A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


You're not old enough for that: A TLS extension to put the past behind us - Falcon Darkstar Momot (Circle City Con 2017 Videos) (Hacking Illustrated Series InfoSec Tutorial Videos)

You're not old enough for that: A TLS extension to put the past behind us
Falcon Darkstar Momot

falcondarkstar
Circle City Con 2017

TLS evolves rapidly. We don't all have the luxury of upgrading with it, unfortunately; new versions, extensions, cipher suites, and protocols require mutual support. This poses a serious problem for those who have legacy systems that cannot be upgraded (think IoT, or any device that needs certification). Accepting the risk of using a weak (but still sufficient, or better than nothing) protocol with those systems on an interim basis shouldn't imply accepting the risk everywhere. I offer an alternative. I propose a TLS extension that endorses certificates with certain supported features, and then performs a sanity check at the end of establishment or renegotiation. This can be used to detect and prevent downgrade attacks, and doubles as a policy enforcement tool.

Falcon is a Shadytel tactical lineman and a Leviathan security consultant. He usually talks about LangSec, and recently published "The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them".

Back to Circle City Con 2017 Videos list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast