[Owasp-royalholloway] Please join us at the OWASP Royal Holloway Chapter on March 8th 2012

Dennis Groves dennis.groves at owasp.org
Fri Mar 2 13:08:44 UTC 2012


My apologies - I will update the wiki - the time is 6:30pm.


> Thursday, March 8th 2012 (Royal Holloway)
>
> Location
>
> Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill,
> Egham, TW20 0EX
>
> Talks
>
> §  *Securing the SSL channel against man-in-the-middle attacks: Future
> technologies - HTTP Strict Transport Security and Pinning of Certs -
> Tobias Gondrom*
>
> "In recent months major trusted CAs providing trusted certificates for
> SSL/TLS in browser scenarios were compromised (e.g. seen in the DigiNotar
> breach) and, based on the current trust models (trusting all registered CAs
> equally for all domains), exposed vital web applications to the risk of
> man-in-the-middle attacks. Several approaches are currently discussed to
> mitigate this risk. The most advanced and closest to final adoption are
> the technologies discussed by the browser vendors at the recent IETF
> meeting in November in Taipei: HSTS and pinning of certificates. To better
> protect content providers against the distribution of bogus certificates,
> an HTTP header extension containing a fingerprint of their certificates
> linked to a domain address has been defined. This approach has been
> partly tested in Chrome, and already helped identify and protect, to some
> extent, Google's web application in the recent DigiNotar compromise. Chrome
> users were able to detect the bogus DigiNotar certificates because Chrome
> had embedded the hashes of valid Google certificates. Back in July, the
> hacked DigiNotar certificate authority (CA), which has since gone out of
> business, was used to issue more than five hundred bogus certificates for
> companies including Google and various intelligence services."
>
> §  *Implementing cryptography: good theory vs. bad practice - Viet Pham*
>
> Abstract: Cryptography is being widely implemented in software to provide
> security features. The main reason is that many cryptographic mechanisms
> are mathematically proven secure, or trusted as secure given some mathematical
> reasoning. However, to take full advantage of these mechanisms, they must
> be implemented strictly according to the theoretical models, e.g., several
> cryptographic mechanisms must be used together, in a specific manner, to
> provide a desired security goal. However, without a strong cryptographic
> background, many software developers tend to deviate from these models,
> thus making their own security software a gold mine for attackers. This
> talk gives examples to show why such situations exist, where they
> spread, and how bad they may become.
> Speakers
>
> Tobias Gondrom, Viet Pham
>
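As an added illustration of the two mechanisms named in the first talk's abstract (not code from the announcement or from either speaker), the following Python models the browser side: a pin check that compares the SHA-256 fingerprint of each certificate's public key against fingerprints the client already holds for the site, and an HSTS store that parses the Strict-Transport-Security header and decides whether a plain http:// request must be upgraded. The SPKI bytes, hostnames and header values used with it are constructed, and the HSTS directive names follow the header as later standardised.

```python
import base64
import hashlib
import time

def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of a DER-encoded SubjectPublicKeyInfo, base64 as pin headers carry it."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def chain_matches_pins(chain_spkis, pinned_fingerprints) -> bool:
    """Accept a chain only if some certificate's key matches a known pin: a rogue
    CA can chain a bogus cert to a trusted root but cannot forge the site's key."""
    pins = set(pinned_fingerprints)
    return any(spki_fingerprint(spki) in pins for spki in chain_spkis)

def parse_hsts(header: str):
    """Parse Strict-Transport-Security into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("HSTS header without max-age is invalid; ignore it")
    return max_age, include_sub

class HstsStore:
    """Minimal HSTS host store. Feed remember() only headers received over an
    error-free TLS connection; must_use_https() decides whether to upgrade."""
    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def remember(self, host: str, header: str) -> None:
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:  # max-age=0 tells the client to forget the host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (self.now() + max_age, include_sub)

    def must_use_https(self, host: str) -> bool:
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            # a policy must exist, be unexpired, and cover subdomains if inherited
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False
```

A real client would also refuse the connection outright on a pin mismatch rather than fall back to the ordinary CA check, which is the whole point of pinning against a compromised CA.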

