A Qualitative Comparison of SSL Validation Alternatives
|
|
- Christal Hines
- 7 years ago
- Views:
Transcription
1 A Qualitative Comparison of SSL Validation Alternatives OWASP AppSec Research 2013 August 22nd, 2013 Henning Perl, Sascha Fahl, Michael Brenner, and Matthew Smith Leibniz Universität Hannover
2 Outline Of This Talk What s SSL again? Things broken in SSL So many solutions! The best solution (or why there isn t any yet) Our evaluation system Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 2
3 How SSL works trusts signs cert authenticates to Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 3
4 How SSL works and breaks trusts stolen cert signs cert authenticates to Client Man in the middle insecure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 3
5
6 SSL CA incidents In 2010, VeriSign was compromised, allowing the attackers to issue arbitrary certificates In March 2011, an attacker from Iran was able to compromise the Comodo CA and get certificates for wwwgooglecom, loginyahoocom, loginskypecom, addonsmozillaorg, and loginlivecom A MITMA attack with at least one these certificate was observed In August 2011, attackers used the DigiNotar CA to issue at least 200 fraudulent certificates and used them to impersonate web servers The breach eventually lead to the exclusion of the CA from most browsers and operating systems weakest link security Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 5
7 Things broken in SSL For sake of completeness Users ignore warnings (cf Sunshine et al, Crying Wolf: An Empirical Study of SSL Warning Effectiveness ) Attacks against the cryptosystem BEAST (2011) / CRIME (2012) attacks Padding oracle attack ( Lucky Thirteen, S&P 2013) Attacks against RC4 (Usenix 2013) SSL stripping (Marlinspike, Black Hat 2009) SSL validation / Weakest link CA security Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 6
8 Things broken in SSL For sake of completeness Users ignore warnings (cf Sunshine et al, Crying Wolf: An Empirical Study of SSL Warning Effectiveness ) Attacks against the cryptosystem BEAST (2011) / CRIME (2012) attacks Padding oracle attack ( Lucky Thirteen, S&P 2013) Attacks against RC4 (Usenix 2013) SSL stripping (Marlinspike, Black Hat 2009) SSL validation / Weakest link CA security Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 6
9 Types of solutions: Use of network perspective Perspectives, Convergence Keep a log of certificates Sovereign Keys (SK), Certificate Transparency (CT), Accountable Key Infrastructure (AKI) Serve certificates over DNS DANE Trust on first use TACK Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 7
10 Network Perspective (Perspectives, Convergence) globally distributed notaries N 1 N 2 N 3 N 4 N 5 N k Client No extra software on server Network delay Privacy Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 8
11 Keep A Log Of Certificates SK, CT, AKI trusts signs cert authenticates to Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 9
12 Keep A Log Of Certificates SK, CT, AKI Certificate Log submits certificate Proof of inclusion trusts authenticates to signs cert Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 9
13 Keep A Log Of Certificates SK, CT, AKI Certificate Log submits certificate Proof of inclusion trusts authenticates to signs cert Client Secure connection No extra software on server no extra network delay needs new infrastructure Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 9
14 Serve Certificates Over DNS DANE trusts signs cert authenticates to Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 10
15 Serve Certificates Over DNS DANE DNS submits certificate Domain admin certificate and DNS response authenticates to signs cert Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 10
16 Serve Certificates Over DNS DANE DNS submits certificate Domain admin certificate and DNS response authenticates to signs cert Client Secure connection No extra software on server reuses infrastructure DNSSEC Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 10
17 Pinning TACK Pinning on TACK public key; TACK secret key signs actual cert First connection TACK public key Client Secure connection? Subsequent connections Client TACK public key Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 11
