Description
The padlock shown in the URL bar of our favorite web browser indicates that we are connected using a secure HTTPS connection and providing some sense of security. Unfortunately, the reality is slightly more complex. The trust model of the underlying Web PKI is invalid, making TLS a colossus with feet of clay. In this talk, we will dive into the trust model of the web PKI ecosystem to understand its weaknesses. Based on the research conducted in my team, I will demonstrate that, from the perspective of trust, each step of the certificate validation process is extremely complex, leaving users uncertain about whether or not they are connected to the correct web server.