TLS Analysis with O-Saft

Agenda

End-to-end encryption is a major precondition in modern IT to ensure confidentiality and integrity. Many mature solutions exist for securing data, but for transport layer security TLS/SSL is the one mainly used. Even though TLS does its job behind the scenes, it is crucial that it works in the intended secure way.

It is not obvious, and not simply visible, whether a connection using TLS fulfils all expected security requirements. This can be checked with various tools. Such tools most often check for known insecure ciphers, some insecure configurations, and some well-known vulnerabilities.

This workshop will demonstrate how to use the tool O-Saft to perform these checks:

• independent of the operating system and installed libraries;

• in closed Intranet environments and with limited resources;

• with various protocols: SMTP, POP3, IMAP, LDAP, RDP, XMPP, ...

• checking all ciphers, even unknown ones;

• checking for known vulnerabilities;

• testing multiple servers at once and scripting tests;

• formatting and post-processing the results.

Achim Hoffmann

Achim Hoffmann is managing partner and principal consultant of sic[!]sec GmbH, a company that provides information security services. After working as a web application developer for several years, he started in the late 1990s to concentrate on web application security as his major subject, in different roles such as penetration tester, source code analyst and security workshop trainer. He also supports customers in selecting, configuring and operating web application firewalls.

Achim is author, co-author and maintainer of various papers about web application security at BSI (Germany), OWASP and WASC. He has also published several tools (EnDe, EMiR, ReDoS, O-Saft) which aim to make web application security more visible. He is the author of the presented tool. Outside work he is a German OWASP Board Member and helps maintain OWASP's mailing lists.