SSL/TLS Security Lab

Learning objectives

Participants will gain a deeper understanding of the various versions of the SSL and TLS protocols. The historical development of the protocols is explained together with their respective strengths and weaknesses. Using the current specification, TLS 1.3, we look ahead in order to recognise trends and further developments. The known attacks on SSL and TLS are explained with reference to theoretical principles and practical exercises. Alongside the attacks, measures to protect one's own infrastructure are introduced.

The exercises are done on www.hacking-lab.com. After the course, the lab environment remains available to participants for a further 30 days.

Scope: The course focuses on SSL/TLS and the attacks known against them. The fundamentals of RSA, AES, Diffie-Hellman and block cipher modes of operation are not covered.

Highlights

  • Introduction to the various protocols
    • SSL v3
    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
    • TLS 1.3 and relevant innovations
  • Known attacks on SSL/TLS
    • Padding oracle attacks
    • BEAST
    • Compression attacks
    • Side channel attacks
    • Heartbleed
  • Datagram Transport Layer Security (DTLS)
  • Secure configuration of an Apache HTTP Server (HPKP, HSTS)
  • Inspection proxies
  • Public Key Infrastructure
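As an added illustration of the Apache hardening topic listed above (constructed for this page, not course material from the original), the fragment below places a weak mod_ssl configuration beside a hardened one. The host name, certificate paths and cache path are placeholders. HPKP is deliberately left out: browsers no longer enforce the Public-Key-Pins header, and a mis-set pin can lock users out of a site, so HSTS is the header worth deploying on new installations.

```apache
# Constructed example; "www.example.com" and all paths are placeholders.
# Requires mod_ssl and mod_headers to be loaded.

# Weak: legacy protocol versions and TLS compression left enabled, no HSTS.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    SSLProtocol all          # SSLv3 / TLS 1.0 / 1.1 still offered where the library supports them
    SSLCompression on        # TLS-level compression, the precondition for CRIME-style attacks
</VirtualHost>

# Hardened: TLS 1.2 and 1.3 only, AEAD suites in server-chosen order,
# compression off, OCSP stapling on, HSTS sent on every response.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off   # long-lived ticket keys would weaken forward secrecy
    SSLUseStapling      on

    # HSTS for two years, including subdomains. Only enable includeSubDomains
    # once every subdomain is reachable over TLS, or those hosts become unreachable.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

# SSLUseStapling needs a stapling cache, which must be defined outside any VirtualHost.
SSLStaplingCache shmcb:/run/apache2/ssl_stapling(32768)
```

The cipher list restricts the TLS 1.2 side to ECDHE key exchange with AES-GCM or ChaCha20-Poly1305, which removes the CBC suites that the padding oracle and BEAST topics above target; TLS 1.3 suites are not affected by SSLCipherSuite and are all AEAD by design. After a change, verify the result from the outside rather than trusting the file, for example with openssl s_client -tls1 against the server, which should be refused.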

Target group

  • Security Officers
  • Technology Officers
  • Operators of Infrastructures
  • Developers of E-Business Applications

Prerequisites

  • Familiarity with the Linux command line
  • Basic knowledge of cryptography
  • TCP/UDP network technology
