Merken

To Make Hearts Bleed - A Native Developer's Account On SSL

Zitierlink des Filmsegments
Embed Code

Automatisierte Medienanalyse

Beta
Erkannte Entitäten
Sprachtranskript
the
good evening everyone I think of this qualifies as property evening
tell tend to 6 but and welcome to this talk of after which I hope you all every 1 of you will be done in 2 years of crying about have well all the general situation With regard tell deployment in general is so now who have you before we started who of you in the considers himself a system administrator and OK so who knows the this development on mobile platforms on mobile phones all effect who of you has consciously program you and you said she used as and anyway all can so let's see how long vocabulary a minority going new before so who am I Y MIT here so the history is that I am 1 of the guys who develops the Odessa from and obviously of is a very
security-sensitive software and if you do on the
data properly of and security while they transfer to the server but the funny thing is we realize that essentially but we did have a greater results than but we were to invent things over and over and over again which are already part of the browser so I thought maybe someone else solve this and how how to others go about this and this and that was that actually know what really when they were either during a minimal solution on and factors then when we think what that means we'll see in a minute and it's not a good thing and so on a matter life I used to be contributing to cute 2 that not all like form daily as part of Nearly work and nowadays it's more of a hobby or part of what it pays off because we're actually using cute from and so I decided to go a bit into this is over but whole contributing to acute static and this is very important I am not a security expert by any means this is just a collection all
studies that other people have conducted and anecdotes that I would like to share to make your life less of a hassle then I had to go through well so why do we need to talk quite obviously many
things run as are really good at and should see what we can do to change that and what is actually the problem and water of people avoiding to do it because it's a crappy because people are lazy and well what can we do about it actually because obviously this is not post known and I have to say this post known this is not something that we can compare keep continued
doing right so why specifically do we need to talk we need to talk about because when ever somebody sense of a server it looks exactly like this it looks
exactly like this and why does it look like this well the 2 reasons nobody gives a certificate everyone roles of his own uh if they're all their own the and even the proper CA at least for themselves and they usually just go self signed and what happens then is what you see here some brothers actually correctly indicate that this is it yes but there are some issues with this you see it's the intron is even in their power however on other problems once you've not in the way that scary you of security warnings they show this indistinguishable from normal SSL connections at least for the moment person I and this is anywhere between wrong and dangerous so I With so
I hope given that there probably was sentence in here out this going to be the content for every 1 of you know what I'm trying to cover both I'm more of this of development of patients systems administrations and this is not going to be a basic computer security lectures and if the 2 of us that can that much much better sense for advanced lectures and I will cover things that need explanation if I don't and you can't follow along please make sure to interrupt me but for more complex questions we have 15 minutes of Q and this that's what I hope well known well because of this is just a gentle warning if you had any illusions about is and you're not like following closely that this possibly destroy some illusions you may still had OK so Our main topic today is SSL or TLS and I keep saying SSL just because the thing everyone refers to as as even softer refers to I know it's still but please for heaven's sake let me say if the cell is going to be a lot less confusing thank you so what is this is l is is l and secure socket layer it is a proprietary protocol that has been introduced by Netscape and back in 1994 and the idea was to collection and to authenticate domain so know actually who you're talking to it's using its 509 and trusted standard the users and 1 which is a good friend of mine in this talk about the very same issue called unfortunately complicated now to appreciate that statement you have to know that he's British and British like understatements right by so well as adults who unsurprisingly turned out to be not very secure and so enter as L 3 only 1 year later so proprietary but much better designed and again I'm not going into the details there are a lot of pages detailing on that and I'm not going to bore you what the details finally years later and this is partly because of the underlying EEG final once that it's 509 standard wasn't ready and they were waiting for it we had to this 1 and finally 98 standard of and this was 1999 so having and the triple deckers mandatory was a good thing minimize a one-dimensional surfaces of and actions principle that you have certificate of subjective issue area of public key you have a couple of extensions what could possibly go wrong there's a certificate of and
basically I'm going to show this on the next slides and become a conference screenshot here it's very simple you have trust to root anchor certificate authority and its communication with your browser and you from 1 or more intermediate so you can easily verify the actual certificate souls great right well maybe not in and this is so who knows what that is the what comment all the right so this is the and this possibly also that item that from highly recommended sigh from this of the the model a project which I recommend everyone to go on to configure and and this is because I have to walk post where people were basically asking OK why should we be using
