TLS evolves rapidly. We don't all have the luxury of upgrading with it, unfortunately; new versions, extensions, cipher suites, and protocols require mutual support. This poses a serious problem for those who have legacy systems that cannot be upgraded (think IoT, or any device that needs certification). Accepting the risk of using a weak (but still sufficient, or better than nothing) protocol with those systems on an interim basis shouldn't imply accepting the risk everywhere. I offer an alternative. I propose a TLS extension that endorses certificates with certain supported features, and then performs a sanity check at the end of establishment or renegotiation. This can be used to detect and prevent downgrade attacks, and doubles as a policy enforcement tool.

Falcon is a Shadytel tactical lineman and a Leviathan security consultant. He usually talks about LangSec, and recently published "The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them".

Back to Circle City Con 2017 Videos list