Your connection is not private - Exploiting insecure certificate validation in TLS clients

Presented at Disobey 2023, Feb. 18, 2023, 7:15 p.m. (60 minutes).

Securing websites and servers with TLS has never been easier. But what about the clients that connect to them? Most TLS connections security rely on the clients ability to validate the server identity correctly. This talk explores the 'most dangerous code in the world'. Lets hack an iPhone, Windows 11 and more while we deep dive into the world of insecure TLS certificate validation.

Presenters:

• Aapo Oksman - Senior Security Specialist at Nixu
  Aapo Oksman is a Senior Security Specialist at Nixu Corporation, working with application, protocol and device security focusing on industrial IoT. His background is in electrical engineering, embedded devices, and test automation.Twitter: @AapoOksman LinkedIn: AapoOksman

Links:

• https://disobey.fi/2023/profile/your_connection_is_not_private

Similar Presentations:

• DeepSec 2016 „Ten“ / Deploying Secure Applications with TLS (closed)
• DeepSec 2016 „Ten“ / Systematic Fuzzing and Testing of TLS Libraries
• DEF CON 31 (2023) / certmitm: automatic exploitation of TLS certificate validation vulnerabilities