Brian Ritchie, profile picture
Uploaded byBrian Ritchie
3,293 views

Introduction to SSL and How to Exploit & Secure

The document discusses SSL/TLS, how it works to securely transmit data between endpoints, and potential vulnerabilities. It provides an overview of SSL/TLS protocols and how data is encrypted and transmitted. It then outlines several common endpoint issues that can compromise SSL/TLS, such as inconsistent DNS configurations, self-signed certificates, incomplete certificates, and mixing plain text and encrypted sessions. Exploiting these issues allows man-in-the-middle attacks that can intercept and decrypt encrypted traffic.

Embed presentation

SSL/TLS Introduction and How to exploitBy BRIAN RITCHIETwitter : twitter.com/brianritchieFacebook : facebook.com/brianritchie
Who Am I ?Co worked on the Enterprise Architecture for some of the largest regional as well as international companiesRolled out the first official OSS Centre of Excellence strategy and implementation for a local Financial InstitutionExperience with large scale Project Management for core systemsDesigned and Implemented Research and Incubation Services for large scale corporationsAll rounded Geek
What is SSL ?An introduction
Some HistoryOriginally proposed by Netscape in the 90 sEvolved from SSL 1.0, 2.0, 3.0 and now to the Transport Layer Security or TLSDeveloped with the intention of providing security for communications over networksIs used heavily today for ecommerce, and other web applications/services which require a higher level of security
What is SSL ?Intermediate layer between the Transport layer and the Application layerHas 2 main functions :Establish a secure connection between peersSecure is defined as = Authentic and ConfidentialUse the secure connection to transmit higher layer protocol data from sender to recipient
Let’s delve in a little deeper here
How does SSL transmit data ?SenderBreaks data down into manageable pieces called fragmentsEach fragment is compressed, authenticated with a MAC, encrypted, prepended with a header and transmittedRecipientNOTE :: These fragments are what we call SSL recordsThe fragments are decrypted, verified through MACs, decompressed and reassembled.
Just a little bit more theory and we’ll go to some cooler stuff
Graphical View of SSLApplication LayerSSL Handshake ProtocolSSL Change Cipher Spec ProtocolSSL Alert ProtocolApplication Data ProtocolApplication LayerSSL Record ProtocolTransport LayerNetwork LayerNetwork Access LayerTCPUDPIP
What are these protocols ?SSL Handshake Protocol – Core protocol. Allows peers to authenticate between themselves and negotiate a suitable cipher suite and compression method for both partiesSSL Change Cipher Spec Protocol – Allows peers to change ciphering strategy and the cryptography protection usedSSL Alert Protocol – Allows peers to signal for potential problem symptoms and exchange alert messagesSSL Application Data Protocol – Workhorse. Takes the higher level data and feeds it to the SSL Record protocol for cryptographic protection and secure transmission
What’s good about SSL ?
Plus pointsVery widely usedWell designedPretty much secures the InternetSecure out of the box
Now to the cool OWASP part
What’s the Minus points ?No one pays attention to itThis means if you can break it, you’re the boss.Can be compromised through HTTP
Tools and Attack PrinciplesSslsniff and sslstrip make attacking it easy as piePrinciple of attack :MITM – The usual suspectApp and configuration issuesFake certificatesBad implementation
SSL Threat ModelsLets look at a small part today
Endpoint IssuesEndpointsBad Server Side ConfigurationSSL not enforcedBad certificate configurationPrivate Key not protectedUse weak protocolsUnpatched librariesMixed (SSL&Non-SSL) configurationsAnd many many more…
Lets take a deeper dive and look at some examples
Inconsistent DNS confighttp://www.example.com and http://example.com point to different webserversMicrosoft
Another exampleA good example : OWASP
Different Sites on port 80 and 443Both http://www.example.com and https://www.example.com must be the same websiteA lot of major companies fail to verify this
Self Signed SSL CertsTwo words : DON’T BOTHERThis causes more issues than it solves.It is significantly harder for you to maintain a secure, well configured SSL certIt is much easier and more secure to buy one from a legitimate provider
Badly Configured SSL ServersOut of the box SSL is pretty secure iff (– if and only if) the configuration fits your deployment.More often than not, you will need to tweak the settings to fit your deployment.Updating patches is also equally crucial
Incomplete certificatesA certificate has to encompass both http://example.com and http://www.example.comThey have to be the same siteThey must also be the same for the https://Your certificate must ensure that it is all-encompassing
Mixing SSL and Plain textTricky to implementActive user sessions can be compromisedSslstrip can perform MITM attacks and convert HTTPS to HTTP
There’s a few more but I’ll leave it there for now.
If you have any questions, contact me through the aboveTwitter : twitter.com/brianritchieFacebook : facebook.com/brianritchieOWASP MY Mailing List

More Related Content

PPT
SSL
bytheekuchi
 
PPT
Ssl (Secure Sockets Layer)
byAsad Ali
 
PPTX
Securing TCP connections using SSL
bySagar Mali
 
PPTX
Ssl in a nutshell
byFrank Kelly
 
PPTX
SSL overview
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PPSX
Secure socket layer
byNishant Pahad
 
PPTX
SSL/TLS 101
byChul-Woong Yang
 
PPTX
secure socket layer
byAmar Shah
 
SSL
bytheekuchi
 
Ssl (Secure Sockets Layer)
byAsad Ali
 
Securing TCP connections using SSL
bySagar Mali
 
Ssl in a nutshell
byFrank Kelly
 
SSL overview
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
Secure socket layer
byNishant Pahad
 
SSL/TLS 101
byChul-Woong Yang
 
secure socket layer
byAmar Shah
 

What's hot

PPTX
Ssl and tls
byRana assad ali
 
PPT
Introduction to Secure Sockets Layer
byNascenia IT
 
PPTX
SSL
byBadrul Alam bulon
 
PPT
What is SSL ? The Secure Sockets Layer (SSL) Protocol
byMohammed Adam
 
PPT
Secure Socket Layer (SSL)
byamanchaurasia
 
PPTX
Transport Layer Security (TLS)
byArun Shukla
 
PDF
Basics of ssl
byn|u - The Open Security Community
 
PPTX
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
byMonodip Singha Roy
 
PDF
SSL Secure socket layer
byAhmed Elnaggar
 
PDF
SSL/TLS Handshake
byArpit Agarwal
 
PPTX
Transport layer security (tls)
byKalpesh Kalekar
 
PPTX
Secure Socket Layer (SSL)
bySamip jain
 
PPT
Sniffing SSL Traffic
bydkaya
 
PPTX
SSL/TLS
bySirish Kumar
 
PPTX
Secure Socket Layer
byAbhishek Gupta
 
PPT
SSL Secure Socket Layer
byomkar bhagat
 
PDF
SSL/TLS
bypavansmiles
 
PDF
SSL intro
byThree Lee
 
PPTX
Transport layer security
byHrudya Balachandran
 
PDF
Transport Layer Security - Mrinal Wadhwa
byMrinal Wadhwa
 
Ssl and tls
byRana assad ali
 
Introduction to Secure Sockets Layer
byNascenia IT
 
SSL
byBadrul Alam bulon
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
byMohammed Adam
 
Secure Socket Layer (SSL)
byamanchaurasia
 
Transport Layer Security (TLS)
byArun Shukla
 
Basics of ssl
byn|u - The Open Security Community
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
byMonodip Singha Roy
 
SSL Secure socket layer
byAhmed Elnaggar
 
SSL/TLS Handshake
byArpit Agarwal
 
Transport layer security (tls)
byKalpesh Kalekar
 
Secure Socket Layer (SSL)
bySamip jain
 
Sniffing SSL Traffic
bydkaya
 
SSL/TLS
bySirish Kumar
 
Secure Socket Layer
byAbhishek Gupta
 
SSL Secure Socket Layer
byomkar bhagat
 
SSL/TLS
bypavansmiles
 
SSL intro
byThree Lee
 
Transport layer security
byHrudya Balachandran
 
Transport Layer Security - Mrinal Wadhwa
byMrinal Wadhwa
 

Similar to Introduction to SSL and How to Exploit & Secure

PDF
cybrpro-com-secure-sockets-layer-2025-security-.pdf
byCyberPro Magazine
 
PPTX
chp2 IS.pptx information security and data
bygallanandhini
 
PPTX
Module2 PPrwgerbetytbteynyunyunythyhtyT.pptx
byThanushB1
 
PPTX
Sequere socket Layer
byRaghavendra Rao
 
PPTX
SECURE SOCKET LAYER ( WEB SECURITY )
byMonodip Singha Roy
 
PPTX
Web Security and SSL - Secure Socket Layer
byAkhil Nadh PC
 
PDF
Network Security Unit 4.pdf for BCA BBA.
bySerpent6
 
DOCX
What is TLS/SSL?
byShehzad Imran
 
PDF
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
byAnant Shrivastava
 
PPTX
Secure Socket Layer.pptx
byJenish Prajapati
 
PPTX
Secure Sockets Layer (SSL)
byBGSBU Rajouri
 
PDF
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
byNiharikaDubey17
 
PDF
Details about the SSL Certificate
byCheapSSLUSA
 
PPT
ssl
bysjyuva
 
PPSX
BSET_Lecture_Crypto and SSL_Overview_FINAL
byGlenn Haley
 
PPTX
The last picks
byNafiur Rahman Tuhin
 
PDF
presentation2-151203145018-lva1-app6891.pdf
byGumanSingh10
 
PPT
SecureSocketLayer.ppt
byPranavUndre1
 
PPTX
SSL.pptx
byhammadhassan9507
 
PPTX
group no 6.pptx
byNIRAJSINGH339856
 
cybrpro-com-secure-sockets-layer-2025-security-.pdf
byCyberPro Magazine
 
chp2 IS.pptx information security and data
bygallanandhini
 
Module2 PPrwgerbetytbteynyunyunythyhtyT.pptx
byThanushB1
 
Sequere socket Layer
byRaghavendra Rao
 
SECURE SOCKET LAYER ( WEB SECURITY )
byMonodip Singha Roy
 
Web Security and SSL - Secure Socket Layer
byAkhil Nadh PC
 
Network Security Unit 4.pdf for BCA BBA.
bySerpent6
 
What is TLS/SSL?
byShehzad Imran
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
byAnant Shrivastava
 
Secure Socket Layer.pptx
byJenish Prajapati
 
Secure Sockets Layer (SSL)
byBGSBU Rajouri
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
byNiharikaDubey17
 
Details about the SSL Certificate
byCheapSSLUSA
 
ssl
bysjyuva
 
BSET_Lecture_Crypto and SSL_Overview_FINAL
byGlenn Haley
 
The last picks
byNafiur Rahman Tuhin
 
presentation2-151203145018-lva1-app6891.pdf
byGumanSingh10
 
SecureSocketLayer.ppt
byPranavUndre1
 
SSL.pptx
byhammadhassan9507
 
group no 6.pptx
byNIRAJSINGH339856
 

More from Brian Ritchie

PDF
Advanced Growth Marketing 101 by Brian Ritchie
byBrian Ritchie
 
KEY
Standardizing and Managing Your Infrastructure - MOSC 2011
byBrian Ritchie
 
PPTX
WiMAX_Intro
byBrian Ritchie
 
PDF
Make it Personal by Making it Local
byBrian Ritchie
 
PDF
Buzzwords, Statistics and Lies - True Drivers of Digital Marketing and Growth...
byBrian Ritchie
 
PDF
Growth by Segmentation - Part 1 by Brian Ritchie
byBrian Ritchie
 
PDF
Tell Your Story - Brian Ritchie
byBrian Ritchie
 
Advanced Growth Marketing 101 by Brian Ritchie
byBrian Ritchie
 
Standardizing and Managing Your Infrastructure - MOSC 2011
byBrian Ritchie
 
WiMAX_Intro
byBrian Ritchie
 
Make it Personal by Making it Local
byBrian Ritchie
 
Buzzwords, Statistics and Lies - True Drivers of Digital Marketing and Growth...
byBrian Ritchie
 
Growth by Segmentation - Part 1 by Brian Ritchie
byBrian Ritchie
 
Tell Your Story - Brian Ritchie
byBrian Ritchie
 

Recently uploaded

PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Transforming SAP® Processes Through Automation: 2026 Trends and Challenges.pdf
byPrecisely
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Tracing the Thread: Decoding the Decision-Making Process with GraphRAG
byEnterprise Knowledge
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
bysleepandremedies
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
HCI and Its Impact on individual quality of life.pdf
byParham Abolghasemi
 
PDF
DevSecOps Learning Path - TryHackMe Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Transforming SAP® Processes Through Automation: 2026 Trends and Challenges.pdf
byPrecisely
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Tracing the Thread: Decoding the Decision-Making Process with GraphRAG
byEnterprise Knowledge
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
bysleepandremedies
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
HCI and Its Impact on individual quality of life.pdf
byParham Abolghasemi
 
DevSecOps Learning Path - TryHackMe Certificate
byVICTOR MAESTRE RAMIREZ
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 

