AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Wednesday, June 25

11:00 BST

Biting into the Forbidden Fruit. Lessons from Trusting JavaScript Crypto.
We all know JS crypto is flawed, right? Over the years, security community has pointed out its multiple fundamental problems. Several arguments were made and "JavaScript cryptography is bound to fail" became a mantra. Of course, despite all this JS crypto WAS used all over the place. Theory met practice - it was about time to dig into this!

In recent months, we tested various high-profile, in the wild crypto libraries, applications and systems. We saw code from home-grown cryptography to full-blown TLS or OpenPGP implementations. Hilarious bugs were spotted, protections were bypassed and systems were pwned. But was it really that different from what we all had already seen in OpenSSL, BouncyCastle or GnuPGP? Can we actually fix all those bugs? Does it mean that Javascript cryptography can be, pardon us saying, secure like any other?

Come and listen. During the talk vulns will be shown, authorities - questioned, myths - debunked, and browsers cursed upon. You'll see the full picture - from XSS, to man-in-the-middle, to PRNGs and timing side-channels, even snippets in C. No stone will be left unturned, nothing will be taken for granted. You'll be left with an updated, solid and heavily opinionated view of JavaScript cryptography.

avatar for Krzysztof Kotowicz

Krzysztof Kotowicz

Senior Software Engineer, Information Security Engineering team, Google
Krzysztof Kotowicz is a web security researcher specializing in discovery and exploitation of client-side vulnerabilities, and a software engineer in the Information Security Engineering team at Google. Speaker at various security conferences (ACM CCS 2017, Black Hat USA 2017, OWASP... Read More →

Wednesday June 25, 2014 11:00 - 11:50 BST
Filter sessions
Apply filters to sessions.