Lawrence_elixir

Lawrence_elixir

14) ElixirConf EU 2019 - Learn you some 'ssl' for much security! - Bram Verburg

@voltone - Security advocate, BEAM enthusiast

Learn you some ‘ssl’ for much security!

Talk in three words: TLS, security, troubleshooting

Abstract
Erlang/OTP’s built-in ‘ssl’ application forms the basis of many client and server packages. Unfortunately it has quite a few quirks, potentially leading to weak security. This talk highlights the most important client and server settings for ‘ssl’ sockets, how the defaults have evolved across OTP versions, and how popular libraries build on them. Topics include cipher suite selection, server hostname verification, known certificate issues (wildcard SAN, cross-signed CA), revocation checks, ECDSA servers, and more.

Objectives
Learn to apply secure TLS configurations to clients and servers, either directly with the OTP ‘ssl’ application or through the many libraries that rely on it: Ranch, Cowboy, Plug, Phoenix, httpc, Hackney, HTTPoison, etc.

Audience
Anyone building applications that include TLS client or server functionality, directly or through packages, which means just about anyone developing on the BEAM. The speaker Bram is an architect and security advocate with more than 20 years experience delivering complex software platforms to tier-1 telcos around the world, meeting their stringent security and reliability requirements. He has been using Erlang, and later Elixir, since 2010. As a security advocate, he has taken an interest in the security aspects of the Erlang/OTP ecosystem. This focus he has also continued as a blogger, trainer, speaker, and open source contributor. His latest project is the X509 package, available on Hex.

All will be added to the ElixirConf EU 2019 Talks List or via the #elixirConfEU2019 tag.

Most Liked

voltone

voltone

Agreed. And I’d love to get the OTP team to adopt verify: :verify_peer as the default for TLS client connections. That way, if the user did not pass in a CA trust store, connections fail with {:error, {:options, {:cacertfile, []}}}. At that point the user is forced to decide: bring in a trust store, or explicitly opt out of verification by passing verify: :verify_none.

Still, I also think application developers have a responsibility to test the end-product, the same way you would include tests to verify user authentication, even if it is mostly handled by a 3rd party package. We all need to talk about this, improve the defaults, improve the documentation, and improve the testing. It all starts with awareness, which was the main goal of the talk.

Where Next?

Popular in Talks Top

axelson
ElixirConf US 2018 – You Can Never Debug the Code You Run, But You Can View the Code the Debugger is Running – Luke Imhoff (@KronicDeth) ...
New
CodeSync
Code Sync: Keynote: Gang of None? Design Patterns in Elixir - José Valim | ElixirConf EU 2024 Comments welcome! View the <span class="ha...
New
axelson
ElixirConf 2017 - The Power of Zero - Andrew Forward Automation is hard, but the benefits can be phenomenal....
New
axelson
Almost done with posting the Elixir Conf talks! ElixirConf 2017 - Realtime Vehicle Tracking with Elixir and Phoenix - @st23am ...
New
axelson
ElixirConf 2017 - Live APIs with GraphQL Subscriptions - @bruce and @benwilson512 APIs have gone live with G...
New
axelson
ElixirConf 2017 - Well Behaved Native Implemented Functions for Elixir - @potatosalad Native Implemented Fun...
New
AstonJ
Just starting to go up - did you attend? Have any faves? Here are the keynotes:
New
ElixirConf
ElixirConf: ElixirConf 2022 - Brian Cardarella - What is LiveView Native? Comments welcome! View the <span class="hashtag-icon-placehold...
New
axelson
ElixirConf 2017 - Building an Open Source, Real Time Forum with Phoenix and Elm - @knewter There’s a lot of ...
New
AstonJ
Keywords: LiveView autocomplete, LiveView search, focus Startups and web developers take note. Phoenix LiveView is the revolutionary fr...
New

Other popular topics Top

AstonJ
Posting this to see if we can make things easier for people to get into Neovim. If you use Neovim and have a favourite distro please let ...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 31013 112
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36352 110
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement