Revocation is broken, here's how we're fixing it

Presented at LocoMocoSec 2018, April 6, 2018, 1:50 p.m. (40 minutes)

The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.

Presenters:

• Scott Helme - Report URI Ltd.
  Hacker, researcher, builder of things. Founded securityheaders.com and report-uri.com, Pluralsight author, BBC hacker in residence, award winning entrepreneur. Find me at scotthelme.co.uk

Links:

• https://locomocosecurityconference2018.sched.com/event/BPCt/revocation-is-broken-heres-how-were-fixing-it
• https://infocon.org/cons/LocoMocoSec/LocoMocoSec 2018 Kona/Scott Helme Revocation is broken, here's how we're fixing it.mp4
• https://infocon.org/cons/LocoMocoSec/LocoMocoSec 2018 Kona/Scott Helme Revocation is broken, here's how we're fixing it.eng.srt (subtitles)

Similar Presentations:

• DEF CON 26 (2018) / Lost and Found Certificates: dealing with residual certificates for pre-owned domains
• DEF CON 25 (2017) / Abusing Certificate Transparency Logs
• ToorCon San Diego 20 (2018) / Lost and Found Certificates: dealing with residual certificates for pre-owned domains