SSL++: Tales of Transport-Layer Security at Twitter

Presented at HOPE X (2014), July 18, 2014, 8 p.m. (60 minutes).

You've enabled HTTPS on your site. Now what? How do you protect against sslstrip attacks, CA compromise, and the dangers of mixed content? @jimio will share some approaches they've taken @twitter: Strict-Transport-Security, "secure SEO" with canonical link elements, Content Security Policy, and certificate pinning. There will be code, exploits, and open source! There will be a few fun stories to share as well, and since this is an SSL talk, you KNOW there's gonna be heartbleed.

Presenters:

• Jim O'Leary   as @jimio
  @jimio works on Twitter's product-security team; he delights in short biographies.

Links:

• http://x.hope.net/schedule.html#ssltalesof
• https://www.youtube.com/watch?v=tRQPl_PEfC4

Similar Presentations:

• DEF CON 17 (2009) / More Tricks For Defeating SSL
• THOTCON 0x1 (2010) / How Everyone Screws Up SSL
• Black Hat Europe 2014 / Bypassing HTTP Strict Transport Security