SSL has been around for decades, and yet it keeps happening: new attacks against TLS are discovered at a steady rate. The past year has seen its expected share of rogue CA certificates and critical vulnerabilities in TLS libraries. In this talk, I will present no less than three new attacks against the use of TLS on the web. The first relies on a long-known cryptographic weakness in the protocol, combined with long-known issues in TLS implementations, to re-enable a flavor of the 2009 renegotiation attack that was thought to be fixed. The second exploits the truncation weakness, known since SSL2 but left unsolved, to bypass anti-stripping defenses (strict transport security) and steal secure cookies. The last exploits vulnerabilities in the deployment of HTTPS, in particular how HTTP servers process requests and manage certificates and sessions, to reach the holy grail of TLS attacks: full server impersonation of several thousand websites, including Microsoft, Apple, Twitter, and PayPal. The three attacks share two key traits: they rely on an attacker that operates at both the TLS and HTTP levels, and they exploit misunderstandings and false assumptions between TLS libraries and the applications that use them.
In the course of this talk, you will learn about the full capabilities of the "beastly" attacker that operates jointly at the transport and application levels, and how those capabilities can be exploited. You will also learn how to configure your HTTPS server to avoid being vulnerable to our virtual host confusion attacks, for which no simple universal fix exists. Lastly, I will try to disprove some misconceptions about TLS and privacy in the context of powerful network attackers.