Getting SSLizzard

Presented at DEF CON 19 (2011), Aug. 7, 2011, noon (50 minutes).

The world has seen a seismic shift from browser-based web applications to GUI-rich semi-thick client applications running on handheld mobile devices. In the browser world, the industry had placed a great deal of time and energy towards providing users visual cues to indicate the level security and trust that their data being transmitted to the remote server is protected and not falling into the hands of unintended recipients. In the mobile device world, these visual cues are mostly nonexistent, resulting in the inherent trust that the underlying APIs are ensuring a level of security before transmitting a users sensitive data. In our research, we tested the most popular apps on both the iOS and Android platforms. We ran each app through a data transmission assault course that contained various historic, contemporary, and obscure SSL attacks and documented the results. In this presentation, we will discuss and demonstrate flaws at both the application an OS layer that need to be addressed by both the mobile app developers and well the mobile device manufactures. A utility called "SSLizzard" will also be released for use by mobile application developers to test their mobile apps and their behavior against SSL-based attacks discussed in this talk.


Presenters:

  • Paul Kehrer - SSL Architect, Trustwave
    Paul Kehrer is a web developer and programmer at Trustwave with extensive experience with X.509 and PKI, including writing and maintaining a registration authority. Since 2007, Paul has lead the team responsible for the design and infrastructure of Trustwave's Certification Authority. Paul enjoys baking cakes in his spare time. Twitter: reaperhulk
  • Nicholas J. Percoco - Senior Vice President and Head of SpiderLabs at Trustwave
    Nicholas J. Percoco: With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwaveps premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research has been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR and The Wall Street Journal. Twitter: c7five

Links:

Similar Presentations: