Abusing X.509 certificate features

Alexander 'alech' Klink

Playlists: 'mrmcd111b' videos starting here / audio / related events

Public key infrastructures and X.509 are designed to improve the security of applications and protocols. Unluckily, they also offer a lot of features that (when implemented naively) compromise security. The talk will show how browsers and mail clients have implemented certificates in such a way that they could be used for cross-domain user tracking, to unknowingly present a MITM threat to a user or to trigger unwanted HTTP requests on a client or server.

Many people believe PKI and X.509 "just works". The talk will show that the subtleties in the specification and implementations are something that should not be forgotten. Also, it shows some examples of interesting vulnerabilities where the vulnerability is actually in the "logic" part of the application or specification.