This week I talked to Sean Cody who is a local Unix administrator with a strong interest in security, especially Secure Sockets Layer (SSL). We got on Skype and talked about various issues to do with SSL, such as trust and proper creation and handling of certificates.
DEFCON 17: More Tricks For Defeating SSL presentation by Moxie Marlinspike - Sean attended this talk and “it just completely opened my eyes to how weak SSL ‘as typically assumed’ is.”
A whitepaper about untrusted root certificates - This ‘whitepaper’ is decent: not great, but not terrible, on the topic of untrusted root certs.
A very nice cheat sheet - the most common OpenSSL commands.
A lesson in timing attacks - One of the many ways attackers can subvert an encrypted channel to retrieve a cookie.
We talked about a lot of things this week having to do with SSL, and, surprisingly, most of them focused on the identity aspect, that is, “am I talking to the person/thing I think I am”, as opposed to the encryption part. After our discussion I have a renewed appreciation for this phase; it is indeed more important than most give it credit for.