[Owasp-royalholloway] confirmed attendance - OWASP Royal Holloway

Edward Bowen edward at gump-tion.co.uk
Fri Mar 2 14:20:31 UTC 2012

Thanks, looking forward to the event. Please can you confirm the time and


-----Original Message-----
From: owasp-royalholloway-bounces at lists.owasp.org
[mailto:owasp-royalholloway-bounces at lists.owasp.org] On Behalf Of
owasp-royalholloway-request at lists.owasp.org
Sent: 02 March 2012 12:00
To: owasp-royalholloway at lists.owasp.org
Subject: Owasp-royalholloway Digest, Vol 2, Issue 1

Send Owasp-royalholloway mailing list submissions to
	owasp-royalholloway at lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	owasp-royalholloway-request at lists.owasp.org

You can reach the person managing the list at
	owasp-royalholloway-owner at lists.owasp.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Owasp-royalholloway digest..."

Today's Topics:

   1. Please join us at the OWASP Royal Holloway Chapter on March
      8th 2012 (Dennis Groves)


Message: 1
Date: Thu, 1 Mar 2012 19:04:55 +0000
From: Dennis Groves <dennis.groves at owasp.org>
To: Owasp-london at lists.owasp.org, owasp-royalholloway at lists.owasp.org
Subject: [Owasp-royalholloway] Please join us at the OWASP Royal
	Holloway Chapter on March 8th 2012
Message-ID: <CAJL+Z05ZJQhwD=avUJCG+TVzP5jV8pF-Ks0JwT28tTUT87K1nw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Thursday, March 8th 2012 (Royal Holloway)
Location: Royal Holloway University of London, Bourne Lecture Theatre 2,
Egham Hill, Egham, TW20 0EX

   - *Securing the SSL channel against man-in-the-middle attacks: Future
   technologies - HTTP Strict Transport Security and Pinning of Certs -
   Tobias Gondrom*

"In recent months, major trusted CAs providing trusted certificates for
SSL/TLS in browser scenarios were compromised (e.g. as seen in the DigiNotar
breach) and, based on the current trust models (trusting all registered CAs
equally for all domains), exposed vital web applications to the risk of
man-in-the-middle attacks. Several approaches are currently being discussed to
mitigate this risk, the most advanced and closest to final adoption being
the technologies discussed by the browser vendors at the recent IETF meeting
in November in Taipei: HSTS and pinning of certificates. To better protect
content providers against the distribution of bogus certificates, an HTTP
header extension containing a fingerprint of their certificates linked to a
domain address has been defined. This approach has been partly tested in
Chrome, and already helped identify and to some extent protect Google's
web application in the recent DigiNotar compromise. Chrome users were able
to detect the bogus DigiNotar certificates because Chrome had embedded the
hashes of valid Google certificates. Back in July, the hacked DigiNotar
certificate authority (CA), which has since gone out of business, was used
to issue more than five hundred bogus certificates for companies including
Google and various intelligence services."

   - *Implementing cryptography: good theory vs. bad practice - Viet Pham*

Abstract: Cryptography is widely implemented in software to provide
security features. The main reason is that many cryptographic mechanisms
are mathematically proven secure, or trusted to be secure given some
mathematical reasoning. However, to take full advantage of these mechanisms,
they must be implemented strictly according to the theoretical models, e.g.,
several cryptographic mechanisms must be used together, in a specific manner,
to provide a desired security goal. Without a strong cryptographic
background, many software developers tend to deviate from these models, thus
making their own security software a gold mine for attackers. This talk
gives examples to show why such situations exist, where they spread, and
how bad they may turn out.

Tobias Gondrom, Viet Pham

Dennis Groves <http://about.me/dennis.groves>, MSc dennis.groves at owasp.org


*This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain
View, California, 94041, USA.*


Owasp-royalholloway mailing list
Owasp-royalholloway at lists.owasp.org

End of Owasp-royalholloway Digest, Vol 2, Issue 1
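The header-delivered certificate pinning that Tobias Gondrom's abstract above describes, worked through as an added example; it is not part of the original announcement, the digest, or any speaker's material. It assumes the pin is base64(SHA-256(SubjectPublicKeyInfo)) carried in a pin-sha256 directive next to max-age and includeSubDomains, as the later Public-Key-Pins draft specified (the abstract fixes no format), and parses the HSTS header the same way for comparison. All key bytes are constructed for the demo, and the helper names (constructed_spki, chain_is_pinned, parse_pins, demo) are mine, not any browser's API.

```python
"""Added example (not from the announcement): check a server's certificate
chain against pins delivered in an HTTP header, and parse the HSTS header.
Header names and pin format follow the later Public-Key-Pins / HSTS specs
(an assumption); every key below is constructed, not a real site's or CA's."""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

def _der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def constructed_spki(key_material: bytes) -> bytes:
    """SubjectPublicKeyInfo-shaped DER around dummy key bytes (constructed for
    the example; in practice the SPKI is taken from the X.509 certificate)."""
    rsa_oid = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
    alg = _der_tlv(0x30, _der_tlv(0x06, rsa_oid) + _der_tlv(0x05, b""))
    key = _der_tlv(0x03, b"\x00" + key_material)  # BIT STRING, 0 unused bits
    return _der_tlv(0x30, alg + key)

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(DER SubjectPublicKeyInfo)). Pinning the key
    rather than the whole certificate survives re-issuance with the same key."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s"]+)))?\s*')

def parse_directives(header_value: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'a=1; b="x"; c' into (name, value) pairs; repeated names are kept."""
    out: List[Tuple[str, Optional[str]]] = []
    for part in header_value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        value = m.group(2) if m.group(2) is not None else m.group(3)
        out.append((m.group(1).lower(), value))
    return out

def parse_pins(header_value: str) -> Dict[str, object]:
    """Parse a Public-Key-Pins value. Requires max-age and at least two pins:
    without a backup pin, rotating the key would lock clients out of the site."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    include_sub = False
    for name, value in parse_directives(header_value):
        if name == "pin-sha256" and value:
            pins.add(value)
        elif name == "max-age" and value is not None:
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or len(pins) < 2:
        raise ValueError("pins header needs max-age and a backup pin")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

def parse_hsts(header_value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value; max-age is mandatory."""
    directives = dict(parse_directives(header_value))
    if directives.get("max-age") is None:
        raise ValueError("HSTS header needs max-age")
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def chain_is_pinned(chain_spkis: List[bytes], pins: Set[str]) -> bool:
    """Accept the chain only if some certificate's SPKI hash is in the pin set.
    A certificate for the right hostname from a compromised CA (the DigiNotar
    case) still chains to a trusted root, but none of its SPKIs match."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)

# Constructed keys: the site's leaf and its CA, a backup key, and a rogue CA.
SITE_LEAF = constructed_spki(b"site-leaf-key-0001")
SITE_CA = constructed_spki(b"legit-ca-key-00001")
BACKUP_KEY = constructed_spki(b"site-backup-key-01")
ROGUE_CA = constructed_spki(b"rogue-ca-key-00001")
ROGUE_LEAF = constructed_spki(b"rogue-leaf-key-001")

PINS_HEADER = (f'pin-sha256="{spki_pin(SITE_CA)}"; pin-sha256="{spki_pin(BACKUP_KEY)}"; '
               "max-age=5184000; includeSubDomains")
HSTS_HEADER = "max-age=31536000; includeSubDomains"

def demo() -> Dict[str, object]:
    """Run the legitimate and the rogue chain against the pinned policy."""
    policy = parse_pins(PINS_HEADER)
    return {
        "legit_chain_accepted": chain_is_pinned([SITE_LEAF, SITE_CA], policy["pins"]),
        "rogue_chain_accepted": chain_is_pinned([ROGUE_LEAF, ROGUE_CA], policy["pins"]),
        "hsts_max_age": parse_hsts(HSTS_HEADER)["max_age"],
    }

if __name__ == "__main__":
    print(demo())
```

The rogue chain is rejected not because its certificates fail ordinary path validation (a certificate issued by a compromised but still trusted CA passes that) but because no public key in it was ever pinned; this is exactly the gap in the "trust every CA equally for every domain" model that the abstract describes. The second pin is required for the same reason Chrome could keep working through a key change: a site with a single pinned key that rotates it has bricked itself for every client that cached the policy.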
