The panellists for this were;
Ivan Ristic; Director of Engineering, Qualys, Inc.
Marsh Ray; Senior Software Development Engineer, PhoneFactor
Gerv Markham; Governator, Mozilla
Phillip Hallam-Baker; VP and Principal Scientist, Comodo
Overall some great experience here including the guy who wrote ModSecurity and the guy who discovered the TLS renegotiation vulnerability..
The discussion covered the following topics;
Vulnerabilities / Attacks;
– Protocol- based – TLS Renegotiation, weakness in CBC handling on web servers, Crime (TLS compression issue that can result in password exposure), BEAST (Browser Exploit Against SSL/TLS) tool.
– Implementation-based (e.g. mixed content)
– Practice based (certification authority bad practices)
Solutions and Remedies;
– Those currently available (e.g. RC4 with TLS 1.0)
- DV, OV and EV = Domain-Validated, Organization Validated, and Extended Validation SSL Certificates
– Those in Development / Deployment
- Online Certificate Status Protocol (OCSP) Stapling
- HTTP Strict Transport Security (HSTS) – HTTP header that says from now on only connect to this site with HTTPS, never HTTP.
- Content Security Policy (CSP) – way to manage the content you will accept from web sites based on declarative content statements in the headers.
- Improved security and audit requirements for CAs (certificate authorities)
– Those being Discussed (DANE, CAA, CT etc.)
- DANE – DNS based Authentication of Named Entities
- CAA – Certificate Authority Authorization (DNS Resource Record)
- CT – Certificate Transparency (Issuance Logging)
Summary / Take away points;
– Check Systems (Your Own and Those of Others) – Can go to https://www.SSLlabs.com and enter a URL to test its level of TLS/SSL
– Analyse Code and Configurations for Vulnerabilities
– “Tweak” System Configurations and Code
– Support Implementation of Newer Versions of TLS and other emerging Protocols
– Patch and/or Replace Systems
– Web Security based on SSL/TLS Continues to Evolve and Improve
Overall this was an interesting and thought provoking discussion. However, as is often the case, putting a bunch of passionate, opinionated and knowledgeable geeks on a discussion panel together resulted in a somewhat rambling debate. This was very hard to capture / document in any detail, but hopefully the comments highlighting some current vulnerabilities and remedies being looked at will provide a starting point for you to do some further research if you are interested.