Web Security 2021

you talk thank you very much I don't do that I've got this one I can do that switch off cheers good morning everybody I'm going to start with um the serious bit first and then I'll get rid of that very quickly so I firstly want to thank the organizers cuz um it's great to be back at a conference in person I was having uh friends from overseas saying it had been years since they'd seen firstly a conference and secondly a conference with no mask so um it's fantastic to be here I do want to acknowledge the traditional owners of the land on which we're meeting today the would people um and I pay my acknowledgement to their Eld past

present and future um I'm going to stop with the serious bits there and I'm going to start with the fun bits I also want to pay my respects to the traditional owners of the network here and when I say owners I mean owned um and that would be the akans of Cameron Hall any ens in the room one two three there's a few around so the UCC predates the department of computer science here by a number of years and in a time when identity checks weren't as strict as they are today they enrolled one of their computers in a degree of computer science um and the paperwork was done by volunt by paperwork I mean exams was

done by volunteers within the organization and so one of the servers inside the UCC obtained a degree of computer science here at uwa um The Legend became myth and over time this identity a computer called Murphy obtains a doctorate just by name change effectively and is the official contact address for the computer science uh hackers here on the University so um I'm going to give you a little bit of a run back through some of the web stuff which has been happening because I've traditionally been more on the blue team of things not so much a a destroyer but a Defender um and it is an interesting space which is changing fairly rapidly but first I'll tell you a little bit

more about why I'm here and why I'm talking take you through some certificate Authority changes and obviously there's a lot going in that space we touched on the history generally of cryptography but we're going to talk about some of the stuff which has been happening that is real world today and stuff which is stuff you can change which doesn't cost any money um to try and help protect what you're doing so firstly bit of pii um I've obstated a few bits and pieces because nobody goes to a hacker conference and hands out everything so um please take my mother's maiden name and uh put that into your user agent string um and hilarity will ensue um I'm actually

surprised that the organizers managed to receive my presentation and it didn't get flagged up so that was uh it's great so no um yes and my dog little uh drop tables um so I've been a volunteer in the text Bas for some time um that photo was January 2003 um when we ran Linux confu here at the University uh with about 700 people uh and we brought Li Tov volts to Perth way way way back um I've been one of the Debian developers now for 21 odd years um so and that was actually triggered by uh TOA podest one of the long-term Network administrators here at WWA who was kind enough to set up a Debian

mirror back in the 1990s which was the first Major Distribution that we had access to here at uwa um I managed to convince Nick down the front and others to bring LCA back to Perth in 2014 um and I served for a while as uh plug president and uh it was a fun time uh putting lus in a penguin suit on a 35 degree day um his little girls now have just finished University and are all grown up um so other stuff I've been doing so uh I worked for a while for heartley Pointon uh J V in their share trading piece I was the web guy for that so uh the only thing that stood between

all of the share trading that most of the banks were doing um and security was me um I went to Europe for a while I worked for a division of Canon Europe called Fango um which was a little Pearl shop um Pearl is a language you don't hear much of these days uh but it um did some interesting stuff we used to have a copy of everybody's photos if you bought a Canon camera in Europe um it was kind of a precursor to flicker but we were pretty um inventive we came up with a concept for function execution as a service in 2005 we started it 2006 it was launched um and if you look at the serous history

on Wikipedia uh that is where basically function as a service started um I moved onto an advertising company came back to Perth in 2010 with uh the little o um when he was 6 months old uh and took a job with a cloud startup company out of um Seattle uh and did three years working for AWS opening the office here in Perth um which was a fun ride uh very interesting I got to be the security solution architect for all of Australia and New Zealand which meant I got to walk inside various data centers around the next morning um and write white papers and then walk into the vaults of various Banks and tell them about how

you'd connect up to the cloud uh these days I work for uh part of the Eco group modus um along with a bunch of my colleagues we look after various agencies and Enterprises around town and across the Australia um but going way way back uh I I studied here doing a computer science degree computer science in French oddly enough and that will come up in a second um and uh I was an Aran myself in fact I think that was my wheel photo which is the administrative group for the UCC back in long time ago um and my first paid web job was in 1995 and it was that web page there uh which was written in French yeah um that was

one of the things about being the weird guy who came from computer science to the Arts faculty and then back again you know something about this I've written up this thesis about French uh African authors um can we get this online uh that screenshot taken last week still renders after 24 years uh yeah now some of you may remember there was a period where there was this technology called um Flash and there was some comments made last week that there was this period of the early 2000s where large number of news sources that were delivered via flash are no longer available for archive particularly around the September 11 attacks um so it's a testament to the vision that Tim berners

Lee had so Tim or timble um of having documents available to be rendered and the fact that we can still render these things when we have the content obviously the way we get the content has changed subtly over the years um anyway I moved on uh to work for this organization uh I had a job title called Web Master U which was basically they couldn't figure out what else I was doing or campus-wide information systems officer uh and yes the 1997 annual report of this University screenshotted last week still renders um and uh that was a a great project we were doing some really interesting stuff like making the entire University's faculty handbooks from this cutdown version of sgml um

with my colleague at the time James talber who worked on the w3c board and and um they came up with this new little standard a cut down version of sgml called uh XML um which is seen its time come and go I think but still there anyway that's who I am anyone got any heckles so far oh God yes how old was that picture you put on page which one that one oh God 2014 still has I it's it's wisdom okay where can you get a cloud

jacket okay my colleagues actually insisted that I should do this uh yes it's all being Cloud all along because nobody wants to look after servers any anyone working data Cent here anyone no no one works in a data center good you're so lucky it's like Casino but without the drinks um okay so uh blah blah blah blah blah yeah went through that went through that so certificate authorities um some of you would have been around when this came out this was a reasonably significant event for the web um and today you look at the things that this version supports International Security do not go there um because you know 56-bit certificates with 40 bits exposed isn't that strong

um and in fact all of those Technologies are pretty much superseded today though I think people were yesterday talking about md5 um uh move on stronger hashes please um so the certificate authorities have been changing a lot of stuff in there um now there are a bunch of free certificate authorities today but there's a bunch of historical ones so if we go back ver of thought they came back from a long time ago but they're all starting to move towards the acne protocol um and this is not a Warner Brothers cartoon Acme uh this is the automated certificate uh mechanism for getting certificates if you haven't used it you definitely should the reason because um who comes and goes and buy

certificates at the moment anyone you know no one does a few people do um if it's a manual process you're going to hate what's happening in the industry um because certificate lights times are shortening more and more and there's been a few things that have been raised over the last couple of years to really bring it down and we all know probably that let en Crypt is around a 3month expiry um and people do think about doing it shorter than that down to days or weeks um you don't want to be doing that manually uh you want to have that automated and if you can automate it in production you should probably automate it in non-production as

well um now all of these certificate authorities that are out there are kind of members of a club um the ca Forum the ca browser Forum they pay a membership for to legitimize the fact that they are a certificate Authority um as a club it's got various rules of membership um and a lot of those are technical such as after this date you won't issue a certificate of this length or this algorithm um and you definitely won't issue a google.com certificate to someone who isn't google.com because you know that' be your job um and of course this is done quite transparently there's a lot of people who watch the recommendations that come out of the

browser CA forum and then go and check various public sources to make sure it's being enforced where possible or if it's not having the transparency of daylight calling it out and saying hey there's something going on here and there's a lot long history of very uh wellknown certificate authorities being caught out for transgressing those rules over time um one interesting piece was certificate transparency so certificate transparency was introduced a while back now to actually show when a CA issues a certificate so for example if I was to uh issue a certificate of David Stockbridge decom you'd probably want to know about that Dave um especially if I'm sitting in the opposite side of the world and you've never heard of me uh if

you look at your phone or your browser there's a large number of certificate authorities who are already trusted and they may all be legitimate businesses in fact they should be um but do you choose to trust them or by default your browser has made an initial selection to say yes but you may wish to review that list and remove those that you don't intend to visit Services of online that use certificates issued by those certificate authorities so um certificate transparency has changed there's a log of in fact there has to be two logs of every certificate issued by every legitimate CA it's one of those rules of the browser CA forum and these days the

actual location of those logs is embedded into the TLs certificate that you get handed or going through automation so you can actually go and find that log um now there was a security header for a while that indicated that that should be expected but this is pretty much Duru these days it happens automatically um there's new requirements coming up and we saw yesterday about RSA certificates um and these days we're starting to move into elliptical curve certificates which is described as being the bowling ball algorithm of you start at this point you've got a curve and if you go in this direction you bounce around to get to an uh a destination number that's the

trapdoor function or the one-way function of that algorithm um and bit forbit it is supposed to be more secure than a traditional RSA certificate RSA certificates get longer and longer we spoke yesterday about 2048 bit certificates I've got some 809 801 92 bit certificates that are quite long the longer you get with RSA it goes much much slower um and so newer certificate uh signing algorithms means that this is faster um so that's all very interesting moving on to some bits and pieces one thing you might want to do is be able to tell that list of legitimate certificate authorities that when you as an organization want to go and buy a certificate which CA are you going to authorize to

be your ca and that is the certificate Authority authorization record that you can squirrel away in DNS it's only ever looked up when a certificate Authority is about to issue a certificate in your common name your DNS name so it's hardly ever used you can set this at a zerc TTL no one else ever looks it up and you can specify whether those certificate authorities are allowed to issue explicit name certificates or Wild Card certificates or both you can listen as many Casa as you want and it might even stop you from having sort of Shadow it going out and going and buying a dodgy certificate from the South China Post who are a legitimate CA but you might

not be choosing to use them it's surprising this has been around now for quite some time um January 2013 nearly a decade uh and you could probably count on two hands the number of organizations in Perth that have actually gone and set this record up and put it in there um I spoke briefly about uh the cerate algorithms they are changing and as a result of that a certificate chain from the issuing CA is also being upgraded to be based around the elliptical curve algorithms so ecdsa new routs are being created let's encrypt has just moved to one of these new routes after being on an existing RSA based route for many years they've called them names like X1 and X2 sounds

very spooky turns out they're calling these certificate names with as short a name as possible anyone want to know why why are they making their names very short because they're transferred over the Internet so very much that every bite is sacred they're literally making the names of the ca short um so new certificates in fact there's an opt-in at the moment on let's encrypt if you would like to be vendored through the automation you have in place an ecdsa based certificate browsers have supported this for several years at this stage okay high level stuff TLS changes now everyone in in this room has probably heard about TLS it's what's protecting most of what we do every day especially

as we've managed to digitize pretty much everything in our society whole bunch of versions four years ago at this stage or three years ago was TLS 1.3 coming out basically and I don't know if you can read the red on green that was a a thought this morning about color blindness but don't use any of the first Bunch they are absolutely bad in fact they are so bad that the ETF has a request for comments and if you've come across rfc's before by the time you probably see it it's no longer requesting for comments it means standard um but don't use anything less than TLS 1.2 and all of those earlier revisions are so bad and we as a an

industry have been so LAX at removing them that the vendors themselves are removing implementations from their software base to force the fact that these things are turned off if you're waiting for the next update to disable older versions of TLS you're probably waiting too long you could probably go and turn these things off right now good logging will show whether or not they're in use they shouldn't be if they are you've got some really outdated software that you've not updated somewhere else you've probably got a whole host of other issues out there so um if you're ever looking for compatibility online there's a website called caniuse.com um and you can put in all kinds of

technologies that you want to use in the browser uh and it will tell you the support matrixes it looks like over common browsers um and most recent versions have got very good support for that um if you wanted to use TLS 1.0 you are going to get a bad day because all browsers that are out there in common use these days no longer support it so why leave it enabled you might have some automation Integrations happening which aren't using a traditional browser fair enough you probably should have updated those anyway um I'm going to spill outside of web for a moment and there was one other great thing that I've seen recently and that is a nice update to

Windows Server so at the beginning of this month there was a new version of Windows server that came out 2022 um and is the first one where the cryptographic provider on the host s Channel dll supports TLS 1.3 um so I can see that in future being one of those forcing factors of we need to get to that version because we've removed all the older versions of TLS out of our environment open SSL has TLS 1.3 support since version 111 I think it was K or L uh OB on it's thir 12th update now um big update last week open SSL 3 was released um currently going through fips validation um but uh again all change

upgrade where you can TLS 1.3 only supports a small number of ciphers the reason for that is there were a lot of older weak bad ciphers that really you shouldn't be using anymore and including some modes of AES the advanced encryption standard previously called ringel um so as mode that you most commonly see these days uh is called GCM anyone here heard of GCM yeah anyone tell me what it stands for G Cote this young man here uh is everas Gala uh a young French mathematician um now I've got a degree in mathematics you do too um and this is where we're going to claim some credibility because at the age of 20 he got into a

duel over a woman sadly he died so his a might not have been as good um and his last words were don't cry Alfred his friend who was with him at the time uh I have all I need all of my courage to be dead at the age of 20 um his field of mathematics was so misunderstood he was denied access into the academy Fones for multiple years and it wasn't until years after his death that uh what he was doing with with his his field was seen as actually being valid and secured and pretty much transaction you do nowadays is using his branch of mathematics to secure those transactions um and that is my link to frenchness

