Improper Use of SSL

Improper Use of SSL
Mingzhe Du
Improper Use of SSL
1. Overview of the Sin
2. The Sin Explained
3. Related Sins
4. Spotting the Sin Pattern
5. Spotting the Sin During Code Review
6. Redemption Steps
1. Overview of the Sin
Secure Sockets Layer (SSL), along with its successor, Transport Layer Security (TLS), is the most popular protocol in the world for creating secure network connections. It is widely used in browsers to secure electronic commerce. For brevity, we'll refer to SSL and TLS simply as SSL.
1. Overview of the Sin
How do we apply SSL? Programmer APIs generally replace the traditional point-to-point TCP socket abstraction with a "secure socket". Seems simple? Just replace regular sockets with SSL sockets and add a simple login that runs over the SSL connection.
Figure: SSL handshake with two-way authentication using certificates [1]
2. The Sin Explained
SSL is a connection-based protocol. The primary goals of SSL:
1. Transfer messages between two parties over a network.
2. The two parties know, as definitively as is reasonable, to whom they're talking.
3. Ensure that messages are not readable or modifiable by an attacker.
2. The Sin Explained
SSL uses a client-server model. The client and the server authenticate to each other. Most of the world uses a Public Key Infrastructure (PKI).
1. The server creates a certificate.
2. But the client needs to know that the certificate really does belong to the server.
3. CA, such as
CA
1. The client needs to have pre-installed root certificates for common CAs.
2. If it does have the CA signing key, it needs to validate the signature.
• The certificate is generally only valid for a period of time, just like a credit card. (The longer a certificate exists, the greater
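As an added example that is not part of these slides, the following Python (standard library only) puts the "just swap in a secure socket" misconfiguration beside a client context that does what the CA slide asks for: trust only pre-installed roots, match the certificate to the host name, and check the validity period. The certificate fields, host names and helper functions are constructed for illustration and are not from the slides.

```python
import ssl
def make_verifying_context() -> ssl.SSLContext:
    # PROTOCOL_TLS_CLIENT turns on check_hostname and CERT_REQUIRED by default;
    # load_default_certs() supplies the pre-installed root CAs the slides mention.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx  # use as ctx.wrap_socket(sock, server_hostname=host)

def make_unverified_context() -> ssl.SSLContext:
    # The sin: a "secure socket" that accepts any certificate from anyone.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings that make a client context an improper use of SSL (a code-review check)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate not matched against the host name")
    return findings

def check_validity_period(cert: dict, now: float) -> str:
    """notBefore/notAfter check on a getpeercert()-style dict: 'valid', 'not yet valid' or 'expired'."""
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match against DNS subjectAltName entries; only a left-most '*' label acts as a wildcard."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        pattern = value.lower().split(".")
        if kind == "DNS" and len(pattern) == len(host) and all(
            p == h or (p == "*" and i == 0) for i, (p, h) in enumerate(zip(pattern, host))
        ):
            return True
    return False

# Constructed sample certificate fields, in the shape SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 14 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
}
```

With a real connection, `wrap_socket(..., server_hostname=host)` performs the chain, host-name and validity checks itself; the helpers above make each of those checks visible for review of code that bypasses them.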

This note was uploaded on 12/13/2011 for the course CSCE 548 taught by Professor Farkas during the Spring '10 term at South Carolina.
