ISG OWASP Seminar - Thurs 8th March 2012

On Thursday 8th March 2012 the ISG and OWASP (Open Web Application Security Project) will hold a joint seminar at Royal Holloway. There will be two talks, by Tobias Gondrom and Viet Pham.

Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs - Tobias Gondrom
"In recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the DigiNotar breach) and, based on the current trust models (trusting all registered CAs equally for all domains), exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption are the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach has been partly tested in Chrome, and already helped identify and protect to some extent Google's web application in the recent DigiNotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."
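To make the pinning check in the abstract concrete, here is an added example (not code from the talk or from any browser) of both sides of it: the server announces fingerprints of its certificates in a header, the client stores them, and a presented chain must contain a pinned certificate on top of ordinary CA validation. The header name and syntax are assumptions modelled on the draft the abstract refers to (the published draft pins the SHA-256 of the public key rather than of the whole certificate, as done here), and the certificates are constructed byte strings so the code runs offline.

```python
import base64
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded certificates (labelled byte strings so the
# example runs offline; real code would hash the actual certificate bytes).
SITE_LEAF = b"constructed: leaf certificate for www.example.com, key A"
SITE_INTERMEDIATE = b"constructed: intermediate CA certificate, key B"
ROGUE_LEAF = b"constructed: leaf for www.example.com issued by a compromised CA"
ROGUE_CA = b"constructed: compromised CA certificate"

def fingerprint(cert_der: bytes) -> str:
    """Pin value: base64 of the SHA-256 digest of the certificate bytes."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()

def build_pin_header(certs: list, max_age: int, include_subdomains: bool) -> str:
    """Server side: commit to these certificates for max_age seconds (assumed syntax)."""
    parts = ['pin-sha256="%s"' % fingerprint(c) for c in certs]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

@dataclass
class PinPolicy:
    host: str
    pins: set = field(default_factory=set)
    max_age: int = 0
    include_subdomains: bool = False

def parse_pin_header(host: str, header: str) -> PinPolicy:
    """Client side: remember the pins a host announced. A policy with a single pin
    is refused, since losing that one key would lock every client out of the site."""
    policy = PinPolicy(host)
    for directive in (d.strip() for d in header.split(";")):
        name, _, value = directive.partition("=")
        if name.lower() == "pin-sha256":
            policy.pins.add(value.strip('"'))
        elif name.lower() == "max-age":
            policy.max_age = int(value)
        elif name.lower() == "includesubdomains":
            policy.include_subdomains = True
    if len(policy.pins) < 2:
        raise ValueError("need at least one backup pin")
    return policy

def chain_matches(policy: PinPolicy, chain: list) -> bool:
    """Extra check after CA validation: some certificate in the presented chain
    must match a pin. A mis-issued certificate from another CA fails here."""
    return any(fingerprint(cert) in policy.pins for cert in chain)
```

The rogue chain below chains to a CA the client would otherwise trust, which is exactly the case the CA trust model alone cannot catch and pinning does.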

Implementing cryptography: good theory vs. bad practice - Viet Pham
Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that many cryptographic mechanisms are mathematically proven secure, or trusted to be secure given some mathematical reasoning. However, to take full advantage of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner, to provide a desired security goal. However, without a strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where they spread, and how bad they may turn out.

The ISG / OWASP meetings offer an excellent opportunity to invite a leading industry expert to present, giving value both to our current MSc students and to our network of alumni. In addition, it allows us to build on the existing relationship with OWASP (both founders, Mark Curphey and Dennis Groves, are MSc alumni). From OWASP's perspective, it offers another route for them to achieve their goal of information sharing, and it also provides a chance to bring together academia and industry in a casual but informative atmosphere.

The seminar will be held in Bourne Lecture Theatre 2 at Royal Holloway, University of London on Thursday 8th March 2012 from 6pm. For further details, please email Dennis Groves.