Wget developers, I am writing to share some work we did to port wget to a new TLS library: libtlssep. Libtlssep has two aims: (1) to provide a simpler API to application developers and (2) to encourage the decomposition of applications into at least two processes, one of which isolates access to secret cryptographic keys.
Georgiev et al., Fahl et al., and other researchers have shown that application developers often misuse existing APIs [e.g., 1, 2]. This work informs aim (1). Aim (2) attempts to bring the privilege separation work of Provos et al. [3] to the domain of TLS in an easy-to-use way. The current implementation of libtlssep sits between an application and OpenSSL. We found it quite easy to port wget to libtlssep for a research prototype, and we would like to share this work with you. If you are interested in libtlssep, you can find our early wget patch at: https://www.flyn.org/projects/libtlssep/wget-tlssep.patch the libtlssep research prototype at: https://www.flyn.org/projects/libtlssep/ The libtlssep website. and more information about libtlssep at: https://www.flyn.org/publications/2015-libtlssep.pdf A paper in submission with SPACE 2015 that includes a description of libtlssep along with performance measurements and other details. Thank you, Mike :wq [1] Georgiev et al.: The most dangerous code in the world: validating SSL certificates in non-browser software. CCS (2012) [2] Fahl et al.: Why Eve and Mallory love Android: an analysis of Android SSL (in)security. CCS (2012) [3] Provos et al.: Preventing privilege escalation. USENIX Security (2003)
