A study of what really breaks SSL

BSidesLV 2011

Presented by: Ivan Ristic
Date: Wednesday August 03, 2011
Time: 12:30 - 13:30
Location: Track 3
Track: Track 3

We love security metrics because they tell us what really goes on out there. Last year we conducted an analysis of millions of SSL servers, showing, for the first time, how SSL is really used. This year we are pushing our study further by deepening and expending our efforts in several key areas. We will be looking at the problems that really break SSL — insecure session cookies, mixed content, incorrect site configuration, and distribution of trust to third-party sites. The best crypto in the world is not going to help a site that has flaws in these critical areas. To discover these flaws we are building a custom site crawler, which we are then going to run against the world’s 1 million most used web sites. In addition to all that, we are expanding the scope of the study to include protocols other than HTTP, as well as basing our assessment on an updated version of the rating guide. The end result? We are finally going to find out how useful SSL really is.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats