Abstract

TLS was designed as a transparent channel abstraction that allows developers with no cryptography expertise to protect their applications against attackers who may control some clients and some servers, and who may be able to tamper with network connections. However, the security guarantees of TLS do not match this channel abstraction, leading to a variety of attacks. We show how some widespread false beliefs about these guarantees can be exploited, not only to attack applications that rely too naively on TLS, but also to defeat several standard authentication methods that rely on TLS. Concretely, we demonstrate new client impersonation attacks against TLS renegotiation, wireless networks, challenge-response protocols, and channel-bound cookies. Our attacks exploit combinations of RSA and DHE key exchange, session resumption, and renegotiation to bypass many recent countermeasures. We also demonstrate new ways to exploit known weaknesses of HTTP over TLS. We investigate the root causes of these attacks and propose new countermeasures. At the protocol level, we present the design and implementation of two new TLS extensions that strengthen the authentication guarantees of the TLS handshake. At the application level, we develop an exemplary HTTPS client library on top of a previously verified TLS implementation; this library implements several mitigations, and we verify that it does provide strong, simple application security.