Prem Oliva browser changes um now unless you've been living under a rock browser versions on the open web have been looking a little bit like this um that green line is versions of chrome dominating very much so um I've been a Firefox user for many many years kind of declining off to the to the right hand side side there um but that's not the most interesting piece it's this one that I find is really interesting it is the roll out version that is actively in use and I think that this has been a testament to things like the approach on releases being lots of incremental small releases those that think back sort of 15 20 years ago a new release of a

browser was a potentially world-ending moment of compatibility changes these days this is done in a very slow incremental way what's also interesting is that Mom and Pop at home who are doing auto updates probably running the most recent browser and your standard operating environment in your organization which is version locked is probably not um and some agencies in Western Australia will choose current minus one version to be their s soe and then not touch it for four years um and you start sitting there going well that is fixed for everybody out there but not us um and so one thing to look at is well maybe we should be actually being a little bit more agile in corporate

environments for certain critical critical applications where the security update comes in through good mechanisms to make sure they're getting pushed pretty quickly um so as I said other things you can look at in uh can I use versions of images have been improved webp is looking pretty cool these days as a format not supportting in everything I was pasting webp images into teams the other day I didn't understand it but uh the efficiency that you get on that is huge and fully supported across browsers um one hack that happened a while back was uh the takedown of an accessibility service online and it brought my attention around to subresource Integrity subresource Integrity is the ability for you to say

look I've got this library or framework typically JavaScript could be a font could be anything to be honest um and I'm loading it from an external CDN or an external site something that is from another origin but I don't want it to change I want to make sure that you're still running the same version CU I've got an external dependency now now prior to this um quite often people would have example framework. JS and whoever was running that CDN was free to update it at any time they wanted to they could do maintenance on it new functionality but also they could be compromised and take down everybody who is leveraging that shared CDN resource that happened with

this accessibility service that was running um there were organizations here in Australia a lot of public sector in the UK was taken down with it um and cleverly enough the uh injection that was put into it was a Bitcoin minor with a throttle to I think 50 or 70% of CPU so that people wouldn't recognize that their browser was just going sluggish for a bit um so you can definitely generate uh Integrity check sums in fact you can generate multiple in this case it's a sha 384 um and your browser will actually validate that the cross origin resource that it's just loaded does actually meet that check sum before it loads executes or uses it important for

example in fonts there's been a lot of font vulnerabilities over time um and cross origin means don't actually add any um cookies or any other indications to be able to tell who I am you can generate those SRI hashes online from that website um and if you are leveraging third party cdns do so if the resources are all self-contained on your own site well it's the same source which is going to be compromised so there's not a huge amount of um advantage in doing so um there's been a lot of security headers added into browsers now this kind of stuff is only really for desktop browsers if you've got native Integrations then it's not implementing

this kind of stuff um my favorite in here and I I've got to type on the next slide is the strict Transport Security um this header basically is something you can put on your service and say hey if you're happy with my crypto at this stage just remember for some Cas age a year that I'm always a crypto site don't even try unencrypted HTTP um this is changing over time because browsers slowly are starting to go to https by default it's just it's 2021 um and I've got a bit on that in a second so uh you can enforce this also for your entire domain um that's a big one-way trip um if you're going to say

every service under my domain name including internet. example.com is an htps service you're saying you're going to use htps for everything which is a good thing but might catch you out by surprise if your internet currently has that big not secure warning in the browser Chrome at the moment um you can preload that also so once you've got the hsts header on your service you can toodle along to hsts preload register your site in that and the browser manufacturers go and pick up a database to precede the next version of their browser that you will automatically get by the crossover mechanisms of versions that it won't even need to make that initial unsecured HTTP request and of course most of that