and others were saying I just want this to work and whenever I have people saying I want this to work which is completely legit you I mean the surfaces are are very special topic that you actually have to understand the and you have to know what goes counter mode is then you watch it and how it's really not related to cigarettes so that's that's fine but you just have to understand what's good so what's a good word to the choice of the surfaces at the time and you have to know how to verify that it is a good choice the of some so just for a minute and where this is coming calling and so and so inside a domain and you
can make the all the conspiracy theories you want half of them may be true half of them locked up but there are way too many certificate organizations that can actually issue certificates and and again if you trust wall this this is completely fine I find the amount of C that can issue again so that could fall and domain of scary yeah we the on often against the will also that the cell use certificate make efficiently we the Laplacian you don't hear anyone of this is the unfortunate situation where there's no and no real solution to the problem you can roll outs and fear of Sauron as like with about everything I've seen up to date it is a it's it's about this it's not a widest so you can be lucky maybe you not probably you're not and the biggest problem with the 0 they're not checked so what good is it anyway at and again there a lot of very very good proposals out there and I'm going to online the 1 that I think has the best potential and but nothing works today you can explicitly and then lets you will probably see a drop in and fidelity of but yeah that's where this makes the problem as a virtual holes are not understood by most says that because what they're used to they configured in hosts an Apache and makes you name it and you're done of we with SSL is slightly more complicated and by slightly I mean a fucking want more complicated which is again because you have to have your certificates right you have to to have your work specific cancers of configuration which even depends between versions of a particular software right and it's simply not as easy unless you know what to do the problem is you have to because otherwise you will see exactly what we saw in on the beginning you will see a certificate warnings and some warnings actually go without the embassy in the browser does something very interesting we about reports and you time only on Michael and when people would saying I'm completely correctly installed insulation stand out but and the browsers fine with it on the on the complaints that it's a lot better for some reason not correct interestingly enough it was correct of course what we 1 correct completely correct either
because it was just supposed to to be a warning and then we just kick the bucket on and by a lot of warnings that some web service issue but it's cell are the of what are on type 1 it's called in specification error time warning character warning axis and arrows are not usually displayed in browser and again a lot of this has to do with problems anticipating the web service and not correctly configured patterns that are not shown were a warning so as such system and you don't get to see what the problem and what makes it is something I mentioned meaning certain certificates
and if you like this we never testing in your environment and find the problem there is this much of a margin between and testing this for myself and and giving access to everyone else in the world and then this thing completely false apart of so self signing it is not a good solution you control your own CA for this purpose and and again I'm explaining later why I I think this is a problem in cost of a configuration is another thing we see them as L 2 is still enabled in today in some of today's SSL set ups and this should really scare you because as as only 2 is
well let's let's just make assumptions and we see week surface we see installation have announced that has enabled not was grateful 1 thing debugging for the rest you could just just forget about it but you don't want it but practices this is more of something that's on top of the web server you've makes contents and in the web today is mixing websites let's not kid ourselves right you integrate other services you load you follow you font awesome package from remote service because what the hell essentially and this creates problems if you're at p s and your remote website isn't because your brother rightfully states are not going to look because there could be a man in the middle and this and then my home security Council and finally intermediate certificates and this is what we see are there in the corner a even will
and this is why I have this global has their own certificate authority who will in the media Internet authority to which they themselves and other problems of course also have their roots of box but they themselves have have a signature from the trust the aid which is well established but even that 1 it is signed by Equifax and again this is for compatibility reasons you want to make sure that even if it even though your certificate is probably included in most browsers of you want this to work and so if you don't include you intermediates and you probably not cool you got you're going to need the needs all the time most browsers smartly will say all waiters intermediate missing let me look that up and all of that for you and that increases fidelity it takes about 100 seconds for a for at at least initially and then and then the problem will usually catch it but if you're not dealing with a browser and there's a good chance that your
program will not work and this is again something that we saw during development of the employer clients are waiting for clients and showed morning because it could not established a trust relation and want to browse of course was simply looking at the in yeah and OK so I was mentioning this takes final online before which is used of In for certificates and what is this and ITU standards
