Failosophy

goto fail;

exploring two decades of transport layer insecurity
Hall 2
Nick Sullivan
Legend has it, the first iteration of the Secure Sockets Layer (SSL) protocol was broken in ten minutes by Phillip Hallam-Baker and Alan Schiffman during a presentation by Marc Andreesen at MIT in 1994. In the following two decades the protocol has been improved and the implementations have been strengthened, but not without a steady stream of implementation vulnerabilities and protocol design errors. From the ciphersuite rollback attack to LogJam, SSL/TLS has seen a diverse set of problems. In this talk we’ll discuss the pitfalls in designing and implementing a cryptographic protocol and lessons learned from TLS up to version 1.2.
Legend has it, the first iteration of the Secure Sockets Layer (SSL) protocol was broken in ten minutes by Phillip Hallam-Baker and Alan Schiffman during a presentation by Marc Andreesen at MIT in 1994. In the following two decades the protocol has been improved and the implementations have been strengthened, but not without a steady stream of implementation vulnerabilities and protocol design errors. From the ciphersuite rollback attack to LogJam, SSL/TLS has seen a diverse set of problems. From the HMAC-then-Encrypt vs Encrypt-then-HMAC debate to the preference for Cipher Block Chaining (CBC) modes, the 90s was an innocent time in secure protocol design. Daniel Bleichenbacher had not yet started his assault on RSA and the types of side-channel attacks that enabled BEAST and POODLE had not yet been discovered. Over the next two decades, not only were weaknesses revealed in the protocol, but implementation flaws were found in even the most widely deployed SSL/TLS libraries. By following the security-relevant changes in SSL/TLS over the years we can paint a picture of the hard lessons learned by the cryptographic community over the history of this protocol all and how we can prevent ourselves from repeating the mistakes of the past.

Additional information

Type lecture
Language English

More sessions

12/27/15
Failosophy
Ryan Lackey
Hall G
Datahavens have long been discussed as a solution to user security and privacy needs. Instinctively, the idea of physical locations where servers for communications, financial privacy, and other services can work is easily understood and seems appealing. As a founder of the HavenCo datahaven on Sealand in 2000, I saw firsthand the potential and the pitfalls of this approach.
12/27/15
Failosophy
David Kaplan
Hall 1
Software design and testing is hard, but what happens when each bug fix can cost months of delay and millions of dollars? In this talk we’ll take a behind-the-scenes look at the challenges in the design of a very complex, yet critical piece of hardware: the modern x86 CPU.
12/28/15
Failosophy
Gregor Ruttner
Hall 2
„Never ever say no, act your first thought and learn to love mistakes“ – these are the basic rules of improv theatre. I will show how this can be adopted for everyday life.
12/29/15
Failosophy
Peter Stuge
Hall 2
In 2010 I was asked by the second maintainer in a row to take over as new maintainer of the libusb project. The first time I had declined. The second time I accepted, and sadly failed. Eventually a hostile fork emerged, with the explicit goal to take over the original project. I will tell you my story, which mistakes I made and what I learned - about independent and corporate contributors in open source projects, about package maintainers in downstream OS distributions, about trolls on the ...
12/30/15
Failosophy
BoB Marvan
Hall 2
What do you want? Did you build your web/app for humans or NSA robots? Let's make it usable for human beings. I'd like to show you some basic design mistakes and how to avoid them to improve usability of your web or app. Why? Because it's worth it and I'm good in it.
12/30/15
Failosophy
dalmoz
Hall 1
For the past 3 years I have been delivering a custom-tailored DDoS attacks for organizations that wanted to test out their DDoS defense systems.