I like to follow up each year with the SSL news from Black Hat USA and DEF CON 20. I was just looking for my 2011 follow-up and found out that I never released it. Unfortunately, I started the write-up just before the DigiNotar fiasco and never finished it.
So what SSL presentations occurred in 2012? Nothing. Well, at least none that my reporters told me about as I didn’t actually attend either conference.
On the other hand, the SSL industry has not been idle since 2011. The attacks on Comodo and Vasco/DigiNotar highlighted some vulnerabilities. There were also known certificate management issues as there was no standard for the issuance of non-EV SSL certificates. As a result, the following happened:
- Browser vendors such as Microsoft and Mozilla increased the requirements of their certificate policies
- The CA/Browser Forum released the Baseline Requirements for all publicly-trusted SSL certificates
- Most CAs became compliant with the Baseline Requirements by the target date of July 1, 2012
- The CA/Browser Forum released Network and Certificate System Security Requirements
Just to be complete, the 2011 shows had three topics about SSL:
- SSL and the Future of Authenticity by Moxie Marlinspike
This is an introduction to his concept of Convergence. More information can be found at his website.
- The Ultimate Study of Real-Life SSL Issues by Ivan Ristić
This is a study of the typical SSL deployment issues such as key size, SSL/TLS protocol support and mixed content. I didn’t find the presentation slides, but here is a blog on the subject and a former presentation.
- Getting SSLizzard by Nicholas Percoco and Paul Kehrer
A presentation about the SSL issues with mobile devices.