0 back in the days and was this yeah let's roll outs company-wide so so everyone has their own well directory and of course there in those directories each person always just 6 there exists 1 even across directories it was interesting assumptions something has been around granted them having an and the reason that thing is that was pre-exam times so they they have to come up with something and that something back then was a and 1 and someone a is not an encoding himself itself and there are several Encoding Rules for that and actually you have to implement at least 2 of them I think B R and are usually mandatory to get working properly and C. are I to views can contain arbitrary data at most encodings are extremely easy to get wrong and this has huge security implications like every time every time someone decides to you to write than its
509 part in the low level for nearby also whatever security crowd goes crazy and thing because the particularly easy to exploit because it's easier to get wrong later again at the next part of the common name alternative subject fields as I can and
then these or hostnames well Osmond's because lately people figured out that may be an IP for each for each virtual holes is not and so you can have proper names you can you can use wildcards you can use a is the way at start of what p and this to work this used to work back until 2 thousand 11 because people weren't careful enough next thing should should do how far should wildcard reach this actually what have reached this has only been also been some rather unclear and has been clarified years ago but the next problem idea and international domain names will you know CA code during again there is 1 thing about unique codes and which causes page and pain and pain in which we've also been exposed to because well we give me a sinking files file are are encoded unique code and there's arbitrary amount of ways you can get this wrong but 1st of all because of things like the or any of the other whatever i can be written into ways I can say this is a single symbol or because you because I can say this is a new was to with the diet on top with the to double the and this makes 2 separate entities and basically the the 1st and 2nd says OK and related to the 1st so this is way to represent the same character of the computer
scientists estates no problem is to different representation and only the i can be fooled the problem is that this can be considered a commitment by a certain policy because that's in standard so this is this is really dangerous stuff and it's been discussed over and over again but it's also a problem it's it's nothing you not at all but it's also a problem in writing a proper policy and not any anyone having to write a possible because it's extremely easy to get so is a
right taken well that's not really realistic right of just really doing something as complex as as itself is not really viable especially because some of the
things that are wrong with this is l are not and implementation this is just the development of the scare you you remember that we still have the we still have the problem of trust we still have the problem of location and this is not going away by thinking of something else in is in 1 form for example for instance and so what do we do of 1st of all please make sure that in your application domains get a valid certificate this can be your own CA that's being rolled out a come to this later but just for the sake of it if you'd open source project mobile
sign as a project that gives you a free certificates otherwise if you 21 domain to so far only 1 host of security starters cell is good enough that's going to solve it for many you in the 1st place and then all that's not a convenient answer I make sure you send all intermediate certificates and that's really important sent the intermediate certificates but not all the final root certificate that's what people what c h and vendors recommended using cycles Cycles sweet and again you probably don't know what the best such as readers know that that's why smart people have places to go things up in this case and that's a good address and another problem that that you have is the downgraded text or not even downright you enter a scientist HDP you know it's it's a possibility yes but instead of redirecting man in the middle will simply redirected to results of a because the initial redirectors unencrypted but there is no good solution to that there is only 2nd to the best solution which is called the restricted transport security and what it does is is extra hand which on 1st connected by as will make the browser remember that this side is supposed to be a GPS only connectable and it will make a redirect automatically won't even try to connect initial GPS connections that make initial connection while the 2nd bad because it's tough the 1st used 1st use mean well that can go wrong for us use if you're in the wrong place William as the best um certificate painting and this is something at least as far as I'm aware can't do yourself a browser but but rather than have gone to implement it and so in conferences you have a static list compiled in of sites and what they do is they Our for instance the that is allowed to issue of it is a lot to issue the a certificate with a question et al and so on so they had this database this by the way how they found out that there were broken with certificates because code was complaining and who will well was listening and so what they do is they actually why don't in the certificates well certificate there to be replaceable they know they're going to issue from their own CA so it's easy because they know they were only issue from that CAD 1 of the CIA agents on whether they update Chrome and
this also shows why this is practical for me will but probably not for everyone and and again the main problem here is and by the way also feasible for those using arguing about during mobile apps they can simply because they know what to looking at and basically and but even then and there is a good paper that I have the reference list it's not but it's not necessarily clear on what to do and so review documentation on that and the biggest problem is the uh esthetic list of pending looks to have a lot like a whole still takes the in the eighties and it basically comes down to the same as just expressed uh just explained flexible but which is not and finally to test your configuration this is probably
a sign that many of you already know 0 1 gives you the results for your page and and to you know that you done everything right and you're what will be the talking about then it is
the case in a lot of green marks I why is it not not 100 per cent on that's very easy under the center would mean you sacrifice compatibility and with all the roles of so pick your poison but I think it's something that is considered a plus y you 1 was the author of this tool and should be good enough and book and actually also this you why it came to that conclusion so it's not just some random magic number is at least an explanation why that number is meant but of course there's a number
of things that says that means cannot fix and the very basic
problem here is on 1 and the security and security you want a white list of sites you absolutely sure that you're is securely connected to the implementation of mess apart and on the other hand you have a high availability you want your site to be available if anything fails that reporting line you actually from security forces from from securities perspective would have to say no on the from and availability perspective you wanna say we yeah well in case of not just in the sense that and because he was the 1 that you don't wanna lose customers so this is the very basic problem I then you will have to pick your poison and because you're not picking and alone use you have other people's browser and the CAC cetera making a good set of choices for you in that regard the other thing and here's what I think is going to be the best solution for certificate revocation and it's not yet in place but I think it doesn't get better than always see people with a few extensions so 1st of all we have revocation relocation this they used to be a few kilobytes if you see a as see a few exploded CS major data growing 2 megabytes and their most likely to grow beyond that so downloading esthetics year L again and again that is not really scalable and viable solution and the online certificate status protocol and what they do there's basically you In parallel to each request or before each request they offer specific CA server OK is that certificates OK and certificate and answers with a yes or no that with yes or no or I don't know so this is the 1st thing which makes is the somewhat questionable at a
protocol that can reply with I don't know it is not really useful the 2nd of the 2nd thing is that you can do do it as an of an attack you can try out of service on this and because just an educator uh it should be connections and so it's it's it's not really working out right that's what that's what smart people saw as well and they came up with a is the stapling what is that
as an indicator of its they knows his P. responds to the actual reply from the summer so suppose you have you have your is anyone familiar with camera OK certainly explain the 1st 2nd what is basically does is server how and has I take it that from the CIA that says you are allowed to to was that your that certificate is valid for the next 10 hours for instance so you can arbitrarily resize the window right now that window is rather large usually and that would basically and signed with the CIA certificate that you have anyway because you need to establish a trust relation right so the and that would mean that you don't your browser history because before you need to run history every time you ask for a website your browser would have to associate this is OK as a consequence the CIA gets to get all your browsing history i which is just and cool and you wouldn't make you need to take that Of course this still doesn't solve everything last time I tried to deploy the manager makes it showed that every time a worker was was firing up the 1st request would be unstable and so model of people seem to be using this right now it is not an amount that I was lying in and Apache 2 to which most distributions of that ship doesn't have it as well yeah they they they so there's an arbitrary number of problems with that as well but we're getting better we getting better next thing would be 0 since and sorry I made a typo there was his penis staple which are reminiscent of and this transfer this secure transport had uh basically x 100 and says OK this response
we state otherwise the and you could do this in a number of other ways you could have this information in the certificate and the browser could remember that 1 and the bad thing about this very sorry thing is that at least overseas piece stapling has been in Windows Server 2008 and come on this is 6 years ago 6 years ago Microsoft had 0 since the statement which again is not the definite answer but it's better than anything we currently my knowledge has so Apache 2 2 and this is the next problem most the people use stable or lts or enterprise is the same ancient word distributions back from Egypt and and
sometimes like ready decided that they may want to actually ship more recent as diverse as l and 3 link their applications most of the times than those just to the new version of Open is that what is completely useless because all the implications they should for compatibility reasons for certification reasons for whatever reasons is still linked with the old library so the benefit of this for the systems administration unless they use some funky backwards and then again they have to be aware of this is 0 at the end of course not interchangeable because what's open as is l and it's simply not binary-compatible so you can't just what libraries what so my
call to action would be of assistance tried to adhere to that best practices and again in in the end of my presentation I have a couple of and also in a lot of you will find a good list of references on the on the topic and 2nd of all track what's going on With regard to SSL TLS and is a lot of things going on there's a lot of standards that have been proposed and it takes a while and as goes with standard there's and 2nd of all and and 3rd World thing if you really we need all worsens think about it it is not possible to have a federation between enterprise stability and diverse ability and up-to-date software and that actually allows you to configure these things again Apache 2 2 is still the most used to an Apache webserver and and it's not allowing for all the interesting things that Microsoft and this is really I hope this puts a thing to many of you Microsoft that is back in 2008 on enabled by default but what of distributions should
therefore really follow the example for instance red hair and rhetoric was apparently also very reluctant with that choice of and and of course it's not easy their certification programs there's money involved and there are a other people involved that would then need to put money into this
summer but that should not be we're talking security we're talking about the very integrity of t we cannot messed with that and so without right what again really we've discussed entities of the brothers the
same of course applies for everything else in both as an LT the good news is you know now know how to use for several weeks of same
principle prior applies and there's not much more to take away from this that go to the right that's fine find and and red the appliance and keep track if a aside from what is considered as an unsecured 2 months later that is now still height that can really happen it's your responsibility to keep track of the just as you try your your operates and Europe vulnerabilities right that's what you do anyway of so now we've done most of this is that part of the talk about applications let's talk about small well that that's sort and there we are again here tragic shell scripts of 1 of the guys are basically designed in a way that you could write a browser with them they're not designed to help you if you just want to get your job done and we're not talking about Open SSL openness is an API on design not have serious they're not aligned I the you've got to roll your own certificate handling control on warning dialogs and you have to get all the warnings right from the enumerations in the documentation of the different this is another plementations you have to get mixed-mode hanging right which is extremely difficult I mean you have to get you out to updates right using transport security free updates by checking for integrity by checking for tens of intercity of this is where many many people fail including AV vendors anti-virus vendors failed to authenticated and their updates and is it is something that was in 2002 13 and think so last year and we're coming to that in bit so and if you like the had to go to that you have to go cross-platform i with the application and you have to do this on your own 0 my god causes house there is just a there is for instance the native of the k native to this like you they're going to help you to a certain degree of but in general it's still a lot of pain because the implementations and each platform is going to be like different uh those things are unfortunately often called analysis although I would really love to see that the applications tribute for that
specific thing but closed-source all your favorite Windows shareware you check again on the part of my shot and see if you if you switch if if we have that I haven't told mobile that's saying the same issue of you're writing up so that chances are you doing right why is that that we have a very good paper but follow it up and from the university they analyzed the 13
thousand 500 popular most popular and applications and what's interesting is that when you go to capture but I couldn't come number Twitter accounts school accounts yahoo accounts IV infinitive the gun and so on and so on and so on because the application offers were unable or unwilling or did not understand what it means to properly implemented as a cell within the application and they this is what was referred to earlier they were able to forge anti-virus signature so even on the
various steps were unable to properly SSL secure data communication so the so the common problems they found in this paper that applications for trusting of certificates or they were checking the certificate for that but they did not check the host and that's a certificate which is about as investors but they were and with energy of a special problem his support in order to to 2 has has accepted certificate still includes for instance the genotype of people trust
that I wouldn't in and again mixed-mode content because again next month content handling is complicated of and then you might say OK that's
perfectly fine I'm not doing this crazy idea is that the interest of time and I was also and the absolute is curated means that Apple has a dedicated review process and it was certainly capture right no and to quote doctor I'm sorry so sorry but that's not what's happening and another paper the same offers look at the and about 1 thousand applications like why is it only that if you compared to Android again very simple an Android was in there were to spider the applications and I IOS and in the absence of that was not as trivial as they found about 10 % node 1 person were honorable motives and vulnerable and tender there is a much larger amount where unable to give the correct from parameters search and some of them simply refuse to connect everyone and no error handling whatsoever so
during that story you and and that was the problems
so what what were the problems this time as well on the basic SSL API is available that's what I mentioned and there was an improper understanding of the underlying technology so what they did in the 2nd study was they were asking so they were all modifying the at Office of the of the found to be vulnerable and they explained the issue and they were asking if there were willing to to do an interview some of them said yes most of them understood the ship explanation but after here but some of them even after being explained what the problem is that not see that there well had a problem and so apparently there's people during security led related stuff that fail even after being educated to understand what the problem is that of course the biggest problem and you consulted with technology the the next thing again it's a social thing you have a problem with this trend as L thing you don't know what it is uh so you go to your favorite programming side and of course there is an answer to that because there is always a nonsensical and the answer to this is that it's usually well there is this fancy ignore all of all of this is an artist like you turn that on you go you and on another 1 a popular mobile framework so that you can read in which 1 of the largest studies and I think they Maori already have fixed some of those this the following to not so the certificates again this is the cause of those certificates are meant to be easy to use and if the 1st thing you see is an hour on that you need to handle in your API there's a good chance and people will have framework and this is where the framework offers decided to buy the fault this able checks another thing they found this the checks were implemented then
able for development purposes because they were checking with self-censorship certificates but then if you to read the that check so essentially it was like checking everything so what can
you do and for some reason the last 1 with its 1st you can we will will basically need and this is also conclusion of this paper they designed and they that framework that gives you that gives you the essential features that you will need that you don't have to write any dialogs any any checks and so basically treat you as an application browser within a rather than an application rather than the browser up to standard picture and then was drawing the beginning and they're taking away most of the flexibility that you have doesn't matter because usually you don't need it and with that's and they were able to substantially improved and improve
security so 1 conclusion we can take away it is essentially everyone who offers necessarily API needs to offer convenience it PI those API themselves need to include developable and it needs to be very very hard to actually forget to turn on well so while we do not have these frameworks what would what do we do developers should treat as well like it was the business domain why is that because it's protecting would every application that is you it is doing your business them that whatever your business domain is and securing that's not securing as your business is in trouble so as is l is as important as your actual business that this happens doing of the word people that have to be employed in the open answer book is a good place to start began to check this and that in the end of the talk and there's a lot of good documentation and most of the things don't happen because people are stupid it's because people don't know it's because people I forget about certain details and again it's not generally people's fault it's the fault of people saying has to be complex because it's kind and finally challenger replication try if you can change by its and it goes up try if you can man in the middle this this is there are a lot of free easy to use tools tools so that it can just as as a proxy to easily and tempo with a With Securicor Communications and should be really easy to check if whatever you did a realistic communication good so because we have to hurry the final thing is scripts particularly best also patented I've seen myself and that angle to to devoted to that was really doing myself because I had
to use infrastructure that I was not administrating and new somewhere food and have scientific and well OK yeah you need to retrieve as SSL secure data from from that OK using kernel so that Rw again this is probably the most standard approach to go about this well you get this under the early warning and they refuse to block in best work with all the
warnings congratulations you just opened your communication to man-in-the-middle attacks and then again yes you probably in your own you're you probably neural network would still you have to ask yourself why you encryption the 1st place if you're going to tamper with that data on and that way so even if you doing this internally please at
least to properly create your own roll it out and there are a number of good 2 good toolkits to refer to really on CA if you don't want that there's see certain is not in any browser but can be easily rolled out there is again there's also solutions for that popular jealousy of engines you name and if if that's something that you cannot do by hand there's a good chance you already 1 of these things anyway or really if you're business if time is money just get lot certificate for a four-year internal domain so finally
but it's really bad but we this has to be done and has properly because we don't know and then and it doesn't even have to begin saying we've learned that the BND is doing the same then it's not really any surprises and you probably also find other secret services or a large organizations doing this
there and there is enough interest to despite certain communications and we're making we're making it very easy for everyone who has an interest in spying by not being carefully and with that I think attention without any questions lot I have not looked into the speculation period and know that it is that it contains just like they will inspire tropical and then we will sponsor protocol and that includes encryption interestingly right and that is a good thing that said I have not looked into the specifications myself so I cannot judge from you know that it was going all OK so I'm repeating this that let me quickly repeat where we're talking about because then people from remote can follow so the question was it should be to negotiations is is that is that a problem because it essentially negotiation on whether or not to to upgrade it should be 2 which has interesting encryption and and can be met in the middle and you can see where you basically can would die downgrade attack and my answer to this is I don't know because I have studied the age to to protocol indeed any of questions yet going the and this is interesting but I was I was wondering if we should do research talk about obtained but again this is something that I haven't invested close enough to make qualified statements on it basically yes it could if you trust thing because danger as far as I understand it what you can correct