Interview with Researcher Thyla Van Der Merwe on TLS and Online Privacy

Thyla van der Merwe received a BCom in Mathematics, Statistics and Economics, a BSc (Hons) in Mathematics and an MSc in Mathematics from the University of Cape Town, South Africa. She has a graduate MSc in Information Security at Royal Holloway, University of London as a FirstRand Laurie Dippenaar scholar. Prior to starting at Royal Holloway, Thyla spent four years at Tellumat (PTY) Ltd as a security specialist and software developer. Thyla currently represents South Africa on the ISO/IEC JTC 1 SC 27 standards committee where her activities involve the standardization of cryptographic mechanisms and protocols. Thyla's research interests include various topics in theoretical and applied cryptography.

Transport Layer Security (TLS) is a protocol initiated by the IETF in 1999 to replace SSL for securing website data and other online information encryption. We all regularly use TLS while surfing the web on secure websites.

vpnMentor: What do I as an average user need to know on TLS?

We try to educate users to check that they have a TLS connection; in browsers like Chrome and FireFox you can check the search bar to see a notification about this. If you don’t have an HTTPS connection, think twice about the information you input into the site. Avoid putting user name and password to a non-HTTPS url. I am not afraid to input data into https sites, but I’m aware of the fact that things can go wrong.

Checking if a site is secured on Google Chrome, by clicking the lock icon

vpnMentor: When selecting a VPN, some VPN providers mention they have TLS support. What does this mean?

I think that some VPN connections allow for TLS channels; some products may ‘speak’ TLS - they make of the authenticated key exchange mechanism to construct a secure channel.  Of course, offering TLS doesn’t hurt the marketing either.

vpnMentor: Website owners see so many option for buying SSL, what is important when buying a certificate, is it important to buy from a big brand?

Something like an APACHE server will come with TLS configuration options. Note what version of TLS to implement, and don’t use RC4!  There have been issues with certain certification authorities, so personally, I would buy from the big brands like NortonLIfeLock and Comodo.

vpnMentor: What do you focus on your research?

We are using formal method tools to analyze TLS 1.3, to make sure that it is secure.

vpnMentor: TLS can be exploit to recover passwords. Please explain how

When RC4 is used in TLS there is a weakness in RC4 that an attacker can exploit to uncover your passwords; the attacker intercepts a large number of TLS connections that use RC4, and can make use of biases in the RC4 keystream to find your password.

vpnMentor: Do you think that super power organizations like Amazon and Google can hack RSA using their  resources? Do you fear for such a scenario?

I have concerns about various actions that large organizations may have the capability to execute, but my aspiration is that they refrain from misusing the considerable power at their disposal.

vpnMentor: What do you personally do to protect your privacy online?

I make sure to choose good passwords, I rotate them every once in a while. I have a system so I use many different passwords for different sites and not “one for all”. I also try to be aware when I am working on a secure connection or not. At times, I use a VPN but not often. Mainly when I need to connect to my campus network (I use the F5 VPN client). I also actually read the warning messages of my browser!

vpnMentor: What is your opinion on finding the right balance of keeping privacy rights and fighting global terrorism?

I fall on the side of the argument that people have the right to privacy. For me this is the most important thing. I do appreciate there are threats that need to be addressed, but the cost of user privacy is perhaps too high a price to pay.

vpnMentor: In your opinion will we see a major hacking attack on infrastructures in the next 10 years, or would this stay only a subject for fiction movies?

Well, we’ve already seen attacks in the form of Stuxnet, for example. I don’t think that we can remove the threat for major attacks from the realm of possibility.

Thyla Van Der Merwe at BIU, May 02 2016