's a backup key, and the browser should store this key and the backup key, and in the future only these keys are accepted for this web page. So additionally to the certificate authorities we have a trust-on-first-use system, so that not every CA can issue a certificate for this web page that can later be used for attacks. And also the browsers these days contain some pre-pinned certificates.
So for example, if you create a bad certificate for google.com, it will not really work, at least in Chrome and Firefox, because the browser already knows that Google only gets certificates from Google's own certificate authority. So you cannot use a random certificate authority to issue a certificate for Google. The problem with that is that it's not widely used. There was recently a statistic about the Alexa top 1 million web pages, and only one of them was using this key pinning header. At some point there were four pages, and now it got down to one. So it's really not widely deployed, which is unfortunate, because this is really a very big improvement of the security of the TLS system.

Then there's a concept that's mostly developed by Google, which is called Certificate Transparency. The idea here is that we have a public log that's append-only, so it works a bit like Bitcoin, that can be verified by anyone who wants to, and that has all certificates in it. The idea is to have several of these Certificate Transparency logs. So that's a very promising idea. It doesn't prevent attacks with wrong certificates, but it pretty much makes sure that you cannot hide these attacks. So there's a very high likelihood that, if you have Certificate Transparency in place, all attacks will be detected at some point. It's not really widely deployed, but Chrome has some preliminary support, and Google plans to require it at least for the so-called extended validation certificates, and later for all certificates. So there are some things happening in this space to mitigate these problems with certificate authorities.

Yeah, so finally, after many, many years where we had this problem.
We have now some mitigations that are coming. But also the conclusion there is that, if you want to verify TLS certificates, you need to know about these things, and your implementation needs to know about it, and you have to stay on top of the development of what's going on in TLS security.

Some late development is that a lot of people are pushing now for HTTPS everywhere. Google did a lot in this case, and also Mozilla now plans to mark HTTP pages as insecure generally. Then certificates are no longer expensive things, so there are now certificate authorities that give you a certificate for free. There are two now, and Let's Encrypt will start pretty soon, on which we will also have a talk later today. I think this is generally a very good thing. And I also think this is a good thing even if you don't have any secret data on a web page, because what many people tend to forget is: HTTPS guarantees that your data is transmitted encrypted, but also that it has integrity. So that means that the page the user sees is really the page that came from the server, and it was not manipulated on the way. So even if your data is not secret, you always want your data to be correct.

But there are also people who think that this is a very dangerous development. Here's a picture I made at the Black Hat conference recently, where the company called Blue Coat, you may have heard of them, they have some questionable approach to security researchers, they say TLS traffic is pervasive and introduces risk. Especially, it can also be used for advanced persistent threats. So if anything is APT, then it's really dangerous. And obviously they sell you a solution for that, so they have a way to inspect your TLS traffic. Many other companies do as well.
This is from F5, and this is, I don't know which company this is. All sell you some products that allow you to kind of inspect your encrypted traffic. So there are a lot of products that are doing this. We have these enterprise security solutions, like what Blue Coat and F5 are selling. We have now antivirus software that's doing this. We have parental control or youth protection. We have some ad blockers, or a lot of ad injection software, which is usually this stuff that you don't want but may have installed anyway on your computer.

So how do they do this? You cannot inspect or manipulate the traffic if there's HTTPS, because it's the idea of HTTPS to prevent that. So the solution these products have is that they install their own certificate authority root certificate into the browser, and then basically what they do is a man-in-the-middle attack on your browsing.

Then, earlier this year, there was a software called Superfish that some people found on their Lenovo laptops. It came pre-installed on Lenovo laptops. What this software did was that, when you were surfing the internet,
it analyzed the images and tried to find objects in these images, and then it would present you some ads that were related to these images. So, I don't know, you could surf a web page about camping, and then it would give you an ad about where you can buy a tent. What this also highlights is that there's now this very strange market: there are companies who are producing software that nobody really wants, but they are paying companies like Lenovo so that they install it on their laptops. What also happens is this software bundling, where you install some software and then the installer asks you, with some very tricky UI thing, "Do you also want this toolbar or this whatever?", and then if you click the wrong button you have something installed that you never wanted.

