Tuesday, August 25, 2015

Best SSL/TLS resources (Attacks, Tools, Talks)

7:40 AM Posted by ASM




This article references the best current resources on SSL/TLS (last update 25 August 15). If you have other references you think should be included, please point them out in the comment section and we'll include them:

Attacks:

BEAST: implicit initialization vector in CBC mode 

CRIME: use compression as an auxiliary channel

TIME & BREACH: enhanced version of CRIME attack

LUCKY 13: padding oracle in CBC

RC4: statistical bias

POODLE: padding oracle in CBC for SSL 3.0

Triple Handshake: Impersonate client by retrieving credentials when connecting to a malicious website

GOTO fail in Apple: Bad coding practice leading to certificate validation failure

GOTO fail in GnuTLS: Bad coding practice leading to certificate validation failure

Heartbleed: stack overflow in read operation

Universal Signature Forgery in NSS: A flaw in the Network Security Services (NSS) library allows attackers to create forged RSA certificates

Server Code Execution in SChannel: Remote code execution vulnerability in the Microsoft Server

Early CCS: error in the state machine of OpenSSL

SMACK/FREAK/SKIP-TLS: Vulnerabilities in some SSL implementations that could disable encryption or downgrade it to weak, crackable encryption

LogJam: Downgrade attack similar to FREAK, but the result of a flaw in the protocol rather than a flaw in the implementation

Tools:

TrustKit: iOS 8+ universal SSL pinning without the need to change the code.
https://datatheorem.github.io/TrustKit/


FlexTLS: Tool for testing TLS implementations and easier writing of attack PoCs.
https://www.smacktls.com/

nogotofail: on-path blackbox network traffic security testing tool
https://github.com/google/nogotofail

Talks:

2015:

TrustKit: Code injection in iOS 8 for the greater good

Breaking HTTPS with BGP Hijacking

SSL/TLS current status, 3 years after (French)

FLEXTLS: A Tool for Testing TLS Implementations

Prying Open Pandora's Box: KCI Attacks against TLS





