by Anant Shrivastava (@anantshri) on Saturday, April 19, 2014

Status: Confirmed & Scheduled
Section: Full talk

Technical level: Intermediate

Objective

The objective of the session is to:

  • Provide a basic understanding of the SSL/TLS issues identified in recent years.
  • Explain their widespread implications for the new-age internet.
  • Explain what they mean for developers and administrators.

Description

The talk will cover the SSL/TLS bugs identified in recent years:

  • Heartbleed
  • GnuTLS certificate verification bug
  • Apple SSL bug ("goto fail")
  • Lucky 13
  • BEAST
  • CRIME

These bugs have shaken the core premise of secure communication. The talk will focus on giving administrators and developers a basic understanding of these issues. It will also take up some burning questions now being raised in the wild, such as:

  • How secure are the SSL libraries themselves?
  • Is open source code really secure?
  • Is it really true that "given enough eyeballs, all bugs are shallow"?
  • Should we move towards languages with a higher level of abstraction?

and, most importantly:

  • What it really means for an administrator / DevOps person
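As an added illustration (not part of the proposal or the speaker's material), here is the first bug in the list above, Heartbleed, reduced to its essentials in C. A TLS heartbeat message is type(1) | payload_length(2) | payload | padding(16 or more); the vulnerable responder trusted the peer-supplied payload_length and echoed that many bytes back without checking it against the record length that had actually arrived, so a request claiming a long payload pulled whatever lay next in memory into the response. The example simulates that with a constructed byte array standing in for process memory and a constructed secret placed right after the record; the `heartbeat_fixed()` check mirrors the one the OpenSSL fix added. Names, buffer sizes and the sample secret are assumptions made for the demo.

```c
/*
 * Added illustration of the Heartbleed over-read (CVE-2014-0160); this is
 * demo code, not code from the talk.  A TLS heartbeat message is:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16)
 * The bug: the responder trusted payload_length from the peer and copied
 * that many bytes back, never checking it against the record length that
 * actually arrived.  The fix is the single bounds check in heartbeat_fixed().
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16
#define MEM_SIZE    256

/* Constructed stand-in for process memory: the received record sits at the
 * front and unrelated secret material happens to lie right after it. */
static uint8_t memory[MEM_SIZE];

/* Lay out a 21-byte request whose real payload is "hi" (2 bytes) but whose
 * length field claims `claimed` bytes; put `secret` just after the record.
 * Returns the record length that really arrived on the wire. */
static size_t setup_memory(uint16_t claimed, const char *secret)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed >> 8);
    memory[2] = (uint8_t)(claimed & 0xff);
    memory[3] = 'h';
    memory[4] = 'i';
    size_t rec_len = 1 + 2 + 2 + HB_PADDING;   /* padding bytes are the zeros */
    memcpy(memory + rec_len, secret, strlen(secret));
    return rec_len;
}

/* Vulnerable responder: echoes payload_length bytes, trusting the field. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    (void)rec_len;                              /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len > out_cap)
        return -1;                  /* keeps the demo inside our own array */
    memcpy(out, rec + 3, payload_len);  /* reads past the 21-byte record */
    return payload_len;
}

/* Fixed responder: discard the record if the claimed payload cannot fit. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                              /* no room for a header */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;                              /* the missing check */
    if ((size_t)payload_len > out_cap)
        return -1;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Substring search over a byte buffer (the demo's leak detector). */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

typedef int (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Feed one heartbeat with claimed length `claimed` to a handler.
 * Returns the handler's result; *leaked is set if the secret came back. */
int run_heartbeat(hb_handler h, uint16_t claimed, int *leaked)
{
    const char *secret = "session-cookie=deadbeef";  /* constructed sample */
    size_t rec_len = setup_memory(claimed, secret);
    uint8_t out[MEM_SIZE] = {0};
    int n = h(memory, rec_len, out, sizeof out);
    *leaked = (n > 0) && contains(out, (size_t)n, secret);
    return n;
}

/* Probes: did a forged 64-byte request leak the secret / what was returned? */
int leaks_with(hb_handler h)
{
    int leaked;
    run_heartbeat(h, 64, &leaked);
    return leaked;
}

int returns_with(hb_handler h, uint16_t claimed)
{
    int leaked;
    return run_heartbeat(h, claimed, &leaked);
}

int main(void)
{
    printf("vulnerable: returned %d bytes, secret leaked: %s\n",
           returns_with(heartbeat_vulnerable, 64),
           leaks_with(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed:      returned %d, secret leaked: %s\n",
           returns_with(heartbeat_fixed, 64),
           leaks_with(heartbeat_fixed) ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler and run. The forged request claims 64 bytes of payload but carries 2, so the vulnerable handler hands back 64 bytes that include the secret sitting past the record, while the fixed handler discards the record and an honest 2-byte request still works. On a real server the over-read wandered through whatever heap memory followed the record, which is why patching the library alone is not enough: keys, session cookies and passwords that may have been adjacent have to be treated as exposed and rotated.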

Speaker bio

  • I am a server administrator gone rogue to become a security consultant.
  • I have spoken and trained at multiple security-focused conferences like Nullcon, c0c0n, ClubHack, g0s.
  • Primarily focused on web application security and mobile security.
  • Active member of Null and Garage4Hackers open security Communities.
  • Creator of Android Tamer.
  • More about me here

Comments

  • Sreekandh Balakrishnan (@gnuyoga) 2 years ago

    Anant,
    It was wonderful talking to you. Can't wait to hear you at the conference. As a next step I would like to see the deck that you prepare (we can iterate on that ASAP).

    MoM
    Sensitize people about different kinds of attacks
    What was the view of the customer about Heartbleed? He was assuming no attacks.
    How to monitor/detect Heartbleed in real time
    Heartbleed live demo of stealing (record a video in case we have internet issues)
    Updating SSL and updating the cert: is it enough? [lock the user account till they change the password, revoke the API access]
    Are we safe now? Certainly not. How about mobile apps which have older versions of OpenSSL bundled? How about embedded devices? Perhaps ditch them and get a new version. Ask your vendor to give you a new build with the latest version of the OpenSSL library.