initial unsecured HTTP request is a redirect to go up to htps don't even bother with that um interestingly I I was running a poll on Linked In over the last couple of days asking which organizations have blocked HTTP from their users so if you go into your corporate environment can you actually get to neverssl.com so neverssl.com is an HTTP only site run by one of my former colleagues of uh uh Cole mccarth um and it's designed that you've got something that is always going to be an HTTP end point to validate why you would still have that on your corporate Network when most of your users are going to always go up to https why would you start with an

untrusted Source beats me but of that poll no one responded that their organization had taken that move to block unencrypted HP I have worked with someone recently to do that in their production environment and it's a great step forward okay um refer a policy es this is one source of information leakage which I think we were speaking about yesterday about following RFID chips from medical implants that might actually uh disclose who the user is or their user ID um this is disclosing the origin or the the host name that you were referred to from to between sources um these days you don't really need it a lot of that was used for analytics in the early days of the web most of this

is done now via Google analytics and other uh JavaScript providers so you can actually turn off the browser doing any referers saves a few bus and actually the less information you collect the better um permissions policy your browser is a pretty Powerful Beast um your browser has an accelerometer in it a GPS uh it's possibly hooked up to your uh FFC payment providers you can actually disable those features in your browser by setting various feature policies on your content in the headers which if you've got third- party JavaScript being executed you can scope it so that thirdparty JavaScript cannot get the GPS locations for your users but potentially you can from your own JavaScript nice

little bit of security protection for your customers um nobody wants to see the straa event again of where are all the people um it's been renamed it was called permissions policy but about 6 months ago that header got renamed and reformatted ever so slightly no one's heckling anyone it's very early it's very early yeah but it's very exciting I mean this stuff has taken years to get to the point of having a velocity where there are interesting changes that are happening as a result of interesting stuff happening with people exploits of yeah yeah I linked into a third party site and they started getting the GPS location for the visitors to my service that's bad um csps conent security policies uh

so this defines um where your browser is going to allow to load stuff from and more interestingly things like iframes now iframes have for 15 20 years being considered bad but they're still used if you've got a frame inside a page what would stop that frame from loading another frame from somewhere else or what stops a legitimate browser from being tricked into hosting your banking homepage in a malicious parent frame so luckily CSP gives you that capability you can specify where what sources are available to be within your descendant frames and what s where you're allowed your ancestor frames to be typically block everything this is work extending previous functionality that was there in some various experimental X headers um

but you can do this now in csps one of the ones tying into what I was talking about earlier was uh certificate transparency this header is actually going away because all of the certificate transparency is now in the certificate you don't need to go and actually go and look up third party log files so you can get rid of them um June 2021 it was supposed to become obsolete so there we go I've got a few very interesting ones that have just come up as well cross origin EMB better policies so allowing a site to say my assets should be loaded by a specific host and again we're looking here at legitimate browsers which are being tricked by Third parties

remote to them that the legitimate browser can be used to assist you in your security profile um and these are going to basically make things like popups not share context for the JavaScript engine between the popup and the window under they'll be in different Origins therefore they shouldn't share context um these things I would definitely recommend have a look into them they've only come around in the last couple of months um and they sit with cross origin resource sharing headers as well okay but what I think is actually now much more interesting is how the hell do you hear if a tree falls in a wood and no one is there I.E you've got people using your service and they

get a JavaScript error out on the internet traditionally you would never hear about any of this stuff but there's another her header called the network error logging headers and Reporting mechanisms which can tell a browser if you have any issues with this site please report to this location but remember this location for the next year so even if that person is in a Walled Garden of an airport if we remember what those were um then they might get denied access to your service and when they next come onto the network and do have access they'll chle a report off to you saying at this time I was on this address I couldn't get to you or I

had a certificate failure or I had all kinds of network failures on those classifications of reports really interesting stuff that you wouldn't have seen um and there are Services out there that you can just subscribe to to have them receive show and log your errors that are coming from your your clients and the nice thing is that by doing that you can find out the bad news about hey we've got broken images how JavaScript doesn't work in this specific browser faster than waiting for your users to phone up your help desk get through level one to level two to a developer to a release cycle um as M said once in one of the Bond films

unlike the Americans we prefer not to get our bad news on CNN um get your own bad news first those reports are delivered as Jason um something like that so you can see whether it was a Content security policy that was transgressed or anything else in there um certificate pinning is is one that I'm going to I see a few laughs do not do this uh this is the shoot yourself in the foot oh my God I needed to change my certificate but I've told everyone I'm not changing it for a year uh I would call this the career limiting move um so yes just don't um and that's actually a good thing these things have come around

been experimented with in production um and then Dame you know what let's not and it's that level of experimentation which has really moving Mo things forward a hell of a lot uh Firefox and chrome no longer support FTP in the browser um they never supported ftps so don't um more recent versions of chrome using https by default um except for special addresses like Local Host and others like that um it's the start Nick yes if they supported magnet links they wouldn't need an S hash if they supported magnet links they wouldn't use an S hash very possibly um yes uh other changes so as of version 91 in Firefox only in private browsing mode anything you click or enter will be

upgraded to https um so this is obviously very fine grained testing before it becomes a blanket roll out of https everywhere um mixed content is blocked as of the end of last month in Chrome um uh one of my favorites triple Dar is removed as a cipher yay for for anyone who doesn't know Dez was okay triple Dez was Stronger double Dez in the middle there was weaker than both of single Dez and triple Dez um just don't um another change that some of you may remember was extended validation yeah um you could get an even better certificate with a guarantee a warranty of some sort um and instead of showing a host name it would

show your registered company name so for example stripe ink has anyone here heard of stripe yeah what do they do oh no no no I'm talking about stripe ink of witchar who are in a totally different environment who could actually make a browser come up with stripe Inc which looks exactly like the stripe you're all thinking this is terrible um and so this shaped down I mean this this approach of running a business of going for extra money we will display something different is basically dead um if you're currently buying extended validation certificates from a CA consider not because it's just not worth it protocol changes in the beginning in fact hp. n in the very beginning but HP

1.0 open a connection to a server across the in network request something get that object close the connection oh look at me I need to go and get something else off we go again open a connection request something get it oh I need something else browsers got around that with having multiple stream or threads in parallel doing that um we move to HB 1.1 where we could say get a connection open request something but hold the phone I might ask for something else yes I want something else trying to optimize the network approach of this that was 1997 24 years ago um in 2015 that's a long time between drinks um HTTP 2 move this from being a plain

text to a binary based protocol and also streaming parallel threads of transfer for the objects being requested so you could open a connection and say I want 1 2 3 4 5 whenever you're ready to send them to me little bit of one little bit of three little bit of two little bit of four five one finished one finish three finish two and all of these things would stream down as quickly as possible very efficient on on the network but um it did actually start to introduce things like if I lose a packet on the internet that stream although there are multiple threads within that one connection might then have to retransmit a whole bunch of

stuff and so what we're seeing now is a much bigger change and this is with HTTP 3 um and I'm thrilled to see things like Cloud flare already supporting that in fact bsides website if you've gone to it um is coming to you over HTTP 3 if your browser is up to date and you've got access to send outbound UDP traffic why UDP because it's no longer over TCP 443 yes HTTP 3 is really going to Fus your network Administration team um and it's going to silently downgrade back to http 2 for the next while um but it's it's out there it's fully supported in all browsers and it's very efficient on the network of course the process of

service Discovery there's no dedicated port for HTTP 3 so your browser goes to an initial http2 connection sees that header and goes okay the maximum age ma to remember this for is a day I'll just go back and use the same endpoint over UDP to request all of those resources you were after I think I'm nearly on time um was that an interesting journey through that so I've got a few other resources that you can go and use these are things that are possibly welln um security headers tocom run by um Scott Helm out of the UK um great site he maintains it really well throw any URL into it um and he'll give you after a

single hit these are the headers you've got these are the ones you're missing and it's a rating a through f I'm loving the the gamification of security um because it makes it really easy for people to go and consume it and incrementally fix things to get a better rating um SSL Labs Ivan ristic originally um who's now moved on to harden eyes.com and expanded that out um Harden eyes is is really good um it goes beyond web security also looks at things like your Ts for your mail system you know yeah we're all ts13 on the website yeah ts10 on SMTP um there's lots of places to go and look at this kind of stuff um observatory.

mozilla.com the nice thing there is it keeps a history of your scores so you can see improvements and degradations over time and of course for private endpoints you can use Google Lighthouse which you've already got in Chrome on your desktop or test SS sl. sh which is a shell script you can download and hit private endpoints for to give you that same kind of visibility of what that profile looks like bunch of people you might want to have a look at on Twitter um so some really interesting people um one interesting thing I've got up there and I I'll go back to my akan days uh we registered the domain RCP doto the week that the.to domain opened andto is Tonga

um the running joke was as we were wire sharing SMTP we could see receipt 2 James at receipt 2 it's not hugely funny now but we thought it was really funny back in the day um and as a result the tongen CT now follows me uh so that's that's interesting um but in summary everything in the technology space that we're looking at in fact everything that we deal with is a sunrise and a sunset new stuff is coming up old stuff is going away um but don't wait until the sunset to turn stuff off because it's likely already a poor security choice and waiting for the vendor to finally remove it is probably way too late it is

a saving function but you can be much better than that um HML and IP has stood the test of time open source RFC and the W3 3C recommendations for the win um Flash not so much and that is the end any questions yes hey thank you thank you very kind yes

please um the the one of the primary motivations for short is lifetimes is once you issue a certificate it can be out there for a really long time and if you discover a floor in a signing algorithm it might take a long time for the fix for that to be fully deployed in the network um luckily RSA has stood the test of time as far as we can tell there may be quantum computers with large numbers of cubits which we don't find out about yet which might not be there but if they are disclosed then what's going to be better changing over within a 3 month period or a 3year period for the planet yeah

that's probably the biggest one um yeah good question thank you you mentioned part way through that you Rec not using p i was of my take on what from where I work on the dfir side SE pinning stops an organization doing TLS intercept as well so so possibly short lifetimes in that span might be okay yeah from a user privacy perspective to ensure that TS inter isn't happening um what's the impact on some of the newer protocols like will organizations still be able to do TS intercept will that become more difficult so the question I just repeat for the stream is TS intercept and search pinning um I think one of the key things for TLS intercept is the client

base which is being intercepted in the corporate environment is you're using a corporate device and you've already been rumbled the internal CA certificate has been being prepopulated into your trust store um there's nothing you can do at that stage you're already compromised uh what becomes interesting is the BYOD environment do you take the company certificate and subscribe to trusting what the company thinks is combank or Westpac when you're going through their Network or do you just tether to your own and not use their bandwidth um yeah it's an interesting piece I I see the advantages for doing intercept to be able to scan stuff um but I think there's a lot of things that we need to

fix up in corporate networks one of which is I mean anyone here had a fishing email sent to them yeah so there is a large number of fishing uh links that are sent out where when you click the link which protocol are you using htps for some of them https yeah but there's still a large number that is HTTP so why support that still that's a untick that box um but for htps yeah that's that's when you would want to do it or reputation you've still got things like DNS lookups happening from clients so what's the reputation of the host that you're looking up and does your DNS support actually going you know what NX

domain for that I don't want you go to geoc cities.com because it's got no no right usage these days in that context um Sni for those that know about server name indication at the beginning of TLS that is being moved to being encrypted Sni um because that will um also Rumble where users are trying to to look at so there's a lot of privacy concerns going both ways especially corporate is one but citizens in oppressed regimes is another one um you know that was the the Arab Spring uprising of what 10 years ago or so so and as I spoke about my conference I'll just call out Dr David glance as well who was one of our

speakers in 2003 thank you very much anyone else was there anyone else here at LCA shame yeah yeah why not shame every in for Penny in for a pan anyone else here who was at LCA 2003 here in birth one two no hi you missed a good conference it was good anyway any other questions

yes no you shouldn't do so the question was about encrypted Sni and being able to choose the correct TLS certificate on a host and not needing one unique certificate per host and Port combination that was a terrible situation of course made worse by the fact we've got so much ipv4 address space around haven't we no um by the way enable IPv6 for everything please it's well past time um no because the other end will be able to decrypt the Sni that you were after to still make that choice so there is a pre-c conversation to actually share a key on that thank you for the question I'm probably over time aren't I uh you're getting close there's

a heap of questions the Discord chat do ask no most of them said it's a three-hour bar chat so I reckon if you jump into Discord there's a stuff to keep on going sounds good awesome lovely thank you everybody thank you guys thank you challeng thanks a lot getting