Attacking SSL PKI  (Hacking Illustrated Series InfoSec Tutorial Videos)

Attacking SSL PKI
 Mike Zusman

        The last year has been a rough one for SSL PKI. Fraudulently provisioned certificates, MD5 collisions, SSL spoofing attacks, and most recently, attacks against EV SSL. The variety of these attacks shows us how big the attack surface of SSL really is. From crypto attacks to browser design flaws, attackers have choices when it comes to man-in-the-middling SSL protected web sites. This presentation covers one of these vectors: real attacks against CA web sites. While some folks look to CAs for guidance when it comes to conducting secure business on the Internet, the CAs themselves can fall victim to the same attacks consumers look to them for protection against. EV SSL is a step in the right direction, but with a heavy reliance on low-assurance domain validated SSL certificates, can we ever get SSL right?

Speaker: Mike Zusman is a Principal Consultant with the Intrepidus Group. Prior to joining Intrepidus Group, Mike has held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms. In addition to his corporate experience, Mike is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other third parties. He has spoken at a number of top industry events including Black Hat, CanSecWest, DEFCON, regional OWASP conferences, and also teaches Information Security & Penetration Testing at NYU/Polytechnic University. Mike brings 10 years of security, technology, and business experience to Intrepidus Group. He is a CISSP and an active member of the OWASP foundation.

 

Download link: http://blip.tv/file/get/Irongeek-2009LMIMikeZusman214.mp4

Descriptions and details from http://www.louisvilleinfosec.com, with small edits.
Thanks to Lee Pfeiffer and the student volunteers for handling the video the day of the conference, and Brian Blankenship for editing the videos.



If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek