Lawrence_elixir
14) ElixirConf EU 2019 - Learn you some 'ssl' for much security! - Bram Verburg
@voltone - Security advocate, BEAM enthusiast
Learn you some ‘ssl’ for much security!
Talk in three words: TLS, security, troubleshooting
Abstract
Erlang/OTP’s built-in ‘ssl’ application forms the basis of many client and server packages. Unfortunately it has quite a few quirks, potentially leading to weak security. This talk highlights the most important client and server settings for ‘ssl’ sockets, how the defaults have evolved across OTP versions, and how popular libraries build on them. Topics include cipher suite selection, server hostname verification, known certificate issues (wildcard SAN, cross-signed CA), revocation checks, ECDSA servers, and more.
Objectives
Learn to apply secure TLS configurations to clients and servers, either directly with the OTP ‘ssl’ application or through the many libraries that rely on it: Ranch, Cowboy, Plug, Phoenix, httpc, Hackney, HTTPoison, etc.
Audience
Anyone building applications that include TLS client or server functionality, directly or through packages, which means just about anyone developing on the BEAM. The speaker Bram is an architect and security advocate with more than 20 years experience delivering complex software platforms to tier-1 telcos around the world, meeting their stringent security and reliability requirements. He has been using Erlang, and later Elixir, since 2010. As a security advocate, he has taken an interest in the security aspects of the Erlang/OTP ecosystem. This focus he has also continued as a blogger, trainer, speaker, and open source contributor. His latest project is the X509 package, available on Hex.
All will be added to the ElixirConf EU 2019 Talks List or via the #elixirConfEU2019 tag.
Most Liked
voltone
Agreed. And I’d love to get the OTP team to adopt verify: :verify_peer as the default for TLS client connections. That way, if the user did not pass in a CA trust store, connections fail with {:error, {:options, {:cacertfile, []}}}. At that point the user is forced to decide: bring in a trust store, or explicitly opt out of verification by passing verify: :verify_none.
Still, I also think application developers have a responsibility to test the end-product, the same way you would include tests to verify user authentication, even if it is mostly handled by a 3rd party package. We all need to talk about this, improve the defaults, improve the documentation, and improve the testing. It all starts with awareness, which was the main goal of the talk.
chulkilee
- Author blog: https://blog.voltone.net/
- Slide deck: Learn you some `:ssl` for much security - Speaker Deck
Popular in Talks
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









