SlideShare ist ein Scribd-Unternehmen logo

SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser – this time for real? by Mathias Tausig

SBA Research
SBA Research

Target Group: SysAdmins, anyone interested in PKI Focus: technical Language: English Abstract: ********** Revocation of TLS certificates used by web browsers has been broken for years. Why is that, and can the newly proposed CRLite technology solve the problem? About the Speaker: ********************* Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

Technologie
1 von 17
Downloaden Sie, um offline zu lesen
Klassifikation: Öffentlich Welcome to the SBA Live Academy #bleibdaheim # remotelearning Today: CRLite: Revocation for X.509 certificates in the browser – this time for real? by Mathias Tausig This talk will be recorded as soon as the presentation starts! Recording will end BEFORE the Q&A Session starts. Please be sure to turn off your video in your control panel.
Klassifikation: Öffentlich CRLite Revocation for X.509 certificates in the browser – this time for real? SBA Research gGmbH, 2020
Klassifikation: Öffentlich 3 The sad story of revocation SBA Research gGmbH, 2020
Klassifikation: Öffentlich 4 Revocation • Problem only arose with asymmetric cryptography • Subject creates public/private keypair • Trusted Certification Authority signs keypair to create trust into the ownership of it -> certificate • Certificate valid for a limited amount of time • Things can go wrong in that timeframe o Broken algorithms o Key compromise o Organisational problems o Misissued certificates • -> Revocation tells the world that a certificate has become invalid before its expiration date SBA Research gGmbH, 2020
Klassifikation: Öffentlich 5 Revocation • Certificate Revocation List (CRL) o List of all revoked certificates for that CA o Too large to be downloaded on every HTTPS connection (MBs) • Online Certificate Status Protocol (OCSP) o Query status of a single relevant certificate o Privacy concerns o Hard failure vs. soft failure (= Single point of failure vs. useless) o Very resource intensive (Comodo 2013: 2.000.000.000 requests/day) SBA Research gGmbH, 2020
Klassifikation: Öffentlich 6 Revocation • OCSP Stapling o Server queries OCSP response, sends it with the TLS handshake to the client o Server can simply hold back OCSP response with revocation information o Bad implementations in web servers • OCSP Must-Staple o Certificate extension indicating that the certificate is only valid in conjunction with a stapled OCSP response o Again: Bad or incomplete support. Hardly used SBA Research gGmbH, 2020
Klassifikation: Öffentlich 7 Revocation Workarounds • OneCRL/CRLSet/… o Browser vendor compiles a list of revoked certificates, pushes it directly to the browser o Does not scale, only usable for high value domains • Short lived certificates o The shorter a certificate’s lifespan, the shorter the period a compromised key can be exploited o TLS certificates were originally valid for up to 5 years o Maximum lifetime of 2 years since 2018 o Ballot to reduce it to 1 year fails in CA/B forum 2019; unilateral push by Apple announced in 2020 o Let’s Encrypt: 3 month SBA Research gGmbH, 2020
Klassifikation: Öffentlich 8 Summary Revocation for the WebPKI is weird … • Most complicated part of operating a CA (legal & standard requirements) • Currently mostly broken & unused • Consumes a lot of effort, yes not really important SBA Research gGmbH, 2020
Klassifikation: Öffentlich 9 CRLite to the rescue SBA Research gGmbH, 2020
Klassifikation: Öffentlich 10 CRLite Overview • Proposed by Larisch, Choffnes et.al. at IEEE S&P 2017 (Universities & Akamai) • Compile a list of all revocations like OneCRL • Store it efficiently by using Cascading Bloom Filters SBA Research gGmbH, 2020
Klassifikation: Öffentlich 11 Bloom Filter • Extremely fast and storage efficient data index • Data can only be added to the filter • User can query if some data is in the filter o „Object not in the filter“ o „Object probably in the filter“ • Probabilistic Data Structure • False positive probabililty depends on filter size, configuration and number of entries SBA Research gGmbH, 2020
Klassifikation: Öffentlich 12 CRLite Workflow • Download all CRLs • Store unique certificate identifier (hash of public key + serial number) of all revoked certificates in Bloom filter • Check for false positives in the filter o Download all certificates from certificate transparency logs • Store false positives in a second, much smaller, cascading bloom filter • Continue until no false positives are left • Push filter to browser SBA Research gGmbH, 2020
Klassifikation: Öffentlich 13 CRLite at Mozilla • Activated in Firefox Nightly (only for telemetry) • Filter compiled 4 times a day • Covers 100M of 152M certificates, 750k revocations o Missing: CRL errors, CAs without a CRL (Let‘s Encrypt!) • Filter generation takes ~1h; requires 16GB memory and 7GB storage • Filter size: 1,3MB • Faster than OCSP 99% of cases SBA Research gGmbH, 2020
Klassifikation: Öffentlich 14 References • https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland1 7.pdf • https://blog.mozilla.org/security/2020/01/09/crlite-part-2- end-to-end-design/ • https://blog.mozilla.org/security/2020/01/21/crlite-part-3- speeding-up-secure-browsing/ • https://scotthelme.co.uk/crlite-finally-a-fix-for-broken- revocation/ • https://www.imperialviolet.org/2014/04/19/revchecking.html • https://scotthelme.co.uk/revocation-is-broken/ SBA Research gGmbH, 2020
Klassifikation: Öffentlich 15 Key take-aways 1. Certificate revocation in the browser is currently broken 2. Pushing lists of revoked certificates to the browser is the only thing that works 3. Bloom filters allow extremely compact storage 4. Certificate transparency necessary enabling technology SBA Research gGmbH, 2020
Klassifikation: Öffentlich 16 Mathias Tausig SBA Research gGmbH Floragasse 7, 1040 Wien +43 1 5053688 1512 mtausig@sba-research.org SBA Research gGmbH, 2020
Klassifikation: Öffentlich 17 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Bridging Science and Industry Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowledge Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Contact us: anfragen@sba-research.org

