How Everyone Screws Up SSL presented at THOTCON 1

by Michael Coates

Tags: Web Security


Summary: SSL has taken many hits over the past year. From the MD5 rogue certificate creation to SSL Strip, it seems that SSL should be dead and gone. However, SSL is still one of the fundamental security patterns used to protect data in transit. Unfortunately, SSL is widely misunderstood. It's time to take a breath and make sure everyone knows what we are really doing when we implement SSL. This will be an advanced talk that will focus on understanding the entire lifecycle of SSL. How does it work, what are the weaknesses, and what's going on with the recent SSL attacks? We will address issues such as: How does SSL really work? Is redirecting from HTTP to HTTPS safe? Does the landing page need to be SSL? How bad are those browser warnings? What tools are available and how do I test my server's SSL configuration? Should I be concerned about the MD5 rogue certificate or SSL Strip? These questions and more will be answered. This presentation will not be a basic intro to SSL talk. This will be 45 minutes of drinking from the SSL security fire hose. It is intended for security audiences already familiar with the basics of SSL and encryption.

Michael Coates is the lead Web Security Engineer for Mozilla with the responsibility of protecting all of Mozilla's web applications. Prior to Mozilla, Michael spent many years in consulting and performed penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is a contributor to the OWASP Top 10, creator of the OWASP TLS Cheat Sheet and the OWASP AppSensor project, and holds a Master's Degree in Computer Security from DePaul University.