Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Monday, June 23 • 09:00 - 13:00
Training room 7 - TLS/SSL in Practice
SSL/TLS as used today has more and more problems, and it is difficult to understand what the root causes of these problems are, how to detect them, and finally how to avoid or fix them.

This training gives a brief introduction to SSL: how it works in general, which problems are known in the protocol and in the PKI it relies on, and the known vulnerabilities including potential attacks, and it provides tools to check for these issues. The main focus is SSL as used in HTTPS; other uses, such as SSL for SMTP, are only a small part. As a round-up there will be recommendations on how to configure SSL securely.

Topics

The course is a hands-on training showing by example how to check the SSL connection established with a web server (including the ciphers) and how to analyse the certificate it presents. A large number of tools will be explained, and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and related settings.

The tools covered include, for example, openssl, sslaudit, sslscan, ssltest.pl, o-saft and some more, as well as online checking tools such as ssllabs.com. We show what these tools are useful for, what they can do and what they cannot.

Finally we show how the OWASP tool o-saft can be used to cover most of the previously shown techniques and how to use its advanced features, such as:

  • checking for special SSL settings
  • checking multiple servers at a time
  • customizing the results
  • using private SSL libraries
  • customizing o-saft itself
  • or simply debugging various SSL connection problems.

The purpose of this course is to provide participants with a tool set for checking SSL and to teach them how and when to use which tool.

The course is intended to teach builders and defenders how to analyse SSL from a client-side view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or breaking SSL with tools such as sslsniff, ssltrap and the like, or of exploiting vulnerabilities. Instead it should give developers an idea of how to use SSL securely, and give system architects, administrators and operations people hints on how to set up and configure SSL in a properly secure way.



Technical Requirements

The participants should bring their own laptop with any operating system (Linux is recommended) and at least the following tools installed:

  • openssl (1.0.1e or newer)
  • perl (5.8 or newer); on Windows systems Strawberry Perl is recommended
  • Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)
  • python (2.7), optional

Optional, for smooth testing, a local SSL-enabled web server should be running on the laptop.

Others

All other tools used are open source and available during the course. The participants are responsible on their own for accepting and following the license terms of each tool.


Speakers

Achim Hoffmann

Starting with Linux/network security in the nineties, Achim Hoffmann has been working in web application security for more than 12 years. After working as a web-application developer for several years, he started concentrating on web application security as his major subject in different roles, such as penetration tester, doing SCA and giving security workshops. He is author, co-author and maintainer of various papers about web application security at BSI...

Monday June 23, 2014 09:00 - 13:00
LAB109
