Conference:  Defcon 31
Authors: Bill Demirkapi (Microsoft Security Response Center)
2023-08-01

Digital signatures are fundamental for verifying the authenticity and integrity of untrusted data in the digital world. They ensure that software, firmware, and other digital content have not been tampered with in transit or at rest. Code signing certificates are significantly harder to obtain than alternatives such as SSL/TLS or S/MIME certificates: the latter have a single criterion, proof of control over a domain (or, for S/MIME, an email address), while the former require significant validation of the publisher itself. This project uncovered a systemic vulnerability present in numerous signature validation implementations that lets attackers use valid certificates in an unintended way. Vulnerable implementations mistakenly accept files signed with certificates that were never issued for code signing as legitimate, violating their respective specifications and allowing threat actors to sign untrusted code at little to no cost. In this talk, we explore the problem at every level, from the fundamental theory to its application across multiple formats and real-world situations.
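The decision a validator gets wrong here is separable from chain building: after the chain is trusted, it must still ask whether the leaf certificate is permitted to sign code. In X.509 that permission is carried by the Extended Key Usage extension (OID 2.5.29.37, a DER SEQUENCE OF OBJECT IDENTIFIER, RFC 5280 section 4.2.1.12). The following is an added example, not code from the talk or from any real validator: it decodes a constructed EKU extension and contrasts the vulnerable "trusted chain means valid signer" check with one that also requires the code-signing purpose. The sample "certificates" are plain dicts whose `chain_trusted` flag stands in for a completed path validation, the DER bytes are hand-built, and the policy choices (rejecting a missing EKU, not honouring anyExtendedKeyUsage unless asked) are this example's, not any product's.

```python
# Added example: EKU parsing and the purpose check a code-signature validator
# must make. Nothing here is the talk's code; sample data is constructed.

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"      # id-kp-codeSigning
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form (X.690 8.19)."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, acc = [], 0
    for b in content:                       # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]                       # first two arcs are packed as 40*a1 + a2
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def parse_eku(ext_value):
    """Parse ExtKeyUsageSyntax (SEQUENCE SIZE (1..MAX) OF KeyPurposeId) into dotted OIDs."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU extension must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    if not oids:
        raise ValueError("EKU SEQUENCE must not be empty")
    return oids


# Constructed EKU extension values. 0x30 = SEQUENCE, 0x06 = OID,
# 2b 06 01 05 05 07 03 xx encodes 1.3.6.1.5.5.7.3.xx, 55 1d 25 00 encodes 2.5.29.37.0.
EKU_TLS = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_SMIME = bytes.fromhex("300a" "06082b06010505070304")
EKU_CODESIGN = bytes.fromhex("300a" "06082b06010505070303")
EKU_ANY = bytes.fromhex("3006" "0604551d2500")

# Constructed sample certificates: chain_trusted stands in for a completed
# path validation, so the only thing that varies is what the certificate is for.
SAMPLE_CERTS = {
    "tls-server":   {"chain_trusted": True,  "eku": EKU_TLS},
    "smime":        {"chain_trusted": True,  "eku": EKU_SMIME},
    "code-signing": {"chain_trusted": True,  "eku": EKU_CODESIGN},
    "any-eku":      {"chain_trusted": True,  "eku": EKU_ANY},
    "no-eku":       {"chain_trusted": True,  "eku": None},
    "untrusted":    {"chain_trusted": False, "eku": EKU_CODESIGN},
}


def naive_accepts_code(cert):
    """The vulnerable pattern: any trusted chain is taken to mean 'valid code signer'."""
    return cert["chain_trusted"]


def strict_accepts_code(cert, honour_any_eku=False):
    """Hardened: the chain must be trusted AND the leaf must be allowed to sign code.
    Example policy: no EKU is rejected (RFC 5280 leaves it unrestricted, but
    code-signing policies generally demand an explicit purpose) and
    anyExtendedKeyUsage is only honoured when the caller opts in."""
    if not cert["chain_trusted"] or cert["eku"] is None:
        return False
    try:
        purposes = parse_eku(cert["eku"])
    except ValueError:
        return False                        # malformed extension: fail closed
    return CODE_SIGNING in purposes or (honour_any_eku and ANY_EKU in purposes)


def compare(certs=SAMPLE_CERTS):
    """Return {name: (naive verdict, strict verdict)} for every sample certificate."""
    return {n: (naive_accepts_code(c), strict_accepts_code(c)) for n, c in certs.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:13} naive={naive!s:5} strict={strict}")
```

Running it shows the gap the abstract describes: the naive check accepts the TLS and S/MIME certificates as code signers, the strict one accepts only the certificate issued for code signing. In a real validator the purpose is evaluated on the path as built rather than on a flag, and platform policy decides whether CA certificates in the path must also carry the purpose, but the decision point is the same.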
Authors: Kodie Glosser, Tyler Lisowski
2023-04-21

tldr - powered by Generative AI

The presentation walks through introducing a new cluster CA in a Kubernetes environment and updating server-side components and certificates without downtime, keeping existing mTLS connections valid throughout.
  • A new cluster CA is introduced for security and compliance purposes
  • The rollout is a well-defined multi-step process that updates server-side components and certificates in order
  • The new CA certificate is cross-signed by the old CA, so peers that still trust only the old CA can build a chain to certificates issued from the new CA
  • The new CA is rolled out across all server-side components
  • Client and server certificates are reissued from the new CA
  • Servers include the new CA certificate cross-signed by the old CA in the chain they present, so existing mTLS connections from peers that have not yet picked up the new CA continue to validate
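The whole procedure above hinges on one property: a peer that trusts only the old CA, a peer that trusts only the new CA, and a peer that trusts both must all be able to validate the same presented chain. The following is an added example, not code from the talk or from any Kubernetes component: a small certificate-path builder over constructed certificates that exercises each phase of the rotation. Certificates are modelled as (subject, issuer, subject key id, authority key id); the signature check is simulated by requiring the issuer's subject name and key id to match, so no real keys or signatures are involved. The CA and component names, and the key ids, are made up for the example.

```python
# Added example: path building across an old CA, a new CA, and the cross-signed
# new CA. Not Kubernetes code; all certificates below are constructed.
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: str   # id of the key this certificate certifies
    akid: str   # id of the key that signed it (stands in for the signature)


def kid(pubkey_label):
    """Key identifier, assumed here to be a hash of the public key (constructed)."""
    return hashlib.sha256(pubkey_label.encode()).hexdigest()[:16]


K_OLD, K_NEW, K_API = kid("old-ca-key"), kid("new-ca-key"), kid("apiserver-key")

OLD_CA = Cert("old-cluster-ca", "old-cluster-ca", K_OLD, K_OLD)   # self-signed root
NEW_CA = Cert("new-cluster-ca", "new-cluster-ca", K_NEW, K_NEW)   # self-signed root
# Cross-signed certificate: the NEW CA's subject and key, certified by the OLD CA.
NEW_CA_CROSS = Cert("new-cluster-ca", "old-cluster-ca", K_NEW, K_OLD)
LEAF_OLD = Cert("kube-apiserver", "old-cluster-ca", K_API, K_OLD)  # issued before rotation
LEAF_NEW = Cert("kube-apiserver", "new-cluster-ca", K_API, K_NEW)  # reissued from the new CA


def _issued(child, parent):
    """Simulated signature check: parent is the named issuer and holds the signing key."""
    return parent.subject == child.issuer and parent.skid == child.akid


def build_path(leaf, presented, anchors):
    """Return [leaf, ..., trust anchor] or None. Anchors are tried before the
    presented intermediates at each step, so a directly trusted issuer wins and
    the cross-signed certificate is only used when it is actually needed."""
    def extend(path, unused):
        cur = path[-1]
        for a in anchors:
            if _issued(cur, a):
                return path + [a]
        for c in unused:
            if _issued(cur, c):
                found = extend(path + [c], unused - {c})
                if found:
                    return found
        return None
    return extend([leaf], frozenset(presented))


def rotation_demo():
    """Map each phase to the path length a client obtains, or None on failure."""
    cases = {
        # before rotation: everything on the old CA
        "old-client, old-leaf":         ({OLD_CA}, LEAF_OLD, []),
        # clients trust both CAs while servers are not yet reissued
        "both-client, old-leaf":        ({OLD_CA, NEW_CA}, LEAF_OLD, []),
        # servers reissued from the new CA and presenting the cross-signed cert
        "old-client, new-leaf + cross": ({OLD_CA}, LEAF_NEW, [NEW_CA_CROSS]),
        "new-client, new-leaf + cross": ({NEW_CA}, LEAF_NEW, [NEW_CA_CROSS]),
        # the outage case: reissued leaf, cross cert omitted, client still on old CA
        "old-client, new-leaf alone":   ({OLD_CA}, LEAF_NEW, []),
        # after the old CA is dropped, any leftover old-CA leaf stops working
        "new-client, old-leaf":         ({NEW_CA}, LEAF_OLD, [NEW_CA_CROSS]),
    }
    out = {}
    for name, (anchors, leaf, chain) in cases.items():
        path = build_path(leaf, chain, anchors)
        out[name] = len(path) if path else None
    return out


if __name__ == "__main__":
    for name, length in rotation_demo().items():
        print(f"{name:30} {'OK, path length ' + str(length) if length else 'FAILS'}")
```

Two things the model makes visible. The cross-signed certificate must carry exactly the new root's subject and key, otherwise old-CA clients cannot link the reissued leaf to it; and the ordering of the cutover matters: the new CA goes into every trust store before leaves are reissued, reissued servers keep presenting the cross-signed certificate until every client trusts the new CA, and only then is the old CA removed from trust stores and the cross-signed certificate dropped from the chain.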