Classification: Public
Welcome to the SBA Live Academy
#bleibdaheim #remotelearning
Today: CRLite: Revocation for X.509 certificates in the browser – this time for real?
by Mathias Tausig
This talk will be recorded as soon as the presentation starts!
Recording will end BEFORE the Q&A Session starts.
Please be sure to turn off your video in your control panel.
CRLite
Revocation for X.509 certificates in the browser – this time for real?
SBA Research gGmbH, 2020
The sad story of revocation
Revocation
• The problem only arose with asymmetric cryptography
• Subject creates a public/private keypair
• A trusted Certification Authority signs the public key to vouch for its ownership -> certificate
• Certificate is valid for a limited amount of time
• Things can go wrong in that timeframe
o Broken algorithms
o Key compromise
o Organisational problems
o Misissued certificates
• -> Revocation tells the world that a certificate has become invalid before its expiration date
Revocation
• Certificate Revocation List (CRL)
o List of all revoked certificates of that CA
o Too large to be downloaded on every HTTPS connection (MBs)
• Online Certificate Status Protocol (OCSP)
o Query the status of a single relevant certificate
o Privacy concerns
o Hard failure vs. soft failure (= single point of failure vs. useless)
o Very resource intensive (Comodo 2013: 2,000,000,000 requests/day)
Revocation
• OCSP Stapling
o Server queries the OCSP response and sends it to the client with the TLS handshake
o Server can simply hold back an OCSP response that carries revocation information
o Bad implementations in web servers
• OCSP Must-Staple
o Certificate extension indicating that the certificate is only valid in conjunction with a stapled OCSP response
o Again: bad or incomplete support. Hardly used
Revocation Workarounds
• OneCRL/CRLSet/…
o Browser vendor compiles a list of revoked certificates and pushes it directly to the browser
o Does not scale, only usable for high value domains
• Short lived certificates
o The shorter a certificate’s lifespan, the shorter the period in which a compromised key can be exploited
o TLS certificates were originally valid for up to 5 years
o Maximum lifetime of 2 years since 2018
o Ballot to reduce it to 1 year failed in the CA/B Forum in 2019; unilateral push by Apple announced in 2020
o Let’s Encrypt: 3 months
Summary
Revocation for the WebPKI is weird …
• Most complicated part of operating a CA (legal & standard requirements)
• Currently mostly broken & unused
• Consumes a lot of effort, yet is not really important
CRLite to the rescue
CRLite
Overview
• Proposed by Larisch, Choffnes et al. at IEEE S&P 2017 (universities & Akamai)
• Compile a list of all revocations, like OneCRL
• Store it efficiently using cascading Bloom filters
Bloom Filter
• Extremely fast and storage efficient data index
• Data can only be added to the filter, never removed
• User can query whether some data is in the filter
o "Object not in the filter" (always correct)
o "Object probably in the filter"
• Probabilistic data structure
• False positive probability depends on filter size, configuration (number of hash functions) and number of entries
CRLite
Workflow
• Download all CRLs
• Store the unique certificate identifier (hash of public key + serial number) of all revoked certificates in a Bloom filter
• Check for false positives in the filter
o Download all certificates from certificate transparency logs and test each non-revoked one against the filter
• Store the false positives in a second, much smaller, cascading Bloom filter
• Continue until no false positives are left
• Push the filter to the browser
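The following is an added example, not code from the slides, the CRLite paper or Mozilla's implementation. It puts the Bloom filter slide and the workflow above into working form: a minimal Bloom filter, the textbook false-positive formula for it, and a cascade that is built exactly as described (level 0 holds the revoked identifiers, every further level holds the false positives of the level before it, until none remain), together with the query logic a client would run. The certificate identifier encoding (SHA-256 over "issuer key hash | serial") and all sample certificates are constructed here for illustration; the issuer key hash is a placeholder string.

```python
"""Cascading Bloom filter for revocation lookups, modelled on the CRLite workflow.

Added example, not code from the slides, the CRLite paper or Mozilla.  The
certificate identifier encoding (SHA-256 over "<issuer key hash>|<serial>")
and all sample certificates are constructed here for illustration.
"""
import hashlib
import math


class BloomFilter:
    """Minimal Bloom filter: m bits, k positions per item derived from SHA-256."""

    def __init__(self, m_bits, k_hashes, salt):
        self.m = m_bits
        self.k = k_hashes
        self.salt = salt                      # distinct per cascade level
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(f"{self.salt}:{i}:".encode() + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))


def false_positive_rate(m_bits, n_items, k_hashes):
    """Expected false-positive probability (1 - e^(-kn/m))^k of one Bloom filter."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


def cert_id(issuer_key_hash, serial):
    """Unique certificate identifier: hash of (issuer public key hash, serial)."""
    return hashlib.sha256(f"{issuer_key_hash}|{serial}".encode()).digest()


def build_cascade(revoked, valid, bits_per_item=8, k_hashes=3, max_depth=50):
    """Build the filter cascade.

    Level 0 stores every revoked identifier.  Each following level stores the
    members of the *other* set that the previous level wrongly accepted (its
    false positives), and so on until a level has no false positives at all.
    `valid` is the set of all non-revoked certificates known from CT logs; the
    cascade is only exact for identifiers drawn from revoked | valid.
    """
    levels = []
    include, exclude = set(revoked), set(valid)
    for depth in range(max_depth):
        m = max(8, bits_per_item * len(include))
        bf = BloomFilter(m, k_hashes, salt=f"level{depth}")
        for item in include:
            bf.add(item)
        levels.append(bf)
        false_pos = {x for x in exclude if x in bf}
        if not false_pos:
            return levels
        # Next level must hold the false positives and exclude this level's set
        include, exclude = false_pos, include
    raise RuntimeError("cascade did not converge")


def is_revoked(levels, item):
    """Query the cascade.  Membership in an even level means 'revoked';
    membership in the following odd level retracts that, and so on."""
    for depth, bf in enumerate(levels):
        if item not in bf:
            return depth % 2 == 1   # verdict of the previous level stands
    return (len(levels) - 1) % 2 == 0  # survived every level: last level decides


def demo():
    """Constructed data set: 200 revoked and 2000 valid certs from one issuer."""
    issuer = "ISSUER-KEY-HASH-PLACEHOLDER"
    revoked = {cert_id(issuer, f"R{i}") for i in range(200)}
    valid = {cert_id(issuer, f"V{i}") for i in range(2000)}
    levels = build_cascade(revoked, valid)
    total_bits = sum(bf.m for bf in levels)
    return levels, revoked, valid, total_bits


if __name__ == "__main__":
    levels, revoked, valid, total_bits = demo()
    print(f"{len(levels)} levels, {total_bits} bits total "
          f"for {len(revoked)} revoked / {len(valid)} valid identifiers")
    print("all revoked detected:", all(is_revoked(levels, r) for r in revoked))
    print("no valid flagged:   ", not any(is_revoked(levels, v) for v in valid))
```

Two properties of this construction matter for the browser. First, the cascade is only exact for the universe it was built from, which is why the workflow needs certificate transparency: a certificate the builder never saw can land on either side. Second, the levels shrink quickly (each one holds only the false positives of the previous one, roughly 3% of its input at these parameters), so almost all of the storage cost is the first level, and the total stays far below a CRL listing the same serials.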
CRLite at Mozilla
• Activated in Firefox Nightly (only for telemetry)
• Filter compiled 4 times a day
• Covers 100M of 152M certificates, 750k revocations
o Missing: CRL errors, CAs without a CRL (Let’s Encrypt!)
• Filter generation takes ~1h; requires 16 GB memory and 7 GB storage
• Filter size: 1.3 MB
• Faster than OCSP in 99% of cases
References
• https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf
• https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/
• https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/
• https://scotthelme.co.uk/crlite-finally-a-fix-for-broken-revocation/
• https://www.imperialviolet.org/2014/04/19/revchecking.html
• https://scotthelme.co.uk/revocation-is-broken/
Key take-aways
1. Certificate revocation in the browser is currently broken
2. Pushing lists of revoked certificates to the browser is the only thing that works
3. Bloom filters allow extremely compact storage
4. Certificate transparency is the necessary enabling technology
Mathias Tausig
SBA Research gGmbH
Floragasse 7, 1040 Wien
+43 1 5053688 1512
mtausig@sba-research.org
Professional Services
Penetration Testing
Architecture Reviews
Security Audit
Security Trainings
Incident Response Readiness
ISMS & ISO 27001 Consulting
Bridging Science and Industry
Applied Research
Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
SBA Research
Knowledge Transfer
SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org