[Owasp-royalholloway] Slides from OWASP Royal Holloway Chapter meeting on March 8th 2012

Tobias Gondrom tobias.gondrom at gondrom.org
Sun Mar 11 17:51:42 UTC 2012


Hello dear OWASP fellows,

it was great to meet you all last Thursday at our RHUL chapter meeting 
and really enjoyed the evening and the interesting discussion. As 
promised here is the link to my presentation:
http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf

If you have any questions or comments about it, please feel free to give 
me a ping.

Best regards and have a nice weekend,

Tobias
(OWASP London)


Tobias Gondrom
email: tobias.gondrom at gondrom.org
mobile: +447521003005



On 01/03/12 19:04, Dennis Groves wrote:
>
>
>       Thursday, March 8th 2012 (Royal Holloway)
>
>
>         [edit
>         <https://www.owasp.org/index.php?title=Royal_Holloway&action=edit&section=5>]Location
>
>     Royal Holloway University of London, Bourne Lecture Theatre 2,
>     Egham Hill, Egham, TW20 0EX
>
>
>         [edit
>         <https://www.owasp.org/index.php?title=Royal_Holloway&action=edit&section=6>]Talks
>
>   * /Securing the SSL channel against man-in-the-middle attacks:
>     Future technologies - HTTP Strict Transport Security and and
>     Pinning of Certs - Tobias Gondrom/
>
>     "In the recent months major trusted CAs providing trusted
>     certificates for SSL/TLS in browser scenarios were compromised
>     (e.g. seen in the Diginotar breach) and based on the current trust
>     models (trusting all registered CAs equally for all domains)
>     exposed vital web applications to the risk of man-in-the-middle
>     attacks. Several approaches are currently discussed to mitigate
>     this risk. The most advanced and closest to final adoption being
>     the technologies discussed by the browser vendors at the recent
>     IETF meeting in November in Taipei: HSTS and pinning of
>     certificates. To better protect content providers against the
>     distribution of bogus certificates, an HTTP header extension
>     containing a fingerprint of their certificates linked to a domain
>     address has been defined. This approach, which has been partly
>     tested in Chrome, and already helped identify and protect to some
>     extend Google's web application in the recent Diginotar
>     compromise. Chrome users were able to detect the bogus DigiNotar
>     certificates because Chrome had embedded the hashes of valid
>     Google certificates. Back in July, the hacked DigiNotar
>     certificate authority (CA), which has since gone out of business,
>     was used to issue more than five hundred bogus certificates for
>     companies including Google and various intelligence services."
>
>   * /Implementing cryptography: good theory vs. bad practice - Viet Pham/
>
>     Abstract: Cryptography is being widely implemented in software to
>     provide security features. The main reason is that, many
>     cryptographic mechanisms are mathematically proven secure, or
>     trusted secure given some mathematical reasoning. However, to take
>     full advantages of these mechanisms, they must be implemented
>     strictly according to the theoretical models, e.g., several
>     cryptographic mechanisms must be used together, in a specific
>     manner to provide a desired security goal. However, without strong
>     cryptographic background, many software developers tend to deviate
>     from these models, thus making their own security software a gold
>     mine for attackers. This talk gives examples to show why such
>     situations exist, where do they spread, and how bad they may turn
>     into.
>
>
>         [edit
>         <https://www.owasp.org/index.php?title=Royal_Holloway&action=edit&section=7>]Speakers
>
> Tobias Gondrom, Viet Pham
>
>
> -- 
> Dennis Groves <http://about.me/dennis.groves>, MSc
> dennis.groves at owasp.org <mailto:dennis.groves at owasp.org>
>
> <http://www.owasp.org/>
>
> /This work is licensed under the Creative Commons 
> Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a 
> copy of this license, visit 
> http://creativecommons.org/licenses/by-nc-nd/3.0/ or send a letter to 
> Creative Commons, 444 Castro Street, Suite 900, Mountain View, 
> California, 94041, USA./
>
>
>
> _______________________________________________
> Owasp-london mailing list
> Owasp-london at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-london

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-royalholloway/attachments/20120311/b1f6f48f/attachment.html>


More information about the Owasp-royalholloway mailing list