Скачать с ютуб Nullcon Goa 2023 | Self-Signed, Why Not! Exploiting Insecure Certificate Validation In iOS And macOS в хорошем качестве

Nullcon Goa 2023 | Self-Signed, Why Not! Exploiting Insecure Certificate Validation In iOS And macOS

In this talk, our speaker Aapo Oksman will tentatively discuss the following topics: 00:00 Introduction 03:17 Certificates 20:44 Certmitm demo 35:54 Apple CVEs 40:33 Penetration testers & Bug bounty hunters 42:05 Apple Click here to download the slides: https://goa2023.nullcon.net/goa-2023/... ---------------- Abstract TLS allows communicating parties to uniquely authenticate each other by validating each other's certificate. However, iOS and macOS have a history of not validating server certificates insecurely. To make things worse, there have been signs of active attacks against Apple certificate validation. And this is not just history. In this talk, we are going to see some new exploits against both iOS and macOS certificate validation. Just showcasing fixed vulnerabilities is not that interesting, that's why we also learn how these vulnerabilities were found with a newly released tool: certmitm, and how it will catch any new ones that are rolled out. Certmitm automatically discovers insecure certificate validation vulnerabilities in TLS clients by trying to actively exploit any connection passing through it. #TLSAuthentication #CertificateValidation #iOSsecurity #macOSsecurity ----------------- Follow Nullcon on Facebook:   / nullcon   Twitter:   / nullcon   LinkedIn:   / posts   Website: https://nullcon.net/