TLS/SSL in the enterprise

In our our training we will cover attacks against TLS/SSL in theory and in practice, discuss their relevance for the enterprise and talk about reasonable mitigating controls.

The training will demystify TLS/SSL Security because today it seems to be hard to run a secure TLS configuration without breaking functionality. So after some basic introduction about history and cryptology we will dig into certificate problems, crypto attacks, work with most important tools and walk through the common SSL vulnerabilities. We will explain each vulnerability, do a demo or hands-on if possible, discuss relevance and pitfalls within the enterprise context and give recommendations for mitigating controls (e.g. example configs for Apache, Nginx, IIS, Tomcat, Jboss).

Finally we will also take a look into the future, because a lot of important things will change shortly, so everyone should be well prepared to avoid any major disruption of important services. And don’t forget to bring a laptop with administrative privileges, this is a hands-on training and you have to install tools, if you would like to participate in the exercises.

Who should visit the training and why?

  • Server administrators

  • Pentesters

  • Members of security departments

Requirements

  • Basic knowledge about networking and protocols (tcp, udp, http, smtp)

  • Working with linux/*nix on the commandline

  • Basics about configuration of web, mail and application servers

  • Laptop with administrative privileges (linux OS preferred)

  • VirtualBox or VMWare Player installed, if the laptop is running windows or if the attendee doesn’t want to make changes to the host OS

About the Speakers