SSL, HSTS and other stuff with two eSSes

967 views
856 views

Published on

SSL is widely accepted as a technology that protects site users from certain attacks. But does it really protect them? Are we deploying it right? Probably not. I will show you why

Presented at Confraria Security & IT, 22/06/11, Lisbon.

note: this is the second version of this presentation. Please see the other presentations for updated content.

Published in: Technology, Education
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
967
On SlideShare
0
From Embeds
0
Number of Embeds
103
Actions
Shares
0
Downloads
27
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

SSL, HSTS and other stuff with two eSSes

  1. 1. SSL, HSTS and other stuff with two eSSes Versão 1.1 - 22/06/2011Confraria  Security  &  IT Tiago  Mendo  -­‐  ,ago.mendo@telecom.pt
  2. 2. Summary • History – SSL – TLS – SSL  vs  TLS • Protocol – Objec9ves – Applica9ons • How  it  works  -­‐  the  2  minutes  version • How  it  works  -­‐  the  30  minutes  version – Cer9ficate  valida9on – Cer9ficate  revoca9on  check – Cer9ficate  chain  of  trust  check – Fetching  content – Redirec9ng  from  HTTP  to  HTTPS – Full  HTTPS  browsing – Mixed  content  browsing • Recommenda9ons • Conclusions • Ques9onsSAPO  Websecurity  Team 2
  3. 3. History > SSL • SSL  -­‐  Secure  Sockets  Layer • 1994  -­‐  SSL  1.0  created  by  Netscape,  never                          released • 1995  -­‐  SSL  2.0  released  in  Netscape  Navigator                              1.1.  Mul9ple  security  flaws  found • 1996  -­‐  SSL  3.0  releasedSAPO  Websecurity  Team 3
  4. 4. History > TLS • TLS  -­‐  Transport  Layer  Security • 1999  -­‐  TLS  1.0  defined  in  RFC  2246,  using  SSL                          3.0  as  basis • 2006  -­‐  TLS  1.1  defined  in  RFC  4346 • 2008  -­‐  TLS  1.2  defined  in  RFC  5246SAPO  Websecurity  Team 4
  5. 5. History > SSL vs TLS SSL TLS 1.0 2.0 3.0 (3.1) 1.0 (3.2) 1.1 (3.3) 1.2 • SSL  3.0  and  TLS  1.0  are  equivalent  in  security,   but  incompa9ble • “Everybody  knows  SSL.  TLS  is  more  technically   accurate  but  sounds  like  a  cable  TV  network  or   a  disease"SAPO  Websecurity  Team 5
  6. 6. Protocol > Objectives • Why  SSL?SAPO  Websecurity  Team 6
  7. 7. Protocol > Objectives • Why  SSL? • To  protect  the  communica9ons  between  two   hosts: – content  confiden9ality – integrity – authen9citySAPO  Websecurity  Team 6
  8. 8. Protocol > Objectives • Why  SSL? • To  protect  the  communica9ons  between  two   hosts: – content  confiden9ality – integrity – authen9city • Host  iden9ty  is  not  protected  (requires  IPSEC) • Normally  only  the  server  is  authen9cated  SAPO  Websecurity  Team 6
  9. 9. Protocol > Applications Applica,on HTTP Transport TCP Network IP Data  link 802.11  -­‐  WLAN Physical AirSAPO  Websecurity  Team 7
  10. 10. Protocol > Applications Applica,on HTTP HTTP  /  SSL Transport TCP TCP Network IP IP Data  link 802.11  -­‐  WLAN 802.11  -­‐  WLAN Physical Air AirSAPO  Websecurity  Team 7
  11. 11. Protocol > Applications HTTP Applica,on HTTP HTTP  /  SSL SSL Transport TCP TCP TCP Network IP IP IP Data  link 802.11  -­‐  WLAN 802.11  -­‐  WLAN 802.11  -­‐  WLAN Physical Air Air AirSAPO  Websecurity  Team 7
  12. 12. Protocol > Applications HTTP Applica,on HTTP HTTP  /  SSL SSL Transport TCP TCP TCP Network IP IP IP Data  link 802.11  -­‐  WLAN 802.11  -­‐  WLAN 802.11  -­‐  WLAN Physical Air Air Air • On  top  of  any  Transport  layer  (including  UDP) • Used  with  any  Applica9on  layer  protocol • HTTP,  SMTP,  XMPP,  SIP,  etc. • Used  in  OpenVPNSAPO  Websecurity  Team 7
  13. 13. How it works - the 2 minutes version • Type  hdps://www.facebook.com  and  hit  enterSAPO  Websecurity  Team 8
  14. 14. How it works > Traffic without SSLSAPO  Websecurity  Team 9
  15. 15. How it works > Traffic with SSLSAPO  Websecurity  Team 10
  16. 16. How it works - the 30 minutes version • Type  hdps://www.facebook.com  and  hit  enter • Browser  connects  to  www.facebook.com:443 • SSL  handshake  is  ini9ated • Server  sends  its  X.509  cer9ficate  to  the  client • The  client  starts  the  valida9on  processSAPO  Websecurity  Team 11
