RSA Conference Europe 2012 – SSL is Cracked panel discussion

The panellists for this were;

Ivan Ristic; Director of Engineering, Qualys, Inc.

Marsh Ray; Senior Software Development Engineer, PhoneFactor

Gerv Markham; Governator, Mozilla

Phillip Hallam-Baker; VP and Principal Scientist, Comodo

Overall some great experience here including the guy who wrote ModSecurity and the guy who discovered the TLS renegotiation vulnerability..

The discussion covered the following topics;

Vulnerabilities / Attacks;

–          Protocol- based – TLS Renegotiation, weakness in CBC handling on web servers, Crime (TLS compression issue that can result in password exposure), BEAST (Browser Exploit Against SSL/TLS) tool.

–          Implementation-based (e.g. mixed content)

–          Practice based (certification authority bad practices)

Solutions and Remedies;

–          Those currently available (e.g. RC4 with TLS 1.0)

  • DV, OV and EV = Domain-Validated, Organization Validated, and Extended Validation SSL Certificates

–          Those in Development / Deployment

  • Online Certificate Status Protocol (OCSP) Stapling
  • HTTP Strict Transport Security (HSTS) – HTTP header that says from now on only connect to this site with HTTPS, never HTTP.
  • Content Security Policy (CSP) – way to manage the content you will accept from web sites based on declarative content statements in the headers.
  • Improved security and audit requirements for CAs (certificate authorities)

–          Those being Discussed (DANE, CAA, CT etc.)

  • DANE – DNS based Authentication of Named Entities
  • CAA – Certificate Authority Authorization (DNS Resource Record)
  • CT – Certificate Transparency (Issuance Logging)

Summary / Take away points;

–          Check Systems (Your Own and Those of Others) – Can go to https://www.SSLlabs.com and enter a URL to test its level of TLS/SSL

–          Analyse Code and Configurations for Vulnerabilities

–          “Tweak” System Configurations and Code

–          Support Implementation of Newer Versions of TLS and other emerging Protocols

–          Patch and/or Replace Systems

–          Web Security based on SSL/TLS Continues to Evolve and Improve

 

Overall this was an interesting and thought provoking discussion.  However, as is often the case, putting a bunch of passionate, opinionated and knowledgeable geeks on a discussion panel together resulted in a somewhat rambling debate.  This was very hard to capture / document in any detail, but hopefully the comments highlighting some current vulnerabilities and remedies being looked at will provide a starting point for you to do some further research if you are interested.

K

Advertisements

Author: Kevin Fielder

Innovative and dynamic security professional, with a passion for driving change by successfully engaging with all levels of the business. I am a determined individual with proven ability to provide security insights to the business, in their language. These insights have gained board buy in for delivering security strategy aligned to key business goals. This is achieved by understanding the need to drive change through people, process and technology, rather than focusing exclusively on any one area. I take pride in being a highly articulate, motivational and persuasive team-builder. I have a strategic outlook with the ability to engage with and communicate innovative and effective security solutions to all levels of management. Along with a proven ability to translate security into business language and articulate the business benefits I am also passionate about leading security innovations and making security a key part of the business proposition to its customers. Security should be made a key differentiator to drive sales and customer retention, not just a cost centre! Outside of work I am a proud husband and father to an awesome family, and a passionate CrossFit coach and athlete.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s