Introduction to SSL and How to Exploit & Secure

4,023 views
3,776 views

Published on

Adapted from Ivan Ristic. Part 1. Originally for OWASP MY

Published in: Technology, Education
2 Comments
9 Likes
Statistics
Notes
No Downloads
Views
Total views
4,023
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
2
Likes
9
Embeds 0
No embeds

No notes for slide

Introduction to SSL and How to Exploit & Secure

  1. 1. SSL/TLS Introduction and How to exploit<br />By BRIAN RITCHIE<br />Twitter : twitter.com/brianritchie<br />Facebook : facebook.com/brianritchie<br />
  2. 2. Who Am I ?<br />Co worked on the Enterprise Architecture for some of the largest regional as well as international companies<br />Rolled out the first official OSS Centre of Excellence strategy and implementation for a local Financial Institution<br />Experience with large scale Project Management for core systems<br />Designed and Implemented Research and Incubation Services for large scale corporations<br />All rounded Geek<br />
  3. 3. What is SSL ?<br />An introduction<br />
  4. 4. Some History<br />Originally proposed by Netscape in the 90 s<br />Evolved from SSL 1.0, 2.0, 3.0 and now to the Transport Layer Security or TLS<br />Developed with the intention of providing security for communications over networks<br />Is used heavily today for ecommerce, and other web applications/services which require a higher level of security <br />
  5. 5. What is SSL ?<br />Intermediate layer between the Transport layer and the Application layer<br />Has 2 main functions :<br />Establish a secure connection between peers<br />Secure is defined as = Authentic and Confidential<br />Use the secure connection to transmit higher layer protocol data from sender to recipient<br />
  6. 6. Let’s delve in a little deeper here<br />
  7. 7. How does SSL transmit data ?<br />Sender<br />Breaks data down into manageable pieces called fragments<br />Each fragment is compressed, authenticated with a MAC, encrypted, prepended with a header and transmitted<br />Recipient<br />NOTE :: These fragments are what we call <br />SSL records<br />The fragments are decrypted, verified through MACs, decompressed and reassembled.<br />
  8. 8. Just a little bit more theory and we’ll go to some cooler stuff<br />
  9. 9. Graphical View of SSL<br />Application Layer<br />SSL Handshake Protocol<br />SSL Change Cipher Spec Protocol<br />SSL Alert Protocol<br />Application Data Protocol<br />Application Layer<br />SSL Record Protocol<br />Transport Layer<br />Network Layer<br />Network Access Layer<br />TCP<br />UDP<br />IP<br />
  10. 10. What are these protocols ?<br />SSL Handshake Protocol – Core protocol. Allows peers to authenticate between themselves and negotiate a suitable cipher suite and compression method for both parties<br />SSL Change Cipher Spec Protocol – Allows peers to change ciphering strategy and the cryptography protection used<br />SSL Alert Protocol – Allows peers to signal for potential problem symptoms and exchange alert messages<br />SSL Application Data Protocol – Workhorse. Takes the higher level data and feeds it to the SSL Record protocol for cryptographic protection and secure transmission<br />
  11. 11. What’s good about SSL ?<br />
  12. 12. Plus points<br />Very widely used<br />Well designed<br />Pretty much secures the Internet<br />Secure out of the box<br />
  13. 13. Now to the cool OWASP part<br />
  14. 14. What’s the Minus points ?<br />No one pays attention to it<br />This means if you can break it, you’re the boss.<br />Can be compromised through HTTP<br />
  15. 15. Tools and Attack Principles<br />Sslsniff and sslstrip make attacking it easy as pie<br />Principle of attack :<br />MITM – The usual suspect<br />App and configuration issues<br />Fake certificates<br />Bad implementation<br />
  16. 16. SSL Threat Models<br />Lets look at a small part today<br />
  17. 17. Endpoint Issues<br />Endpoints<br />Bad Server Side Configuration<br />SSL not enforced<br />Bad certificate configuration<br />Private Key not protected<br />Use weak protocols<br />Unpatched libraries<br />Mixed (SSL&Non-SSL) configurations<br />And many many more…<br />
  18. 18. Lets take a deeper dive and look at some examples<br />
  19. 19. Inconsistent DNS config<br />http://www.example.com and http://example.com point to different webservers<br />Microsoft<br />
  20. 20. Another example<br />A good example : OWASP<br />
  21. 21. Different Sites on port 80 and 443<br />Both http://www.example.com and https://www.example.com must be the same website<br />A lot of major companies fail to verify this<br />
  22. 22. Self Signed SSL Certs<br />Two words : DON’T BOTHER<br />This causes more issues than it solves.<br />It is significantly harder for you to maintain a secure, well configured SSL cert<br />It is much easier and more secure to buy one from a legitimate provider<br />
  23. 23. Badly Configured SSL Servers<br />Out of the box SSL is pretty secure iff (– if and only if) the configuration fits your deployment.<br />More often than not, you will need to tweak the settings to fit your deployment.<br />Updating patches is also equally crucial<br />
  24. 24. Incomplete certificates<br />A certificate has to encompass both http://example.com and http://www.example.com<br />They have to be the same site<br />They must also be the same for the https://<br />Your certificate must ensure that it is all-encompassing<br />
  25. 25. Mixing SSL and Plain text<br />Tricky to implement<br />Active user sessions can be compromised<br />Sslstrip can perform MITM attacks and convert HTTPS to HTTP<br />
  26. 26. There’s a few more but I’ll leave it there for now.<br />
  27. 27. If you have any questions, contact me through the above<br />Twitter : twitter.com/brianritchie<br />Facebook : facebook.com/brianritchie<br />OWASP MY Mailing List<br />

×