18 Pinning TACK Pinning on TACK public key; TACK secret key signs actual cert First connection TACK public key Client Secure connection? Subsequent connections Client TACK public key Secure connection No extra software on server no (just selfsign) No protection on first visit Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 11
19 What do we draw from this? Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 12
20 Our Evaluation Scheme Goals: Tool to compare solution Discussion about which properties are important Organize, formalize the debate Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 13
21 Our Evaluation Scheme Goals: Tool to compare solution Discussion about which properties are important Organize, formalize the debate Structure: One large table 12 Deployability Benefits 9 Security and Privacy Benefits Adversary Capabilities Active MITMA required Trusted CA certificate required Compromising user chosen third parties required Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 13
22 Capabilities Scheme Ref Deployability benefits No-User-Cost No--Cost -Compatible Browser-Compatible Incrementally-Deployable Negligible-Communication-Overhead Negligible-Computational-Overhead No-Additional-Infrastructure Trusted-Root-CA-support Custom-Root-CA-support Selfsigned-Certificate-support No-Out-Of-Band-Connection X509-Compatible Security benefits Built-In-Revocation OCSP-or-CRL-Compatibility Resilient-To-DOS-Attacks User-Privacy-Preserving Secure-Key-Migration Secure-Key-Migration-After-Credential-Theft Secure-Domain-Migration Active MITMA required Trusted CA certificate required (weakest link) Compromising user chosen third parties required (strongest link) First-Contact-Protection Connection-Protection SSL with CA-PKI (90 s) 0 Perspectives [13] (2008) n DANE [5] (2010) 1 Convergence [9] (2011) n Sovereign Keys [3] (2011) 1 Certificate Transparency [7] (2012) 1 TACK [8] (2012) 0 AKI [6] (2013) 1
23 Conclusion All proposals solve weakest link problem but in very different ways No clear winner Do we want/need/have to have? Deployment is challenging Question: When to fail hard? Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 15
Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs
OWASP AppSec APAC 2012 The OWASP Foundation http://www.owasp.org Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs
More informationSSL/TLS: The Ugly Truth
SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography
More informationSSL, PKI and Secure Communication
SSL, PKI and Secure Communication Aditya Marella 20 th March, 2014 03/19/2014 Usable Privacy and Security 1 Secure Sockets Layer (SSL) Developed by Netscape Sits on top of TCP and below application level
More informationSSL and Browsers: The Pillars of Broken Security
SSL and Browsers: The Pillars of Broken Security Ivan Ristic Wolfgang Kandek Qualys, Inc. Session ID: TECH-403 Session Classification: Intermediate SSL, TLS, And PKI SSL (or TLS, if you prefer) is the
More informationARPKI: Attack Resilient Public-Key Infrastructure
ARPKI: Attack Resilient Public-Key Infrastructure David Basin, Cas Cremers, Tiffany Hyun-Jin Kim, Adrian Perrig, Ralf Sasse, Pawel Szalachowski ETH Zurich, University of Oxford, CMU 1 PUBLIC KEYS AND CERTIFICATES
More informationYou Won t Be Needing These Any More: On Removing Unused Certificates From Trust Stores
You Won t Be Needing These Any More: On Removing Unused Certificates From Trust Stores Henning Perl 1, Sascha Fahl 1, and Matthew Smith 2 1 Leibniz University Hannover, Germany, {perl, fahl}@dcsec.uni-hannover.de
More informationALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB
ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB Scott Rea DigiCert, Inc. Session ID: SEC-T02 Session Classification: Intermediate BACKGROUND: WHAT IS A CERTIFICATION AUTHORITY? What is a certification
More informationSascha Fahl, Marian Harbach, Matthew Smith. Usable Security and Privacy Lab Leibniz Universität Hannover
Hunting Down Broken SSL in Android Apps Sascha Fahl, Marian Harbach, Matthew Smith Usable Security and Privacy Lab Leibniz Universität Hannover OWASP AppSec 2013 Seite 1 Appification There s an App for
More informationEMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21
EMET 4.0 PKI MITIGATION Neil Sikka DefCon 21 ABOUT ME Security Engineer on MSRC (Microsoft Security Response Center) I look at 0Days EMET Developer I enjoy doing security research on my free time too:
More informationSSL implementieren aber sicher!
SSL implementieren aber sicher! Karlsruher Entwicklertag 2014 21.05.2014 Dr. Yun Ding SSL in the news 2011 2012 2013 2014 BEAST CRIME Lucky 13 Compromised CAs RC4 biases BREACH DRBG Backdoor Apple goto
More informationAccountable Key Infrastructure (AKI): A Proposal for a Public-Key Validation Infrastructure
Accountable Key Infrastructure (AKI): A Proposal for a Public-Key Validation Infrastructure Tiffany Hyun-Jin Kim Lin-Shung Huang Adrian Perrig Collin Jackson Virgil Gligor CyLab / Carnegie Mellon University
More informationAttacks against certification service providers and their ramifications
Federal IT Steering Unit FITSU Federal Intelligence Service FIS Reporting and Analysis Centre for Information Assurance MELANI www.melani.admin.ch Technological consideration Attacks against certification
More informationShould You Trust the Padlock? Web Security and the HTTPS Value Chain. Keeping Current 20 November 2013 Ken Calvert
Should You Trust the Padlock? Web Security and the HTTPS Value Chain Keeping Current 20 November 2013 Ken Calvert Outline 1. What are we afraid of? 2. Countermeasures: Securing the Web 3. Public-key Crypto
More informationIntroduction to the DANE Protocol
Introduction to the DANE Protocol ICANN 47 July 17, 2013 Internet Society Deploy360 Programme Providing real-world deployment info for IPv6, DNSSEC, routing and other Internet technologies: Case Studies
More informationSecuring End-to-End Internet communications using DANE protocol
Securing End-to-End Internet communications using DANE protocol Today, the Internet is used by nearly.5 billion people to communicate, provide/get information. When the communication involves sensitive
More informationSSL BEST PRACTICES OVERVIEW
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
More informationSSL: Paved With Good Intentions. Richard Moore rich@westpoint.ltd.uk
SSL: Paved With Good Intentions Richard Moore rich@westpoint.ltd.uk Why do we need SSL? Privacy Online shopping Online banking Identity Protection Data Integrity Early SSL First public version was SSLv2
More informationAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web Ben Wilson Digicert, Inc. - CA/Browser Forum Eran Messeri Google Session Classification: Intermediate Current Web PKI System OS / Browsers have Managed
More informationADDITIONAL Information Security Review, 3b/2011. 28 November 2011 On vulnerabilities in the certificate system
ADDITIONAL Information Security Review, 3b/2011 28 November 2011 On vulnerabilities in the certificate system 1 CERT-FI Information Security Review 3b/2011 On vulnerabilities in the certificate system
More informationWebsense Content Gateway HTTPS Configuration
Websense Content Gateway HTTPS Configuration web security data security email security Support Webinars 2010 Websense, Inc. All rights reserved. Webinar Presenter Title: Sr. Tech Support Specialist Cisco
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 19 th November 2014 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationServer Certificates based on DNSSEC
Server Certificates based on DNSSEC Audun Jøsang and Kashif Sana Dar University of Oslo josang@mn.uio.no and kashifd@ifi.uio.no Abstract. Globally unique domain names and IP addresses that are provided
More informationPOODLE. Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp. 2015/3/3 APAN 39th in Fukuoka 1
POODLE Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp 2015/3/3 APAN 39th in Fukuoka 1 Summary POODLE: Padding Oracle On Downgraded Legacy Encryption Discovered in October 2014 by Google
More informationPublic Key Infrastructure (PKI)
Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure
More informationDNSSEC - Why Network Operators Should Care And How To Accelerate Deployment
DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment Dan York, CISSP Senior Content Strategist, Internet Society Eurasia Network Operators' Group (ENOG) 4 Moscow, Russia October
More informationThe Building Blocks for Trusted Internet Services
The Building Blocks for Trusted Internet Services Openness, Privacy and Security Neil Cook, Bert Hubert Open-Xchange March 15, 2016 Open-Xchange: Who are we? Trusted and integrated solutions OX App Suite
More informationTowards Short-Lived Certificates
Towards Short-Lived Certificates Emin Topalovic, Brennan Saeta, Lin-Shung Huang, Collin Jackson and Dan Boneh Stanford University, {emint, saeta, dabo}@cs.stanford.edu Carnegie Mellon University, {linshung.huang,
More informationAnalyzing DANE's Response to Known DNSsec Vulnerabilities
Analyzing DANE's Response to Known DNSsec Vulnerabilities Matthew Henry Joseph Kirik Emily Scheerer UMBC UMBC UMBC henmatt1@umbc.edu joskir1@umbc.edu semily1@umbc.edu May 9, 2014 Abstract: SSL/TLS is currently
