Criminal Charges are not pursued: Hacking PKI

Presented at DEF CON 17 (2009), July 31, 2009, 5:30 p.m. (50 minutes)

From the night of Friday to Saturday at the 20 of December a new subscriber named Mike Zusman registered at the CA site. Subsequently he succeeded in overcoming the domain validation interface by validating for domains not under his control." - Critical Event Report The last year has been a rough one for SSL PKI. Fraudulently provisioned certificates, MD5 collisions, SSL spoofing attacks, and most recently, attacks against EV SSL. The variety of these attacks shows us how big the attack surface of SSL really is. From crypto attacks to browser design flaws, attackers have choices when it comes to man-in-the-middling SSL protected web sites. This presentation covers one of these vectors: real attacks against CA web sites. While some folks look to CAs for guidance when it comes to conducting secure business on the Internet, the CAs themselves can fall victim to the same attacks consumers look to them for protection against. EV SSL is a step in the right direction, but with a heavy reliance on low-assurance domain validated SSL certificates, can we ever get SSL right?

Presenters:

• Mike Zusman - Intrepidus Group
  Mike Zusman is a Senior Consultant with the Intrepidus Group. Prior to joining Intrepidus Group, Mike has held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms. In addition to his corporate experience, Mike is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other third parties. He has spoken at a number of top industry events including Black Hat, CanSecWest, regional OWASP conferences, and also teaches Information Security & Penetration Testing at NYU/Polytechnic University. Mike brings 10 years of security, technology, and business experience to Intrepidus Group. He is a CISSP and an active member of the OWASP foundation.

Links:

• https://defcon.org/html/defcon-17/dc-17-speakers.html#Zusman
• https://infocon.org/cons/DEF CON/DEF CON 17/DEF CON 17 video and slides/DEF CON 17 - Mike Zusman - Criminal Charges Not Pursued Hacking PKI - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=QpoYdnBr-rA

Similar Presentations:

• THOTCON 0x1 (2010) / How Everyone Screws Up SSL
• Notacon 8 (2011) / SSL Wars - The Dark Side of SSL
• Black Hat USA 2010 / State of SSL on the Internet: 2010 Survey, Results and Conclusions