Empfohlen

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Research
 
SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...
SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...
SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...SBA Research
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Research
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Research
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Research
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Research
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 

Empfohlen

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Research
 
SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...
SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...
SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Ku...SBA Research
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Research
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Research
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Research
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Research
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code ReviewsMarco Morana
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE - ATT&CKcon
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programPriyanka Aash
 
Software Engineering Process at SSL
Software Engineering Process at SSLSoftware Engineering Process at SSL
Software Engineering Process at SSLSSL
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 
Fighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case StudyFighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case StudyPriyanka Aash
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsKaspersky
 
Certificate Management Protocols for 1609.2 Certificates
Certificate Management Protocols for 1609.2 CertificatesCertificate Management Protocols for 1609.2 Certificates
Certificate Management Protocols for 1609.2 CertificatesOnBoard Security, Inc. - a Qualcomm Company
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
Gtb Dlp Suite Presentation
Gtb Dlp Suite PresentationGtb Dlp Suite Presentation
Gtb Dlp Suite Presentationgtbsalesindia
 
4ire presentation
4ire presentation4ire presentation
4ire presentationOlena Petrashchuk
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident responsePriyanka Aash
 
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Clare Nelson, CISSP, CIPP-E
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Lost and Found Certificates: dealing with residual certificates for pre-owned...
Lost and Found Certificates: dealing with residual certificates for pre-owned...Lost and Found Certificates: dealing with residual certificates for pre-owned...
Lost and Found Certificates: dealing with residual certificates for pre-owned...Priyanka Aash
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023Shane Coughlan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code ReviewsMarco Morana
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE - ATT&CKcon
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programPriyanka Aash
 
Software Engineering Process at SSL
Software Engineering Process at SSLSoftware Engineering Process at SSL
Software Engineering Process at SSLSSL
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 
Fighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case StudyFighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case StudyPriyanka Aash
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsKaspersky
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
Gtb Dlp Suite Presentation
Gtb Dlp Suite PresentationGtb Dlp Suite Presentation
Gtb Dlp Suite Presentationgtbsalesindia
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident responsePriyanka Aash
 
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Clare Nelson, CISSP, CIPP-E
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 

Was ist angesagt? (20)

Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code Reviews
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
 
Software Engineering Process at SSL
Software Engineering Process at SSLSoftware Engineering Process at SSL
Software Engineering Process at SSL
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
 
Fighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case StudyFighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case Study
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tips
 
Certificate Management Protocols for 1609.2 Certificates
Certificate Management Protocols for 1609.2 CertificatesCertificate Management Protocols for 1609.2 Certificates
Certificate Management Protocols for 1609.2 Certificates
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
 
Gtb Dlp Suite Presentation
Gtb Dlp Suite PresentationGtb Dlp Suite Presentation
Gtb Dlp Suite Presentation
 
4ire presentation
4ire presentation4ire presentation
4ire presentation
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident response
 
