Lawrence_elixir

Lawrence_elixir

14) ElixirConf EU 2019 - Learn you some 'ssl' for much security! - Bram Verburg

@voltone - Security advocate, BEAM enthusiast

Learn you some ‘ssl’ for much security!

Talk in three words: TLS, security, troubleshooting

Abstract
Erlang/OTP’s built-in ‘ssl’ application forms the basis of many client and server packages. Unfortunately it has quite a few quirks, potentially leading to weak security. This talk highlights the most important client and server settings for ‘ssl’ sockets, how the defaults have evolved across OTP versions, and how popular libraries build on them. Topics include cipher suite selection, server hostname verification, known certificate issues (wildcard SAN, cross-signed CA), revocation checks, ECDSA servers, and more.

Objectives
Learn to apply secure TLS configurations to clients and servers, either directly with the OTP ‘ssl’ application or through the many libraries that rely on it: Ranch, Cowboy, Plug, Phoenix, httpc, Hackney, HTTPoison, etc.

Audience
Anyone building applications that include TLS client or server functionality, directly or through packages, which means just about anyone developing on the BEAM. The speaker Bram is an architect and security advocate with more than 20 years experience delivering complex software platforms to tier-1 telcos around the world, meeting their stringent security and reliability requirements. He has been using Erlang, and later Elixir, since 2010. As a security advocate, he has taken an interest in the security aspects of the Erlang/OTP ecosystem. This focus he has also continued as a blogger, trainer, speaker, and open source contributor. His latest project is the X509 package, available on Hex.

All will be added to the ElixirConf EU 2019 Talks List or via the #elixirConfEU2019 tag.

Most Liked

voltone

voltone

Agreed. And I’d love to get the OTP team to adopt verify: :verify_peer as the default for TLS client connections. That way, if the user did not pass in a CA trust store, connections fail with {:error, {:options, {:cacertfile, []}}}. At that point the user is forced to decide: bring in a trust store, or explicitly opt out of verification by passing verify: :verify_none.

Still, I also think application developers have a responsibility to test the end-product, the same way you would include tests to verify user authentication, even if it is mostly handled by a 3rd party package. We all need to talk about this, improve the defaults, improve the documentation, and improve the testing. It all starts with awareness, which was the main goal of the talk.

Where Next?

Popular in Talks Top

axelson
ElixirConf US 2018 – Architecting Flow in Elixir - From Leveraging Pipes to Designing Token APIs – René Föhring (@rrrene) ...
New
axelson
by @SophieDeBenedetto LiveView’s reliance on server-rendered HTML and leveraging of bi-directional communication over WebSockets means ...
New
axelson
ElixirConf US 2018 Opening Keynote - The Next Five Years – José Valim (@josevalim) All talks thread:
New
LostKobrakai
After having watched the talk I'm wondering if this would also be a good opportunity to gather examples / tips about how to prevent or mi...
New
axelson
ElixirConf 2017 - Building Realtime Mobile Apps with React Native and Elixir - Osayame Gaius Obaseki Buildin...
New
New
axelson
ElixirConf 2017 - Closing Keynote - @chrismccord All talks are available in the Elixir Conf 2017 Talks List...
New
CodeSync
Code Sync: Keynote: The Road To LiveView 1.0 by Chris McCord | ElixirConf EU 2023 Comments welcome! View the #code-sync and #elixirconf-...
New
TwistingTwists
I am in middle of watching this. I have to stop every minute and think over what Chris just said. The amount of info he sends over that ...
New
axelson
by @jola Can you write a performant string processing scripts in Elixir? This talk attempts to answer that question while incrementally...
New

Other popular topics Top

JDanielMartinez
Hi! May someone helps me, please! I have two apps into an umbrella project: the first one is Database, which manages queries, and the se...
New
Tee
can someone please explain to me how Enum.reduce works with maps
New
_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
mgjohns61585
Could someone help me? I'm making my first elixir program, number guessing game. I can't figure out how to convert the user's guess from ...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? https://hexdocs.pm/ecto/Ecto.Repo.h...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers' Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New

We're in Beta

About us Mission Statement