But the problem with this Superfish software was that it used such a man-in-the-middle proxy, and it had the same certificate on all installations. So it also had the same private key on all installations, and the key is naturally part of the software, so you could just extract this key. Like two days later someone did this, so the key was public, and with this key you could basically attack everyone who was using a laptop that had this Superfish software installed. So, yeah, it was a big PR disaster for Lenovo. They later said, okay, we're sorry. They provided a removal tool. They then said, okay, we've learned from it, we will be more careful in the future. A few days ago, if you've seen it, Lenovo is now using BIOS rootkits to install some crap on your Windows system.
I don't know if they have really learned anything.

But then it became even more interesting when people found out that Superfish was using a software module from a company called Komodia. This was used in many different applications, and all had the same problem. All had this shared key problem, and people were extracting keys from many different products. There was a product called StaffCop, and Qustodio, which was some parental control thing, and some VPN software, and then Ad-Aware, it's an anti-adware tool, and there was also a lot of adware, like this stuff that gets installed on your system that you don't really want. So it turned out this problem was much bigger than the Superfish issue: there was a lot of software that all had the same vulnerability.

And then Filippo Valsorda, who's a CloudFlare engineer, found out that there was a trick how you could create certificates that all of these Komodia products would accept. So first we thought, okay, you have a key for every one of these products. But then there was this trick, because what happened was: if the software would connect to a web page with an invalid certificate, it would replace it with a certificate that was signed by this man-in-the-middle proxy but that had an invalid host name. What this software didn't consider was that certificates also have this field, Subject Alternative Name, where you can add additional host names for a certificate, and these were kept intact. So you could create a certificate that was signed by any CA, or by your own self-signed CA, and then add the host name for the web page you want to attack in this Subject Alternative Name field, and then every software that had this Komodia module would accept this certificate.

And then I found this kind of ridiculous: Lavasoft, which is producing this Ad-Aware software, said on their Facebook page: Lavasoft's most recent release of Ad-Aware Web Companion does not include this
capability, so this Komodia SSL interception, but we are not yet able to confirm with certainty that the compromised component of the Komodia SSL Digestor has been removed. So there you have a company that's producing a security product, and they say: okay, we had a severe security vulnerability and we don't know if we have really fixed it. That's kind of a bit ridiculous, and it took me like 15 minutes to verify that, okay, they were still vulnerable. I commented on it below their Facebook blog post. Maybe it helped them, I don't know.

And then a few days later there was some IRC channel where people who were interested in this issue were chatting, and then someone posted a link where someone was asking: he has a software called PrivDog on his system, and he wanted to know if this is something like Superfish. It turned out this was a software that was developed by a company founded by the CEO of Comodo. What this software would do was: it would identify ads that it considers dangerous, it wasn't really clear by what criteria, or that would impact your privacy, and it would replace them with its own ads. So thereby they make money, because they replace some ads with their own. And then I looked at it and found out, okay.
It does not use a shared certificate, so it's not like Superfish. But what it did is it just accepted every web page certificate on the other end. So you could have a random invalid certificate, and the software would connect to it and replace it with its own certificate that was valid for the browser, because it had its root certificate installed. And then I also looked at the traffic of the software, and it was sending every URL you were surfing to in clear text to some server from this company.

And then, yeah, I wrote a blog post about this. It was pretty late in the evening, and then I went to sleep, and the next day the BBC called me. So this really generated a lot of interest in the media, because the issue here was really Comodo: Comodo is a company that's selling TLS certificates. That's the biggest certificate authority these days. And so the same company that's selling you the certificates for HTTPS security is related to a product that's breaking the security. It was not a Comodo product, but they had some close ties. Comodo was advertising this product, and also Comodo had a browser that was bundled with this PrivDog. But this version in the Comodo browser was not affected by this vulnerability, because that worked as a browser plug-in and not as a man-in-the-middle proxy. So yeah, we had another issue where this TLS interception proxy caused a severe security vulnerability.

And then I looked at some other products that would intercept TLS traffic. There are some antivirus applications, and I looked especially at Avira, Kaspersky and ESET, because these were the ones that were freely available and that I could easily test. None of them had a severe vulnerability like Superfish or PrivDog, but all of them had something that made the TLS connection worse.
So the biggest issue was that Kaspersky was then still vulnerable to the FREAK vulnerability. FREAK was a vulnerability where you could downgrade connections to some export mode from back in the 90s, when it was forbidden to have strong crypto. And it was found that somehow you can trick OpenSSL into doing these old connections. Very shortly, some days after this FREAK vulnerability was published, someone posted in Kaspersky's forum that, okay, you have this problem with the FREAK vulnerability, and it was ignored for more than a month. So I re-found this issue in Kaspersky.

And then, I earlier told you about this key pinning standard we have now. You might think: okay, if we have this key pinning, then these whole TLS interception proxies shouldn't really work, because if the browser has a Google certificate pinned and then it gets replaced by some TLS interception, that shouldn't really work. But the problem there is that the browsers had to do some kind of compromise, because there's already so much software that does this TLS interception that they couldn't break all of it. So what they did is: if there's a manually installed root certificate in the browser, then it would ignore that key pinning header. It's not really nice, but you can kind of understand why the browsers did this. Now, what should happen if you do it right is that these products should test this header themselves on the back-end side. But none of the software that I looked at did this, and I have not until today seen any software doing this.

So the takeaway there is: if you're doing a TLS interception proxy, then you are responsible for the security of this connection, and then it matters how good the implementation of TLS is and how good the implementation of the certificate validation is. And the question you have to ask here is: are these companies who are producing this product qualified for that? My answer to that is probably not, because
browsers have large security teams, and they are very involved in the debate about TLS in general, so they follow up on what's kind of state of the art in encryption, and a company that's producing some strange Superfish software probably is not.

And then, under this blog post about the antivirus applications, someone asked me about a software called Adguard that also installed some certificate, and if I could look at it. So I did that, and then I found out, okay, it created a new certificate on every installation, but it always used the same key. So that was a bit strange. I then contacted them and got a reply from some of the developers. What they did was that they chose one out of eight keys based on your CPU. So the idea was, if you reinstall it on the same system, you get the same key. Doesn't really make any sense. And so you can just extract these keys from a file that was shipped with this software, and there were eight different keys. And I have published them. So yeah, there's a GitHub repo where I've published all these keys. I will post the link later.

Now, this Adguard depended on a software called NetFilter SDK, and there was specifically a file called ProtocolFilters.dll where the keys were in, so it was quite easy.
I just created a Python script that would look if something starts with the byte for which is the byte that private key in TLS starts with, and then I would pass that to OpenSSL and see if it could decode it. And if that was the case, I could dump the key.

And then this reminded me of something, because this ProtocolFilters also bundled a very old version of NSS, and I saw that before, because I saw that in PrivDog. And then I found out, okay, PrivDog also had this shared key issue. So it was basically not only broken in that it didn't validate the certificates on the other side, but it also had this shared key, which adds an additional risk, because even people who have uninstalled PrivDog at some point may still have the certificate in the browser with the shared key.

And then I wanted to know: is there anything else that's using this ProtocolFilters module? I found a lot of web pages reporting about software using this. Most of it was what's called potentially unwanted software, or crap, like the stuff you have on your PC where you don't really know why it came there, you don't want it, how to remove it. But unfortunately I didn't find any of these pieces of software for download. The issue with that is these are usually companies who are only in business for a short time and then they stop. So I found a lot of information about these software pieces, but I didn't find anything for download. So if anyone has access to these things, I would be very interested.

