Advanced SSL: The good, the bad, and the ugly

From OWASP
Jump to: navigation, search

The presentation

Michael Coates
SSL has taken many hits over the past year. From the MD5 rogue certificate creation to SSL Strip, it seems that SSL should be dead and gone. However, SSL is still one of the fundamental security patterns used to protect data in transit. Unfortunately, SSL is widely misunderstood. It's time to take a breath and make sure everyone knows what we are really doing when we implement SSL. This will be an advanced talk that will focus on understanding the entire lifecycle of SSL. How does it work, what are the weaknesses and what's going on with the recent SSL attacks? We will address issues such as: How does SSL really work? Is redirecting from HTTP to HTTPS safe? Does the landing page need to be SSL? How bad are those browser warnings? What tools are available and how do I test my server's SSL configuration? Should I be concerned about the MD5 rogue certificate or SSL strip? These questions and more will be answered. This presentation will not be a basic intro to SSL talk. This will be a turbo talk of drinking from the SSL security fire hose. It is intended for security audiences already familiar with the basics of SSL and encryption.

The speaker

Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and holds a Masters Degree in Computer Security from DePaul University.