SSL News from Black Hat and DEF CON

Bruce Morton

I like to follow up each year with the SSL news from Black Hat USA and DEF CON 20. I was just looking for my 2011 follow-up and found out that I never released it. Unfortunately, I started the write-up just before the DigiNotar fiasco and never finished it.

So what SSL presentations occurred in 2012? Nothing. Well, at least none that my reporters told me about as I didn’t actually attend either conference.

On the other hand, the SSL industry has not been idle since 2011. The attacks on Comodo and Vasco/DigiNotar highlighted some vulnerabilities. There were also known certificate management issues, since there was no standard governing the issuance of non-EV SSL certificates. As a result, the following happened:

  • Browser vendors such as Microsoft and Mozilla increased the requirements of their certificate policies
  • The CA/Browser Forum released the Baseline Requirements for all publicly-trusted SSL certificates
  • Most CAs became compliant with the Baseline Requirements by the target date of July 1, 2012
  • The CA/Browser Forum released Network and Certificate System Security Requirements

Just to be complete, the 2011 shows had three topics about SSL:

  • SSL and the Future of Authenticity by Moxie Marlinspike
    This is an introduction to his concept of Convergence. More information can be found at his website.
  • The Ultimate Study of Real-Life SSL Issues by Ivan Ristić
    This is a study of the typical SSL deployment issues, such as key size, SSL/TLS protocol support and mixed content. I didn’t find the presentation slides, but here is a blog on the subject and an earlier presentation.
  • Getting SSLizzard by Nicholas Percoco and Paul Kehrer
    A presentation about the SSL issues with mobile devices.
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
