SSL has taken many hits over the past year. From the MD5 rogue certificate creation to SSL Strip, it seems that SSL should be dead and gone. However, SSL is still one of the fundamental security patterns used to protect data in transit. Unfortunately, SSL is widely misunderstood. It's time to take a breath and make sure everyone knows what we are really doing when we implement SSL. This will be an advanced talk that will focus on understanding the entire lifecycle of SSL. How does it work, what are the weaknesses, and what's going on with the recent SSL attacks? We will address issues such as: How does SSL really work? Is redirecting from HTTP to HTTPS safe? Does the landing page need to be SSL? How bad are those browser warnings? What tools are available and how do I test my server's SSL configuration? Should I be concerned about the MD5 rogue certificate or SSL Strip? These questions and more will be answered. This presentation will not be a basic intro-to-SSL talk. This will be 45 minutes of drinking from the SSL security fire hose. It is intended for security audiences already familiar with the basics of SSL and encryption.
Michael Coates is the lead Web Security Engineer for Mozilla, responsible for protecting all of Mozilla's web applications. Prior to Mozilla, Michael spent many years in consulting and performed penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is a contributor to the OWASP Top 10, creator of the OWASP TLS Cheat Sheet and the OWASP AppSensor project, and holds a Master's degree in Computer Security from DePaul University.