

Section: Dissemination

Popularization

Seminars

  • Graham Steel: invited talks at FCS-FCC 2014 (Vienna)

  • Graham Steel: invited keynote at Grande Region security day (Saarbrucken).

  • Bruno Blanchet: invited talk at the Dagstuhl seminar “The synergy between programming languages and cryptography”.

  • Karthikeyan Bhargavan: invited talk at the IETF TLS Working Group to discuss the Triple Handshake Attack (London)

  • Karthikeyan Bhargavan: invited talk at the Dagstuhl seminar “The synergy between programming languages and cryptography”.

  • Karthikeyan Bhargavan: invited talk at Les Journées Scientifiques Inria in Lille

  • Karthikeyan Bhargavan: invited panelist at Security Standardization Research workshop in Surrey UK

  • Karthikeyan Bhargavan: invited keynote at Santa's Crypto Workshop 2014 (Prague)

  • Antoine Delignat-Lavaud: briefing at BlackHat USA on “The BEAST Wins Again: Why TLS Keeps Failing to Protect HTTP”

  • Catalin Hritcu: invited keynote at Grande Region security day (Saarbrucken).

  • Catalin Hritcu: seminar at Groupe de travail LTP du GDR GPL

  • Catalin Hritcu: seminar at Groupe de travail Théorie des types et réalisabilité

Vulnerability Reports

  • Karthikeyan Bhargavan, Antoine Delignat-Lavaud, and Alfredo Pironti reported the so-called Triple Handshake attacks on TLS implementations, leading to security updates to all major web browsers: Google Chrome (CVE-2013-6628), Mozilla Firefox (CVE-2014-1491), Internet Explorer (CVE-2014-1771), Apple Safari (CVE-2014-1295), as well as to non-browser TLS libraries such as Oracle JSSE (CVE-2014-6457) and RSA BSAFE (CVE-2014-4630). For more details, see http://secure-resumption.com

  • Antoine Delignat-Lavaud reported virtual host confusion attacks on a number of web servers, leading to security updates to the Akamai content delivery network, Dropbox, Bugzilla, as well as the NGINX web server. His results were presented at BlackHat USA and are summarized at http://bh.ht.vc

  • Karthikeyan Bhargavan reported state machine attacks on major TLS libraries, such as OpenSSL (CVE-2014-3572), NSS, JSSE, CyaSSL, and SecureTransport, leading to security updates in all these libraries.