SSL/TLS

Overview of MAC Algorithms, Fuzzing TLS and Finally Exploiting CVE-2016-7054 Part 1/3

Posted on December 5, 2016 by Code SSL/TLS Vulnerability

Overview of MAC Algorithms, TLS Protocol and CHACHA20-POLY1305 Algorithms In the upcoming posts I’m going to give an introduction on Openssl CVE-2016-7054 vulnerability and the terminology about this topic. In part 2 we will discuss available tools and techniques and how to actually produce an exploit for this vulnerability, in the 3rd part we will try to enumerate installed Openssl version on our systems and see how we can update software packages that use Openssl like Apache, Nginx and Python. Intro Couple of days ago Fortinet published a blog post titled “Analysis of OpenSSL ChaCha20-Poly1305 Heap Buffer Overflow (CVE-2016-7054)“. A...

Continue reading...

TLS Extended Master Secret, Breaking SSL Proxies

Posted on August 14, 2016 by IIS SSL/TLS

SSL Proxy Failing To Decrypt The Handshake, Fixing Connection Reset Issue in New Browsers There was a new update couple of months ago affecting web servers and web browsers introducing a new TLS extension (Extended master secret) that changes the way master_secret is generated. This update broke the devices that were doing SSL inspection or proxy because they wouldn’t be able to decrypt the handshake and ultimately would reset the connection. In this post we’re going discuss the issue and look for workarounds and fixes. These fixes would be either an update in the device which is decrypting the SSL...

Continue reading...

Client Certificate Authentication in SSL/TLS and its interaction with Web Application Firewalls

Posted on August 8, 2016 by IIS SSL/TLS
SSL Logo

In a previous blog post I discussed about Client Certificate Authentication and possible implementation methods. In this post I’m going to delve deep into TLS protocol implementation, specifically the Client Certificate part. During the setup of Client Certificate Authentication on a web application I faced various issues and when a piece of technology is just a black box in your view, there’s not much tuning or debugging that can take place when things stop working. So I spent a handful of time studying the underlying technology and I’m sharing the gist of it here. I’m also going to briefly go...

Continue reading...
Babak Amin Azad
I'm a PhD candidate at Stony Brook University. I work on the topics of web security. My main focus is on "Web Application Attack Surface Reduction Through Software Debloating".
I also study internet bots and anti-bot technologies, and pretty much anything related to web and mobile security.

About me

Twitter: @imsilverfoxy
Mastodon: [email protected]
Github: silverfoxy
Resume: [Web Format] [PDF]
Google Scholar: [Link]