SlideShare a Scribd company logo
1 of 39
Download to read offline
SSL/TLS FOR MORTALSSSL/TLS FOR MORTALS
@mthmuldersmaartenm@infosupport.com
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.infosupport.maartenm.Demo.main(Demo.java:13)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcepti
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488)
... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 19 more
WHY BOTHER?WHY BOTHER?
Using SSL/TLS correctly is o en hard to achieve
...and understand!
Crucial for secure connection between systems
Globally deployed (intra-)cloud applications
data unit layers
Data
Data
Data
Segments
Packets
Frames
Bits
Application 
Network Process to Application
Presentation 
Data Representation 
and Encryption
Session 
Interhost Communication
Transport 
End­to­End Connections 
and Reliability
Network 
Path Determination and 
Logical Addressing (IP)
Data Link 
Physical Addressing 
(MAC and LLC)
Physical 
Media, Signal and 
Binary Transmission
Host LayersMedia Layers
 
SSL 1.0
never released
SSL 2.0
1995 - POODLE (2011)
SSL 3.0
1996 - POODLE (2014)
TLS 1.0
1999 - BEAST (2011)
TLS 1.1
2006
TLS 1.2
2008
TLS 1.3
dra
DEMO TIME!DEMO TIME!
What's the issue?
HOW TO PREVENTHOW TO PREVENT
THIS?THIS?
1. public/private key encryption
2. signed certificates
3. certificate authorities
PUBLIC/PRIVATE KEYPUBLIC/PRIVATE KEY
ENCRYPTIONENCRYPTION
 
 
Math time!
p = 11, q = 17 // two prime numbers
modulus = 187 // p * q
e = 3 // random number between 1 and modulus
// find d, so that (d * e) - 1 % (p - 1) * (q - 1) is zero
320 % 160 = 0
(321 - 1) % (10 * 16) = 0
(107 * 3) = 321 → d = 107
Note that d varies with e:
e = 7
// find d, so that (d * e) - 1 % (p - 1) * (q - 1) is zero
1280 % 160 = 0
(1281 - 1) % (10 * 16) = 0
(183 * 7) = 1281 → d = 183
Now, what if and are unknown?p q
p = 13 // prime number
q = 23 // prime number
modulus = 299 // p * q
e = 5 // random number between 1 and modulus
// find d, so that (d * e) - 1 % (p - 1) * (q - 1) is zero
1584 % 264 == 0
(1585 - 1) % (12 * 22) = 0
(317 * 5) = 1585 → d = 317
Turns out this is pretty hard!
For big enough and , finding those factors will cost an
eternity!
p q
So we can distribute ( p * q ) and even e!
d = 107
LET'S ENCRYPT THE LETTER 'LET'S ENCRYPT THE LETTER 'GG''
G → 7
7e → 73 → 343
343 % 187 → 156
LET'S DECRYPT THE MESSAGE 'LET'S DECRYPT THE MESSAGE '156156''
156107 → 4.6 * 10234
156107 % 187 → 7
7 → G
 
Negotiating a secure
connection
Client   Server
1 ClientHello →  
2   ← ServerHello
3   ← Certificate
4   ← ServerKeyExchange
5   ← ServerHelloDone
6 ClientKeyExchange →  
7 ChangeCipherSpec →  
8 Finished →  
9   ← ChangeCipherSpec
10   ← Finished
DEMO TIME!DEMO TIME!
No-one is eavesdropping!
SIGNED CERTIFICATESSIGNED CERTIFICATES
Certificate contents
Serial Number
Subject
Validity
Usage
Public Key
Fingerprint Algorithm
Fingerprint
But wait... anyone could create a certificate!
So we also need
Signature Algorithm
Signature
Issuer
... and a way to sign stuff
 
A is a mathematical relationship between a
message , a private key and a public key .
signature
x sk pk
 
It consists of two functions:
1. signing function
2. verifying function
t = f (sk, x)
[accept, reject] = g(pk, t, x)
 
So, given x and t and knowing pk,
we can tell if x is indeed signed by sk.
CERTIFICATECERTIFICATE
AUTHORITIESAUTHORITIES
An entity that issues digital certificates, certifying the
ownership of a public key by the subject of the certificate.
"I can trust you, because I trust John, and John trusts Alice,
and Alice trusts you"
I
John
?
Alice
Who knows who "John" is?
Many "John"'s in todays browsers and operating systems!
Top-notch security procedures, including "key ceremonies"
And yet...
FAIRYTALE TIME!FAIRYTALE TIME!
Once upon a time, a Dutch certificate
authority named DigiNotar was living
happily and carefree in the town of
Beverwijk.
But on a bad day, evil hurt it...
Real hard.
An attacker compromised a webserver of
DigiNotar due to a vulnerability that is
present within the DotNetNuke so ware.
DotNetNuke version 4.8.2.0 is installed on
host winsrv119. This version is affected by a
file upload vulnerability.
Due to the weak security of Windows
passwords it must be assumed that the
attacker was able to compromise the
passwords [...] of the accounts found on the
system. On the system, [...] the domain
administrator account [...] is present.
The attacker was able to traverse the
infrastructure and obtain access to at least
two CA's that were used to generate
certificates.
/** intentionally le blank */
Google blacklists 247 certificates in Chromium
Microso removes the DigiNotar root certificate from all
supported Windows-releases *
Mozilla revokes trust in the DigiNotar root certificate in all
supported versions
Apple issued Security Update 2011-005
 
Update Certificate Revocation Lists (except these are
self-signed)
DEMO TIME!DEMO TIME!
Trust (for what it's worth)
TOOLSTOOLS
curl -v -k <address>
openssl s_client -showcerts -servername
<address> -connect <address>:443
Denotes where a can be found: a file that contains
.
is the password to that file.
JVM SETTINGS (1)JVM SETTINGS (1)
-Djavax.net.ssl.trustStore=<file>
truststore
trusted certs
-Djavax.net.ssl.trustStorePassword=...
Denotes where a can be found: a file that contains
.
is the password to that file.
JVM SETTINGS (2)JVM SETTINGS (2)
-Djavax.net.ssl.keyStore=<file>
keystore
private keys
-Djavax.net.ssl.keyStorePassword=...
Include debug logging for TLS handshake and connections.
JVM SETTINGS (3)JVM SETTINGS (3)
-Djavax.net.debug=all
Portecle
SO LONGSO LONG
AND THANKS FOR ALL THE FISHAND THANKS FOR ALL THE FISH
IMAGE ATTRIBUTIONSIMAGE ATTRIBUTIONS
Beverwijk by @ .
Public Key Krüpto by , , and ( )
Gerard Hogervorst Wikimedia Commons
Sándor P. Fekete Sebastian Morr Sebastian Stiller @ideainstruction

More Related Content

What's hot

Security as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native AppsSecurity as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native Appsenlamp
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Android Recoverable Keystore
Android Recoverable KeystoreAndroid Recoverable Keystore
Android Recoverable KeystoreNikolay Elenkov
 
SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)Maarten Mulders
 
Authentication Systems
Authentication SystemsAuthentication Systems
Authentication SystemsBit Hacker
 
What Every Software Engineer Should Know About Security and Encryption
What Every Software Engineer Should Know About Security and EncryptionWhat Every Software Engineer Should Know About Security and Encryption
What Every Software Engineer Should Know About Security and EncryptionAll Things Open
 
SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)Maarten Mulders
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) Maarten Mulders
 
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 |  Nagios 3.0 and beyond by Ethan GalstadNagios Conference 2006 |  Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNETWAYS
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slidesDan Kaminsky
 
Cac linux clusterintro
Cac linux clusterintroCac linux clusterintro
Cac linux clusterintroadolgert
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLShannob
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019kieranjacobsen
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)hannob
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 

What's hot (20)

Security as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native AppsSecurity as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native Apps
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Android Recoverable Keystore
Android Recoverable KeystoreAndroid Recoverable Keystore
Android Recoverable Keystore
 
SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)
 
Authentication Systems
Authentication SystemsAuthentication Systems
Authentication Systems
 
What Every Software Engineer Should Know About Security and Encryption
What Every Software Engineer Should Know About Security and EncryptionWhat Every Software Engineer Should Know About Security and Encryption
What Every Software Engineer Should Know About Security and Encryption
 
SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand)
 
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 |  Nagios 3.0 and beyond by Ethan GalstadNagios Conference 2006 |  Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
 
Cac linux clusterintro
Cac linux clusterintroCac linux clusterintro
Cac linux clusterintro
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLS
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 

Similar to SSL/TLS for Mortals (DevNexus)

SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)Maarten Mulders
 
Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Stanfy
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
WebRTC 101 - How to get started building your first WebRTC application
WebRTC 101 - How to get started building your first WebRTC applicationWebRTC 101 - How to get started building your first WebRTC application
WebRTC 101 - How to get started building your first WebRTC applicationDan Jenkins
 
Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Michel Schudel
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT securityJulien Vermillard
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT Meetup
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerBU
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Building Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEisBuilding Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEisFIWARE
 
Remove centralization on Authorization - API Days Paris 2018 (announcement fo...
Remove centralization on Authorization - API Days Paris 2018 (announcement fo...Remove centralization on Authorization - API Days Paris 2018 (announcement fo...
Remove centralization on Authorization - API Days Paris 2018 (announcement fo...Quentin Adam
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
 
Preventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StancePreventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StanceSara Goodison
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones HijackingPriyanka Aash
 

Similar to SSL/TLS for Mortals (DevNexus) (20)

SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)
 
Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
WebRTC 101 - How to get started building your first WebRTC application
WebRTC 101 - How to get started building your first WebRTC applicationWebRTC 101 - How to get started building your first WebRTC application
WebRTC 101 - How to get started building your first WebRTC application
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
InSpec Keynote at ChefConf
InSpec Keynote at ChefConfInSpec Keynote at ChefConf
InSpec Keynote at ChefConf
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Building Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEisBuilding Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEis
 
Remove centralization on Authorization - API Days Paris 2018 (announcement fo...
Remove centralization on Authorization - API Days Paris 2018 (announcement fo...Remove centralization on Authorization - API Days Paris 2018 (announcement fo...
Remove centralization on Authorization - API Days Paris 2018 (announcement fo...
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
Preventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StancePreventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security Stance
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
 

More from Maarten Mulders

What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)Maarten Mulders
 
Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Maarten Mulders
 
Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Maarten Mulders
 
Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Maarten Mulders
 
Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Maarten Mulders
 
Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Maarten Mulders
 
React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) Maarten Mulders
 
React in 40 minutes (JCON)
React in 40 minutes (JCON) React in 40 minutes (JCON)
React in 40 minutes (JCON) Maarten Mulders
 
React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)Maarten Mulders
 
React in 50 Minutes (JNation)
 React in 50 Minutes (JNation)  React in 50 Minutes (JNation)
React in 50 Minutes (JNation) Maarten Mulders
 
Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Maarten Mulders
 
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Maarten Mulders
 
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)Maarten Mulders
 
SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)Maarten Mulders
 
Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Maarten Mulders
 
React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) Maarten Mulders
 
React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) Maarten Mulders
 
React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)Maarten Mulders
 
Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Maarten Mulders
 
SSL/TLS for Mortals (Devoxx)
 SSL/TLS for Mortals (Devoxx) SSL/TLS for Mortals (Devoxx)
SSL/TLS for Mortals (Devoxx)Maarten Mulders
 

More from Maarten Mulders (20)

What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)
 
Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)
 
Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)
 
Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)
 
Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)
 
Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)
 
React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania)
 
React in 40 minutes (JCON)
React in 40 minutes (JCON) React in 40 minutes (JCON)
React in 40 minutes (JCON)
 
React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)
 
React in 50 Minutes (JNation)
 React in 50 Minutes (JNation)  React in 50 Minutes (JNation)
React in 50 Minutes (JNation)
 
Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)
 
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
 
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
 
SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)
 
Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)
 
React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue)
 
React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus)
 
React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)
 
Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Building web applications with React (Jfokus)
Building web applications with React (Jfokus)
 
SSL/TLS for Mortals (Devoxx)
 SSL/TLS for Mortals (Devoxx) SSL/TLS for Mortals (Devoxx)
SSL/TLS for Mortals (Devoxx)
 

Recently uploaded

WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Which standard is best for your content?
Which standard is best for your content?Which standard is best for your content?
Which standard is best for your content?Rustici Software
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemSafe Software
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfwill854175
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...BookNet Canada
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceOpsTree solutions
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationDianaGray10
 
Software Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerSoftware Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerAnchore
 
full stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdffull stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdfHulkTheDevil
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
The work to make the piecework work: An ethnographic study of food delivery w...
The work to make the piecework work: An ethnographic study of food delivery w...The work to make the piecework work: An ethnographic study of food delivery w...
The work to make the piecework work: An ethnographic study of food delivery w...stockholm university
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MIRomil Mishra
 
Introduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxIntroduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxmprakaash5
 
Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Antonio de Llamas
 

Recently uploaded (20)

WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Which standard is best for your content?
Which standard is best for your content?Which standard is best for your content?
Which standard is best for your content?
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data Ecosystem
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdf
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
Software Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerSoftware Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey Hightower
 
full stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdffull stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdf
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
The work to make the piecework work: An ethnographic study of food delivery w...
The work to make the piecework work: An ethnographic study of food delivery w...The work to make the piecework work: An ethnographic study of food delivery w...
The work to make the piecework work: An ethnographic study of food delivery w...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MI
 
Introduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxIntroduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptx
 
Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+
 

SSL/TLS for Mortals (DevNexus)

