Big breaches make for interesting headlines, but in real life it's the small stuff that's breaking SSL for most web sites. This talk is the culmination of two years of work across three separate SSL Labs surveys, analysing virtually all SSL sites in the world. Using the hard data as a backdrop, we present the top challenges for the SSL ecosystem and give hints to how they should be approached. We pay special attention to the less-often mentioned issues, such as insecure session cookies, mixed content, incorrect site configuration, and distribution of trust to third-party web sites.
Ivan Ristic is a respected security expert and author, known especially for his contribution to the web application firewall field and the development of ModSecurity, an open source web application firewall. He is also the author of Apache Security, a comprehensive security guide for the Apache web server, and ModSecurity Handbook. He founded SSL Labs, a research effort focused on the analysis of the real-life usage of SSL and the related technologies. A frequent speaker at computer security conferences, Ivan is a member of the Open Web Application Security Project (OWASP), and an officer of the Web Application Security Consortium (WASC).