SSL/TLS Introduction and How to Exploit
By Brian Ritchie
Twitter: twitter.com/brianritchie
Facebook: facebook.com/brianritchie

Who Am I?
- Co-worked on the Enterprise Architecture for some of the largest regional as well as international companies
- Rolled out the first official OSS Centre of Excellence strategy and implementation for a local Financial Institution
- Experience with large-scale Project Management for core systems
- Designed and implemented Research and Incubation Services for large-scale corporations
- All-round Geek
What is SSL? An introduction

Some History
- Originally proposed by Netscape in the 90s
- Evolved from SSL 1.0, 2.0 and 3.0 to what is now Transport Layer Security (TLS)
- Developed with the intention of providing security for communications over networks
- Used heavily today for e-commerce and other web applications/services that require a higher level of security
What is SSL?
- An intermediate layer between the Transport layer and the Application layer
- Has 2 main functions:
  - Establish a secure connection between peers. Secure is defined as authentic and confidential
  - Use the secure connection to transmit higher-layer protocol data from sender to recipient
Let's delve in a little deeper here

How does SSL transmit data?
Sender:
- Breaks data down into manageable pieces called fragments
- Each fragment is compressed, authenticated with a MAC, encrypted, prepended with a header and transmitted
Recipient:
- The fragments are decrypted, verified through their MACs, decompressed and reassembled
NOTE: These fragments are what we call SSL records
Just a little bit more theory and we'll go to some cooler stuff

Graphical View of SSL (layer diagram)
- Application Layer: SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | Application Data Protocol
- SSL Record Protocol (sits between the Application Layer and the Transport Layer)
- Transport Layer: TCP, UDP
- Network Layer: IP
- Network Access Layer
What are these protocols?
- SSL Handshake Protocol – the core protocol. Allows peers to authenticate each other and negotiate a cipher suite and compression method that suit both parties
- SSL Change Cipher Spec Protocol – allows peers to switch over to the newly negotiated ciphering strategy and cryptographic protection
- SSL Alert Protocol – allows peers to signal potential problems and exchange alert messages
- SSL Application Data Protocol – the workhorse. Takes higher-level data and feeds it to the SSL Record Protocol for cryptographic protection and secure transmission
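As an added example (not from the slides), the framing half of the record layer described in the two slides above: the sender splits data into fragments of at most 2^14 bytes and prepends the 5-byte record header (content type, protocol version, length), and the receiver parses the headers back, dispatches on the content type of the four protocols that share the record layer, and reassembles. Compression, MAC and encryption, which sit between those two steps in a real implementation, are deliberately left out, and the sample data is constructed.

```python
# Record-layer framing only: fragment -> header -> wire -> parse -> reassemble.
# The MAC/compress/encrypt steps of a real record layer are intentionally omitted.
import struct
from typing import List, Tuple

MAX_FRAGMENT = 2 ** 14                 # TLS plaintext fragment limit (16384 bytes)
MAX_CIPHERTEXT = MAX_FRAGMENT + 2048   # largest length a record header may carry
HEADER = struct.Struct("!BHH")         # type (1), version (2), length (2), big-endian

# The four protocols multiplexed over the record layer, keyed by content type byte.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def fragment(data: bytes, content_type: int = 23, version: int = 0x0303) -> List[bytes]:
    """Sender side: chop data into <= MAX_FRAGMENT pieces, each with a record header."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {content_type}")
    records = []
    for off in range(0, len(data), MAX_FRAGMENT):
        piece = data[off:off + MAX_FRAGMENT]
        records.append(HEADER.pack(content_type, version, len(piece)) + piece)
    return records


def parse_records(stream: bytes) -> Tuple[List[Tuple[str, str, bytes]], bytes]:
    """Receiver side: walk the byte stream record by record.

    Returns (records, remainder): the parsed (content type, version, fragment)
    triples and any trailing bytes that do not yet form a complete record, so a
    caller reading from a socket can buffer them until more data arrives.
    """
    records, pos = [], 0
    while len(stream) - pos >= HEADER.size:
        ctype, version, length = HEADER.unpack_from(stream, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unexpected content type {ctype} at offset {pos}")
        if length > MAX_CIPHERTEXT:
            raise ValueError(f"record length {length} exceeds {MAX_CIPHERTEXT}")
        start, end = pos + HEADER.size, pos + HEADER.size + length
        if end > len(stream):
            break                                    # truncated record: wait for more
        records.append((CONTENT_TYPES[ctype], VERSIONS.get(version, hex(version)), stream[start:end]))
        pos = end
    return records, stream[pos:]


def reassemble(records: List[Tuple[str, str, bytes]], content_type: str = "application_data") -> bytes:
    """Concatenate the fragments of one content type back into the original data."""
    return b"".join(frag for ctype, _, frag in records if ctype == content_type)


# Constructed sample: 40,192 bytes of application data, which needs three records.
SAMPLE = bytes(range(256)) * 157

if __name__ == "__main__":
    recs = fragment(SAMPLE)
    wire = b"".join(recs)
    parsed, rest = parse_records(wire[:-7])   # drop the tail to exercise the truncation path
    print(len(recs), "records sent;", len(parsed), "complete on receipt;", len(rest), "bytes buffered")
```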
What's good about SSL?

Plus points
- Very widely used
- Well designed
- Pretty much secures the Internet
- Secure out of the box
Now to the cool OWASP part

What are the minus points?
- No one pays attention to it. This means if you can break it, you're the boss.
- Can be compromised through HTTP

Tools and Attack Principles
- Sslsniff and sslstrip make attacking it easy as pie
- Principles of attack:
  - MITM – the usual suspect
  - App and configuration issues
  - Fake certificates
  - Bad implementation
SSL Threat Models
Let's look at a small part today

Endpoint Issues
- Bad server-side configuration
- SSL not enforced
- Bad certificate configuration
- Private key not protected
- Use of weak protocols
- Unpatched libraries
- Mixed (SSL & non-SSL) configurations
- And many, many more…
Let's take a deeper dive and look at some examples

Inconsistent DNS config
- http://www.example.com and http://example.com point to different webservers
- Example shown on the slide: Microsoft

Another example
- A good example: OWASP

Different sites on port 80 and 443
- Both http://www.example.com and https://www.example.com must be the same website
- A lot of major companies fail to verify this
Self-Signed SSL Certs
- Two words: DON'T BOTHER
- This causes more issues than it solves. It is significantly harder for you to maintain a secure, well-configured SSL cert
- It is much easier and more secure to buy one from a legitimate provider

Badly Configured SSL Servers
- Out of the box, SSL is pretty secure iff (if and only if) the configuration fits your deployment
- More often than not, you will need to tweak the settings to fit your deployment
- Applying patches is equally crucial

Incomplete certificates
- A certificate has to encompass both http://example.com and http://www.example.com
- They have to be the same site
- They must also be the same for https://
- Your certificate must ensure that it is all-encompassing

Mixing SSL and Plain Text
- Tricky to implement
- Active user sessions can be compromised
- Sslstrip can perform MITM attacks and downgrade HTTPS to HTTP
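As an added example (not from the slides), offline checks for the endpoint issues in the slides above: a certificate that does not cover both the apex and the www name, a plain-HTTP response that is not a redirect to HTTPS on the same site (SSL not enforced, the condition sslstrip relies on), and a www/apex pair that resolves to different servers. Certificates are taken in the dict format Python's `ssl.getpeercert()` returns; the sample certificate and responses are constructed, and the `live_cert` helper is the only part that touches the network.

```python
# Defender-side checks for the slide's endpoint issues; sample inputs are constructed.
import socket
import ssl
from urllib.parse import urlsplit


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: a wildcard may only replace the whole left-most label,
    so '*.example.com' covers 'www.example.com' but never the apex 'example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """Names the certificate is valid for: subjectAltName DNS entries, with the
    subject CN as a fallback only when the certificate carries no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def uncovered_hosts(cert: dict, required_hosts: list) -> list:
    """Hosts in required_hosts that the certificate does not cover ('Incomplete
    certificates': the cert must encompass both the apex and the www name)."""
    names = cert_dns_names(cert)
    return [h for h in required_hosts if not any(name_matches(n, h) for n in names)]


def https_enforced(status: int, headers: dict, requested_url: str) -> bool:
    """True only if a plain-HTTP response is a redirect to an https:// URL for the
    same site (the apex and its www name count as the same site). Anything else,
    including a 200 with content, means SSL is not enforced for that URL."""
    if status not in (301, 302, 307, 308):
        return False                                   # content served over plain HTTP
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    target, origin = urlsplit(location), urlsplit(requested_url)
    o_host = (origin.hostname or "").lower()
    t_host = (target.hostname or "").lower()
    same_site = {o_host, o_host[4:] if o_host.startswith("www.") else "www." + o_host}
    return target.scheme == "https" and t_host in same_site


def same_backend(apex_addrs: set, www_addrs: set) -> bool:
    """'Inconsistent DNS config' check: both names should resolve to the same
    non-empty set of addresses (pass in sets of IP strings from your resolver)."""
    return bool(apex_addrs) and apex_addrs == www_addrs


def live_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live server's leaf certificate in getpeercert() format. Network access;
    feed the result to uncovered_hosts(). Not used by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a wildcard certificate that forgot the apex name.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/html"}),              # page served in the clear
    (301, {"Location": "https://www.example.com/"}),   # correct: redirected to HTTPS
]

if __name__ == "__main__":
    print("not covered by cert:", uncovered_hosts(SAMPLE_CERT, ["example.com", "www.example.com"]))
    for status, hdrs in SAMPLE_RESPONSES:
        verdict = "enforced" if https_enforced(status, hdrs, "http://www.example.com/") else "NOT enforced"
        print(f"HTTP {status}: SSL {verdict}")
```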
There are a few more, but I'll leave it there for now.

If you have any questions, contact me through the above:
Twitter: twitter.com/brianritchie
Facebook: facebook.com/brianritchie
OWASP MY Mailing List
Introduction to SSL and How to Exploit & Secure