Fighting Back Against SSL Inspection - or How SSL Should Work - Jacob Thompson Derbycon 2014 (Hacking Illustrated Series InfoSec Tutorial Videos)

Enterprises are known to intercept and inspect SSL-protected employee web traffic, often without adequate understanding on the employee's part, and almost certainly without the consent of the entity operating the server. The cases of Trustwave, TURKTRUST, and ANSSI show how the confidentiality of client-server communications is further threatened by the mounting abuse, misuse, incompetence, and compromise of trusted certificate authorities. Prior notice and the need to install custom root certificates are no longer technical hurdles impeding SSL interception. This talk will dispel the beliefs that SSL interception is only a client-side concern, and that addressing it using client-side certificates is impractical. We discuss how to leverage built-in browser and server-side capabilities, well understood in academia but rarely used in practice, to achieve mutual client-server authentication. Using these techniques, the server, too, now has a say in whether its traffic can be intercepted and inspected.
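The mechanism the abstract describes, as an added example that is not part of the talk or of this page: a server that requires a client certificate chained to its own CA refuses any connection that cannot prove possession of the user's private key. An inspecting proxy sits between client and server with a forged server certificate and its own root; it can fool the client, but it holds neither the user's key nor a client certificate the server trusts, so its upstream handshake fails. The script builds a throwaway PKI with the openssl command-line tool (assumed to be on PATH), then runs a standard-library TLS server and client on the loopback interface. All names in it (site-ca, proxy-ca, server, client, proxy-client, localhost) are constructed for the demo.

```python
"""Mutual TLS demo (added illustration, not code from the talk): a server
that demands a client certificate cannot be transparently intercepted,
because the inspecting proxy holds neither the user's private key nor a
client certificate the server trusts.  Uses the openssl CLI (assumed on
PATH) for a throwaway PKI and the standard library for the TLS exchange."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

GREETING = b"hello from the mTLS server\n"

# Explicit extensions so the chain also passes OpenSSL's strict X.509 checks
# (recent Python versions enable them by default in create_default_context()).
CA_EXT = ("basicConstraints=critical,CA:TRUE\n"
          "keyUsage=critical,keyCertSign,cRLSign\n"
          "subjectKeyIdentifier=hash\n")
LEAF_EXT = ("basicConstraints=critical,CA:FALSE\n"
            "keyUsage=critical,digitalSignature,keyEncipherment\n"
            "subjectKeyIdentifier=hash\n"
            "authorityKeyIdentifier=keyid\n"
            "extendedKeyUsage={eku}\n")


def _openssl(workdir, *args):
    subprocess.run(["openssl", *args], cwd=workdir, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def _write(workdir, name, text):
    with open(os.path.join(workdir, name), "w") as fh:
        fh.write(text)
    return name  # openssl runs with cwd=workdir, so the bare name resolves


def _key_and_csr(workdir, name):
    _openssl(workdir, "req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}",
             "-keyout", f"{name}.key", "-out", f"{name}.csr")


def _make_ca(workdir, name):
    _key_and_csr(workdir, name)
    _openssl(workdir, "x509", "-req", "-in", f"{name}.csr", "-signkey", f"{name}.key",
             "-days", "1", "-extfile", _write(workdir, f"{name}.ext", CA_EXT), "-out", f"{name}.crt")


def _issue(workdir, ca, name, eku, san=None):
    _key_and_csr(workdir, name)
    ext = LEAF_EXT.format(eku=eku) + (f"subjectAltName=DNS:{san}\n" if san else "")
    _openssl(workdir, "x509", "-req", "-in", f"{name}.csr", "-CA", f"{ca}.crt", "-CAkey", f"{ca}.key",
             "-CAcreateserial", "-days", "1", "-extfile", _write(workdir, f"{name}.ext", ext),
             "-out", f"{name}.crt")


def build_demo_pki():
    """Constructed throwaway PKI in a temp dir: the site's CA issues the server
    cert and one user cert; a second CA stands in for the root a proxy controls."""
    workdir = tempfile.mkdtemp(prefix="mtls-demo-")
    _make_ca(workdir, "site-ca")
    _make_ca(workdir, "proxy-ca")
    _issue(workdir, "site-ca", "server", "serverAuth", san="localhost")
    _issue(workdir, "site-ca", "client", "clientAuth")
    _issue(workdir, "proxy-ca", "proxy-client", "clientAuth")  # what a proxy could mint itself
    return workdir


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _serve_one(listener, server_ctx, seen):
    """Accept one connection; record the CN of a verified client cert, else None."""
    raw, _ = listener.accept()
    try:
        with server_ctx.wrap_socket(raw, server_side=True) as tls:
            seen.append(_common_name(tls.getpeercert() or {}))
            tls.sendall(GREETING)
    except (ssl.SSLError, OSError):
        seen.append(None)  # handshake refused: no cert, or one the site CA did not issue
    finally:
        raw.close()
        listener.close()


def attempt(workdir, require_client_cert, client):
    """One TLS exchange against a local server.  client is 'none', 'client'
    (site-issued) or 'proxy-client' (issued by the proxy's own CA).
    Returns (client_received_greeting, cn_the_server_verified)."""
    def p(name):
        return os.path.join(workdir, name)
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(p("server.crt"), p("server.key"))
    server_ctx.load_verify_locations(p("site-ca.crt"))  # only site-issued client certs count
    server_ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = []
    worker = threading.Thread(target=_serve_one, args=(listener, server_ctx, seen), daemon=True)
    worker.start()

    client_ctx = ssl.create_default_context(cafile=p("site-ca.crt"))
    if client != "none":
        client_ctx.load_cert_chain(p(f"{client}.crt"), p(f"{client}.key"))
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                ok = tls.recv(len(GREETING)) == GREETING  # TLS 1.3 reports a rejected cert here
    except (ssl.SSLError, OSError):
        ok = False
    worker.join(5)
    return ok, (seen[0] if seen else None)


if __name__ == "__main__":
    pki = build_demo_pki()
    print("no mTLS, anonymous client      :", attempt(pki, False, "none"))
    print("mTLS, site-issued client cert  :", attempt(pki, True, "client"))
    print("mTLS, no client cert           :", attempt(pki, True, "none"))
    print("mTLS, proxy-minted client cert :", attempt(pki, True, "proxy-client"))
```

Run it directly to see the four outcomes: without mutual TLS an anonymous client (which is all an inspecting proxy is, from the server's point of view) gets through; with it, only the site-issued client certificate receives the greeting, while a missing certificate or one minted under the proxy's own root is rejected at the handshake. The caveat a practitioner should keep in mind is that this protection is only as strong as the secrecy of the client's private key: a proxy operator who can also harvest keys from the endpoint, rather than merely pushing a root certificate to it, is back in the game, which is why the key is best held in a smart card or other hardware token the endpoint can use but not export.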
