Network access control is not only a security enhancement, but also a performance enhancement. While traditional Web applications can be difficult to scale without expensive scalability solutions, scalable Web applications with SSL/TLS can be built for all kinds of high-bandwidth, low-latency devices. In this talk we will examine how this technology is implemented in modern Web browsers. You will learn how the Chrome browser utilizes SMTP over SSL for Web browsing, how to use the OpenSSL library to apply cryptography to secure Web applications, and how to use Certificate Transparency to verify your certificate. We will also cover the implications of deploying SSL/TLS on Windows and Google Chrome and the progress made in the Google Chrome team with respect to incorporating SSL/TLS. Additionally, we will cover how the current practice of publishing SSL/TLS certificates with revoked certificates is increasing security and opening up the security model of the Internet to more diverse organizations.
Ryan Matthews (Google): Security is the security of the Internet: a mantra I have heard several times. We are working hard to ensure we have the right tools and frameworks in place to implement strong security on our platforms and servers, and there are services like Fortinet which can also help your business a lot. As security technology continues to evolve, developers need to be aware of the risks and take action to mitigate the impact of critical vulnerabilities that result from weak cryptography on their production systems.
This talk will cover how developers can best implement strong cryptography on their systems, some of the threats they may face, and how they can address them in their own practices. My group is working on the new Chromium runtime to better address the limitations of legacy cryptography libraries and provide better security on Chrome. For more information, please visit https://www.chromium.org/developers/security-resources.
Kevin Brennan (Core Security Operations): Implementing SSL/TLS on Windows is a relatively straightforward endeavor. However, we only recently gained full support for SSL/TLS on Windows Server 2016. The additional step required to perform the handshake over a Transport Layer Security/TLS protocol to make it secure is a necessary evil for all server operators. After gaining full support, there were multiple challenges that were encountered along the way, and we felt the time was right to talk about how we overcame these challenges. Our best recommendation for ensuring secure communications on Windows is to configure Windows Server to use the TLS protocol. For help setting up secure communications on your server, please visit: http://www.whois.net/en/listing/tls/public/.
Adnan Farhan (Microsoft Security Team): With the current deployment of TLS on HTTP 1.1 in IE9, there is an extra step that you need to take to obtain secure traffic between your application and the web server. While this is not required, it helps to ensure that the content of the web pages cannot be tampered with without your knowledge. While there are many third-party tools that can implement SSL for you.