[Owasp-portland] August 22nd: Chapter Meeting

Tim tim.morgan at owasp.org
Mon Aug 20 17:53:53 UTC 2012


Howdy!  Just a quick reminder about our chapter meeting on Wednesday
at 6:30p.  I've updated the link in calagator with more information,
but here are the abstracts:


Kevin P. Dyer presents:
What Encryption Leaks and Why Traffic Analysis Countermeasures Fail

As more applications become web-based, an increasing amount of
client-server interactions are exposed to our networks and vulnerable
to Traffic Analysis (TA) attacks. In one form, TA attacks exploit the
lengths and timings of packets in a protocol's flow to infer sensitive
information about communications. In the context of encrypted HTTP
connections, such as HTTP over SSH, this means an adversary can
determine which website a user is visiting. In the context of a
specific web application, an adversary can determine user input by
viewing only a few client-server interactions.

Recent advances in the application of Machine Learning tools
demonstrate that TA attacks are possible despite industry-standard
encryption such as TLS, SSH or IPSec. What is more, even if a protocol
uses stronger countermeasures, such as fixed-length per-packet
padding, this incurs significant overhead but only provides limited
security benefit. These types of security vs. efficiency trade-offs
are of immediate concern to security-aware applications such as Tor,
and performance-sensitive application features such as Google Search
Autocomplete.

In this talk, Kevin will address the state-of-the-art TA attacks and
proposed countermeasures in the context of network and web application
security. Most importantly, he will discuss open problems in this area
and why a general-purpose TA countermeasure remains elusive.



Timothy D. Morgan presents:
HTTPS, Cookies, and Men-in-the-Middle: Why You Shouldn't Allow
Marketing Departments to Design Your Security Protocols

Login session management in modern web applications is largely
dominated by use of HTTP cookies. However, HTTP cookies were never
designed for secure applications, which has led to a significant
number of protocol security problems.

In this talk, Tim will start with a brief background on why HTTP
cookies are a poorly-conceived mechanism to begin with, and continue
with a discussion of how this impacts security. He will describe
several lesser-known cookie-based session management problems that
remain widespread and allow for session hijacking through a variety
of clever attacks.



Cheers,
tim
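As an added illustration of the trade-off described in Kevin's abstract (this is not code from the announcement or from either speaker): fixed-length per-packet padding removes per-packet lengths from an encrypted flow, but packet counts and direction patterns survive it, and the byte overhead is large. The two traces and site names below are constructed sample data, not real captures.

```python
"""Toy model of the padding trade-off: pad every packet to a fixed size,
then measure (a) the byte overhead and (b) whether a fingerprint built only
from features that padding cannot hide still separates the page loads."""

# Constructed packet-length traces (bytes) for two hypothetical page loads.
# Positive = client->server, negative = server->client.
TRACES = {
    "site_a": [120, -1380, -1380, -460],
    "site_b": [95, -1380, -1380, -1380, -1380, -700, 210],
}

MTU = 1500  # fixed size every packet is padded up to (assumed, not from the page)


def pad_fixed(trace, size=MTU):
    """Fixed-length per-packet padding: every packet becomes exactly `size` bytes.
    Direction is preserved; packets are assumed <= size (no fragmentation)."""
    return [size if p > 0 else -size for p in trace]


def overhead(trace, size=MTU):
    """Extra bytes on the wire as a fraction of the unpadded total."""
    raw = sum(abs(p) for p in trace)
    padded = sum(abs(p) for p in pad_fixed(trace, size))
    return (padded - raw) / raw


def fingerprint(trace):
    """Features that survive per-packet padding: packet count per direction
    and the direction sequence. Packet lengths are deliberately excluded."""
    n_out = sum(1 for p in trace if p > 0)
    n_in = sum(1 for p in trace if p < 0)
    return (n_out, n_in, tuple(1 if p > 0 else -1 for p in trace))


def still_distinguishable(traces, size=MTU):
    """True if the padded traces still have pairwise distinct fingerprints,
    i.e. the countermeasure left enough structure to tell them apart."""
    fps = [fingerprint(pad_fixed(t, size)) for t in traces.values()]
    return len(set(fps)) == len(fps)


if __name__ == "__main__":
    for name, t in TRACES.items():
        print(name, "overhead %.0f%%" % (100 * overhead(t)), fingerprint(pad_fixed(t)))
    print("distinguishable after padding:", still_distinguishable(TRACES))
```

Both traces cost roughly 60-80% more bytes after padding, yet their packet counts alone still tell them apart, which is the "significant overhead, limited benefit" point of the abstract.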



On Thu, Aug 02, 2012 at 08:07:13AM -0700, Tim wrote:
> 
> Hi Everyone,
> 
> Just wanted to drop a quick note for you to mark your calendars.  On
> Wednesday August 22nd, Kevin Dyer will be giving a talk for us at PSU.
> We'll be adding details here as we get closer to the event:
>   http://calagator.org/events/1250462659
> 
> Hope to see you there!
> tim
> 
> 
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland
