Modern Attacks on SSL/TLS: Let the BEAST of CRIME and TIME be not so LUCKY presented at AppSec USA 2013

by Shawn Fitzgerald, Pratik Guha Sarkar

Tags: SSL

URL : http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/AppSec13_Modern-Attacks-on-SSL.pdf

Summary : SSL/TLS is the core component for providing confidentiality and authentication in modern web communications. Recent vulnerabilities have undermined this and left much of web-based communication vulnerable.
This talk will survey recent attacks such as BEAST, TIME, CRIME, LUCKY 13 and RC4 biases, highlighting the conditions required for exploitation as well as the current state of mitigations. Comprehensive recommendations will be provided, highlighting the real-world risks and mitigations, taking all attacks into account instead of providing conflicting solutions to mitigate these attacks individually.
Finally, long-term recommendations will be made as we move to a post-TLS 1.0 world without overhauling the basic structure and operational infrastructure of modern web communication.