When SSL Fails: Tracing the SSL vuln to the most shocking real world impacts - Michelle Simpson
Author: NIDevConf
Uploaded: 2025-08-05
Views: 34
Description:
As a web application tester, I have rarely ever (except due to limited scope) delivered a report without SSL/TLS issues raised. While the impact can be high, the complexity of mounting an attack usually results in many SSL/TLS issues being rated low risk or medium at most. I see in my clients and many colleagues SSL issue fatigue.
Inspired by Geoff White’s new book Rinsed and the stark reality of the impact of cybercrime, I decided to take a look at the role of encryption. Geoff's book demonstrates the depths to which humanity will go when embroiled in exploitation of humans for drugs and money, and cyber is undeniably entangled in this web of crime. I wanted to know if there is a direct path from my web app report to the most heinous crimes and if this real world impact is in fact relevant.
I want to dive into the typical web app SSL issues, explore the real world exploitation of these and track them through from what I identify and report to my clients as a web app tester, through exploitation, how that works, and how it has been a factor (if so, how much of a factor) in some of the greatest high profile hacks in the world, finally, what that real world impact could be of that little old common issue of supporting weak ciphers.
During my talk, I will demonstrate some exploitation of SSL/TLS vulnerabilities and, if time allows, show how to test for these vulnerabilities both using tools and using the command line.