Interview with cryptographer Tibor Jager on TLS, attacks, and countermeasures

vpnMentor: In your presentation* you mentioned we still use a TLS protocol that was introduced in 1999. Doesn’t that mean that everything works very well and we can feel secure?

*Attached at the end of this page are Dr. Jager's presentations in a conference at the Center for Research in Applied Cryptography and Cybersecurity of Bart Ilan University, May 2, 2016).

Indeed TLS 1.0 is not bad. We know a few issues with the protocol but we don’t know how to exploit them. It is not that I don’t sleep at night because of the risks, but looking at the objective issues that researchers show, there is some real concern that users can be exploited.

Dr. Tibor Jager presenting at BIU, May 02 2016

vpnMentor: You won the “Best Contribution to IETF Award." Tell us about that.

This award was given for significant contribution to TLS 1.3. There were many other contributions that are significant and I would consider stronger than ours. But what made our paper noticeable was that we showed not only the effects on TLS 1.3 but also on X.509 (an important standard for a public key infrastructure). The attack we described is not directly based on a weakness of TLS, but rather on a subtle combination with a deficiency of X.509. The intention of IETF by giving this to us, in my opinion, was to point out some things that can be fixed there as well.

vpnMentor: Germany is known as a privacy advocates nation. What makes Germans such leaders in this subject in your opinion?

It is hard for me to say. As a German, I find it obvious that I should have my privacy online as well. It surprises me that other nations don’t.

vpnMentor: What do attackers try to achieve? Are they in it for the gain or for intellectual achievement?

There are so many types of attackers.

1. Nation states that want to prevent terrorism, or possibly even to control opinion.
2. Attackers that want some financial gain, and unlike nation states that want to “read only” maybe, these gain attackers want to also inject information many a time.
3. And there are some users that are just curious about the use of technology.

vpnMentor: Looking at the skill set required to be a hacker, do you think some of your fellow professors in the academy go back home at night and put on the “Guy Faux mask,” penetrating the Pentagon?

I have a deep understanding of my colleagues and I am confident they aren't engaged in such activities. At an initial glance, hacking appears highly complex, potentially demanding an extraordinary set of skills. However, once you comprehend its workings, it becomes evident that anyone could potentially become a hacker simply by viewing a handful of YouTube videos and reading several articles.

vpnMentor: What is your opinion on the matter of online privacy vs defending citizens from terrorists?

If I had an answer to this, I would be in politics. It is important to have a good balance but the decision is not easy.

vpnMentor: What tools/browsers are you using differently from your mom?

I’m teaching my mom how to use a web browser in the right way and not give out information. Overall, I’m very careful about what sites I visit and what files I’m downloading.