[Owasp-royalholloway] Please join us at the OWASP Royal Holloway Chapter on March 8th 2012

Dennis Groves dennis.groves at owasp.org
Thu Mar 1 19:04:55 UTC 2012

Thursday, March 8th 2012 (Royal Holloway)
Location: Royal Holloway University of London, Bourne Lecture Theatre 2,
Egham Hill, Egham, TW20 0EX

   - *Securing the SSL channel against man-in-the-middle attacks: Future
   technologies - HTTP Strict Transport Security and Pinning of Certs -
   Tobias Gondrom*

"In recent months, major trusted CAs providing trusted certificates for
SSL/TLS in browser scenarios were compromised (e.g. as seen in the DigiNotar
breach) and, based on the current trust models (trusting all registered CAs
equally for all domains), exposed vital web applications to the risk of
man-in-the-middle attacks. Several approaches are currently being discussed to
mitigate this risk. The most advanced, and closest to final adoption, are
the technologies discussed by the browser vendors at the recent IETF
meeting in November in Taipei: HSTS and pinning of certificates. To better
protect content providers against the distribution of bogus certificates,
an HTTP header extension containing a fingerprint of their certificates
linked to a domain address has been defined. This approach has been
partly tested in Chrome, and already helped identify and, to some
extent, protect Google's web application in the recent DigiNotar compromise. Chrome
users were able to detect the bogus DigiNotar certificates because Chrome
had embedded the hashes of valid Google certificates. Back in July, the
hacked DigiNotar certificate authority (CA), which has since gone out of
business, was used to issue more than five hundred bogus certificates for
companies including Google and various intelligence services."

   - *Implementing cryptography: good theory vs. bad practice - Viet Pham*

Abstract: Cryptography is widely implemented in software to provide
security features. The main reason is that many cryptographic mechanisms
are mathematically proven secure, or trusted to be secure given some mathematical
reasoning. However, to take full advantage of these mechanisms, they must
be implemented strictly according to the theoretical models; e.g., several
cryptographic mechanisms must be used together, in a specific manner, to
provide a desired security goal. However, without a strong cryptographic
background, many software developers tend to deviate from these models,
thus making their own security software a gold mine for attackers. This
talk gives examples to show why such situations exist, where they
spread, and how bad they may become.
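As an added illustration of the header-based pinning check the first abstract describes (example code written for this page, not Chrome's or the IETF draft's implementation), the following Python parses an HSTS header and an HPKP-style pin header, computes base64(SHA-256) over each certificate's SubjectPublicKeyInfo, and accepts a served chain only if one of those hashes is pinned. The SPKI byte strings and headers are constructed sample values, not real keys, and a chain from a mis-issued certificate fails the check even though a CA signed it.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys):
# what a client would extract from each certificate in the served chain.
LEAF_SPKI = b"constructed-leaf-spki-der"
BACKUP_SPKI = b"constructed-backup-key-spki-der"


def pin_sha256(spki_der: bytes) -> str:
    """Pin value as carried in a pin-sha256 directive: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_directives(header: str) -> dict:
    """Split a semicolon-separated header into directives; pin-sha256 may repeat."""
    out = {"pin-sha256": []}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            out["pin-sha256"].append(value)
        else:
            out[name] = value or True  # valueless directives become flags
    return out


def hsts_policy(header: str) -> dict:
    """Effective HSTS policy: how long it lasts and whether subdomains are covered."""
    d = parse_directives(header)
    return {"max_age": int(d.get("max-age", 0)),
            "include_subdomains": d.get("includesubdomains") is True}


def chain_matches_pins(chain_spkis: list, pin_header: str) -> bool:
    """Accept the chain only if some certificate's SPKI hash is a pinned value."""
    pins = set(parse_directives(pin_header)["pin-sha256"])
    if len(pins) < 2:  # a backup pin is required so key rotation cannot lock clients out
        raise ValueError("pin header must carry at least two pins")
    return any(pin_sha256(spki) in pins for spki in chain_spkis)


# Constructed headers as a site might send them in its HTTPS responses.
HSTS_HEADER = "max-age=31536000; includeSubDomains"
PIN_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=2592000' % (
    pin_sha256(LEAF_SPKI), pin_sha256(BACKUP_SPKI))

if __name__ == "__main__":
    print(hsts_policy(HSTS_HEADER))
    print(chain_matches_pins([LEAF_SPKI, b"constructed-intermediate"], PIN_HEADER))
    print(chain_matches_pins([b"constructed-mis-issued-leaf-spki"], PIN_HEADER))
```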

Tobias Gondrom, Viet Pham

Dennis Groves <http://about.me/dennis.groves>, MSc
dennis.groves at owasp.org


*This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain
View, California, 94041, USA.*