OpenSSL Conference

The use of OpenSSL in Common Criteria and FIPS140 certifications
2025-10-08, Belvedere I / Security, Compliance & the Law

What do we know about the usage of OpenSSL in certified software and devices? Is its prevalence rising or falling? Who uses it? And what versions are used? What else can we learn without having to sign an NDA?

This talk will dive into the certification landscape of Common Criteria and FIPS140, focusing on the role of OpenSSL as a use case to see how much we can learn from publicly available data.

The presented analysis is based on results obtained with the sec-certs tool on the public dataset of certification-related documentation. At sec-certs, we want to become the one-stop shop for exploring the Common Criteria / FIPS 140 certification ecosystem. We aggregate and annotate certification data, enabling you to perform unified searches, investigate vulnerabilities, analyze trends, compare products side by side, subscribe to certificate changes, and take other actions on certified products.

The sec-certs tool is an ongoing research project by the Centre for Research on Cryptography and Security, Masaryk University, supported, among others, by Red Hat Research and the European Union under Grant Agreement No. 101087529: Cyber Security Excellence Hub in Estonia and South Moravia.

Martin Ukrop is a Principal Research Software Engineer with Red Hat Research, focusing on security research and facilitating the industry–academia cooperation in Europe. He received his PhD in Computer and Information Systems Security from Masaryk University, Czechia, focusing on human aspects in computer security. He remains an active teacher as well as a life-long learner.

His research looked into making security usable for IT professionals (developers, system administrators and the like) who lack specialized training in computer security. He focused on the cryptographic interfaces (both programmable and command-line) of developer tools and software libraries. The emphasis of his work was on X.509-capable libraries such as OpenSSL, GnuTLS and NSS, paying special attention to the process of certificate creation and validation.