Introduction to SSL and How to Exploit & Secure (SlideShare deck, 27 slides)
SSL/TLS Introduction and How to Exploit. By Brian Ritchie. Twitter: twitter.com/brianritchie. Facebook: facebook.com/brianritchie
Who Am I? Co-worked on the enterprise architecture for some of the largest regional as well as international companies. Rolled out the first official OSS Centre of Excellence strategy and implementation for a local financial institution. Experience with large-scale project management for core systems. Designed and implemented research and incubation services for large-scale corporations. All-round geek.
What is SSL? An introduction.
Some History. Originally proposed by Netscape in the 1990s. Evolved from SSL 1.0 (never publicly released), 2.0 and 3.0 to Transport Layer Security (TLS), the IETF standard that succeeded SSL 3.0. Developed with the intention of securing communications over untrusted networks. Used heavily today for e-commerce and other web applications and services that require a higher level of security.
What is SSL? An intermediate layer between the transport layer and the application layer. It has two main functions: establish a secure connection between peers, where secure means authenticated (the peer is who it claims to be, proved by its certificate), confidential (eavesdroppers cannot read the data) and integrity-protected (tampering is detected by the MAC); and use that secure connection to carry higher-layer protocol data from sender to recipient.
Let’s delve in a little deeper here
How does SSL transmit data? Sender: breaks the data into manageable pieces called fragments; each fragment is (optionally) compressed, authenticated with a MAC, encrypted, prepended with a record header and transmitted. Each such unit is what we call an SSL record. Recipient: the records are decrypted, their MACs verified, decompressed and reassembled into the original data stream. (Practitioner note: TLS-level compression has been disabled in every mainstream stack since the CRIME attack in 2012; a server that negotiates a compression method other than null is a finding.)
Just a little bit more theory and we’ll go to some cooler stuff
Graphical View of SSL (layer diagram). Top: the application layer protocol. SSL layer, upper half: SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol and Application Data Protocol. SSL layer, lower half: SSL Record Protocol, which carries all four. Below it: transport layer (TCP), network layer (IP), network access layer. (The diagram also lists UDP; SSL/TLS itself needs a reliable transport and runs over TCP, and the datagram variant DTLS is what covers UDP.)
What are these protocols? SSL Handshake Protocol: the core protocol. Lets the peers authenticate each other (the server with its certificate, the client optionally), negotiate the protocol version, cipher suite and compression method, and derive the session keys. SSL Change Cipher Spec Protocol: a single-byte message that signals that every following record from the sender is protected under the cipher spec and keys just negotiated. SSL Alert Protocol: lets peers signal problems and exchange alert messages, each with a level (warning or fatal) and a description such as close_notify for an orderly shutdown or handshake_failure and bad_certificate for errors; a fatal alert terminates the connection. SSL Application Data Protocol: the workhorse. Takes the higher-level data (for instance HTTP) and feeds it to the SSL Record Protocol for cryptographic protection and secure transmission.
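The record layer described on the two slides above, as an added worked example that is not part of the deck: a parser that splits a plaintext byte stream into SSL/TLS records (the 5-byte header of content type, version and length, followed by the fragment), enforces the 2^14-byte plaintext limit, refuses truncated or unknown records, and hands each payload to the sub-protocol its content type selects (handshake, change cipher spec, alert or application data). It works on unencrypted records only, so it shows the framing rather than the MAC and encryption steps; the sample stream, a ClientHello stub, a ChangeCipherSpec and a close_notify alert, is constructed inline, not captured from a real connection.

```python
import struct

# Record-layer content types (RFC 5246, section 6.2.1) and a few of the
# handshake and alert codes carried inside them.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      42: "bad_certificate", 70: "protocol_version"}

HEADER_LEN = 5           # type (1) + version (2) + length (2)
MAX_PLAINTEXT = 2 ** 14  # TLSPlaintext.length must not exceed 2^14 bytes


class RecordError(ValueError):
    """Raised for a malformed stream; a real stack would answer with a fatal alert."""


def parse_records(data: bytes):
    """Split a plaintext byte stream into (content_type, version, payload) records.

    Rejects unknown content types, oversize lengths and truncated records rather
    than silently consuming what it can, which is what a receiver must do.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise RecordError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + HEADER_LEN])
        if ctype not in CONTENT_TYPES:
            raise RecordError(f"unknown content type {ctype}")
        if length > MAX_PLAINTEXT:
            raise RecordError(f"record length {length} exceeds 2^14")
        off += HEADER_LEN
        if len(data) - off < length:
            raise RecordError("truncated record body")
        records.append((CONTENT_TYPES[ctype], (major, minor), data[off:off + length]))
        off += length
    return records


def describe_record(ctype: str, payload: bytes) -> str:
    """Hand the payload to the sub-protocol the content type selects."""
    if ctype == "handshake":
        if len(payload) < 4:
            raise RecordError("short handshake header")
        msg_type, body_len = payload[0], int.from_bytes(payload[1:4], "big")
        return f"handshake/{HANDSHAKE_TYPES.get(msg_type, msg_type)} ({body_len} bytes)"
    if ctype == "alert":
        if len(payload) != 2:
            raise RecordError("alert must be exactly 2 bytes")
        level = ALERT_LEVELS.get(payload[0], payload[0])
        desc = ALERT_DESCRIPTIONS.get(payload[1], payload[1])
        return f"alert/{level}:{desc}"
    if ctype == "change_cipher_spec":
        if payload != b"\x01":
            raise RecordError("change_cipher_spec must be the single byte 0x01")
        return "change_cipher_spec (following records use the negotiated keys)"
    return f"application_data ({len(payload)} bytes, opaque to the record layer)"


def build_record(ctype: int, payload: bytes, version=(3, 3)) -> bytes:
    """Sender side: prepend the 5-byte header to one fragment."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


# Constructed sample stream (not a capture): a minimal handshake record whose
# body is only the ClientHello's client_version field, then a ChangeCipherSpec,
# then a warning-level close_notify alert.
CLIENT_HELLO_STUB = bytes([1]) + (2).to_bytes(3, "big") + b"\x03\x03"
SAMPLE_STREAM = (build_record(22, CLIENT_HELLO_STUB, version=(3, 1))
                 + build_record(20, b"\x01")
                 + build_record(21, b"\x01\x00"))


def summarize(stream: bytes):
    """One human-readable line per record in the stream."""
    return [describe_record(ctype, payload) for ctype, _, payload in parse_records(stream)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_STREAM):
        print(line)
```

The length check matters in practice: a receiver that trusts the length field and reads past the buffer, or that accepts a record longer than the specification allows, is exactly the kind of bad implementation the later slides list as an attack surface.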
What's good about SSL?
Plus points: very widely used; well designed; pretty much secures the Internet; secure out of the box.
Now to the cool OWASP part
What are the minus points? Nobody pays attention to it, which means that if you can break it, you're the boss. It can also be compromised through the plain-HTTP side: a user who starts on http:// can be kept there by an attacker before SSL is ever negotiated.
Tools and attack principles. sslsniff and sslstrip make attacking it easy as pie. Principle of attack: MITM, the usual suspect. Attack surface: application and configuration issues, fake certificates (a MITM presenting a certificate the client fails to validate properly), bad implementations.
SSL Threat Models: let's look at a small part today.
Endpoint issues. Endpoints: bad server-side configuration; SSL not enforced; bad certificate configuration; private key not protected; weak protocols in use; unpatched libraries; mixed (SSL and non-SSL) configurations; and many, many more.
Let's take a deeper dive and look at some examples.
Inconsistent DNS config: http://www.example.com and http://example.com point to different web servers. (Screenshot: Microsoft.)
Another example. A good example: OWASP. (Screenshot.)
Different sites on port 80 and 443. http://www.example.com and https://www.example.com must serve the same website; a lot of major companies fail to verify this. Check it by requesting the same path on both ports and comparing what comes back: port 80 should serve the same site or, better, nothing but a redirect to the HTTPS one.
Self-signed SSL certs. Two words: DON'T BOTHER. On a public site they cause more problems than they solve: a client has no way to tell your self-signed certificate from an attacker's, so users are trained to click through warnings, and keeping such a certificate correctly configured is significantly harder for you. It is easier and more secure to get one from a legitimate CA (today that can be free, via ACME and Let's Encrypt). The exception is an internal service whose clients you control and which explicitly trust your private CA or pin the key.
Badly configured SSL servers. Out of the box SSL is pretty secure iff (if and only if) the configuration fits your deployment. More often than not you will need to tweak the settings: disable SSLv2 and SSLv3 and the weak cipher suites, and make sure the full certificate chain is served. Keeping the SSL library patched is just as crucial.
Incomplete certificates. A certificate has to cover both example.com and www.example.com, since they are the same site and both are reached over https://. Put every hostname the site answers to in the subjectAltName extension: modern clients ignore the Common Name, and a wildcard *.example.com does not cover the bare example.com.
Mixing SSL and plain text. Tricky to implement correctly, and active user sessions can be compromised: a session cookie set without the Secure flag is sent in the clear on any plain-HTTP request. sslstrip performs a MITM on the plain-HTTP side and rewrites https:// links and redirects to http://, so the browser never negotiates SSL at all. Enforce HTTPS with a permanent redirect on port 80, send Strict-Transport-Security, and mark session cookies Secure.
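The coverage rule on the slide above, as an added example that is not the deck's own code: a hostname matcher applying the rules browsers use for subjectAltName dNSName entries (RFC 6125 section 6.4.3, consulting only the SAN and not the Common Name), run over constructed SAN lists for the example.com site. It shows the incomplete-certificate case (only example.com listed, so www.example.com fails), the complete one, and the wildcard case, where *.example.com covers www.example.com but not the bare domain or a deeper subdomain. Partial-label wildcards such as w*.example.com are rejected here, the conservative choice that mainstream browsers also make; no real certificates are parsed, the SAN lists are plain Python lists.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName dNSName entry against a hostname.

    Rules: comparison is case-insensitive and ignores a trailing dot; a
    wildcard must be the whole left-most label and matches exactly one label,
    so it never covers the bare domain or a deeper subdomain; partial-label
    wildcards (w*.example.com) are rejected; a wildcard needs at least two
    labels after it, so *.com is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN extension covers hostname.
    Only SAN entries are consulted: modern clients ignore the subject CN."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def coverage_report(san_dns_names, hostnames):
    """Map each hostname the site answers to onto whether the cert covers it."""
    return {host: cert_covers(san_dns_names, host) for host in hostnames}


# Constructed SAN lists for the example (no real certificates are involved).
SITE_HOSTS = ["example.com", "www.example.com"]
INCOMPLETE_SAN = ["example.com"]                   # the failure the slide warns about
COMPLETE_SAN = ["example.com", "www.example.com"]  # what the certificate should carry
WILDCARD_SAN = ["*.example.com"]                   # covers www., not the bare domain

if __name__ == "__main__":
    for label, san in (("incomplete", INCOMPLETE_SAN),
                       ("complete", COMPLETE_SAN),
                       ("wildcard", WILDCARD_SAN)):
        print(label, coverage_report(san, SITE_HOSTS))
```

To check a live server, feed the dNSName values from its leaf certificate into coverage_report together with every hostname that resolves to the site; any False is a name for which browsers will show a certificate error.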
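The enforcement checks for the mixed SSL and plain-text problem above, as an added example (not code from the deck or from sslstrip): given the raw response a server returned on port 80 and on port 443 for one hostname, it reports whether plain HTTP is permanently redirected to HTTPS on the same host, whether the HTTPS response carries a Strict-Transport-Security header with a max-age of at least a year (the header that stops the browser from ever issuing the plain-HTTP request sslstrip needs to intercept), and whether any session cookie lacks the Secure flag. The two response pairs are constructed inline, one weak and one hardened, so the block runs offline; the hostname www.example.com and the cookie name session are assumptions for the example.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # HSTS max-age, in seconds, below which the policy is treated as too short


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, set_cookie_values)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers, cookies = {}, []
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)  # Set-Cookie may repeat, so keep every one
        else:
            headers[name] = value
    return status, headers, cookies


def hsts_max_age(value: str):
    """Return max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None


def assess(host: str, http_response: str, https_response: str):
    """Return the list of findings for one hostname; an empty list is a pass."""
    findings = []
    status, headers, cookies = parse_response(http_response)
    if status not in (301, 302, 307, 308):
        findings.append("HTTP_NOT_REDIRECTED")  # real content on :80, exactly what sslstrip needs
    else:
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https" or target.hostname != host:
            findings.append("REDIRECT_NOT_HTTPS_SAME_HOST")
        elif status in (302, 307):
            findings.append("REDIRECT_TEMPORARY")  # not cached, so every visit starts in the clear
    _s_status, s_headers, s_cookies = parse_response(https_response)
    hsts = s_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS_MISSING")
    elif (hsts_max_age(hsts) or 0) < ONE_YEAR:
        findings.append("HSTS_MAX_AGE_SHORT")
    for cookie in cookies + s_cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("COOKIE_WITHOUT_SECURE")  # session would ride any downgraded request
            break
    return findings


# Constructed responses (not captures). The weak pair serves the site on both
# ports with no HSTS and a cookie that will be sent over plain HTTP.
WEAK_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: session=abc123; Path=/\r\n\r\n<html>login form</html>")
WEAK_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Set-Cookie: session=abc123; Path=/\r\n\r\n<html>login form</html>")
# The hardened pair: permanent redirect, HSTS for two years, Secure cookie.
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n"
             "Content-Length: 0\r\n\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
              "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>login form</html>")

if __name__ == "__main__":
    print("weak:", assess("www.example.com", WEAK_HTTP, WEAK_HTTPS))
    print("hardened:", assess("www.example.com", GOOD_HTTP, GOOD_HTTPS))
```

HSTS only protects a browser that has already seen the header over HTTPS once; the first plain-HTTP visit is still exposed, which is why the redirect on port 80 and the Secure cookie flag are checked as well rather than HSTS alone.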
There are a few more, but I'll leave it there for now.
If you have any questions, contact me through the above. Twitter: twitter.com/brianritchie. Facebook: facebook.com/brianritchie. OWASP MY mailing list.