RuhrSec Day 2022 // Why TLS is better without STARTTLS ... , Damian Poddebniak and Fabian Ising

RuhrSec is the annual English speaking non-profit IT security conference with cutting-edge security talks by renowned experts. RuhrSec is organized by Hackmanit.


Talk // Why TLS is better without STARTTLS

Abstract // TLS is one of today's most widely used and best-analyzed encryption technologies. However, for historical reasons, TLS for email protocols is often not used directly but negotiated via STARTTLS. This additional negotiation added complexity and was prone to security vulnerabilities such as naive STARTTLS stripping or command injection attacks in the past.

We performed the first structured analysis of STARTTLS in SMTP, POP3, and IMAP and introduced a semi-automatic testing toolkit (EAST) to analyze email clients. We used EAST to analyze 28 email clients and 23 email servers, resulting in over 40 STARTTLS-related issues. Only 3 out of 28 clients and 7 out of 23 servers did not show any STARTTLS-specific security issues. We conclude that STARTTLS is error-prone to implement, under-specified in the standards, and should be avoided.
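The two issue classes the abstract names, STARTTLS stripping and command injection through data the server sends before the TLS handshake, both come down to a client that fails open. The following is an added example, not code from the talk or from the EAST toolkit: a fail-closed STARTTLS negotiation for an SMTP client, run over a constructed in-memory transport with scripted server replies. The hostname `client.example` and all server lines are constructed; the two checks it models are that the client aborts when STARTTLS is not advertised or not accepted with a 220 reply, and that any plaintext bytes still buffered after the 220 reply are discarded rather than consumed as if they had arrived under TLS.

```python
"""Fail-closed STARTTLS negotiation for an SMTP client (added example).

Defensive checks modelled here:
  1. Stripping: if the server never advertises STARTTLS, or answers the
     STARTTLS command with anything but 220, abort instead of continuing
     in plaintext.
  2. Injection via buffered data: bytes the server sent after its 220
     reply but before the TLS handshake were received in plaintext and
     must be discarded, never treated as the first TLS-protected reply.
"""
from dataclasses import dataclass, field


class StartTLSError(Exception):
    """Raised when the client must abort rather than fall back to plaintext."""


@dataclass
class FakeTransport:
    """Constructed stand-in for a socket: server output is scripted up front."""
    inbound: bytes
    sent: list = field(default_factory=list)
    tls_started: bool = False

    def send(self, data: bytes) -> None:
        self.sent.append(data)

    def read_line(self) -> bytes:
        line, sep, rest = self.inbound.partition(b"\r\n")
        if not sep:
            raise StartTLSError("connection closed before a complete line")
        self.inbound = rest
        return line

    def drain_plaintext(self) -> bytes:
        """Return and forget everything still buffered in plaintext."""
        leftover, self.inbound = self.inbound, b""
        return leftover


def read_reply(t: FakeTransport):
    """Collect one (possibly multi-line) SMTP reply; return (code, text lines)."""
    lines = []
    while True:
        line = t.read_line().decode("ascii", "replace")
        if len(line) < 3 or not line[:3].isdigit():
            raise StartTLSError(f"malformed reply: {line!r}")
        lines.append(line[4:])
        # A space (or nothing) after the code marks the last line of the reply.
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def negotiate_starttls(t: FakeTransport) -> bytes:
    """Drive greeting -> EHLO -> STARTTLS; return the plaintext bytes discarded
    after the 220 reply (empty for a well-behaved server). Raises StartTLSError
    whenever continuing would mean talking in plaintext."""
    code, _ = read_reply(t)
    if code != 220:
        raise StartTLSError(f"unexpected greeting code {code}")

    t.send(b"EHLO client.example\r\n")  # constructed client hostname
    code, lines = read_reply(t)
    if code != 250:
        raise StartTLSError(f"EHLO rejected with {code}")
    # First line is the server's hostname; the rest are capability keywords.
    caps = {l.split()[0].upper() for l in lines[1:] if l}
    if "STARTTLS" not in caps:
        raise StartTLSError("server did not offer STARTTLS; refusing plaintext")

    t.send(b"STARTTLS\r\n")
    code, _ = read_reply(t)
    if code != 220:
        raise StartTLSError(f"STARTTLS refused with {code}; refusing plaintext")

    # Anything already buffered arrived before TLS and is untrusted: drop it.
    discarded = t.drain_plaintext()
    t.tls_started = True  # a real client would now wrap the socket in TLS
    return discarded


if __name__ == "__main__":
    good = FakeTransport(b"220 mx\r\n250-mx\r\n250 STARTTLS\r\n220 Go ahead\r\n")
    print("clean negotiation, discarded:", negotiate_starttls(good))
    stripped = FakeTransport(b"220 mx\r\n250-mx\r\n250 PIPELINING\r\n")
    try:
        negotiate_starttls(stripped)
    except StartTLSError as e:
        print("aborted:", e)
```

The third scenario worth exercising is a server that appends a reply line directly after its `220 Go ahead`; `negotiate_starttls` returns those bytes so a caller can log them, which is the detection signal for a server or middlebox behaving this way.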


Biography // Damian Poddebniak is a software engineer and security researcher interested in email security, network protocols, and applied cryptography. He recently defended his dissertation about the limitations of end-to-end encrypted email and now seeks opportunities to sustainably improve the status quo of software security. He believes in free software, open access to knowledge, and a world with net-zero greenhouse gas emissions. Rustacean. He/Him.

Biography // Fabian Ising is a security researcher and PhD candidate at Münster University of Applied Sciences and Ruhr Uni Bochum. He is interested in applied cryptography, especially in email security and network protocols. Apart from applied cryptography, he spends time on medical security and web security. He also has experience as a penetration tester and code auditor. Bugs love him and tend to jump at him as soon as he uses software. He/Him.

Speaker //
Damian Poddebniak

Fabian Ising


✍️ Want a deeper dive?
Training courses in Single Sign-On (SAML, OAuth and OpenID Connect), Secure Web Development, TLS and Web Services are available here:



Thanks for your attention and support. Stay secure.

#TLS #STARTTLS #SMTP #POP3 #IMAP #EAST #cyber #cybersecurity #ruhrsec #itsecurity #itsicherheit #conference #talk