me if I'm wrong and you have 2 parties that have you that you have to trust both of them control both them are organizations that can very easily be tempered by political interests like in which is run by the United States for attending right at the and the local enhanced which is usually countries so it's basically to places where state-sponsored lots of little legislation can easily temple with this blood then it's probably little legit idea but then again 1 about relocation bank does not certification problem doesn't of yeah yeah yes theory there will be way I do remember that there have been no that there have been attempts to do this and data the latest problem with then however is it's not that and the question is that will be because a penetration frankly died and I also want to see a part of community and the draft of a right to be honest can can you think some rice and infusions of so far as is and there are a number of there are a number of drafts to solve articulations of just chose the one that I thought had the best potential but maybe I'm wrong maybe some other graph fluid and again this is not meant to be the different guide on how to solve problems there's is just something I think might solve the problem in a realistic way it's not the best way we can I completely agree on that if you say this is not the best way of solving the amplification problem on this problem in general I completely agree but I think it's a viable way at least of and present emulated questions we can discuss considers my time is up thank you
Soundverarbeitung
Offene Menge
Softwareentwickler
Kategorie <Mathematik>
Güte der Anpassung
Mobiles Internet
Programm
Systemverwaltung
Systemplattform
Computeranimation
Metropolitan area network
Linienmethode
Software
Freeware
Softwareentwickler
Expertensystem
Bit
Extremwert
Browser
Computersicherheit
Teilbarkeit
Computeranimation
Arithmetisches Mittel
Bildschirmmaske
Software
Computerspiel
Mereologie
Client
Server
Expertensystem
Portscanner
Beobachtungsstudie
Softwareentwickler
Computerspiel
Wasserdampftafel
Computeranimation
W3C-Standard
Einfach zusammenhängender Raum
Metropolitan area network
Digitales Zertifikat
Momentenproblem
Computersicherheit
Browser
Familie <Mathematik>
Server
Normalvektor
Computeranimation
Leistung <Physik>
Public-Key-Kryptosystem
Router
Telekommunikation
Domain <Netzwerk>
Browser
Gruppenoperation
Zellularer Automat
Maßerweiterung
Computeranimation
Data Mining
Homepage
Metropolitan area network
Informationsmodellierung
Task
Datenverarbeitungssystem
Flächentheorie
Inhalt <Mathematik>
Wurzel <Mathematik>
Softwareentwickler
Maßerweiterung
Autorisierung
Data Encryption Standard
Softwareentwickler
Befehl <Informatik>
Digitales Zertifikat
Schlüsselverwaltung
Protokoll <Datenverarbeitungssystem>
Computersicherheit
Güte der Anpassung
Browser
Systemverwaltung
TLS
Software
Flächeninhalt
Datenverarbeitungssystem
Rechter Winkel
Projektive Ebene
Domain <Netzwerk>
Vektorpotenzial
Server
Selbst organisierendes System
Browser
Besprechung/Interview
Versionsverwaltung
Partielle Differentiation
Zellularer Automat
Physikalische Theorie
Computeranimation
Metropolitan area network
Domain-Name
Software
Flächentheorie
Tropfen
Gleitendes Mittel
Konfigurationsraum
Laplace-Operator
Auswahlaxiom
Umwandlungsenthalpie
ATM
Digitales Zertifikat
Machsches Prinzip
Güte der Anpassung
Browser
Mixed Reality
Vorzeichen <Mathematik>
Portscanner
Diskrete-Elemente-Methode
Rechter Winkel
Bitfehlerhäufigkeit
Wort <Informatik>
Verkehrsinformation
Randverteilung
Server
Domain <Netzwerk>
Browser
Besprechung/Interview
Zellularer Automat
Partielle Differentiation
Kartesische Koordinaten
Computeranimation
Metropolitan area network
Web Services
Mustersprache
Datentyp
Zeitrichtung
Konfigurationsraum
Umwandlungsenthalpie
Softwaretest
Digitales Zertifikat
Machsches Prinzip
Cookie <Internet>
Browser
Mixed Reality
Vorzeichen <Mathematik>
Physikalisches System
Diskrete-Elemente-Methode
Ultraviolett-Photoelektronenspektroskopie
Sigma-Algebra
Fehlermeldung
Web Site
Server
Domain <Netzwerk>
Quader
Browser
Besprechung/Interview
Familie <Mathematik>
Partielle Differentiation
Computeranimation
Internetworking
Metropolitan area network
Benutzerbeteiligung
RPC
Font
Flächentheorie
Wurzel <Mathematik>
Metropolitan area network
Autorisierung
Digitales Zertifikat
Machsches Prinzip
Zwei
Cookie <Internet>
Browser
Elektronische Unterschrift
Portscanner
Hypermedia
Server
Aggregatzustand
Decodierung
Digitales Zertifikat
Sichtenkonzept
Computersicherheit
Relativitätstheorie
Besprechung/Interview
Programm
Schlussregel
Computeranimation
Metropolitan area network
Client
Standardabweichung
Ablöseblase
Decodierung
Softwareentwickler
Verzeichnisdienst
Standardabweichung
Decodierung
Computersicherheit
Eindeutigkeit
Besprechung/Interview
Elektronische Publikation
Code
Computeranimation
Homepage
Domain-Name
Datenfeld
Standardabweichung
Datenverarbeitungssystem
Mereologie
DoS-Attacke
Codierung
Äußere Algebra eines Moduls
Metropolitan area network
Rechter Winkel
ATM
Selbstrepräsentation
Hinterlegungsverfahren <Kryptologie>
Computeranimation
Resultante
Web Site
Browser
Adressraum
Implementierung
Zellularer Automat
Kartesische Koordinaten
Code
Computeranimation
Metropolitan area network
Domain-Name
Bildschirmmaske
Vorzeichen <Mathematik>
Momentenproblem
Total <Mathematik>
Wurzel <Mathematik>
Softwareentwickler
Metropolitan area network
Inklusion <Mathematik>
Einfach zusammenhängender Raum
Digitales Zertifikat
Open Source
Datenhaltung
Computersicherheit
Mobiles Internet
Einfach zusammenhängender Raum
Mailing-Liste
Kontextbezogenes System
Suite <Programmpaket>
Dreiecksfreier Graph
Projektive Ebene
URL
Instantiierung
Inklusion <Mathematik>
Resultante
App <Programm>
Softwaretest
Rechter Winkel
Momentenproblem
Besprechung/Interview
Mailing-Liste
Konfigurationsraum
Chatbot
Computeranimation
Software Engineering
Autorisierung
Metropolitan area network
Green-Funktion
Schießverfahren
Zahlenbereich
Personal Area Network
Computeranimation
Web Site
Server
Browser
Besprechung/Interview
Implementierung
Computeranimation
Perspektive
Standardabweichung
Maßerweiterung
Parallele Schnittstelle
Ideal <Mathematik>
Auswahlaxiom
Gerade
Implementierung
Umwandlungsenthalpie