Recently there are also people trying to do the same thing for other protocols. So this is a Symantec solution that's for email encryption. Basically, that's the thing that was PGP in the past.
That's now sold as Symantec Desktop Email Encryption. It basically tells you to disable TLS in your email application. This is Thunderbird. So if I have this installed and try to set up my email in Thunderbird, it tells me to disable TLS encryption, and then it will intercept that email encrypted and do a connection to my email server. Thunderbird then shows this very scary warning, which is completely the right thing to do. I mean, you're trying to fetch your emails without encryption, so it should warn the user about that.

And then I started up a sniffer and looked at how this TLS connection looks, and it only does TLS 1.0 without forward secrecy. So you have a product that's trying to sell you email encryption, and it uses a very outdated version of TLS and a very outdated cipher.

What's kind of left as a question is that we have these enterprise appliances, of which I earlier had this picture from Blue Coat and F5. I don't have access to these things, so I don't know how good or how bad they are, but I would assume that they probably have similar issues. But there's maybe some evidence: in enterprise TLS applications there were a lot of very weird bugs in the past. Probably one of the strangest things that happened in TLS is that F5 had a device where, if you connected to it with a TLS handshake that was larger than 256 but smaller than 512 bytes,
it would not do a connection. This was a big problem, and people tried to introduce new features into TLS, and then the handshake got bigger, and these F5 appliances wouldn't allow connections. So what happened then is that now there's an extension to pad the handshake. I think this is the first time that there's an explicit TLS extension only for one bug in a certain product from a certain vendor.

Then I also mentioned earlier this POODLE TLS issue. So people were basically able to port a bug from the older SSL version 3 to the newer protocol TLS. That was found in a whole range of devices, like F5, A10, Cisco, Check Point, Juniper. And very often these are the companies that are also producing these enterprise interception devices.

And something that came up very recently is a bug called MACE, where devices would not check the MAC, so they wouldn't verify if the data was correct at all. So I would not trust these companies to intercept my TLS traffic.

And then you may ask: what's the alternative? I think, first of all, this may be the wrong question, because for a lot of these products I would doubt if they should exist at all. This is quite obvious for something like Superfish. I mean, it's a software that gets installed on your laptop without your consent and that's showing you some ads. Is there anyone in the audience who thinks they need more ads on the internet? I don't think so. But also for things like these firewalls or antivirus applications, there I really want to ask the question: is it a good idea to inspect the traffic?
With like antiviruses basically don't really work anymore. I don't know if they ever worked in a reasonable way. So for many of these products I would just question: is this a reasonable way to do IT security? And if you're breaking encryption, then you're introducing a big risk, and if you're doing that for security, it seems very questionable. But there are of course legit reasons why you want to modify traffic in some way. But if you do that, then please do it after the encryption. So what you can do of course is a browser extension. There are a lot of things that do that, like HTTPS Everywhere or Privacy Badger or things like that. But especially, this should happen with the user's consent. And then this is fine.

So my takeaways are: I think this issue with these potentially unwanted applications, or crapware, or bloatware, however you want to call them, is a big security threat, and it's underestimated, I think. The idea that you're paying a laptop vendor to install some software on the device that nobody wants, that's not a legitimate business model. And also the idea that you're bundling a software with something else and then tricking the user into clicking okay, and then you can say, okay, the user consented to it. But these are often made in a way that it's very easy to click on the wrong button. You may have heard that SourceForge now had kind of taken over a lot of free software projects and is now providing installers that are shipping some other software with them. Recently GIMP found out that there were GIMP installers on SourceForge that were bundling something, and they didn't know about that. So this is really something that's absolutely not acceptable, I think. If you want to install a software on another person's computer, you need their consent, I think.

And this whole TLS interception issue,
I think it is generally dangerous. I have not seen any software that gets it right, and even a lot of security products don't get it right. So I think it's a completely misguided approach. The encryption is there for a reason. It's there to protect your information and to guarantee that information gets transmitted unmodified, and that shouldn't be messed with.

So here's, as I mentioned earlier, the GitHub repository where I collected all the certificates. And now I assume we were faster than I expected, so we have a lot of time for discussion.

Yeah, thank you for this talk. I think we learned a lot, and there are already at least three questions. We start at the left.

