Re: [openssl-users] libtlssep
On Tue, Jun 30, 2015 at 9:55 AM, W. Michael Petullo wrote:
> Dear OpenSSL community,
>
> I am writing to introduce a new TLS library which presently makes use
> of OpenSSL: libtlssep. Libtlssep has two aims: (1) to provide a simpler
> API to application developers and (2) to encourage the decomposition of
> applications into at least two processes, one of which isolates access
> to secret cryptographic keys.

It was added to the Related Links section of the wiki to help with awareness.

https://wiki.openssl.org/index.php/Related_Links#Open_Source_Cryptographic_Libraries

Jeff

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] libtlssep
> I am writing to introduce a new TLS library which presently makes use of
> OpenSSL: libtlssep. Libtlssep has two aims: (1) to provide a simpler API to
> application developers and (2) to encourage the decomposition of
> applications into at least two processes, one of which isolates access to
> secret cryptographic keys.

This is interesting work; thanks for posting about it!

You might also be interested in the libtls project in OpenBSD, which has very similar goals.
Re: [openssl-users] libtlssep
On 30 June 2015 at 14:55, W. Michael Petullo wrote:
> and a research prototype at:
>
> https://www.flyn.org/projects/libtlssep/
> The libtlssep website.
>
> We would love to hear any constructive comments you might have, and would
> be interested in hearing about any possibility for future collaboration.

I like the concept of using priv sep. :-)

I haven't had a chance to look at your code properly, but one thing I noticed from a quick read through the docs was that you're relying on passing fds to tlssep_connect() that will make it impossible for people to write code that works through proxies (HTTP, socks etc.) unless you build support into the library itself. An abstraction along the lines of BIO that provides for working on buffers would really be needed for this use case.

Cheers

Rich.
[openssl-users] libtlssep
Dear OpenSSL community,

I am writing to introduce a new TLS library which presently makes use of OpenSSL: libtlssep. Libtlssep has two aims: (1) to provide a simpler API to application developers and (2) to encourage the decomposition of applications into at least two processes, one of which isolates access to secret cryptographic keys.

Georgiev et al., Fahl et al., and other researchers have shown that application developers often misuse existing APIs [e.g., 1, 2]. This work informs aim (1). Aim (2) attempts to bring the privilege separation work of Provos et al. [3] to the domain of TLS in an easy-to-use way.

The current implementation of libtlssep sits between an application and OpenSSL. Using libtlssep requires modifying an application to use the API, but we found the amount of work nominal while we ported wget and lighttpd. Of course, new applications could benefit from libtlssep right away.

If you are interested in libtlssep, you can find more information at:

https://www.flyn.org/publications/2015-libtlssep.pdf
A paper in submission with SPACE 2015 that includes a description of libtlssep along with performance measurements and other details.

and a research prototype at:

https://www.flyn.org/projects/libtlssep/
The libtlssep website.

We would love to hear any constructive comments you might have, and would be interested in hearing about any possibility for future collaboration.

Thank you,

Mike Petullo

[1] Georgiev et al.: The most dangerous code in the world: validating SSL certificates in non-browser software. CCS (2012)
[2] Fahl et al.: Why Eve and Mallory love Android: an analysis of Android SSL (in)security. CCS (2012)
[3] Provos et al.: Preventing privilege escalation. USENIX Security (2003)

:wq
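The two-process split that aim (2) describes, as an added example that is not libtlssep's code: a forked key-holder process is the only one that ever sees the secret, and the application process hands it data over a socketpair and gets back only the result. It is written in Python with an HMAC standing in for private-key signing, and the secret and message are constructed for the demo; none of that is the library's own design.

```python
import hashlib, hmac, os, socket, struct
DEMO_SECRET = b"constructed-demo-secret"  # constructed; a real holder loads a TLS key

def _recv_exact(conn, n):
    """Read exactly n bytes, or raise if the other process went away."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise RuntimeError("peer process closed the channel")
        buf += chunk
    return buf

def _keyholder_loop(conn, secret):
    """Runs only in the isolated process; the secret never leaves it."""
    while True:
        try:  # each request is a 4-byte big-endian length plus the message
            msg = _recv_exact(conn, struct.unpack("!I", _recv_exact(conn, 4))[0])
        except RuntimeError:
            return  # application side closed the channel; shut down
        conn.sendall(hmac.new(secret, msg, hashlib.sha256).digest())

def start_keyholder(secret=DEMO_SECRET):
    """Fork the key-holding process; return (app-side socket, child pid)."""
    app_side, key_side = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # child keeps only its end of the channel and the secret
        app_side.close()
        try:
            _keyholder_loop(key_side, secret)
        finally:
            os._exit(0)
    key_side.close()  # parent never touches the secret from here on
    return app_side, pid

def remote_sign(app_side, msg):
    """Application side: hand msg to the key holder, get back only the MAC."""
    app_side.sendall(struct.pack("!I", len(msg)) + msg)
    return _recv_exact(app_side, 32)  # SHA-256 digest length

def peer_verify(msg, mac, secret=DEMO_SECRET):
    """What a peer that shares the secret does; not the application process."""
    return hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), mac)

def demo(msg=b"constructed ClientHello bytes"):
    app_side, pid = start_keyholder()
    mac = remote_sign(app_side, msg)
    app_side.close()
    os.waitpid(pid, 0)
    return mac
```

In a real port the child would additionally drop privileges or chroot before serving, and a compromise of the application process still yields only an oracle, not the key itself.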