Modern Attacks on SSL/TLS: Let the BEAST of CRIME and TIME be not so LUCKY

Presented at AppSec USA 2013, Nov. 21, 2013, 2 p.m. (50 minutes)

SSL/TLS is the core component for providing confidentiality and authentication in modern web communications. Recent vulnerabilities have undermined this and left much of web based communication vulnerable. This talk will survey recent attacks such as BEAST, TIME, CRIME, LUCKY 13 and RC4 biases, highlighting the conditions required for exploitation as well as the current state of mitigations. Comprehensive recommendations will be provided highlighting the real world risks and mitigations taking all attacks into account instead of providing conflicting solutions to mitigate these attacks individually. Finally, long term recommendations will be made as we move to a post TLS 1.0 world without overhauling the basic structure and operational infrastructure of modern web communication.

Presenters:

  • Shawn Fitzgerald
    Shawn Fitzgerald is a senior security consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Shawn specializes in web based applications, client/server testing, cryptographic systems, security design and security protocol reviews.
  • Pratik Guha Sarkar - Security Consultant - iSEC Partners
    Pratik Guha Sarkar is a Security Consultant with iSEC Partners. At iSEC, Pratik works in the areas of web application/web services security, practical cryptography, mobile security and client/server testing. Before iSEC, he was with IBM working in telecom domain. Pratik graduated from Johns Hopkins University in Security Informatics.

Links:

Similar Presentations: