TLS talk by Nick Sullivan of CloudFlare. Public-key crypto, data encapsulation, certificate validation, SSL handshake (Diffie-Hellman). TLS provides authenticity. Public Key Infrastructure (PKI). Certificate anatomy. Certificate chain of trust. Signature validation. Trust store. RSA & Diffie-Hellman. Key derivation parameters. Man-in-the-middle attack (MitM): use an untrusted certificate or a fake signature. gnutls. Goto Fail, SSLVerifySignedServerKeyExchange. PKCS #1 v1.5. DigestInfo and MessageDigest. ASN.1. libsodium, NaCl. BERserk, NSS bug: integer overflow in ASN.1 parsing, initial bytes of the length are ignored. Allows the cube of a forged message. Issues of trust. How many Certificate Authorities (CAs) do you trust? 46 countries have a valid CA and can trivially forge any certificate. Local-network transparent man-in-the-middle proxies used to snoop on TLS/SSL/HTTPS. Entities doing this: OEMs, malware, hackers, anti-virus software, corporate IT departments, country-level inspection proxies. Country of Kazakhstan. Locally installed roots bypass key pinning. Some proxies do not validate external certificates correctly, allowing additional MitMs to go unnoticed. Trust is hard and complex. Bad code, bad infrastructure, bad administration, bad politics. NSS, BoringSSL, Common Crypto, schannel, OpenSSL / GnuTLS. Apache, Microsoft IIS, Nginx, Google Servlet Engine (GSE). Heartbleed. Defcon. Memory space separation of confidential data and private keys. Formal security audit & verification methods. Protocol bugs. HTTP is great for crypto attacks because of its "repeated plaintext" (cookies, passwords, CSRF tokens) and "chosen plaintext" (URI). Classic things you shouldn't do. CRIME & BREACH. ARP spoofing. Injecting JS, making cross-origin requests. TLS errors can trigger browsers to re-send the request. Packet sniffer. Inserting padding to align compression blocks. BREACH is still exploitable on many web sites. Cipher Block Chaining (CBC) mode of encryption. MAC-then-encrypt. Padding oracle.
Timing redux, Lucky 13. Timing side-channel attack. Incorrect padding -> no HMAC computed, fast; correct padding -> HMAC computed, slow. HMAC over different data lengths takes different time and leaks information about the content being HMACed. Which is awesome with compressed data, because it tells so much about the message payload. Downgrade attacks. Export ciphers. Cipher suites: key exchange, certificate key, transport cipher, integrity / KDF. Cipher suite negotiation. Key generation, random number generation (PRNG, TRNG, RNG). Session key. Handshake is only partially authenticated. Logjam: crack export DH parameters. FREAK: crack the export key. POODLE: padding oracle and a downgrade attack combined. TLS POODLE: the same, via an exploitable implementation bug. MD5 collision attack. WeakDH. TLS v1.2 client support. Trusting unauthenticated data is a bad idea. Don't MAC-then-encrypt. Do use AEAD. X.509 and ASN.1 are hard to implement correctly. Copious side channels. If any information leaks, it's over; it usually allows decrypting the rest. The talk skipped a few issues like: Bleichenbacher RSA decryption oracle, Schannel RCE, Triple Handshake, CA problems (DigiNotar, Comodo, Symantec), RC4 cipher weaknesses, bignum vulnerabilities, forward secrecy issues and more. There are many issues out there. CurveSwap: ECDH active MitM attack using small weak curves and solving the Discrete Logarithm Problem (DLP), optimized using the Index Calculus Algorithm (ICA). Using the weak sect163k curve. Great question: how to get clients to upgrade their software to secure versions when they're using legacy systems. Modern security model for operating systems. Common modern insecure smart devices and Internet of Things (IoT) applications. Lack of proper access control, insecure protocols, unprotected services and resources. Cynara. ICMP tunneling as a covert channel, open source as pingtun. Rootless ICMP tunnel. BorgBackup, hey that's interesting.
I'm not completely happy with current backup solutions, as you might have noticed from my blog. I've also made many suggestions on how to improve Duplicati / Duplicity 1.3.4 and Duplicati 2.0. Borg offers deduplication, compression using several different algorithms, authenticated encryption, content-defined chunking, chunk deduplication. No Windows binaries, ssh required. Well, not the answer I was looking for. Deduplication between clients / customers is also problematic if per-customer privacy should be retained. Or a per-block encryption key based on content could be used. Yet it still reveals that these systems are sharing block X, which in some cases is unacceptable.
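The trade-off in the last paragraph, as an added example (my code, not Borg's): a toy content-defined chunker (Borg uses a buzhash rolling hash; the per-position hash here is a constructed stand-in with the same property), chunk ids derived from content (convergent) versus ids keyed per customer, run over constructed data so `demo()` shows that content-derived keys let the store deduplicate across customers but also let it see which blocks two customers share, while per-customer keys hide that at the cost of cross-customer dedup.

```python
import hashlib
import hmac

WINDOW = 16       # bytes hashed at each position to decide whether to cut
MASK = 0xFF       # cut when the low 8 bits are zero: ~256-byte average chunk
MAX_CHUNK = 4096  # forced cut so a chunk can never grow without bound

def chunk(data: bytes) -> list:
    # Content-defined chunking: a boundary depends only on the bytes in the
    # window, so identical content chunks identically at any offset. (Borg uses
    # a buzhash rolling hash; this per-position hash is a constructed stand-in.)
    chunks, start = [], 0
    for i in range(WINDOW, len(data)):
        h = hashlib.blake2b(data[i - WINDOW:i], digest_size=4).digest()
        if (int.from_bytes(h, "big") & MASK) == 0 or i - start >= MAX_CHUNK:
            chunks.append(data[start:i])
            start = i
    chunks.append(data[start:])
    return chunks

def convergent_id(blob: bytes) -> str:
    # Key derived from the content itself: identical chunks get the same key and
    # the same storage id for every customer, so the store can dedup across them.
    key = hashlib.sha256(blob).digest()
    return hmac.new(key, b"chunk-id", hashlib.sha256).hexdigest()

def customer_id(customer_key: bytes, blob: bytes) -> str:
    # Id keyed per customer: identical content gets unrelated ids for different
    # customers, so sharing stays hidden (and cross-customer dedup is lost).
    return hmac.new(customer_key, blob, hashlib.sha256).hexdigest()

def constructed_bytes(seed: bytes, n: int) -> bytes:
    # Deterministic pseudo-random test data, constructed for this example.
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def demo() -> dict:
    # Two customers back up the same 16 KiB file at different offsets; count how
    # many chunk ids a storage operator sees in common under each scheme.
    shared = constructed_bytes(b"shared-file", 16384)
    a = constructed_bytes(b"a-private", 3000) + shared
    b = shared + constructed_bytes(b"b-private", 5000)
    chunks_a, chunks_b = chunk(a), chunk(b)
    key_a, key_b = constructed_bytes(b"key-a", 32), constructed_bytes(b"key-b", 32)
    conv_a, conv_b = {convergent_id(c) for c in chunks_a}, {convergent_id(c) for c in chunks_b}
    priv_a = {customer_id(key_a, c) for c in chunks_a}
    priv_b = {customer_id(key_b, c) for c in chunks_b}
    return {"convergent": len(conv_a & conv_b), "per_customer": len(priv_a & priv_b)}
```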