Man in the Middle? - No, thank you!
Daniel Schneller
1.
Man in the Middle? No, thank you! Daniel Schneller – CenterDevice GmbH
2.
SSL – and you're done™
4.
SSL – and you're done™ … are you?
5.
Mac App Store
8.
Outbank
9.
What happened to SSL?
10.
SSL – Chain of Trust
13.
SSL – Chain of Trust: Root CA Certificate issues Intermediate CA Certificate(s), Intermediate CA Certificate(s) issue Leaf Certificate
20.
Just how many Root CAs are there?
23.
System Roots: Windows 8: ~350, Mozilla: ~160, iOS 6: ~220
24.
Man In The Middle?
25.
Man In The Middle: Client – [Corporate] Proxy
28.
Man In The Middle: Client – [Corporate] Proxy – Website
32.
Man In The Middle
38.
Consequences
• Monitoring
• Manipulation
• Sent and received data affected
• Chain of Trust formally verified
39.
Good and evil
• Debugging
• Reverse Engineering
• Security Audits
• Learning and Understanding
40.
REST Debugging
41.
Good and evil
• Phishing
• Identity Theft
• Industrial Espionage
• …
42.
Mac App Store
45.
iTunes
48.
Demo 1: Video 1, Video 2
49.
Countermeasures
50.
Reference Certificates
51.
Reference Certificates
• Client bundles server certificate as a reference
• Compare reference and certificate sent by the server
• Connect only when there's a perfect match
53.
Reference Certificates: Client App == Server
54.
Reference Certificates
• Step 1: Validate Chain of Trust

    SecTrustResultType evaluationResult;
    OSStatus status = SecTrustEvaluate(srvTrust, &evaluationResult);
    if (status == errSecSuccess) {
        // kSecTrustResultUnspecified: the system trusts the chain without a user override
        if (evaluationResult == kSecTrustResultUnspecified) {
            // ...
        }
    }

60.
Reference Certificates
• Step 2: Load Reference Certificate

    // reference.der is the server certificate bundled with the app
    NSString *refPath = [[NSBundle mainBundle] pathForResource:@"reference"
                                                        ofType:@"der"];
    NSData *refCertData = [[NSData alloc] initWithContentsOfFile:refPath];

63.
Reference Certificates
• Step 3: Compare certificates

    BOOL found = NO;
    CFIndex crtCount = SecTrustGetCertificateCount(srvTrust);
    // Walk the chain the server presented; a byte-identical match at any position counts
    for (CFIndex j = 0; j < crtCount && !found; j++) {
        SecCertificateRef cert = SecTrustGetCertificateAtIndex(srvTrust, j);
        NSData *certData = CFBridgingRelease(SecCertificateCopyData(cert));
        found = [refCertData isEqualToData:certData];
    }

70.
Demo 2: Video
71.
Fingerprinting
72.
Fingerprinting
• Similar to Reference Certificate approach
• Compares Certificate Fingerprint against reference value
• Server Certificate not needed in the client
• Example: Apple Software Update
75.
Fingerprinting: Client App == Server
SHA-1 Hash: 1122 3344 5566 7788 9900 AABB CCDD EEFF 9988 7766
76.
Fingerprinting
• Step 1: Validate Chain of Trust

    SecTrustResultType evaluationResult;
    OSStatus status = SecTrustEvaluate(srvTrust, &evaluationResult);
    if (status == errSecSuccess) {
        if (evaluationResult == kSecTrustResultUnspecified) {
            // ...
        }
    }

77.
Fingerprinting
• Step 2: Compute fingerprint

    static NSString* const kReferenceFP = @"AC .... DC";
    BOOL found = NO;
    CFIndex crtCount = SecTrustGetCertificateCount(srvTrust);
    for (CFIndex j = 0; j < crtCount && !found; j++) {
        SecCertificateRef cert = SecTrustGetCertificateAtIndex(srvTrust, j);
        NSData *certData = CFBridgingRelease(SecCertificateCopyData(cert));
        // sha1: is a helper not shown on the slides; it returns the SHA-1 digest of the DER bytes as a string
        NSString *fingerprint = [self sha1:certData];
        found = [kReferenceFP isEqualToString:fingerprint];
    }

86.
Demo 3: Video
87.
Caveats
88.
Caveats
• Change of Certificate
• Expired
• Compromised
• Update app with plenty of lead time
• Temporarily accept old and new certificates
89.
Variation
90.
Variation
• Check Root Certificate against reference
• Trade-Off: Flexibility vs. Security
• Updates only required when changing Root CA
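The checks from slides 50 to 90 (reference certificate, fingerprint, the rotation caveat and the root-CA variation) as one runnable Python example, added here and not code from the talk or from the github.com/dschneller/mitmnothankyou sample repository. The "certificates" are constructed byte strings standing in for DER data so that the example runs offline; with real certificates the same functions take the DER bytes that SecCertificateCopyData() returns on iOS. The interception scenario from slides 25 to 31 is modelled by PROXY_CHAIN, a constructed chain whose leaf was issued by a proxy CA installed on the client, and the boolean chain_trusted_by_system stands in for the result of the OS chain-of-trust evaluation (SecTrustEvaluate on the slides).

```python
"""Certificate pinning checks: reference certificate, SHA-1 fingerprint,
pin rotation and root-CA pinning. Added example; all certificate data below
is constructed and stands in for DER-encoded X.509 bytes."""
import hashlib
import hmac
from typing import Iterable, Sequence

# Constructed chain as the genuine server presents it, leaf first, root last
# (the order in which SecTrustGetCertificateAtIndex() walks the chain on iOS).
LEAF_DER = b"constructed DER: CN=api.example.test, issued by Example Intermediate CA"
INTERMEDIATE_DER = b"constructed DER: CN=Example Intermediate CA, issued by Example Root CA"
ROOT_DER = b"constructed DER: CN=Example Root CA, self-signed"
SERVER_CHAIN: Sequence[bytes] = (LEAF_DER, INTERMEDIATE_DER, ROOT_DER)

# Constructed chain an intercepting [corporate] proxy presents for the same host.
# The proxy CA is installed as a system root on the client, so the OS chain
# check passes; only the pin tells the two chains apart.
PROXY_CHAIN: Sequence[bytes] = (
    b"constructed DER: CN=api.example.test, issued by Corporate Proxy CA",
    b"constructed DER: CN=Corporate Proxy CA, self-signed",
)

# Constructed leaf the server used before a certificate rotation (Caveats slide).
OLD_LEAF_DER = b"constructed DER: CN=api.example.test, issued by Example Intermediate CA, 2012"


def fingerprint(cert_der: bytes) -> str:
    """SHA-1 fingerprint of the DER bytes, colon separated and upper case,
    the form the deck's kReferenceFP literal uses."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Strip separators so 'AC:..:DC', 'AC .. DC' and 'ac..dc' compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def chain_has_reference_cert(chain: Sequence[bytes], reference_der: bytes) -> bool:
    """Reference-certificate approach (step 3 on the slides): some certificate
    in the chain must equal the bundled reference byte for byte."""
    return any(hmac.compare_digest(cert, reference_der) for cert in chain)


def chain_has_pinned_fingerprint(chain: Sequence[bytes], accepted: Iterable[str]) -> bool:
    """Fingerprint approach (step 2 on the slides). `accepted` may hold several
    pins so that, during a rotation, old and new certificate are both allowed."""
    pins = {_normalize(fp) for fp in accepted}
    return any(_normalize(fingerprint(cert)) in pins for cert in chain)


def root_is_pinned(chain: Sequence[bytes], accepted_root_fps: Iterable[str]) -> bool:
    """Variation slide: pin only the root CA (last element). Leaf and
    intermediate may then change without an app update."""
    if not chain:
        return False
    return chain_has_pinned_fingerprint(chain[-1:], accepted_root_fps)


def connection_allowed(chain_trusted_by_system: bool, chain: Sequence[bytes],
                       accepted: Iterable[str], pin_root_only: bool = False) -> bool:
    """Step 1 first: the OS chain-of-trust evaluation must already have
    succeeded (chain_trusted_by_system stands in for that result). Pinning is
    an additional check on top of it, never a replacement."""
    if not chain_trusted_by_system:
        return False
    if pin_root_only:
        return root_is_pinned(chain, accepted)
    return chain_has_pinned_fingerprint(chain, accepted)


if __name__ == "__main__":
    pins = [fingerprint(LEAF_DER)]
    print("genuine server:", connection_allowed(True, SERVER_CHAIN, pins))   # True
    print("proxy chain:   ", connection_allowed(True, PROXY_CHAIN, pins))    # False
```

The hash is SHA-1 because that is what the deck fingerprints with; replacing hashlib.sha1 with hashlib.sha256 changes nothing else in the check. Keeping the accepted pins as a set is what makes the "temporarily accept old and new certificates" advice from the Caveats slide a one-line change.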
91.
Conclusions
92.
Conclusions
• SSL provides
    • Confidentiality (encrypted)
    • Authenticity
• CA system (usually) sufficient
• More Security = More Work
93.
Make informed decisions!
94.
Links
Sample Code
• github.com/dschneller/mitmnothankyou
Tools
• github.com/ADVTOOLS/ADVcertificator
• github.com/ADVTOOLS/ADVTrustStore
• www.apple.com/support/iphone/enterprise
• technet.microsoft.com/en-us/library/cc754841.aspx
95.
Links
TLS Session Cache
• developer.apple.com/library/ios/#qa/qa1727
Root CA Lists
• support.apple.com/kb/HT5012
• www.mozilla.org/projects/security/certs/included/
• social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx
• Android: Settings → Security → Trusted Credentials
96.
Thank you!
97.
Questions? daniel.schneller@centerdevice.de @dschneller
98.
That's all. Really. :)
99.
Demo 1: Standard SSL, MITM Root CA not installed (back)