Perceived Security, Trust, and the Ken Thompson Hack

February 24, 2019

Correction: In the talk I mentioned Chrome has its own root ca store, which is only partly true. On macOS and Windows Chrome uses a blacklist with the underlying OS providing the root CA store. On Linux it uses NSS, which is sometimes the “system” one, but sometimes not.

Root Certificate Policy Chromium

Links in talk:

Ken Thompson’s Reflections on Trusting Trust
OWASP Threat Modeling paper
OWASP Top Ten Cheat Sheet
Chattanooga Security and Privacy Society
David A. Wheeler’s Countering Trusting Trust through Diverse Double-Compiling

ChaDev Lunch Talk Recording

Slides

Obligatory XKCD

Actual actual reality: nobody cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)

Tagged

[security]
[talks]