Sunday, January 3, 2010

Moxie Marlinspike SSL video

Happy New Year! I'm catching up on some of the material I wanted to blog about last year, but just didn't get to. This post is about a talk that is definitely more advanced, aimed at someone interested in learning about cybersecurity, specifically secure web browsing, in more depth.

One of the security vulnerabilities that made news in 2009 came from a hacker/security researcher going by the name Moxie Marlinspike, who found an interesting vulnerability in how we have implemented PKI, which provides identities for SSL/TLS, which in turn provides the security for HTTPS. Whew, that's a lot of acronyms, sorry. The short version would be "how we do secure web browsing".

While the exploit has largely been dealt with at this point, Moxie's talk is posted online and is interesting to watch from an educational perspective because it gives a good overview of HTTPS, PKI and the fundamentals of secure web browsing.

The exploit itself is also interesting in that it shows how a seemingly innocuous thing (how we choose to encode strings) can come back to bite us. Moxie also touches on how this exploit could be used to attack OCSP and automatic software updates. It's a good example of how a little thing can be extended to attack complicated systems.

The video is about an hour long. It does include one use of adult language (sh*t).

