Recently we’ve seen many vulnerabilities related to improper certificate validation. Those vulnerabilities come from developers’ ignorance or misunderstanding of basic knowledge of certificate validation or insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several vulnerabilities in the real world, and concludes with lessons learned from real-world vulnerabilities.
This is presented on JavaOne2015.
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulnerabilities (JavaOne2015 Edition)
1. Case Studies and Lessons Learned from
SSL/TLS Certificate Verification Vulnerabilities
JPCERT/CC Information Coordination Group
Yozo TODA (yozo.toda@jpcert.or.jp)
1
JavaOne2015 version