Hello. Hi. Do you think it would be a good idea for all browser vendors to offer either an extension or an API for software vendors, which works so that they submit all the traffic in addition to or somewhere else? So like a SPAN port on the router, so that you have a common API.

Yeah, so basically you want something like a browser extension, but that's across all browsers?

Yes, because it seems to be the case that vendors want to have such a functionality.

That might be an idea. I haven't thought about it, but it might be a viable idea.

Next one also from that side, because there's nobody lining up. Okay.

Thanks a lot for the great talk. What I was wondering was really related to the last question. So I think we all agree on Superfish, that's crap. But Blue Coat, I think there's like a legitimate compliance need, and there are companies who want that kind of SSL interception. So saying "just don't do it at all", I think it would be nice, but it won't work. So maybe we should go away from it. Maybe we should have like this explicit standard to share the TLS secrets for the trusted party. So having in Chrome a special field in my address bar which says, hey, this is monitored by your Blue Coat appliance from your company
you're working at, I think that will be better or more interesting than the approach we are going for, what you pushed for, saying, well, that's evil practice, don't do it at all.

So what you kind of want from me is that I make proposals how to fix something I don't like. And I mean, I think it's generally wrong. You want to have a better solution for something which I find illegitimate in the first place.

Yeah, no, I mean, your point is that you don't like it. You want to get it away, right?

Yeah, so I won't make proposals to do something better that I want to get away with.

From my practical point of view, it's not going to go away, because there are companies who have a need. So I'm asking, why don't you go for it and say we should have a better standard, a better way to do it, rather than just ignore it at all? Because let's say you try to ignore the issue that there's a need for it.

So you can try that, but I won't do that. OK, I won't propose anything that I think shouldn't happen in the first place.

Now a question from the right.

Hi, I'm really curious about what kind of need you have to break TLS. It's not a question for the speaker, but for the guy who just went away.

Yeah, you come back for this if you like.
Thank you. So I'm involved with SSL interception a bit, but doing open source work only. I have no commercial interest in that. But my point of view is that the issue is, if you do SSL interception in the traditional way, like doing two kinds of connections and having explicit SSL certificate management on the proxy instance, then you get these issues which we have for Superfish et cetera. If you have a legitimate side channel where you would leak like the TLS master secret, then you would get at least a very explicit way, and you would still have a connection end to end, but with the third party that could listen in. I think protocol-wise that would be more interesting. Or HTTP/2: there was actually an RFC on SSL interception proxying which had a lot of debate, but that was only for opportunistic encryption. So that was not for explicit HTTPS connections.

Yeah, sure, so I mean Blue Coat etc. have a business case for that and it's not going to go away. They're still going to do it. So I think you can't just push it away, and that's basically the issue.

Please go to the microphone if you want to say something.

Just for the record, I don't like it myself. I would be happy if it goes away, but for companies, there's a compliance use case why they're doing it. And if you ask those compliance guys, they will say, well, we will continue doing it. And getting this away, I think, is way harder than going over to a better protocol.

Sorry, can I just? You're not going to make it go away by inventing technical solutions that make it better when it stays. So the way to make it go away is to make the technology go away. You don't have the trusted side channel. You don't put that law, legitimate access, law enforcement kind of thing into the protocol. You make a secure protocol and you implement it, and people will live with it. People will deal with it.
If you implement that, you'll just get more intercepted connections, not fewer.

And so I also want to say, my hope is that if we do more analysis on these things, I expect we will find more vulnerabilities. So we can get these devices a worse reputation. That would be my approach to it.

Maybe I can again say something to this, because I see the point. And if we start and have a super protocol which does not allow such a thing, then people or vendors will start to do, as you said, build a browser extension which is doing the same thing. And I think that's especially what the speed, what he wants, to have a common way of accessing everything. That's just the thing. OK, we are moving forwards. But either we can say, hey vendors, think of another way because we disable your old way, or we say, hey, this is a better way, maybe you use this one. Either be constructive or not.