Einfach zusammenhängender Raum
Digitales Zertifikat
Protokoll <Datenverarbeitungssystem>
Computersicherheit
Güte der Anpassung
Hochverfügbarkeit
Zeiger <Informatik>
Forcing
Menge
Server
Distributionstheorie
Server
Befehl <Informatik>
Digitales Zertifikat
Transitionssystem
Browser
Relativitätstheorie
Digital Rights Management
Besprechung/Interview
Zahlenbereich
Wärmeübergang
Computeranimation
Informationsmodellierung
Standardabweichung
Rechter Winkel
Bildschirmfenster
Endogene Variable
Server
Wort <Informatik>
Information
Indexberechnung
Unternehmensarchitektur
Implementierung
Bildauflösung
Instantiierung
Distributionstheorie
Stabilitätstheorie <Logik>
Weg <Topologie>
Gruppenoperation
Versionsverwaltung
HIP <Kommunikationsprotokoll>
Kartesische Koordinaten
Kombinatorische Gruppentheorie
Computeranimation
Weg <Topologie>
Software
Programmbibliothek
Notepad-Computer
Default
Implementierung
Distributionstheorie
Digitales Zertifikat
Güte der Anpassung
Systemverwaltung
Systemaufruf
Mailing-Liste
Binder <Informatik>
Gruppenoperation
Offene Menge
Unternehmensarchitektur
Versionsverwaltung
Standardabweichung
Distributionstheorie
Digitales Zertifikat
Computersicherheit
Weg <Topologie>
Besprechung/Interview
Programm
Familie <Mathematik>
Integral
Gruppenoperation
Computeranimation
Auswahlaxiom
Instantiierung
Implementierung
Server
Bit
Euler-Winkel
Nabel <Mathematik>
Freeware
Browser
Implementierung
Kartesische Koordinaten
E-Mail
Systemplattform
Computeranimation
Weg <Topologie>
Prozess <Informatik>
Code
Abzählen
Endogene Variable
Skript <Programm>
Skript <Programm>
Analysis
Digitales Zertifikat
Zehn
Computersicherheit
Browser
Ausgleichsrechnung
Quick-Sort
Integral
Virensuchprogramm
Minimalgrad
Offene Menge
Softwareschwachstelle
Rechter Winkel
ATM
Grundsätze ordnungsmäßiger Datenverarbeitung
Mereologie
Gamecontroller
Instantiierung
Umwandlungsenthalpie
Twitter <Softwareplattform>
Bildschirmfenster
Mereologie
Besprechung/Interview
Zellularer Automat
Zahlenbereich
Kartesische Koordinaten
Elektronische Unterschrift
Grundraum
Computeranimation
Virensuchprogramm
Digitales Zertifikat
Computersicherheit
Mixed Reality
Kartesische Koordinaten
Rechnernetz
Computeranimation
Energiedichte
ATM
Inhalt <Mathematik>
Ordnung <Mathematik>
Versionsverwaltung
Instantiierung
Virensuchprogramm
Arithmetisches Mittel
Parametersystem
Message-Passing
Knotenmenge
Prozess <Physik>
Softwareschwachstelle
Kartesische Koordinaten
Humanoider Roboter
Computeranimation
Implementierung
Fehlermeldung
Beobachtungsstudie
Digitales Zertifikat
Physikalischer Effekt
Computersicherheit
Güte der Anpassung
Programm
Framework <Informatik>
Computeranimation
Office-Paket
Lesezeichen <Internet>
Twitter <Softwareplattform>
Mobiles Internet
Softwareentwickler
Telekommunikation
Proxy Server
Domain <Netzwerk>
Softwareentwickler
Freeware
Browser
Winkel
Computersicherheit
Güte der Anpassung
Ikosaeder
Kartesische Koordinaten
Framework <Informatik>
Computeranimation
Domain-Name
Softwaretest
Offene Menge
Datenreplikation
Skript <Programm>
Skript <Programm>
Wort <Informatik>
Softwareentwickler
Telekommunikation
Server
Computersicherheit
Besprechung/Interview
Skript <Programm>
Computeranimation
Neuronales Netz
Kernel <Informatik>
Server
Domain-Name
Digitales Zertifikat
Euler-Winkel
Selbst organisierendes System
Browser
Server
Skript <Programm>
Gleitendes Mittel
Computeranimation
Umwandlungsenthalpie
Offene Menge
Befehl <Informatik>
Digitales Zertifikat
Protokoll <Datenverarbeitungssystem>
Graph
Selbst organisierendes System
Fluid
Besprechung/Interview
Zahlenbereich
Frequenz
Physikalische Theorie
Computeranimation
Freeware
Software
Chiffrierung
Rechter Winkel
Mereologie
Elektronischer Programmführer
Bildauflösung

Metadaten

Formale Metadaten

Titel To Make Hearts Bleed - A Native Developer's Account On SSL
Serientitel FrOSCon 2014
Teil 12
Anzahl der Teile 59
Autor Molkentin, Daniel
Lizenz CC-Namensnennung - keine kommerzielle Nutzung 2.0 Deutschland:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen und nicht-kommerziellen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
DOI 10.5446/19643
Herausgeber Free and Open Source software Conference (FrOSCon) e.V.
Erscheinungsjahr 2014
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract To Make Hearts Bleed A Native Developer's Account On SSL Heartbleed A tour-de-force through the real-life SSL-adversities faced by developers outside the ivory tower that are today's browsers. It's the tale of understaffed engineering teams, hard-to-educate administrators. It's the horror of broken and undocumented APIs, and contradicting standards. It's the nightmare of FIPS requirements. It's a story without a happy ending, but with a call to action. In a hostile and broken Internet, cryptography is a basic foundation of communication. But cryptography has no value when it's not used correctly. Browser vendors have tried to improve usability, but even they can't fix everything. Some of the improvements have actually been outright rejected by usability studies. Finally, even the biggest amount of developers can't fix ambiguities found in fundamental standards such as those defining X.509 semantics. Moreover, developers who cannot depend on browser technologies are off much worse: They are required to know a significant amount about crypto, and get to re-implement the GUI part of it, often poorly and wrong, only relying on sub-par APIs of their libraries and/or toolkits. Somewhere else, server administrators are left with unsafe defaults by their distribution. Due to sheer complexity, under-educated sysadmins and old libraries found in enterprise distributions, SSL setups today are a lot less safe than they should be. This talk will discuss these subjects, provide examples and give hints for workarounds and proper behavior where possible. And after all, post-Snowden there is enough momentum to fix issues on a broader level, as efforts such as LibreSSL have shown. More effort is needed, and this talk outlines a possible solution. ······························ Speaker: Daniel Molkentin Event: FrOSCon 2014 by the Free and Open Source Software Conference (FrOSCon) e.V.
Schlagwörter Free and Open Source Software Conference
FrOSCon14

Ähnliche Filme

Loading...