seminar: Tricks For Defeating SSL In Practice

Monday, May 18, 2009

Tricks For Defeating SSL In Practice

Moxie Marlinspike, Fellow, Institute for Disruptive Studies

12:00pm
INI Distributed Education Center (DEC), CIC Building *L level


Talk Abstract

This talk will introduce a class of vulnerabilities which focuses on attacking the bridge between HTTP and HTTPS. Specifically, this talk will detail some new tools and techniques that allow attackers to silently strip SSL from traffic intended for HTTPS in common web applications such as online banking and webmail logins. In practice, these tricks prove deadly for allowing attackers to silently alter, inject, and log traffic that should otherwise be secure. Real-world field testing data will be provided.

Speaker Bio

Moxie Marlinspike is a fellow at the Institute for Disruptive Studies with over thirteen years of experience in attacking networks. He is the author of sslsniff and sslstrip, the former of which was used by the MD5 Hash Collision team to deploy their rogue CA cert. His tools have been featured in many publications including Hacking Exposed, Forbes Magazine, The Wall Street Journal, the New York Times, and Security Focus as well as on international TV.