RSA Conference Europe 2012 – SSL is Cracked panel discussion

The panellists for this were;

Ivan Ristic; Director of Engineering, Qualys, Inc.

Marsh Ray; Senior Software Development Engineer, PhoneFactor

Gerv Markham; Governator, Mozilla

Phillip Hallam-Baker; VP and Principal Scientist, Comodo

Overall some great experience here including the guy who wrote ModSecurity and the guy who discovered the TLS renegotiation vulnerability..

The discussion covered the following topics;

Vulnerabilities / Attacks;

–          Protocol- based – TLS Renegotiation, weakness in CBC handling on web servers, Crime (TLS compression issue that can result in password exposure), BEAST (Browser Exploit Against SSL/TLS) tool.

–          Implementation-based (e.g. mixed content)

–          Practice based (certification authority bad practices)

Solutions and Remedies;

–          Those currently available (e.g. RC4 with TLS 1.0)

  • DV, OV and EV = Domain-Validated, Organization Validated, and Extended Validation SSL Certificates

–          Those in Development / Deployment

  • Online Certificate Status Protocol (OCSP) Stapling
  • HTTP Strict Transport Security (HSTS) – HTTP header that says from now on only connect to this site with HTTPS, never HTTP.
  • Content Security Policy (CSP) – way to manage the content you will accept from web sites based on declarative content statements in the headers.
  • Improved security and audit requirements for CAs (certificate authorities)

–          Those being Discussed (DANE, CAA, CT etc.)

  • DANE – DNS based Authentication of Named Entities
  • CAA – Certificate Authority Authorization (DNS Resource Record)
  • CT – Certificate Transparency (Issuance Logging)

Summary / Take away points;

–          Check Systems (Your Own and Those of Others) – Can go to and enter a URL to test its level of TLS/SSL

–          Analyse Code and Configurations for Vulnerabilities

–          “Tweak” System Configurations and Code

–          Support Implementation of Newer Versions of TLS and other emerging Protocols

–          Patch and/or Replace Systems

–          Web Security based on SSL/TLS Continues to Evolve and Improve


Overall this was an interesting and thought provoking discussion.  However, as is often the case, putting a bunch of passionate, opinionated and knowledgeable geeks on a discussion panel together resulted in a somewhat rambling debate.  This was very hard to capture / document in any detail, but hopefully the comments highlighting some current vulnerabilities and remedies being looked at will provide a starting point for you to do some further research if you are interested.