Friday, October 26 • 2:00pm - 2:45pm
Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs


In the last year, 2011, major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. the DigiNotar breach), and, given the current trust model (every registered CA is trusted equally for every domain), this exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches to mitigating this risk are currently under discussion. The most advanced, and the closest to final adoption, are the technologies discussed by the browser vendors at the recent IETF Web Security working group meetings: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension has been defined that carries a fingerprint of their certificates bound to a domain. This approach has been partly tested in Chrome and already helped identify, and to some extent protect, Google's web applications in the recent DigiNotar compromise: Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July 2011, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services.

The presented technologies are cutting edge and, although the specification is not yet final, they are in their final stages, currently being rolled out and ready to be used. Other models that compete with or complement this approach (DNSSEC, etc.) will also be discussed.
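As an added illustration (not the speaker's code), here is a minimal client-side model of the pinning header the abstract describes, in the format later standardized as RFC 7469 (HPKP), which browsers have since removed: the pin is base64(SHA-256(SubjectPublicKeyInfo)), a chain is accepted only if one of its keys matches a pin, and a pin set is stored only if it also carries a backup pin absent from the chain. The SPKI bytes and the header value are constructed for the demo.

```python
import base64
import hashlib
import re

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each
# certificate in a served chain (leaf first); real pins hash real SPKI DER.
CHAIN_SPKI = [b"constructed-leaf-spki", b"constructed-intermediate-spki",
              b"constructed-root-spki"]

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pin_header(value: str) -> dict:
    """Split a Public-Key-Pins header into pins, max-age and includeSubDomains."""
    pins, max_age, include_sub = [], None, False
    for directive in (d.strip() for d in value.split(";")):
        m = re.fullmatch(r'pin-sha256\s*=\s*"([A-Za-z0-9+/=]+)"', directive, re.I)
        if m:
            pins.append(m.group(1))
        elif directive.lower().startswith("max-age"):
            max_age = int(directive.split("=", 1)[1].strip().strip('"'))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

def chain_matches_pins(chain_spki, pins) -> bool:
    """Accept the chain if any key in it matches a pinned fingerprint; a chain
    built from a mis-issued certificate carries none of the pinned keys."""
    return any(spki_pin(s) in pins for s in chain_spki)

def header_is_acceptable(chain_spki, parsed) -> bool:
    """Store a pin set only if it has a max-age, matches the current chain and
    carries a backup pin absent from the chain, so that a key rotation cannot
    lock every returning client out of the site."""
    chain_pins = {spki_pin(s) for s in chain_spki}
    in_chain = any(p in chain_pins for p in parsed["pins"])
    backup = any(p not in chain_pins for p in parsed["pins"])
    return parsed["max_age"] is not None and in_chain and backup

# Constructed header: pins the leaf key plus one backup key not in the chain.
BACKUP_PIN = spki_pin(b"constructed-backup-key-spki")
SAMPLE_HEADER = (f'pin-sha256="{spki_pin(CHAIN_SPKI[0])}"; '
                 f'pin-sha256="{BACKUP_PIN}"; max-age=5184000; includeSubDomains')
```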


Tobias Gondrom

Managing Director, Thames Stanley: Information Security and Risk Management Advisory
Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, the United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and...

Friday October 26, 2012 2:00pm - 2:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704
