BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: mTLS: when certificate authentication done wrong\n  
  When: Friday\, Aug 11\, 11:00 - 11:20 PDT\n   Where: Caesars Forum - Foru
 m - 105\,135\,136 - Track 1 - [1]Map\n\n   SpeakerBio:Michael Stepankin \,
  Security Researcher at GitHub\n   Michael 'artsploit' Stepankin is a rese
 archer at GitHub Security Lab.\n   He joined the team to put his offensive
  security mindset to the test\,\n   uncovering complex vulnerabilities in 
 open source web applications. He\n   specializes in the Java Enterprise st
 ack\, covering a wide range of\n   security topics from insecure deseriali
 zation and XXEs\, to logical\n   bugs in OAuth systems. He's published a n
 umber of works throughout his\n   employment as a researcher\, including n
 ew ways to exploit JNDI\n   injections\, attacks on Apache Solr\, and find
 ing hidden Remote Code\n   Executions in the Spring framework.\n   Twitter
 : [2]@artsploit\n\n   Description:\n   Although x509 certificates have been
  around for a while\, they have\n   become more popular for client authenti
 cation in zero-trust networks\n   in recent years. Mutual TLS\, or authent
 ication based on X509\n   certificates in general\, brings advantages comp
 ared to passwords or\n   tokens\, but you get increased complexity in retu
 rn.\n\n   In this talk\, we’ll deep dive into some novel attacks on mTLS
 \n   authentication. We won’t bother you with heavy crypto stuff\, but\n
    instead we’ll have a look at implementation vulnerabilities and how\n
    developers can make their mTLS systems vulnerable to user\n   impersona
 tion\, privilege escalation and information leakages. We\n   present some 
 CVEs we found in popular open-source identity servers and\n   ways to expl
 oit them. Finally\, we’ll explain how these\n   vulnerabilities can be s
 potted in source code and what safe code\n   looks like.\n\n   REFERENC
 ES:\n\n     1. Wikipedia: Mutual Authentication (mTLS) [3]https://en.wikip
 edia.org/wiki/Mutual_authentication#mTLS\n\n     2. Java: Possible RCEs in
  X.509 certificate validation\n       [CVE-2018-2633][CVE-2017-10116] [4]h
 ttps://mbechler.github.io/2018/01/20/Java-CVE-2018-2633/\n\n   '\n\n   1. 
 #CaesarsForumBR\n   2. https://twitter.com/artsploit\n   3. https://en.wik
 ipedia.org/wiki/Mutual_authentication#mTLS\n   4. https://mbechler.github.
 io/2018/01/20/Java-CVE-2018-2633/\n\n\n
DTEND:20230811T182000Z
DTSTART:20230811T180000Z
LOCATION:DC - Caesars Forum - Forum - 105\,135\,136 - Track 1
SUMMARY:mTLS: when certificate authentication done wrong
END:VEVENT
END:VCALENDAR
