Advanced SSL: The Good, The Bad, and The Ugly, presented at OWASP AppSec 2009

by Michael Coates (Aspect Security)

Tags: Security Web Browser

URL :,_the_bad,_and_the_ugly

Summary: SSL has taken many hits over the past year. From the MD5 rogue certificate creation to sslstrip, it seems that SSL should be dead and gone. However, SSL is still one of the fundamental security patterns used to protect data in transit. Unfortunately, SSL is widely misunderstood. It is time to take a breath and make sure everyone knows what we are really doing when we implement SSL. This advanced talk focuses on understanding the entire lifecycle of SSL: how it works, where its weaknesses are, and what is going on with the recent attacks. It addresses questions such as: How does SSL really work? Is redirecting from HTTP to HTTPS safe? Does the landing page need to be served over SSL? How bad are those browser certificate warnings? What tools are available, and how do I test my server's SSL configuration? Should I be concerned about the MD5 rogue certificate or sslstrip? These questions and more will be answered. This presentation is not a basic introduction to SSL; it is a turbo talk, drinking from the SSL security fire hose, intended for security audiences already familiar with the basics of SSL and encryption.
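Two of the questions the abstract raises, whether an HTTP-to-HTTPS redirect is safe and whether the landing page itself needs SSL, come down to what a server says over the plaintext hop that sslstrip sits on. The following is an added example, not material from the talk or from the speaker: it parses constructed HTTP responses (not captured from any real site) and reports the server-side properties that limit stripping exposure. The HSTS check and its one-year `MIN_HSTS_MAX_AGE` threshold are assumptions of this example; the talk does not prescribe them.

```python
"""Offline checks for the HTTP-to-HTTPS redirect pattern (added example).

The plaintext hop that carries a redirect is what an active attacker
running sslstrip intercepts: the browser never sees the redirect, and
the attacker serves the site over HTTP while talking HTTPS to the real
server. These checks inspect constructed responses for the server-side
properties that limit that exposure. Thresholds and samples are
assumptions of this example, not data from the talk.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# One year, the floor HSTS preload submission asks for; chosen here as
# the threshold, not prescribed by the talk.
MIN_HSTS_MAX_AGE = 365 * 24 * 3600
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: list  # (name, value) pairs; Set-Cookie may repeat
    body: str

    def get(self, name):
        """All values for a header, matched case-insensitively."""
        return [v for k, v in self.headers if k.lower() == name.lower()]


def parse_response(raw):
    """Parse a raw HTTP/1.x response into status, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return Response(status, headers, body)


def cookie_name(set_cookie):
    return set_cookie.split("=", 1)[0].strip()


def check_plaintext_response(resp):
    """Findings for what the server returns to a plain-HTTP request."""
    findings = []
    if resp.status not in REDIRECT_CODES:
        findings.append("plain HTTP request answered with content, not a redirect to HTTPS")
        # A form on a plaintext landing page can be rewritten in transit
        # even when its action points at https (the sslstrip case).
        if re.search(r"<form[^>]*action=[\"']https://", resp.body, re.I):
            findings.append("form with https action delivered over plain HTTP")
    else:
        location = resp.get("Location")
        if not location:
            findings.append("redirect without Location header")
        elif urlsplit(location[0]).scheme.lower() != "https":
            findings.append("redirect target is not https: " + location[0])
    for c in resp.get("Set-Cookie"):
        findings.append("cookie %r set over plain HTTP" % cookie_name(c))
    return findings


def check_https_response(resp):
    """Findings for the HTTPS response the redirect lands on."""
    findings = []
    hsts = resp.get("Strict-Transport-Security")
    if not hsts:
        findings.append("no Strict-Transport-Security; the next plain-HTTP visit can be stripped")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        if not m:
            findings.append("Strict-Transport-Security without max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age %s below %d" % (m.group(1), MIN_HSTS_MAX_AGE))
    for c in resp.get("Set-Cookie"):
        attrs = [a.strip().lower() for a in c.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie %r lacks Secure; browser will also send it over HTTP" % cookie_name(c))
    return findings


# Constructed sample responses for a hypothetical host shop.example.
GOOD_PLAIN = ("HTTP/1.1 301 Moved Permanently\r\n"
              "Location: https://shop.example/\r\nContent-Length: 0\r\n\r\n")
BAD_PLAIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: session=abc123; Path=/\r\n\r\n"
             '<html><form action="https://shop.example/login" method="post"></form></html>')
GOOD_SECURE = ("HTTP/1.1 200 OK\r\n"
               "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
               "Set-Cookie: session=abc123; Secure; HttpOnly; Path=/\r\n\r\n<html></html>")
BAD_SECURE = ("HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw, check in [("good http", GOOD_PLAIN, check_plaintext_response),
                              ("bad http", BAD_PLAIN, check_plaintext_response),
                              ("good https", GOOD_SECURE, check_https_response),
                              ("bad https", BAD_SECURE, check_https_response)]:
        print(label, check(parse_response(raw)) or ["ok"])
```

The plaintext findings are the ones sslstrip exploits directly: a site that serves content (and especially a login form) over HTTP, or sets cookies before redirecting, is exposed no matter how well the HTTPS side is configured. The HTTPS findings only help on repeat visits, which is why the check is split in two.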