Was this a question or so? Yeah, so I mean, the first question I always want to ask is: is this product doing something legitimate at all? Because for a lot of these products, I think the answer is no.

Yes, but people pay a lot of money for this product. So yeah, obviously there is a market for this, and they will not stop paying money for it.

And now the person in red, who's been waiting a long time now.

Yeah, I'm going to be on the side of interception in a way, because I'd just like to remind people that not everyone has 40 gigabits per second. Where I work, there are really expensive bandwidths.
It's with a huge latency, and the current web really works badly overall, and each time we add encryption, or more generally TLS, and we'd like to have a proxy for the users, which they would opt in to, but in an easy way, and currently with more TLS we have more problems doing it. I'd like to have a really clean solution other than a hackish interception. But so far it seems like there are people who are comfortable in the living room with really good internet access, and they're just thinking about adding end-to-end encryption but not thinking about others. I don't want to do man in the middle at all, but it's a bit easy when you have a good condition to forget about others. And yeah, that's it.

Yeah, I think there was no question now.

No question, just a comment, because I think we're a bit privileged here, and we should think that proxies can help sometimes.

So your issue is that proxies can cache things?

Yeah, that would be one use.

Yeah, so the issue with caching is that you can cache less and less anyway, because content is getting more dynamic, and caches have very few uses these days. So I think the increased security from TLS, and also if you do things like HTTP/2 where you have performance improvements through TLS, is much bigger than what you can gain with caching.

I don't completely agree. I see a punter. Yeah, definitely with web 2.0 we have less and less caching, but then we have some fairly large media which could benefit a lot from caching.

OK, the next question from the right.

OK, I just wanted to add some points. How I came across these man-in-the-middle attacks from antivirus software, I think with Avast: because they break client certificates. I think that's something that wasn't mentioned.

OK, no, I didn't notice that. Thanks for this note. Yeah, I looked at Avast, but I didn't notice that they break client certs, because the client certificate is obviously in the browser and the antivirus software doesn't have or doesn't check for that.
Yeah, and do you have any ideas how to prevent any interference from local processes in the TLS session? Because I also think that this is a bad practice and shouldn't be done, and then a common interface would just be misused by ad injection software.

So I mean, this only can happen if you have some access on the client, right? So this software must install something into your browser. So the solution is basically: be careful what you install on your computer. I mean, yeah, if you install bad software on your computer, then it can do bad things.

I understand, but if we have a corporate environment where such an SSL injection is common, and the user probably doesn't have any meaningful way to influence what is installed on the computer, then maybe we can do something on the browser side, so that it's not very easy to do such things.

So there's basically no way. If you have a software on the client that wants to mess with your browser, there's no way to stop that. I mean, that's basically the malware problem. If you have something on your client, then it is in control.

Yeah, thanks.

Thanks. Yeah, there seem to be no other questions. Oh, there's one.

Hi. When it comes to TLS security, why can't I pin a key to a site, and why can't I look up the key?

You can pin a key to a site. So if you're the site, or a key and not a certificate? So the way this key pinning standard works is that it is pinning the key to a site, and you're wearing a Firefox T-shirt. Firefox doesn't support this. Firefox supports this since two or three versions. OK, I'll come back. Yeah, so there's this HTTP Public Key Pinning standard.
It's an RFC now, and the idea, by the server. Yeah, yeah, no, I'm a user. Yeah, OK, the user wants to pin a key. And I want to see it so I can check it. Yeah, and this is not possible, and I don't know why, especially because I can see the fingerprint of the certificate.

The problem with these, so you think about things like Certificate Patrol and similar plugins, right? So this one uses a notary service. I'm not talking about a notary service. There are some usability issues with that, because if the certificate changes, what do you do? You don't know if it's a legit change or a malicious change. I have a chance to check it, and I have a chance to show with my bank. I'm very skeptical about any solution that requires the user to know what a certificate is, because that's not widely usable. But we can discuss that later. OK.

OK, that seems to be the last question. Yes, so again, a big applause for Hanno.