TLS/SSL is ubiquitous nowadays and is widely used to protect traffic on the Internet. Although TLS/SSL originated to protect websites, it is now also used for email, web services and VPNs, among others. Yet, despite its widespread adoption, it is still difficult to keep track of the constantly emerging vulnerabilities that affect it. Certificates expire if nobody is monitoring them, and new attacks are discovered even against mainstream ciphers and hashing algorithms. Add to that accidental server misconfigurations, unpatched systems, and flawed implementations, and the task of keeping systems current can become daunting. To make matters worse, commonly used server configurations can be deprecated in major browsers and clients, breaking backward compatibility, degrading the user experience for some users, and leaving product maintainers scrambling to update certificates and settings quickly. For all these reasons, systems need constant vigilance to stay up to date. This session will examine some steps that can be taken to keep up with the constantly changing landscape and demonstrate a few tools that can help manage and automate necessary updates to TLS/SSL endpoints.
This deck was originally presented at LASCON 2015: https://lascon2015.sched.org/event/4D3G/managing-certificates-and-tls-endpoints