More Tricks For Defeating SSL

DEF CON 17

Presented by: Thomas Wilhelm
Date: Friday July 31, 2009
Time: 12:30 - 13:20
Location: Track 1
Track: Track 1

This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.

Moxie Marlinspike

<strong>Moxie Marlinspike</strong> is from the Institute For Disruptive Studies, a radical think tank for hackers and co-conspirators who seek to operate outside of both the professional sphere as well as academia. For money, he is a licensed USCG Master Mariner, and delivers yachts worldwide.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats