Krzysztof Kotowicz - Biting into the Forbidden Fruit. Lessons from Trusting JavaScript Crypto. [F0sBuJkPsey]

Duration: 1h 28m 28s

From AppSecEU 2014 in Cambridge

We all know JS crypto is flawed, right? Over the years, the security community has pointed out its multiple fundamental problems. Several arguments were made and "JavaScript cryptography is bound to fail" became a mantra. Of course, despite all this, JS crypto WAS used all over the place. Theory met practice - it was about time to dig into this!

In recent months, we tested various high-profile, in-the-wild crypto libraries, applications and systems. We saw code from home-grown cryptography to full-blown TLS or OpenPGP implementations. Hilarious bugs were spotted, protections were bypassed and systems were pwned. But was it really that different from what we all had already seen in OpenSSL, BouncyCastle or GnuPG? Can we actually fix all those bugs? Does it mean that JavaScript cryptography can be, pardon us saying, secure like any other?

Come and listen. During the talk vulns will be shown, authorities - questioned, myths - debunked, and browsers cursed upon. You'll see the full picture - from XSS, to man-in-the-middle, to PRNGs and timing side-channels, even snippets in C. No stone will be left unturned, nothing will be taken for granted. You'll be left with an updated, solid and heavily opinionated view of JavaScript cryptography.

Speakers

Krzysztof Kotowicz

Web security researcher specialized in JavaScript and HTML5 security. Author of multiple open-source pentesting tools, and recognized HTML5/UI redressing attack vectors. Speaker at international IT security conferences & meetings (Black Hat, BruCON, Hack In Paris, CONFidence, SecurityByte, HackPra, OWASP AppSec, Insomni'Hack). Recently joined Google as Information Security Engineer.

Managed by the official OWASP Media Project

Aired: December 15, 2024
