This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Thursday, October 13 • 3:30pm - 4:30pm
HTTPS & TLS in 2016: Security practices from the front lines

Sign up or log in to save this to your schedule and see who's attending!

Implementing strong security for Internet‐facing services has grown more challenging and more complex over the past two years. With protocol‐level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long‐held assumptions about foundation system network code. What are the right tradeoffs between modern network security requirements versus widespread legacy client and user interoperability? How do we apply these to traditional Apache and Nginx servers, mobile app web services, and non‐browser infrastructure like libcurl, proxies, API endpoints, and load balancers? And what's the deal with Curve25519, ChaCha/Poly1305, LibSodium, BoringSSL, and LibreSSL?
Here, we present a practitioner's crash guide to modern site and web service endpoint encryption using HTTPS. We cover the "TLS 101" (and 201) fundamentals of certificates: ECDSA vs RSA, 2K vs 4K, ephemeral Diffie‐ Hellman (elliptic curve versus static), Domain Validation vs Extended Validation. We'll talk about intermediate and root authorities (and why Superfish is such a problem), and then look at some best practices around https including certificate transparency (CT), pinning (HPKP), and strict transport security (HSTS). Lastly, we'll give updates from the OpenSSL 1.1 audit, and point to well curated configuration guides and recipes for https and TLS.

avatar for Eric Mill

Eric Mill

Eric Mill is a software engineer and advocate for a web that is safe and secure for all of its users. Eric is currently an advisor and engineer in a federal government agency, and has previously worked at the Sunlight Foundation on open data infrastructure and policy.
avatar for Kenneth White

Kenneth White

Director, Open Crypto Audit Project
Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), currently managing a large‐scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. In his day job, White leads an applied R&D team for Dovel Labs, working with federal clients on mission system security and cloud automation. Previously, he was Principal Scientist... Read More →

Thursday October 13, 2016 3:30pm - 4:30pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

Attendees (95)