Introduction to SSL and How to Exploit & Secure

  • 1.
    SSL/TLS Introduction andHow to exploitBy BRIAN RITCHIETwitter : twitter.com/brianritchieFacebook : facebook.com/brianritchie
  • 2.
    Who Am I?Co worked on the Enterprise Architecture for some of the largest regional as well as international companiesRolled out the first official OSS Centre of Excellence strategy and implementation for a local Financial InstitutionExperience with large scale Project Management for core systemsDesigned and Implemented Research and Incubation Services for large scale corporationsAll rounded Geek
  • 3.
    What is SSL?An introduction
  • 4.
    Some HistoryOriginally proposedby Netscape in the 90 sEvolved from SSL 1.0, 2.0, 3.0 and now to the Transport Layer Security or TLSDeveloped with the intention of providing security for communications over networksIs used heavily today for ecommerce, and other web applications/services which require a higher level of security
  • 5.
    What is SSL?Intermediate layer between the Transport layer and the Application layerHas 2 main functions :Establish a secure connection between peersSecure is defined as = Authentic and ConfidentialUse the secure connection to transmit higher layer protocol data from sender to recipient
  • 6.
    Let’s delve ina little deeper here
  • 7.
    How does SSLtransmit data ?SenderBreaks data down into manageable pieces called fragmentsEach fragment is compressed, authenticated with a MAC, encrypted, prepended with a header and transmittedRecipientNOTE :: These fragments are what we call SSL recordsThe fragments are decrypted, verified through MACs, decompressed and reassembled.
  • 8.
    Just a littlebit more theory and we’ll go to some cooler stuff
  • 9.
    Graphical View ofSSLApplication LayerSSL Handshake ProtocolSSL Change Cipher Spec ProtocolSSL Alert ProtocolApplication Data ProtocolApplication LayerSSL Record ProtocolTransport LayerNetwork LayerNetwork Access LayerTCPUDPIP
  • 10.
    What are theseprotocols ?SSL Handshake Protocol – Core protocol. Allows peers to authenticate between themselves and negotiate a suitable cipher suite and compression method for both partiesSSL Change Cipher Spec Protocol – Allows peers to change ciphering strategy and the cryptography protection usedSSL Alert Protocol – Allows peers to signal for potential problem symptoms and exchange alert messagesSSL Application Data Protocol – Workhorse. Takes the higher level data and feeds it to the SSL Record protocol for cryptographic protection and secure transmission
  • 11.
  • 12.
    Plus pointsVery widelyusedWell designedPretty much secures the InternetSecure out of the box
  • 13.
    Now to thecool OWASP part
  • 14.
    What’s the Minuspoints ?No one pays attention to itThis means if you can break it, you’re the boss.Can be compromised through HTTP
  • 15.
    Tools and AttackPrinciplesSslsniff and sslstrip make attacking it easy as piePrinciple of attack :MITM – The usual suspectApp and configuration issuesFake certificatesBad implementation
  • 16.
    SSL Threat ModelsLetslook at a small part today
  • 17.
    Endpoint IssuesEndpointsBad ServerSide ConfigurationSSL not enforcedBad certificate configurationPrivate Key not protectedUse weak protocolsUnpatched librariesMixed (SSL&Non-SSL) configurationsAnd many many more…
  • 18.
    Lets take adeeper dive and look at some examples
  • 19.
    Inconsistent DNS confighttp://www.example.com and http://example.com point to different webserversMicrosoft
  • 20.
    Another exampleA goodexample : OWASP
  • 21.
    Different Sites onport 80 and 443Both http://www.example.com and https://www.example.com must be the same websiteA lot of major companies fail to verify this
  • 22.
    Self Signed SSLCertsTwo words : DON’T BOTHERThis causes more issues than it solves.It is significantly harder for you to maintain a secure, well configured SSL certIt is much easier and more secure to buy one from a legitimate provider
  • 23.
    Badly Configured SSLServersOut of the box SSL is pretty secure iff (– if and only if) the configuration fits your deployment.More often than not, you will need to tweak the settings to fit your deployment.Updating patches is also equally crucial
  • 24.
    Incomplete certificatesA certificatehas to encompass both http://example.com and http://www.example.comThey have to be the same siteThey must also be the same for the https://Your certificate must ensure that it is all-encompassing
  • 25.
    Mixing SSL andPlain textTricky to implementActive user sessions can be compromisedSslstrip can perform MITM attacks and convert HTTPS to HTTP
  • 26.
    There’s a fewmore but I’ll leave it there for now.
  • 27.
    If you haveany questions, contact me through the aboveTwitter : twitter.com/brianritchieFacebook : facebook.com/brianritchieOWASP MY Mailing List