Introduction to SSL and How to Exploit & Secure

1. SSL/TLS Introduction and How to Exploit
   By Brian Ritchie
   Twitter: twitter.com/brianritchie
   Facebook: facebook.com/brianritchie
2. Who Am I?
   • Co-worked on the Enterprise Architecture for some of the largest regional as well as international companies
   • Rolled out the first official OSS Centre of Excellence strategy and implementation for a local financial institution
   • Experience with large-scale project management for core systems
   • Designed and implemented research and incubation services for large-scale corporations
   • All-round geek
3. What is SSL? An introduction

4. Some History
   • Originally proposed by Netscape in the 90s
   • Evolved from SSL 1.0, 2.0 and 3.0 to what is now Transport Layer Security (TLS)
   • Developed with the intention of providing security for communications over networks
   • Used heavily today for e-commerce and other web applications/services which require a higher level of security

5. What is SSL?
   • An intermediate layer between the Transport layer and the Application layer
   • Has two main functions:
     • Establish a secure connection between peers, where "secure" is defined as authentic and confidential
     • Use the secure connection to transmit higher-layer protocol data from sender to recipient
6. Let's delve in a little deeper here

7. How does SSL transmit data?
   • Sender: breaks the data down into manageable pieces called fragments. Each fragment is compressed, authenticated with a MAC, encrypted, prepended with a header and transmitted.
   • Recipient: the fragments are decrypted, verified through their MACs, decompressed and reassembled.
   • NOTE: these fragments are what we call SSL records.
8. Just a little bit more theory and we'll go to some cooler stuff

9. Graphical View of SSL
   (Layer diagram: the Application Layer sits on top of the SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol and Application Data Protocol, which all run over the SSL Record Protocol; below that are the Transport Layer (TCP, UDP), the Network Layer (IP) and the Network Access Layer.)

10. What are these protocols?
   • SSL Handshake Protocol – the core protocol. Allows peers to authenticate each other and negotiate a cipher suite and compression method suitable for both parties.
   • SSL Change Cipher Spec Protocol – allows peers to change the ciphering strategy and the cryptographic protection in use.
   • SSL Alert Protocol – allows peers to signal potential problem symptoms and exchange alert messages.
   • SSL Application Data Protocol – the workhorse. Takes the higher-level data and feeds it to the SSL Record Protocol for cryptographic protection and secure transmission.
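The two slides above describe the record layer (fragment, MAC, encrypt, prepend a header) and the four sub-protocols that ride on it. The following is an added illustration, not code from the deck: a toy model of that pipeline in Python with both the sender and the receiver side. The MAC is a real HMAC-SHA256 over the sequence number, content type, version and fragment, so a replayed, reordered, truncated or relabelled record fails verification. The XOR keystream derived from SHA-256 in counter mode is a constructed stand-in for the negotiated cipher, there only to show where encryption sits in the order of operations; compression is the null method. The content-type values and the 5-byte header layout are those of the TLS record protocol.

```python
"""Toy SSL/TLS record layer: fragment -> MAC -> encrypt -> header, and back.

Added example, not code from the slides. Standard library only.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14           # record payload limit: 16 KiB per fragment
TLS_VERSION = (3, 3)             # TLS 1.2 as written on the wire
MAC_LEN = 32                     # HMAC-SHA256 tag length
# Record-layer content types, one per sub-protocol on the slide
CONTENT_TYPES = {"change_cipher_spec": 20, "alert": 21,
                 "handshake": 22, "application_data": 23}
HEADER = struct.Struct("!BBBH")  # content type, major, minor, length


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Constructed keystream (SHA-256 in counter mode); stands in for the cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + seq.to_bytes(8, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    # The MAC binds sequence number, type, version and length to the fragment,
    # so records cannot be replayed, reordered or relabelled undetected.
    data = (seq.to_bytes(8, "big") + bytes([ctype, *TLS_VERSION])
            + struct.pack("!H", len(fragment)) + fragment)
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def build_records(ctype_name: str, data: bytes, mac_key: bytes,
                  enc_key: bytes, seq_start: int = 0) -> list[bytes]:
    """Sender side: fragment, MAC, encrypt, prepend header."""
    ctype, records, seq = CONTENT_TYPES[ctype_name], [], seq_start
    for i in range(0, len(data), MAX_FRAGMENT):
        fragment = data[i:i + MAX_FRAGMENT]
        plaintext = fragment + _mac(mac_key, seq, ctype, fragment)
        ciphertext = _xor(plaintext, _keystream(enc_key, seq, len(plaintext)))
        records.append(HEADER.pack(ctype, *TLS_VERSION, len(ciphertext)) + ciphertext)
        seq += 1
    return records


def parse_records(stream: bytes, mac_key: bytes, enc_key: bytes,
                  seq_start: int = 0) -> tuple:
    """Receiver side: split header, decrypt, verify MAC, reassemble.

    Returns (content_type, data). Raises ValueError on truncation, a bad
    header or a failed MAC, which is what an alert would signal in TLS."""
    pos, seq, ctype, chunks = 0, seq_start, None, []
    while pos < len(stream):
        if len(stream) - pos < HEADER.size:
            raise ValueError("truncated record header")
        rtype, major, minor, length = HEADER.unpack_from(stream, pos)
        pos += HEADER.size
        if (major, minor) != TLS_VERSION or length > MAX_FRAGMENT + MAC_LEN:
            raise ValueError("bad record header")
        ciphertext = stream[pos:pos + length]
        if len(ciphertext) != length:
            raise ValueError("truncated record body")
        pos += length
        plaintext = _xor(ciphertext, _keystream(enc_key, seq, length))
        fragment, tag = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, rtype, fragment)):
            raise ValueError(f"MAC check failed on record {seq}")
        if ctype is None:
            ctype = rtype
        elif rtype != ctype:
            raise ValueError("content type changed mid-message")
        chunks.append(fragment)
        seq += 1
    return ctype, b"".join(chunks)


if __name__ == "__main__":
    mk, ek = b"\x01" * 32, b"\x02" * 32          # constructed keys
    recs = build_records("application_data", b"A" * 40000, mk, ek)
    print(len(recs), "records;", parse_records(b"".join(recs), mk, ek)[1][:8])
```

Flipping any byte of the wire stream, including the content-type byte in the header, makes `parse_records` raise, because the receiver verifies the MAC before it trusts the fragment; that is the property the slide's "verified through MACs" step provides.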
11. What's good about SSL?

12. Plus points
   • Very widely used
   • Well designed
   • Pretty much secures the Internet
   • Secure out of the box

13. Now to the cool OWASP part

14. What are the minus points?
   • No one pays attention to it. This means if you can break it, you're the boss.
   • Can be compromised through HTTP
15. Tools and Attack Principles
   • sslsniff and sslstrip make attacking it easy as pie
   • Principle of attack:
     • MITM – the usual suspect
     • App and configuration issues
     • Fake certificates
     • Bad implementation

16. SSL Threat Models
   • Let's look at a small part today

17. Endpoint Issues
   • Endpoints: bad server-side configuration
     • SSL not enforced
     • Bad certificate configuration
     • Private key not protected
     • Use of weak protocols
     • Unpatched libraries
     • Mixed (SSL & non-SSL) configurations
     • And many, many more…
18. Let's take a deeper dive and look at some examples

19. Inconsistent DNS config
   • http://www.example.com and http://example.com point to different web servers
   • Example shown: Microsoft

20. Another example
   • A good example: OWASP

21. Different Sites on Port 80 and 443
   • Both http://www.example.com and https://www.example.com must be the same website
   • A lot of major companies fail to verify this
22. Self-Signed SSL Certs
   • Two words: DON'T BOTHER
   • This causes more issues than it solves
   • It is significantly harder for you to maintain a secure, well-configured SSL cert
   • It is much easier and more secure to buy one from a legitimate provider

23. Badly Configured SSL Servers
   • Out of the box, SSL is pretty secure iff (if and only if) the configuration fits your deployment
   • More often than not, you will need to tweak the settings to fit your deployment
   • Applying patches is equally crucial

24. Incomplete certificates
   • A certificate has to encompass both http://example.com and http://www.example.com
   • They have to be the same site
   • They must also be the same for https://
   • Your certificate must ensure that it is all-encompassing

25. Mixing SSL and Plain Text
   • Tricky to implement
   • Active user sessions can be compromised
   • sslstrip can perform MITM attacks and convert HTTPS to HTTP
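Slides 17 through 25 are, taken together, a checklist for the owner of an endpoint: port 80 must redirect to HTTPS on the same site, the apex and www names must be one site, the certificate must cover both names and not be self-signed, and weak protocol versions must be off. The following is an added example, not code from the deck or from any tool it names: a Python audit that runs that checklist over a captured set of observations. The input shape (a dict with the apex and www hostnames, the HTTP and HTTPS responses for each with a body hash, the leaf certificate's subject, issuer and SAN list, and the protocol versions the server accepted) is an assumption of this example, to be filled from your own scanner or from `ssl`/`http.client` calls against hosts you administer; the two observation sets below are constructed. It goes one step beyond the slides by also checking for a `Strict-Transport-Security` header, which is the standard mitigation for the sslstrip downgrade slide 25 describes.

```python
"""Endpoint configuration audit for the checks on slides 17-25.

Added example, not code from the slides. The observation layout is assumed;
sample observations are constructed.
"""
from urllib.parse import urlparse

# Versions deprecated by RFC 8996 (TLS 1.0/1.1) or long broken (SSLv2/v3)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def san_matches(hostname: str, san: list) -> bool:
    """True if a SAN entry covers hostname; '*.' covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for entry in san:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]                      # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:        # wildcard never covers the apex
                return True
        elif entry == host:
            return True
    return False


def audit_endpoint(obs: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    apex, www, cert = obs["apex"], obs["www"], obs["cert"]
    names = (apex, www)
    # Slides 19 and 24: the certificate must cover both names
    for n in names:
        if not san_matches(n, cert["san"]):
            findings.append(f"certificate does not cover {n}")
    # Slide 22: self-signed leaf (issuer equals subject)
    if cert["issuer"] == cert["subject"]:
        findings.append("certificate is self-signed")
    # Slides 17 and 23: weak protocol versions still accepted
    for p in obs["protocols"]:
        if p in WEAK_PROTOCOLS:
            findings.append(f"weak protocol accepted: {p}")
    # Slides 17 and 21: port 80 must redirect to https on the same site
    for n in names:
        r = obs["http"][n]
        loc = r["headers"].get("Location", "")
        if 300 <= r["status"] < 400 and loc.startswith("https://"):
            if urlparse(loc).hostname not in names:
                findings.append(f"http://{n} redirects off-site to {loc}")
        else:
            findings.append(f"http://{n} served in plaintext, SSL not enforced")
            if r.get("body_hash") != obs["https"][n].get("body_hash"):
                findings.append(f"{n}: different sites on port 80 and 443")
    # Slides 19 and 24: apex and www must be the same site over https
    if obs["https"][apex].get("body_hash") != obs["https"][www].get("body_hash"):
        findings.append("apex and www serve different sites over https")
    # Added mitigation check for slide 25: HSTS stops the sslstrip downgrade
    # for any client that has visited the site once over https.
    for n in names:
        if "Strict-Transport-Security" not in obs["https"][n]["headers"]:
            findings.append(f"https://{n} sends no Strict-Transport-Security header")
    return findings


# Constructed observation: self-signed cert for www only, apex served in
# plaintext with different content, TLS 1.0 still on, no HSTS on the apex.
SAMPLE_BAD = {
    "apex": "example.com", "www": "www.example.com",
    "cert": {"subject": "CN=www.example.com", "issuer": "CN=www.example.com",
             "san": ["www.example.com"]},
    "protocols": ["TLSv1", "TLSv1.2"],
    "http": {"example.com": {"status": 200, "headers": {}, "body_hash": "aaa"},
             "www.example.com": {"status": 301,
                                 "headers": {"Location": "https://www.example.com/"}}},
    "https": {"example.com": {"status": 200, "headers": {}, "body_hash": "bbb"},
              "www.example.com": {"status": 200, "body_hash": "bbb",
                                  "headers": {"Strict-Transport-Security": "max-age=31536000"}}},
}

# Constructed observation of the same endpoint after the fixes.
SAMPLE_GOOD = {
    "apex": "example.com", "www": "www.example.com",
    "cert": {"subject": "CN=example.com", "issuer": "CN=Example CA (constructed)",
             "san": ["example.com", "www.example.com"]},
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "http": {n: {"status": 301, "headers": {"Location": f"https://{n}/"}}
             for n in ("example.com", "www.example.com")},
    "https": {n: {"status": 200, "body_hash": "bbb",
                  "headers": {"Strict-Transport-Security": "max-age=31536000"}}
              for n in ("example.com", "www.example.com")},
}

if __name__ == "__main__":
    for line in audit_endpoint(SAMPLE_BAD):
        print("FAIL:", line)
    print("fixed endpoint:", audit_endpoint(SAMPLE_GOOD) or "clean")
```

Body hashes are a coarse way to decide whether two URLs are "the same website"; a real deployment that personalises content will need a steadier fingerprint (for example the canonical link or a known static asset), but the structure of the checks is the one the slides ask for.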
26. There are a few more, but I'll leave it there for now.

27. If you have any questions, contact me through the above
   Twitter: twitter.com/brianritchie
   Facebook: facebook.com/brianritchie
   OWASP MY Mailing List