More informationCer$ficates- as- an- Insurance (CaaI): Incen$vizing Accountability in SSL/TLS
Cer$ficates- as- an- Insurance (CaaI): Incen$vizing Accountability in SSL/TLS Stephanos Matsumoto (CMU/ETH Zurich) Raphael M. Reischuk (ETH Zurich) Workshop on the Security of Emerging Network Technologies
More informationPublic Key Infrastructures. Andreas Hülsing
Public Key Infrastructures Andreas Hülsing X.509 Revocation 17-11-2015 PAGE 1 Certificate revocation Abortive ending of the binding between subject and key (public key certificate) OR subject and attributes
More informationKEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C $ E pk[a] (M) σ $ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data
More informationPublic Key Infrastructure PKI. Michael Maass and Blase Ur
Public Key Infrastructure PKI Michael Maass and Blase Ur 1 Outline Intro to cryptography Intro to PKI / Davis reading Current issues Gaw reading PKI in the enterprise Discussion 2 Introduction to Encryption
More informationSupport Advisory: ArubaOS Default Certificate Expiration
Support Advisory: ArubaOS Default Certificate Expiration Issued October 10, 2013 This document, including the information it contains and the programs made available through the links that it includes,
More informationNIST ITL July 2012 CA Compromise
NIST ITL July 2012 CA Compromise Prepared for: Intelligent People paul.turner@venafi.com 1 NIST ITL Bulletin on CA Compromise http://csrc.nist.gov/publications/nistbul/july-2012_itl-bulletin.pdf These
More informationThe weakest link in the chain:
: Vulnerabilities in the SSL certificate authority system and what should be done about them An Access Policy Brief Regarding the Consequences of the DigiNotar breach for Civil Society and Commercial Enterprise
More informationWhy Eve and Mallory Love Android An Analysis of Android SSL (In)Security
Why Eve and Mallory Love Android An Analysis of Android SSL (In)Security Sascha Fahl Marian Harbach Thomas Muders Lars Baumgärtner Bernd Freisleben Matthew Smith Some Android Facts 330 million devices
More informationSSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust
SSL Interception Proxies Jeff Jarmoc Sr. Security Researcher Dell SecureWorks and Transitive Trust About this talk History & brief overview of SSL/TLS Interception proxies How and Why Risks introduced
More informationSSL Server Rating Guide
SSL Server Rating Guide version 2009j (20 May 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.
More informationImplementation Vulnerabilities in SSL/TLS
Implementation Vulnerabilities in SSL/TLS Marián Novotný novotny@eset.sk ESET, spol. s r.o. Bratislava, Slovak Republic Abstract SSL/TLS protocol has become a standard way for establishing a secure communication
More informationCertificate Authorities (CA) and SSL Certificates
Certificate Authorities (CA) and SSL Certificates Presented by: Laith Mohammad Hamasha Supervised by: Dr. Monther Aldwairi Student ID: 8308 INCS 745: Intrusion Detection and Hacker Exploits NYIT - Jordan
More informationMobile Application Security
Mobile Application Security Jack Mannino Anand Vemuri June 25, 2015 About Us Jack Mannino CEO at nvisium UI and UX development impaired Enjoys: Scala, Elixir Tolerates: Java Allergic To: Cats, Pollen,.NET
More informationSearch for Trust: An Analysis and Comparison of CA System Alternatives and Enhancements
1 Search for Trust: An Analysis and Comparison of CA System Alternatives and Enhancements Alexandra C. Grant Senior Honors Thesis Advisor: Charles C. Palmer Dartmouth Computer Science Technical Report
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationNext Steps In Accelerating DNSSEC Deployment
Next Steps In Accelerating DNSSEC Deployment Dan York, CISSP Senior Content Strategist, Internet Society DNSSEC Deployment Workshop, ICANN 45 Toronto, Canada October 17, 2012 Internet Society Deploy360
More informationUsing Entrust certificates with VPN
Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark
More informationSupport Advisory: ArubaOS Default Certificate Expiration
Support Advisory: ArubaOS Default Certificate Expiration Issued February 14, 2011 Updated April 8, 2011 This document, including the information it contains and the programs made available through the
More informationChapter 7 Managing Users, Authentication, and Certificates
Chapter 7 Managing Users, Authentication, and Certificates This chapter contains the following sections: Adding Authentication Domains, Groups, and Users Managing Certificates Adding Authentication Domains,
More information1 Domain Extension for MACs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).