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 

Ähnlich wie SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser – this time for real? by Mathias Tausig

Lost and Found Certificates: dealing with residual certificates for pre-owned...
Lost and Found Certificates: dealing with residual certificates for pre-owned...Lost and Found Certificates: dealing with residual certificates for pre-owned...
Lost and Found Certificates: dealing with residual certificates for pre-owned...Priyanka Aash
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023Shane Coughlan
 
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Cloud Security Alliance Lviv Chapter
 
GTB DLP Suite Presentation
GTB DLP Suite PresentationGTB DLP Suite Presentation
GTB DLP Suite Presentationgtbsalesindia
 
Trunk-Based Development
Trunk-Based DevelopmentTrunk-Based Development
Trunk-Based DevelopmentBryan Liu
 
DevDay:Moving CorDapps from Pilot to Production, Dr. Duncan Wong
DevDay:Moving CorDapps from Pilot to Production, Dr. Duncan WongDevDay:Moving CorDapps from Pilot to Production, Dr. Duncan Wong
DevDay:Moving CorDapps from Pilot to Production, Dr. Duncan WongR3
 
GlobalSign's Hosted OCSP for IoT PKIs
GlobalSign's Hosted OCSP for IoT PKIsGlobalSign's Hosted OCSP for IoT PKIs
GlobalSign's Hosted OCSP for IoT PKIsGlobalSign
 
Analysis of TLS in SMTP World
Analysis of TLS in SMTP WorldAnalysis of TLS in SMTP World
Analysis of TLS in SMTP WorldBinu Ramakrishnan
 
Wipro Customer Presentation
Wipro Customer PresentationWipro Customer Presentation
Wipro Customer PresentationSplunk
 
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfBuild Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfRussFustino
 
Qtility software ltd
Qtility software ltdQtility software ltd
Qtility software ltdclarkems
 
Building A Machine Learning Platform At Quora (1)
Building A Machine Learning Platform At Quora (1)Building A Machine Learning Platform At Quora (1)
Building A Machine Learning Platform At Quora (1)Nikhil Garg
 
Microservices summit talk 1/31
Microservices summit talk 1/31Microservices summit talk 1/31
Microservices summit talk 1/31Varun Talwar
 
Go GC: Prioritizing Low Latency and Simplicity
Go GC: Prioritizing Low Latency and SimplicityGo GC: Prioritizing Low Latency and Simplicity
Go GC: Prioritizing Low Latency and SimplicityC4Media
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
PyConWeb - 2019 Auditing websites & apps for privacy leaks.
PyConWeb - 2019 Auditing websites & apps for privacy leaks.PyConWeb - 2019 Auditing websites & apps for privacy leaks.
PyConWeb - 2019 Auditing websites & apps for privacy leaks.Konark modi
 
Nikhil Garg, Engineering Manager, Quora at MLconf SF 2016
Nikhil Garg, Engineering Manager, Quora at MLconf SF 2016Nikhil Garg, Engineering Manager, Quora at MLconf SF 2016
Nikhil Garg, Engineering Manager, Quora at MLconf SF 2016MLconf
 
Is Your Mobile App Secure?
Is Your Mobile App Secure?Is Your Mobile App Secure?
Is Your Mobile App Secure?Sam Bowne
 

Ähnlich wie SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser – this time for real? by Mathias Tausig (20)

Lost and Found Certificates: dealing with residual certificates for pre-owned...
Lost and Found Certificates: dealing with residual certificates for pre-owned...Lost and Found Certificates: dealing with residual certificates for pre-owned...
Lost and Found Certificates: dealing with residual certificates for pre-owned...
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023
 
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
 
GTB DLP Suite Presentation
GTB DLP Suite PresentationGTB DLP Suite Presentation
GTB DLP Suite Presentation
 
Provide Company Overview
Provide Company OverviewProvide Company Overview
Provide Company Overview
 
Trunk-Based Development
Trunk-Based DevelopmentTrunk-Based Development
Trunk-Based Development
 
DevDay:Moving CorDapps from Pilot to Production, Dr. Duncan Wong
DevDay:Moving CorDapps from Pilot to Production, Dr. Duncan WongDevDay:Moving CorDapps from Pilot to Production, Dr. Duncan Wong
DevDay:Moving CorDapps from Pilot to Production, Dr. Duncan Wong
 
