
@LeeBrotherston
LeeBrotherston / gist:80de22f7b44678f729bc
Last active August 29, 2015 14:25
Stealthier Attacks and Smarter Defending With TLS Fingerprinting
Ever been busted because you man-in-the-middled software (which does TLS properly) and it alerted someone to your bad
certificate? No more! Want to detect certain types of connections leaving your network, but can't keep the IP blacklist up
to date? This could be the answer.
This talk includes an introduction to both TLS and man-in-the-middle attacks, a walkthrough of what TLS fingerprints
contain, how to create your own fingerprints, how we use the fingerprints in several scenarios, a demo, and a discussion of
implications and pitfalls.
TLS provides transport security to all manner of connections from legitimate financial transactions to private
conversations and malware calling home. The inability to analyse encrypted traffic protects its users, whether they are
@LeeBrotherston
LeeBrotherston / interception_snort_rule_0
Last active August 29, 2015 14:12
Snort Rule - Suspected TCP Injection
A window size of 1 and the absence of the do-not-fragment bit is consistent with observed injected packets from the Perftech bulletin system, amongst others.
It does not, of course, guarantee that injection has taken place, as it is possible to generate this type of packet legitimately; however, I have yet to experience a false positive with this.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
URLs:
-----
SlideShare (SecTor & BSidesTO & TASK versions): http://www.slideshare.net/LeeBrotherston/
Recording of talk (SecTor): http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Contact:
--------
Twitter: @synackpse
email: lee@squarelemon.com

Keybase proof

I hereby claim:

  • I am leebrotherston on github.
  • I am lee (https://keybase.io/lee) on keybase.
  • I have a public key whose fingerprint is C110 4776 8997 2E64 A7B5 793E D04D 4922 FBAE 8F3B

To claim this, I am signing this object: