Your SlideShare is downloading. ×
SSL Screw Ups
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

SSL Screw Ups

2,457
views

Published on

SSL Screw Ups talk given by Michael Coates at Chicago\'s 2010 Thotcon security conference.

SSL Screw Ups talk given by Michael Coates at Chicago\'s 2010 Thotcon security conference.


0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,457
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Michael Coates mcoates@mozilla.com michael-coates.blogspot.com
  • 2. Who am I?   Web Security Engineer @ Mozilla   Contributor OWASP 2010 Top 10   Author OWASP TLS Cheat Sheet   Creator & Leader OWASP AppSensor   Security Blogger http://michael-coates.blogspot.com 2
  • 3. SSL: Super Shiny Locks 3
  • 4. Padlock != Secure 4
  • 5. SSL Growth   > 1 Million SSL Certificates 5
  • 6. The Good   Confidentiality   Integrity   Replay Protection   End Point Authentication 6
  • 7. Problem: Usability 7
  • 8. Problem: User Expectations   How did you get to the site?   Is HTTPS in the URL?   Are those 0’s or O’s?   Did you get any browser warning messages?   Did you click “ok” or “accept” to any popup boxes? 8
  • 9. Scenario: Insecure Landing Page http://mybank.com   <form  method="POST"  action="https://mybank.com/login"  >      Username:  <input  type="text"  name="user">  <br>      Password:  <input  type="password"  name="pass">  <br>   </form>   9
  • 10. Exploiting Insecure Landing Page mybank.com HTTP  REQUEST   GET  http://mybank.com   HTTP  Response   …   http://mybank.com   <form  method="POST"   action="https://mybank.com/ action="http://mybank.com/ login"  >   Steven …   Steven ******* ******* POST  http://mybank.com   user:Steven&pass:JOSHUA   10
  • 11. Problem: Insecure Redirects http://mybank.com   https://mybank.com   11
  • 12. Insecure Redirects – Behind The Scenes mybank.com Get  http://mybank.com   302  Redirect   Location:  https://mybank.com   Get  https://mybank.com   SSL   200  Found   12
  • 13. Exploiting Insecure Redirects mybank.com Get  http://mybank.com   302  Redirect   Location:   http://mybank.com   https://phishmybank.com   http://malware.com   13
  • 14. Insecure Redirects via Google   “Bank of America”   http://www.bankofamerica.com/   “Chase”   http://www.chase.com/   “Wachovia”   http://www.wachovia.com   Cookie set on HTTP response too!   “Wells Fargo”   http://www.wellsfargo.com/ 14
  • 15. Scenario: Insecure Content mybank.com SSL   Request   Response   Request   Response   scripts.com Request   Response   15
  • 16. Exploiting Insecure Content mybank.com SSL   Request   Response   Request   Response   scripts.com Request   Response   <script>BADNESS </script>   16
  • 17. Scenario: HTTP after Login mybank.com SSL   Request   Response   Set  SessionID:  5593…   scripts.com Welcome!   Request   Response   Request   Update   Response   Profile   17
  • 18. Exploiting HTTP after Login mybank.com SSL   Request   Response   Set  SessionID:  5593…   scripts.com Request   Welcome!   SessionID:  5593…   Response   Request   Update   SessionID:  5593…   Response   Profile   18
  • 19. Problem: Cookie Forcing 19
  • 20. Problem URL Leakage Transition   Expectation   Result   SiteA.com  to  SiteB.com   HTTP-­‐>HTTP   Referrer  Leaked   Referrer  Leaked   HTTP-­‐>HTTPS   Referrer  Leaked   Referrer  Leaked   HTTPS-­‐>HTTP   Referrer  Secure   Referrer  Secure   HTTPS-­‐>HTTPS   Referrer  Secure   Referrer  Leaked   20
  • 21. Exploiting URL Leakage https://secure.com?sessionID=55769…   Viewing  Charlie’s  Profile   Favorite  Movie:  Sneakers     Favorite  Food:  spam   Personal  Blog:  Click  Here   <a  href=“https://charlieblog.com”>Click  Here</a>   21
  • 22. Exploiting URL Leakage secure.com SSL   Request   Response   Viewing  Charlie’s  Profile   Favorite  Movie:  Sneakers     charlieblog.com Favorite  Food:  spam   Personal  Blog:  Click  Here   SSL   Request   GET  charlieblog.com  HTTP/1.0   Referrer:  https://secure.com?sessionID=55769…   22
  • 23. Problem: False Internal Trust Internal  Network   SSL   mybank.com SSN,  Credit  Card,   Pin,  PII…   23
  • 24. Problem: Not all SSL is equal FIPS Approved Ciphers   View Ciphers by ADH-AES256-SHA DHE-RSA-AES256-SHA Strength DHE-DSS-AES256-SHA AES256-SHA ADH-AES128-SHA openssl ciphers <strength> -v DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA   Test Server: AES128-SHA ADH-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA openssl s_client -connect site.com:443 - EDH-DSS-DES-CBC3-SHA cipher <strength> DES-CBC3-SHA   Test Client: LOW Strength Ciphers ADH-DES-CBC-SHA openssl s_server -www -cert cacert.pem - EDH-RSA-DES-CBC-SHA key cakey.pem EDH-DSS-DES-CBC-SHA DES-CBC-SHA DES-CBC-MD5 <strength>=NULL|LOW|MEDIUM|HIGH|FIPS 24
  • 25. More Problems   MD5 Collision Rogue CA Creation   Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger   http://www.win.tue.nl/hashclash/rogue-ca/   SSLstrip   Null Prefix Attacks Against SSL/TLS Certificates   Moxie Marlinspike   http://www.thoughtcrime.org/software/sslstrip/   http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf 25
  • 26. MD5 Collision   Attacker requests legitimate cert from CA   Exploits MD5 Collision to create legitimate CA   Issues legit certs from authorized CA 26
  • 27. MD5 Collision Rogue CA Root  CA   Root  CA   CA   CA   CA   CA   SSL  Cert   amazon.com   27
  • 28. MD5 Collision Rogue CA Root  CA   Root  CA   CA   SSL  Cert   MD5 Collision CA   CA   Attacker   CA   CA   SSL  Cert   amazon.com   28
  • 29. Null Prefix Attack CA Verifies Root Domain Ownership www.foo.com www.blah.foo.com nonexistent.a.b.c.foo.com foo.com amazon.com0.foo.com Browser SSL Verification   Microsoft CryptoAPI - 0 is eos amazon.com == amazon.com0.foo.com 29
  • 30. SSLstrip   MitM SSL Connections   ARP Spoofing   IP Tables   Auto Strip SSL -> HTTPS to HTTP   Execute Null Prefix Attack   Block Certificate Revocation Messages   OCSP Attacks 30
  • 31. Is There Hope?   Average User == Not Technical   Most Deployments Vulnerable   Specialized Attack Tools Available 31
  • 32. Doing It Right… The  Application      SSL  only        No  HTTP  -­‐>  HTTPS  redirects  :  HTTP  shows   “User  Education”  message      No  SSL  errors  or  warnings   The  User      Bookmark  the  HTTPS  page      Stop  if  any  SSL  warnings/errors  presented   The  Browser      Set  realistic  user  expectations      Support  STS/ForceTLS   32
  • 33. Solution: Strict Transport Security   Server Side Option   Header tells browser to only send HTTPS requests for site   Blocks Connection w/any Errors HTTP/1.1  200  OK   Server:  Apache   Cache-­‐Control:  private   Strict-­‐Transport-­‐Security  :  max-­‐age=500;  includesubdomains   33
  • 34. Resources – TLS Cheat Sheet Rule  -­‐  Use  TLS  for  All  Login  Pages  and  All  Authenticated  Pages   Rule  -­‐  Use  TLS  on  Any  Networks  (External  and  Internal)   Transmitting  Sensitive  Data   Rule  -­‐  Do  Not  Provide  Non-­‐TLS  Pages  for  Secure  Content   Rule  -­‐  Do  Not  Perform  Redirects  from  Non-­‐TLS  Page  to  TLS  Login   Page   Rule  -­‐  Do  Not  Mix  TLS  and  Non-­‐TLS  Content   Rule  -­‐  Use  "Secure"  Cookie  Flag   Rule  -­‐  Keep  Sensitive  Data  Out  of  the  URL   http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet   34
  • 35. Resources - ssllabs.com (Ivan Ristic) 35
  • 36. Resources – sslfail.com (Tyler Reguly, Marcin Wielgoszewski) 36
  • 37. Questions? lobby -or- mcoates@mozilla.com -or- http://michael-coates.blogspot.com 37
  • 38. 38