Keynote – Closing the TLS Authentication Gap, presented at ShmooCon 2011

by Marsh Ray (PhoneFactor), Steve Dispensa (PhoneFactor)

Summary: Keynote – Closing the TLS Authentication Gap, by Steve Dispensa and Marsh Ray. When discovered in late 2009, the SSL and TLS Authentication Gap was a serious vulnerability involving how web servers use SSL and TLS. The flaw allowed an active man-in-the-middle attacker to inject arbitrary content into an encrypted data stream.
Dispensa and Ray described the TLS Authentication Gap as representing “One of the most complex security disclosure processes in recent years.” They discussed the discovery of the flaw, provided a technical overview and demonstrations, and then discussed the rationale and lessons learned in coordinating the disclosure.

Marsh Ray: Marsh Ray is a Software Development Engineer at PhoneFactor, Inc., a maker of two-factor authentication software, where he is responsible for security software development.

Steve Dispensa: Steve Dispensa is co-founder and Chief Technology Officer of PhoneFactor, an authentication software development firm. He is a regular speaker and writer on security issues, a five-time Microsoft MVP for kernel-mode software development, and is Cisco CCIE #5444.