More informationPublic Key Infrastructure
UT DALLAS Erik Jonsson School of Engineering & Computer Science Public Key Infrastructure Murat Kantarcioglu What is PKI How to ensure the authenticity of public keys How can Alice be sure that Bob s purported
More informationwww.enterprisessl.com www.comodo.com support@comodogroup.com Tel: +1 888 266 6361 Tel: +44 (0) 161 874 7070 2006 Comodo Group.
www.enterprisessl.com www.comodo.com support@comodogroup.com Tel: +1 888 266 6361 Tel: +44 (0) 161 874 7070 2006 Comodo Group. The Internet has created many new global business opportunities for enterprises
More informationKey Management and Distribution
Key Management and Distribution Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationAuthenticity of Public Keys
SSL/TLS EJ Jung 10/18/10 Authenticity of Public Keys Bob s key? private key Bob public key Problem: How does know that the public key she received is really Bob s public key? Distribution of Public Keys!
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationNetwork and Information Security Legislation in the EU
Network and Information Security Legislation in the EU Dr. Marnix Dekker Security expert, Information security officer ENISA @RSA Europe, SPER-R07 Security perspectives Amsterdam, October 31, 2013 www.enisa.europa.eu
More informationWhat is an SSL Certificate?
Security is of the utmost importance when doing business on the Web. Your customers want to know that their information is protected when crossing data lines. A Thawte SSL Web Server Certificate or SuperCert
More informationKerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530 520 BC. From Italy (?).
Kerberos Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530 520 BC. From Italy (?). 1 Kerberos Kerberos is an authentication protocol and a software suite implementing this
More informationOpportunistic Security
Opportunistic Security Increasing the cost of mass surveillance without fixing everything Daniel Kahn Gillmor ACLU April 2014 Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 1 / 21 Networked
More informationTLS Proxies. draft-mcgrew-tls-proxy-server. D. McGrew D. Wing P. Gladstone Y. Nir
TLS Proxies draft-mcgrew-tls-proxy-server D. McGrew D. Wing P. Gladstone Y. Nir Current Practice TLS Proxies are middleboxes that inspect and optionally modify TLS traffic They are client-side in that
More informationRunning head: SSL CERTIFICATE AUTHORITY ISSUES 1. Investigating Implementations Designed. to Resolve SSL Certificate Authority Issues.
Running head: SSL CERTIFICATE AUTHORITY ISSUES 1 Investigating Implementations Designed to Resolve SSL Certificate Authority Issues Michael Ham Stefani Kokel Josh Stroschein Dakota State University SSL
More informationDesigning a CA Single Sign-On Architecture for Enhanced Security
WHITE PAPER FEBRUARY 2015 Designing a CA Single Sign-On Architecture for Enhanced Security Using existing settings for a higher-security architecture 2 WHITE PAPER: DESIGNING A CA SSO ARCHITECTURE FOR
More informationProtocol Rollback and Network Security
CSE 484 / CSE M 584 (Spring 2012) Protocol Rollback and Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,
More informationComodo 2048 bit SSL Certificates. Security for your online business now and long into the future
Security for your online business now and long into the future Today, online commerce is worth over US $1 trillion and continues to grow at a substantial rate. are an indispensable cornerstone of this
More informationBlackBerry 10.3 Work Space Only
GOV.UK Guidance BlackBerry 10.3 Work Space Only Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network architecture
More informationNumber of relevant issues
Electronic signature Lecture 8 Number of relevant issues cryptography itself algorithms for signing documents key management generating keys, distribution, key revocation security policy certificates may
More informationBest Practice Guide (SSL Implementation) for Mobile App Development 最 佳 行 事 指 引. Jointly published by. Publication version 1.
Best Practice Guide (SSL Implementation) for Mobile App Development 流 動 應 用 程 式 (SSL 實 施 ) 最 佳 行 事 指 引 香 港 電 腦 事 故 協 調 中 心 ] Jointly published by [ 專 業 資 訊 保 安 協 會 ] Hong Kong Computer Emergency Response
More informationApache Security with SSL Using Ubuntu
Apache Security with SSL Using Ubuntu These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Some SSL background
More informationWalking The Security & Privacy Talk Moving from Compliance to Stewardship
Walking The Security & Privacy Talk Moving from Compliance to Stewardship 02/28/2014 SESSION ID: DSP-F01 Craig Spiezle (moderator) Executive Director & President, Online Trust Alliance Rick Andrews Senior
More informationDeploying DNSSEC: From End-Customer To Content
Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical
More informationCSC574 - Computer and Network Security Module: Public Key Infrastructure
CSC574 - Computer and Network Security Module: Public Key Infrastructure Prof. William Enck Spring 2013 1 Meeting Someone New Anywhere in the Internet 2 What is a certificate? A certificate makes an association
More informationSetup SSL in SharePoint 2013 Using Domain Certificate
2012 Setup SSL in SharePoint 2013 Using Domain Certificate Saifullah Shafiq walisystemsinc.com 12/15/2012 Setup SSL in SharePoint 2013 Using Domain Certificate In the previous articles, you learned how
More informationPCI Security Standards Council
PCI Security Standards Council Ralph Poore, Director, Emerging Standards 2013 About PCI Emerging Technologies OWASP and Mobile Guidelines About PCI About the PCI Council Open, global forum Founded 2006
More informationConCERTO Secure Solutions for Converged Systems
ConCERTO Secure Solutions for Converged Systems Distribution for Switzerland: insinova ag www.insinova.ch Jens Albrecht Email: jens.albrecht@insinova.ch Phone: +41 41 748 72 05 September 2011 SCM Microsystems
More informationSSL Certificates and Bomgar
SSL Certificates and Bomgar 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective
More informationThe USP Maker for the hosting industry Welcome to my presentation Christian Heutger WorldHostingDay 22.03.2011
The USP Maker for the hosting industry Welcome to my presentation Christian Heutger WorldHostingDay 22.03.2011 PSW GROUP GmbH & Co. KG The USP Maker for the hosting industry! Germany's leading provider
More informationCERTIFICATION PRACTICE STATEMENT UPDATE
CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.
More informationNo Attack Necessary: The Surprising Dynamics of SSL Trust Relationships
No Attack Necessary: The Surprising Dynamics of SSL Trust Relationships Bernhard Amann 1, Robin Sommer 1,3, Matthias Vallentin 2, Seth Hall 1 1 International Computer Science Institute 2 UC Berkeley 3
More informationIs Your SSL Website and Mobile App Really Secure?
Is Your SSL Website and Mobile App Really Secure? Agenda What is SSL / TLS SSL Vulnerabilities PC/Server Mobile Advice to the Public Hong Kong Computer Emergency Response Team Coordination Centre 香 港 電
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationMaster Game and Media Technology. Improving PKI. Solution analysis in case of CA compromisation. Samira Zaker Soltani.
Master Game and Media Technology Improving PKI Solution analysis in case of CA compromisation Samira Zaker Soltani January 2013 Utrecht University Faculty Computer Science Deloitte Nederland Deloitte Risk
More informationApache Milagro (incubating) An Introduction ApacheCon North America
Apache Milagro (incubating) An Introduction ApacheCon North America Apache Milagro will establish a new independent security framework for the Internet A Distributed Cryptosystem Secure the Future of the
More informationLecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.
Lecture 13 Public Key Distribution (certification) 1 PK-based Needham-Schroeder TTP 1. A, B 4. B, A 2. {PKb, B}SKT B}SKs 5. {PK a, A} SKT SKs A 3. [N a, A] PKb 6. [N a, N b ] PKa 7. [N b ] PKb B Here,
More informationLesson 10: Attacks to the SSL Protocol
Lesson 10: Attacks to the SSL Protocol Luciano Bello - luciano@debian.org Chalmers University Dr. Alfonso Muñoz - amunoz@diatel.upm.es T>SIC Group. Universidad Politécnica de Madrid Security of the SSL
More informationBefore the. Committee on Energy and Commerce Subcommittee on Communications and Technology United States House of Representatives
Testimony of Fiona M. Alexander Associate Administrator, Office of International Affairs National Telecommunications and Information Administration United States Department of Commerce Before the Committee
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationDNS Security FAQ for Registrants
DNS Security FAQ for Registrants DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS). The introduction of DNSSEC to.nz will improve the security posture of
More informationDIGIPASS Authentication for Check Point Connectra
DIGIPASS Authentication for Check Point Connectra With IDENTIKEY Server 2009 Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 21 Disclaimer Disclaimer of Warranties and Limitations
More informationCS255 Programming Project 2
CS255 Programming Project 2 Programming Project 2 Due: Wednesday March 14 th (11:59pm) Can use extension days Can work in pairs One solution per pair Test and submit on Leland machines Overview Implement
More informationWebsite Security: It s Not all About the Hacker Anymore
Website Security: It s Not all About the Hacker Anymore Mike Smart Sr. Manager, Products and Solutions Trust Services & Website Security Website Security 1 Website Security Challenges Evolving Web Use
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationFrequently Asked Questions. Frequently Asked Questions: Securing the Future of Trust on the Internet
FREQUENTLY ASKED QUESTIONS: SECURING THE FUTURE OF TRUST ON THE INTERNET Frequently Asked Questions Frequently Asked Questions: Securing the Future of Trust on the Internet Securing the Future of Trust
More informationEnterprise Content Management System Monitor 5.1 Security Considerations Revision 1.1. 2014-06-23 CENIT AG Brandner, Marc
Enterprise Content Management System Monitor 5.1 Security Considerations Revision 1.1 2014-06-23 CENIT AG Brandner, Marc INTRODUCTION... 3 SSL SECURITY... 4 ACCESS CONTROL... 9 SERVICE USERS...11 Introduction
More informationThe Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems
The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems
More informationManaging CA-Signed Certificates
Managing CA-Signed Certificates T.Rob Wyatt, IoPT Consulting t.rob@ioptconsulting.com Managing CA Certificates for MQ - Intermediate So you want to enable SSL on your MQ channels using a commercial Certificate
More informationMichael Coates mcoates@mozilla.com michael-coates.blogspot.com
Michael Coates mcoates@mozilla.com michael-coates.blogspot.com Who am I? Web Security Engineer @ Mozilla Contributor OWASP 2010 Top 10 Author OWASP TLS Cheat Sheet Creator & Leader OWASP AppSensor Security
More informationThe Changing Face of SSL
The Changing Face of SSL New Realities Demand New Approaches Trend Micro, Incorporated» SSL underpins almost all online transactions today and the way SSL is sold is exposing organizations to excessive
More informationFaking Extended Validation SSL Certificates in Internet Explorer 7
Page 1 of 11 Faking Extended Validation SSL Certificates in Internet Explorer 7 June 7 th 2007, V1.1 Martin Christinat, CTO, christinat@.ch Abstract Extended Validation (EV) SSL certificates are a new
More informationE2e-encrypted email via enhanced certificate transparency
E2e-encrypted email via enhanced certificate transparency Mark D. Ryan School of Computer Science University of Birmingham Network and Distributed System Security Symposium 25 February 2014 Email today
More informationWeb Security. Introduction: Understand applicable laws, legal issues and ethical issues regarding computer crime
International Journal for Science and Emerging ISSN No. (Online):2250-3641 Technologies with Latest Trends 12(1): 1-6 (2013) ISSN No. (Print): 2277-8136 Web Security Amandeep Kang*, Navdeep Kaholn** and
More informationA Step-by-Step guide for implementing DANE with a Proof of Concept
A Step-by-Step guide for implementing DANE with a Proof of Concept Sandoche BALAKRICHENAN, Stephane BORTZMEYER, Mohsen SOUISSI AFNIC R&D {sandoche.balakrichenan, stephane.bortzmeyer, mohsen.souissi}@afnic.fr
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More information