Meeting the InCommon Assurance profile criteria using Active Directory

["Capehart,Jeffrey D" <>]

I saw this on the SANS blog and Newsbites and thought it might be interesting reading since we have been talking about SSL and TLS.  Just in case you were wondering how hard it might be to decrypt your protected channel, this post goes into detail showing how easy it is to do.

-Jeff C.

 

https://isc.sans.edu/diary/Psst.+Your+Browser+Knows+All+Your+Secrets./16415

 

“I got to wondering one day how difficult it would be to find the crypto keys used by my browser and a web server for TLS sessions. I figured it would involve a memory dump, volatility, trial and error and maybe a little bit of luck. So I started looking around and like so many things in life….all you have to do is ask. Really. Just ask your browser to give you the secrets and it will! As icing on the cake, Wireshark will read in those secrets and decrypt the data for you. Here’s a quick rundown of the steps:”

 

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu