Although regulations limiting the strength of cryptography that could be exported from the United States were lifted in 1999, and export ciphers were subsequently deprecated in TLS 1.1, Internet-wide scanning showed that support for various forms of export cryptography remained widespread, and that attacks exploiting export-grade cryptography to attack non-export connections affected up to 37% of browser-trusted HTTPS servers in 2015.
In this talk, I'll examine the technical details and historical background for all three export-related vulnerabilities, and provide recent vulnerability measurement data gathered from over a year Internet-wide scans, finding that 2% of browser-trusted IPv4 servers remain vulnerable to FREAK, 1% to Logjam, and 16% to Drown.
We then show several representative cases to concretely explain how real implementations fell into these pitfalls.
Details on the firmware in multiple versions of the Philips Hue smart lamps and bridges are discussed.Kernel exploitation using the browser as an initial vector was a rare sight in previous contests.This presentation will detail the eight winning browser to super user exploitation chains (21 total vulnerabilities) demonstrated at this year's Pwn2Own contest.What we call the Internet, was not our first attempt at making a global data network that spanned the globe. It's increasingly likely that there will be attempts to *change* the principles of the net, and the reality is that widespread hacking is the exact sort of force that brought us this working-ish system in the first place. In this talk, I'll lay out what I see as how the Internet actually works.