GlobalSign's Hosted OCSP for IoT PKIs
GlobalSign's Hosted OCSP for IoT PKIsGlobalSign's Hosted OCSP for IoT PKIs
GlobalSign's Hosted OCSP for IoT PKIs
 
From Monolith to Kubernetes #geecon #prague
From Monolith to Kubernetes #geecon #pragueFrom Monolith to Kubernetes #geecon #prague
From Monolith to Kubernetes #geecon #prague
 
Analysis of TLS in SMTP World
Analysis of TLS in SMTP WorldAnalysis of TLS in SMTP World
Analysis of TLS in SMTP World
 
Wipro Customer Presentation
Wipro Customer PresentationWipro Customer Presentation
Wipro Customer Presentation
 
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfBuild Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
 
Qtility software ltd
Qtility software ltdQtility software ltd
Qtility software ltd
 
Building A Machine Learning Platform At Quora (1)
Building A Machine Learning Platform At Quora (1)Building A Machine Learning Platform At Quora (1)
Building A Machine Learning Platform At Quora (1)
 
Microservices summit talk 1/31
Microservices summit talk 1/31Microservices summit talk 1/31
Microservices summit talk 1/31
 
Go GC: Prioritizing Low Latency and Simplicity
Go GC: Prioritizing Low Latency and SimplicityGo GC: Prioritizing Low Latency and Simplicity
Go GC: Prioritizing Low Latency and Simplicity
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
PyConWeb - 2019 Auditing websites & apps for privacy leaks.
PyConWeb - 2019 Auditing websites & apps for privacy leaks.PyConWeb - 2019 Auditing websites & apps for privacy leaks.
PyConWeb - 2019 Auditing websites & apps for privacy leaks.
 
Nikhil Garg, Engineering Manager, Quora at MLconf SF 2016
Nikhil Garg, Engineering Manager, Quora at MLconf SF 2016Nikhil Garg, Engineering Manager, Quora at MLconf SF 2016
Nikhil Garg, Engineering Manager, Quora at MLconf SF 2016
 
Is Your Mobile App Secure?
Is Your Mobile App Secure?Is Your Mobile App Secure?
Is Your Mobile App Secure?
 

Mehr von SBA Research

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Research
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...SBA Research
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Research
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Research
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Research
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas KopeinigSBA Research
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSBA Research
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Research
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Research
 
Tools & techniques, building a dev secops culture at mozilla sba live a...
Tools & techniques, building a dev secops culture at mozilla sba live a...Tools & techniques, building a dev secops culture at mozilla sba live a...
Tools & techniques, building a dev secops culture at mozilla sba live a...SBA Research
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...SBA Research
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Research
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Research
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Research
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Research
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Research
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Research
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Research
 
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...SBA Research
 
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...SBA Research
 

Mehr von SBA Research (20)

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
 
Tools & techniques, building a dev secops culture at mozilla sba live a...
Tools & techniques, building a dev secops culture at mozilla sba live a...Tools & techniques, building a dev secops culture at mozilla sba live a...
Tools & techniques, building a dev secops culture at mozilla sba live a...
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
 
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...
 
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...
 

Kürzlich hochgeladen

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Kürzlich hochgeladen (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser – this time for real? by Mathias Tausig

  • 1. Klassifikation: Öffentlich Welcome to the SBA Live Academy #bleibdaheim # remotelearning Today: CRLite: Revocation for X.509 certificates in the browser – this time for real? by Mathias Tausig This talk will be recorded as soon as the presentation starts! Recording will end BEFORE the Q&A Session starts. Please be sure to turn off your video in your control panel.
  • 2. Klassifikation: Öffentlich CRLite Revocation for X.509 certificates in the browser – this time for real? SBA Research gGmbH, 2020
  • 3. Klassifikation: Öffentlich 3 The sad story of revocation SBA Research gGmbH, 2020
  • 4. Klassifikation: Öffentlich 4 Revocation • Problem only arose with asymmetric cryptography • Subject creates public/private keypair • Trusted Certification Authority signs keypair to create trust into the ownership of it -> certificate • Certificate valid for a limited amount of time • Things can go wrong in that timeframe o Broken algorithms o Key compromise o Organisational problems o Misissued certificates • -> Revocation tells the world that a certificate has become invalid before its expiration date SBA Research gGmbH, 2020
  • 5. Klassifikation: Öffentlich 5 Revocation • Certificate Revocation List (CRL) o List of all revoked certificates for that CA o Too large to be downloaded on every HTTPS connection (MBs) • Online Certificate Status Protocol (OCSP) o Query status of a single relevant certificate o Privacy concerns o Hard failure vs. soft failure (= Single point of failure vs. useless) o Very resource intensive (Comodo 2013: 2.000.000.000 requests/day) SBA Research gGmbH, 2020
  • 6. Klassifikation: Öffentlich 6 Revocation • OCSP Stapling o Server queries OCSP response, sends it with the TLS handshake to the client o Server can simply hold back OCSP response with revocation information o Bad implementations in web servers • OCSP Must-Staple o Certificate extension indicating that the certificate is only valid in conjunction with a stapled OCSP response o Again: Bad or incomplete support. Hardly used SBA Research gGmbH, 2020
  • 7. Klassifikation: Öffentlich 7 Revocation Workarounds • OneCRL/CRLSet/… o Browser vendor compiles a list of revoked certificates, pushes it directly to the browser o Does not scale, only usable for high value domains • Short lived certificates o The shorter a certificate’s lifespan, the shorter the period a compromised key can be exploited o TLS certificates were originally valid for up to 5 years o Maximum lifetime of 2 years since 2018 o Ballot to reduce it to 1 year fails in CA/B forum 2019; unilateral push by Apple announced in 2020 o Let’s Encrypt: 3 month SBA Research gGmbH, 2020
  • 8. Klassifikation: Öffentlich 8 Summary Revocation for the WebPKI is weird … • Most complicated part of operating a CA (legal & standard requirements) • Currently mostly broken & unused • Consumes a lot of effort, yes not really important SBA Research gGmbH, 2020
  • 9. Klassifikation: Öffentlich 9 CRLite to the rescue SBA Research gGmbH, 2020
  • 10. Klassifikation: Öffentlich 10 CRLite Overview • Proposed by Larisch, Choffnes et.al. at IEEE S&P 2017 (Universities & Akamai) • Compile a list of all revocations like OneCRL • Store it efficiently by using Cascading Bloom Filters SBA Research gGmbH, 2020
  • 11. Klassifikation: Öffentlich 11 Bloom Filter • Extremely fast and storage efficient data index • Data can only be added to the filter • User can query if some data is in the filter o „Object not in the filter“ o „Object probably in the filter“ • Probabilistic Data Structure • False positive probabililty depends on filter size, configuration and number of entries SBA Research gGmbH, 2020
  • 12. Klassifikation: Öffentlich 12 CRLite Workflow • Download all CRLs • Store unique certificate identifier (hash of public key + serial number) of all revoked certificates in Bloom filter • Check for false positives in the filter o Download all certificates from certificate transparency logs • Store false positives in a second, much smaller, cascading bloom filter • Continue until no false positives are left • Push filter to browser SBA Research gGmbH, 2020
  • 13. Klassifikation: Öffentlich 13 CRLite at Mozilla • Activated in Firefox Nightly (only for telemetry) • Filter compiled 4 times a day • Covers 100M of 152M certificates, 750k revocations o Missing: CRL errors, CAs without a CRL (Let‘s Encrypt!) • Filter generation takes ~1h; requires 16GB memory and 7GB storage • Filter size: 1,3MB • Faster than OCSP 99% of cases SBA Research gGmbH, 2020
  • 14. Klassifikation: Öffentlich 14 References • https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland1 7.pdf • https://blog.mozilla.org/security/2020/01/09/crlite-part-2- end-to-end-design/ • https://blog.mozilla.org/security/2020/01/21/crlite-part-3- speeding-up-secure-browsing/ • https://scotthelme.co.uk/crlite-finally-a-fix-for-broken- revocation/ • https://www.imperialviolet.org/2014/04/19/revchecking.html • https://scotthelme.co.uk/revocation-is-broken/ SBA Research gGmbH, 2020
  • 15. Klassifikation: Öffentlich 15 Key take-aways 1. Certificate revocation in the browser is currently broken 2. Pushing lists of revoked certificates to the browser is the only thing that works 3. Bloom filters allow extremely compact storage 4. Certificate transparency necessary enabling technology SBA Research gGmbH, 2020
  • 16. Klassifikation: Öffentlich 16 Mathias Tausig SBA Research gGmbH Floragasse 7, 1040 Wien +43 1 5053688 1512 mtausig@sba-research.org SBA Research gGmbH, 2020
  • 17. Klassifikation: Öffentlich 17 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Bridging Science and Industry Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowledge Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Contact us: anfragen@sba-research.org