  • 1. SSL/TLS FOR MORTALSSSL/TLS FOR MORTALS @mthmuldersmaartenm@infosupport.com
  • 2. Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at com.infosupport.maartenm.Demo.main(Demo.java:13) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcepti at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488) ... 13 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 19 more
  • 3. WHY BOTHER?WHY BOTHER? Using SSL/TLS correctly is o en hard to achieve ...and understand! Crucial for secure connection between systems Globally deployed (intra-)cloud applications
  • 5. SSL 1.0 never released SSL 2.0 1995 - POODLE (2011) SSL 3.0 1996 - POODLE (2014) TLS 1.0 1999 - BEAST (2011) TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 dra
  • 7. HOW TO PREVENTHOW TO PREVENT THIS?THIS? 1. public/private key encryption 2. signed certificates 3. certificate authorities
  • 9.  
  • 10.  
  • 11. Math time! p = 11, q = 17 // two prime numbers modulus = 187 // p * q e = 3 // random number between 1 and modulus // find d, so that (d * e) - 1 % (p - 1) * (q - 1) is zero 320 % 160 = 0 (321 - 1) % (10 * 16) = 0 (107 * 3) = 321 → d = 107 Note that d varies with e: e = 7 // find d, so that (d * e) - 1 % (p - 1) * (q - 1) is zero 1280 % 160 = 0 (1281 - 1) % (10 * 16) = 0 (183 * 7) = 1281 → d = 183
  • 12. Now, what if and are unknown?p q p = 13 // prime number q = 23 // prime number modulus = 299 // p * q e = 5 // random number between 1 and modulus // find d, so that (d * e) - 1 % (p - 1) * (q - 1) is zero 1584 % 264 == 0 (1585 - 1) % (12 * 22) = 0 (317 * 5) = 1585 → d = 317 Turns out this is pretty hard!
  • 13. For big enough and , finding those factors will cost an eternity! p q So we can distribute ( p * q ) and even e!
  • 14. d = 107 LET'S ENCRYPT THE LETTER 'LET'S ENCRYPT THE LETTER 'GG'' G → 7 7e → 73 → 343 343 % 187 → 156 LET'S DECRYPT THE MESSAGE 'LET'S DECRYPT THE MESSAGE '156156'' 156107 → 4.6 * 10234 156107 % 187 → 7 7 → G
  • 15.  
  • 16. Negotiating a secure connection Client   Server 1 ClientHello →   2   ← ServerHello 3   ← Certificate 4   ← ServerKeyExchange 5   ← ServerHelloDone 6 ClientKeyExchange →   7 ChangeCipherSpec →   8 Finished →   9   ← ChangeCipherSpec 10   ← Finished
  • 17. DEMO TIME!DEMO TIME! No-one is eavesdropping!
  • 20. But wait... anyone could create a certificate! So we also need Signature Algorithm Signature Issuer ... and a way to sign stuff
  • 21.  
  • 22. A is a mathematical relationship between a message , a private key and a public key . signature x sk pk   It consists of two functions: 1. signing function 2. verifying function t = f (sk, x) [accept, reject] = g(pk, t, x)   So, given x and t and knowing pk, we can tell if x is indeed signed by sk.
  • 24. An entity that issues digital certificates, certifying the ownership of a public key by the subject of the certificate.
  • 25. "I can trust you, because I trust John, and John trusts Alice, and Alice trusts you" I John ? Alice Who knows who "John" is? Many "John"'s in todays browsers and operating systems!
  • 26. Top-notch security procedures, including "key ceremonies" And yet...
  • 27. FAIRYTALE TIME!FAIRYTALE TIME! Once upon a time, a Dutch certificate authority named DigiNotar was living happily and carefree in the town of Beverwijk. But on a bad day, evil hurt it... Real hard.
  • 28. An attacker compromised a webserver of DigiNotar due to a vulnerability that is present within the DotNetNuke so ware. DotNetNuke version 4.8.2.0 is installed on host winsrv119. This version is affected by a file upload vulnerability.
  • 29. Due to the weak security of Windows passwords it must be assumed that the attacker was able to compromise the passwords [...] of the accounts found on the system. On the system, [...] the domain administrator account [...] is present.
  • 30. The attacker was able to traverse the infrastructure and obtain access to at least two CA's that were used to generate certificates.
  • 32. Google blacklists 247 certificates in Chromium Microso removes the DigiNotar root certificate from all supported Windows-releases * Mozilla revokes trust in the DigiNotar root certificate in all supported versions Apple issued Security Update 2011-005   Update Certificate Revocation Lists (except these are self-signed)
  • 33. DEMO TIME!DEMO TIME! Trust (for what it's worth)
  • 34. TOOLSTOOLS curl -v -k <address> openssl s_client -showcerts -servername <address> -connect <address>:443
  • 35. Denotes where a can be found: a file that contains . is the password to that file. JVM SETTINGS (1)JVM SETTINGS (1) -Djavax.net.ssl.trustStore=<file> truststore trusted certs -Djavax.net.ssl.trustStorePassword=...
  • 36. Denotes where a can be found: a file that contains . is the password to that file. JVM SETTINGS (2)JVM SETTINGS (2) -Djavax.net.ssl.keyStore=<file> keystore private keys -Djavax.net.ssl.keyStorePassword=...
  • 37. Include debug logging for TLS handshake and connections. JVM SETTINGS (3)JVM SETTINGS (3) -Djavax.net.debug=all
  • 39. SO LONGSO LONG AND THANKS FOR ALL THE FISHAND THANKS FOR ALL THE FISH IMAGE ATTRIBUTIONSIMAGE ATTRIBUTIONS Beverwijk by @ . Public Key Krüpto by , , and ( ) Gerard Hogervorst Wikimedia Commons Sándor P. Fekete Sebastian Morr Sebastian Stiller @ideainstruction