January 21, 2020


The razor's edge: Cutting your TLS baggage


Jan Schaumann shares insights into TLS cipher specs and protocols and threat analysis of dozens of vulnerabilities and attacks and explains how to effect change across a diverse legacy stack, how to collaborate with a significant number of teams on goals that may not be directly in line with their roadmaps, and how to get buy-in from your executives.

Talk Title: The razor's edge: Cutting your TLS baggage
Speakers: Jan Schaumann (The Internet)
Conference: O’Reilly Security Conference
Conf Tag: Build better defenses
Location: New York, New York
Date: October 30-November 1, 2017
URL: Talk Page
Slides: Talk Slides

Unifying the TLS and HTTPS properties of a 23-year-old company with millions of users across dozens of edge locations, while retaining client compatibility and pushing forward the security and privacy of your users’ data, is a complex task. Threat analysis of TLS ciphers, protocols, and attacks is one side of the story; effecting change across the various teams that support a diverse legacy stack is the other. Jan walks through a major initiative that spanned 18 months, beginning with a detailed analysis of the internal SSL and TLS ecosystem before covering the TLS libraries, HTTP serving stacks, HTTPS protections like HSTS and HPKP, cipher and certificate configurations, CA compatibility (e.g., across mobile clients popular in different markets), and IoT compatibility (oh dear!). Drawing on this example, Jan outlines a set of requirements and best practices for serving HTTPS across a large edge environment, as well as the lessons learned along the way and the unexpected wins and side effects of improving your security posture across your company.
