<p>The recently described TLS Authentication Gap represents one of the most complex security disclosure processes in recent years. Because the flaw had been present since the early days of SSL, a great many products were affected. As a bug in a protocol (rather than a flawed implementation), there was no easy way to roll out a quick fix. Furthermore, because the protocol is generally implemented in a library, a long dependency chain of software and hardware had developed over the years, with interesting interactions between open-source libraries and downstream commercial software. In some cases, open-source products were in direct market competition with commercial counterparts that depended on them. Interoperability of the proposed solution was a major concern.</p> <p>To address these and other issues, the authors undertook one of the most ambitious private disclosures on record, including representatives from the largest commercial software vendors, the largest open-source projects, the IETF, and others in secret. The working group arrived at a solution and was on the path toward implementation when the flaw was independently discovered and...</p>
<p>In this talk, the authors will discuss the discovery of the flaw, provide a technical overview and demonstrations, and then walk through the rationale and lessons learned in coordinating this disclosure. </p>
<p>Marsh Ray is a Software Development Engineer at PhoneFactor, Inc., a maker of two-factor authentication software, where he is responsible for security software development. </p>
<p>Steve Dispensa is the CTO and co-founder of PhoneFactor.</p>