  17. 17. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emided  by  a   trusted  CASAPO  Websecurity  Team 12
  18. 18. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emided  by  a   trusted  CASAPO  Websecurity  Team 13
  19. 19. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emided  by  a   trusted  CASAPO  Websecurity  Team 14
  20. 20. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emided  by  a   trusted  CASAPO  Websecurity  Team 15
  21. 21. How it works > Certificate revocation check • CRL  -­‐  Cer9ficate  Revoca9on  List • The  cer9ficate  specifies  a  CRL  URL • The  CRL  is  a  list  of  revoked  serial  numbers • Answer  can  be  cached  for  a  few  months – period  defined  by  the  CA • The  CRL  can  be  very  large:  enter  OCSP – expired  certs.  are  removed  from  the  CRLSAPO  Websecurity  Team 16
  22. 22. How it works > Certificate revocation check • OCSP  -­‐  Online  Cer9ficate  Status  Protocol • The  cer9ficate  specifies  a  OCSP  server • Browser  asks  the  server  if  a  specific  cert.  is   s9ll  valid • Answer  can  be  cached  for  a  few  days – period  defined  by  the  CA • A  cert.  can  specify  both  the  CRL  and  OCSPSAPO  Websecurity  Team 17
  23. 23. How it works > Certificate revocation check • What  can  go  wrong?SAPO  Websecurity  Team 18
  24. 24. How it works > Certificate revocation check • What  can  go  wrong? • CRL  and  OCSP  servers  can  be  unreachable – Browsers  will  allow  user  to  con9nue – You  may  or  may  not  be  warned  about  this – Moxie  Marlinspike  found  that  OCSP  “try  again”   message  (error  code  3)  is  not  signed – Adack:  MiTM  with  a  revoked  cert.  and  reply  3  to   the  OCSP  requests.  SAPO  Websecurity  Team 18
  25. 25. How it works > Certificate revocation check • How  to  mi9gate  this  problem?SAPO  Websecurity  Team 19
  26. 26. How it works > Certificate revocation check • How  to  mi9gate  this  problem? • OCSP  Stapling  -­‐  Kerberos  style  9cket – Cert.  owner  frequently  asks  the  OCSP  for  a  9cket – Ticket  says  “I,  CA  guarantee  with  my  signature   that  this  cer9ficate  is  valid  for  a  few  hours” – Site  presents  this  9cket  to  reques9ng  browser • Fallback  to  OCSP • Support:  Chrome  on  Windows  Vista  or  higherSAPO  Websecurity  Team 19
  27. 27. How it works > Certificate revocation check • How  to  mi9gate  this  problem?SAPO  Websecurity  Team 20
  28. 28. How it works > Certificate revocation check • How  to  mi9gate  this  problem? • CRL  and  OCSP  cacheSAPO  Websecurity  Team 20
  29. 29. How it works > Certificate revocation check • How  to  mi9gate  this  problem? • CRL  and  OCSP  cache • Which  introduces  another  problem – If  a  cert.  is  compromised,  there  may  a  significant   window  of  vulnerability  (months  for  a  CRL) – Remember  the  Comodo  RA  compromise? – 9  certs.  were  issued  to  7  domains – certs.  were  revoked  in  15  minutes – Browser  vendors  immediately  issued  browser   updatesSAPO  Websecurity  Team 20
  30. 30. How it works > Certificate validation • CN  matches  URL • For  each  cert.  in  the  chain – Has  not  expired – Was  not  revoked – Was  emi@ed  by  a   trusted  CASAPO  Websecurity  Team 21
  31. 31. How it works > Certificate chain of trust check • The  server  sends  the   whole  cer9ficate  chain • For  each  cert.  in  the  chain  verify – is  properly  signed  by  the  CA  cer9ficate   immediately  higher  in  the  hierarchy – last  cer9ficate  is  explicitly  trusted  by  the  browser,   so  no  signature  verifica9on  is  doneSAPO  Websecurity  Team 22
  32. 32. How it works > Certificate chain of trust check • What  can  go  wrong?SAPO  Websecurity  Team 23
  33. 33. How it works > Certificate chain of trust checkSAPO  Websecurity  Team 24
  34. 34. How it works > Certificate chain of trust check • What  can  go  wrong? • The  browser  does  not  know  the  root  CA – can  happen  if  you  are  using  an  old  browser/deviceSAPO  Websecurity  Team 25
  35. 35. How it works > Certificate chain of trust check • What  can  go  wrong? • The  browser  does  not  know  the  root  CA – can  happen  if  you  are  using  an  old  browser/device • How  to  mi9gate  this  problem?   • Mul9-­‐roo9ng  CAs – Server  sends  a  longer  chain  with  more  CA   cer9ficates  higher  in  the  hierarchy – Both  CAs  trusted  by  FirefoxSAPO  Websecurity  Team 25
  36. 36. How it works > Certificate chain of trust check • What  can  go  wrong?SAPO  Websecurity  Team 26
  37. 37. How it works > Certificate chain of trust check • What  can  go  wrong? • You  do  not  trust  what  your  browser  trusts – Firefox  ships  with  76  CAs • Chunghwa  Telecom  Co.,  Ltd • Türkiye  Bilimsel  ve  Teknolojik  AraşUrma  Kurumu  -­‐   TÜBİTAK – Are  all  of  them  secure  and  properly  managed?SAPO  Websecurity  Team 26
  38. 38. How it works > Certificate chain of trust check • What  can  go  wrong? • You  do  not  trust  what  your  browser  trusts – Firefox  ships  with  76  CAs • Chunghwa  Telecom  Co.,  Ltd • Türkiye  Bilimsel  ve  Teknolojik  AraşUrma  Kurumu  -­‐   TÜBİTAK – Are  all  of  them  secure  and  properly  managed? – “I  have  not  been  able  to  find  the  current  owner  of   this  root.  Both  RSA  and  VeriSign  have  stated  in   email  that  they  do  not  own  this  root.”  said  one  of   the  maintainers  of  Mozilla  CA  list  (early  2010)SAPO  Websecurity  Team 26
  39. 39. How it works > Certificate chain of trust check • What  can  go  wrong? • You  do  not  trust  what  your  browser  trusts – Recent  request  to  add  a  CA  to  Firefox • “This  is  a  request  to  add  the  CA  root  cerAficate  for   Honest  Achmeds  Used  Cars  and  CerAficates.” • “Achmeds  uncles  all  vouch  for  the  fact  that  hes   honest.” • “The  purpose  of  this  cerAficate  is  to  allow  Honest   Achmed  to  sell  bucketloads  of  other  cerAficates  and   make  a  lot  of  money.” – It  was  not  granted.  This  9me.SAPO  Websecurity  Team 27
  40. 40. How it works > Certificate chain of trust check • How  to  mi9gate  this  problem?   • Remove  trust  or  delete  CAs – they  might  come  back  aler  solware  updates – how  do  you  evaluate  if  a  CA  can  be  trusted? – can  you  do  this  in  your  smartphone?SAPO  Websecurity  Team 28
  41. 41. How it works > Fetching content • At  this  point  the  browser  trusts  the  site   cer9ficate • No  HTTP  request  was  made  yet! • First  HTTP  request  is  made  only  now GET / HTTP/1.1 Host: www.facebook.comSAPO  Websecurity  Team 29
  42. 42. How it works > Fetching contentSAPO  Websecurity  Team 30
  43. 43. How it works > Redirecting from HTTP to HTTPS • Lets  go  back  a  lidle • Imagine  you  type  hdp://www.facebook.com   instead  of  hdps... • Hit  enter!SAPO  Websecurity  Team 31
  44. 44. How it works > Redirecting from HTTP to HTTPS • Lets  go  back  a  lidle • Imagine  you  type  hdp://www.facebook.com   instead  of  hdps... • Hit  enter! • Browser  connects  to  www.facebook.com:80SAPO  Websecurity  Team 31
  45. 45. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 32
  46. 46. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 33
  47. 47. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 34
  48. 48. How it works > Redirecting from HTTP to HTTPS • What  can  go  wrong?SAPO  Websecurity  Team 35
  49. 49. How it works > Redirecting from HTTP to HTTPS • What  can  go  wrong? • Moxie  Marlinskipe  and  his  sslstrip  toolSAPO  Websecurity  Team 35
  50. 50. How it works > Redirecting from HTTP to HTTPS • What  can  go  wrong? • Moxie  Marlinskipe  and  his  sslstrip  toolSAPO  Websecurity  Team 35
  51. 51. How it works > Redirecting from HTTP to HTTPS • sslstrip  func9oning – MiTM  tool – maps  HTTPS  links  to  HTTP – maps  redirects  to  HTTPS  back  to  HTTP – maps  HTTPS  links  to  homograph-­‐similar  HTTPS   links – can  supply  a  lock  favicon – logging!SAPO  Websecurity  Team 36
  52. 52. How it works > Redirecting from HTTP to HTTPS • sslstrip  func9oningSAPO  Websecurity  Team 37
  53. 53. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 38
  54. 54. How it works > Redirecting from HTTP to HTTPS • You  type  hdp://www.facebook.com  and  get   redirected  to  hdps://www.facebook.com GET / HTTP/1.1 Host: www.facebook.com HTTP/1.1 302 Found Location: https://www.facebook.com/ • These  requests  are  not  protected  with  SSL!SAPO  Websecurity  Team 39
  55. 55. How it works > Redirecting from HTTP to HTTPS • How  to  mi9gate  this  problem?SAPO  Websecurity  Team 40
  56. 56. How it works > Redirecting from HTTP to HTTPS • How  to  mi9gate  this  problem? • Make  site  available  only  in  HTTPS – Does  not  work:  most  users  type  HTTP  and   redirects  are  dangerousSAPO  Websecurity  Team 40
  57. 57. How it works > Redirecting from HTTP to HTTPS • How  to  mi9gate  this  problem? • Make  site  available  only  in  HTTPS – Does  not  work:  most  users  type  HTTP  and   redirects  are  dangerous • Use  HSTS:  HTTP  Strict  Transport  Security – Formerly  STS – Server  defined  policy  that  browsers  must  honor – Server  sends  HTTP  header  with  policySAPO  Websecurity  Team 40
  58. 58. How it works > Redirecting from HTTP to HTTPS Strict-Transport-Security: max-age=15768000;includeSubdomains • This  header  says  two  things: – “Browser,  convert  all  requests  to  my  domain  to   HTTPS” – “Browser,  if  there  is  any  security  issue  with  the   connec9on  do  not  allow  progress” • Consequences: – the  user  types  hdp://www.facebook.com  and  the   browser  requests  hdps://www.facebook.com – any  HTTP  link  in  the  response  turns  to  HTTPSSAPO  Websecurity  Team 41
  59. 59. How it works > Redirecting from HTTP to HTTPS • S9ll,  there  is  a  problem:SAPO  Websecurity  Team 42
  60. 60. How it works > Redirecting from HTTP to HTTPS • S9ll,  there  is  a  problem: • We  have  never  visited  the  site  or  policy   expired – browser  does  not  know  the  site  HSTS  policy – if  the  user  types  hdp://www.facebook.com  the   request  is  done  using  HTTP – TOFU:  Trust  On  First  Use • Recommenda9ons – first  visit  using  a  safe  wired  network – manually  instruct  the  browser  to  use  HSTS  SAPO  Websecurity  Team 42
  61. 61. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 43
  62. 62. How it works > Redirecting from HTTP to HTTPS • Server  support:  all,  just  send  the  header • Browser  support – Chrome  4.0.211.0  (with  preloaded  domain  list) – Firefox  4 • Plugins – Safari  SSL  Everywhere – Firefox  EFF  HTTPS  Everywhere – Firefox  ForceTLS  (simple  list  edi9ng)SAPO  Websecurity  Team 43
  63. 63. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 44
  64. 64. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 44
  65. 65. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 45
  66. 66. How it works > Redirecting from HTTP to HTTPSSAPO  Websecurity  Team 45
  67. 67. How it works > Full HTTPS browsing • At  this  point  we  have  all  the  contents  of  the   site  served  over  HTTPS.   • How  can  we  be  sure? • No9ce  the  green  hdps  textSAPO  Websecurity  Team 46
  68. 68. How it works > Mixed content browsing • How  about  this  situa9on? • No9ce  the  red  strikethrough  hdps  textSAPO  Websecurity  Team 47
  69. 69. How it works > Mixed content browsing • Chrome  console  output:SAPO  Websecurity  Team 48
  70. 70. How it works > Mixed content browsing • What  is  the  problem?SAPO  Websecurity  Team 49
  71. 71. How it works > Mixed content browsing • What  is  the  problem? • Sensi9ve  informa9on  can  be  captured – images:  your  last  night  weird  photos – javascript:  can  be  replaced  with  malicious  code – cookies:  sent  in  every  request! – full  browsing  informa9on • Browser  warnings – can  affect  site  reputa9on – most  users  ignore  thisSAPO  Websecurity  Team 49
  72. 72. How it works > Mixed content browsingSAPO  Websecurity  Team 50
  73. 73. How it works > Mixed content browsingSAPO  Websecurity  Team 50
  74. 74. How it works > Mixed content browsing • How  to  mi9gate  this  problem?  SAPO  Websecurity  Team 51
  75. 75. How it works > Mixed content browsing • How  to  mi9gate  this  problem?   • HSTS – you  have  to  specify  all  domains  used  by  the  site – some  links  might  not  work  over  HTTPS – not  a  solu9on  for  all  sitesSAPO  Websecurity  Team 51
  76. 76. How it works > Mixed content browsing • How  to  mi9gate  this  problem?   • HSTS – you  have  to  specify  all  domains  used  by  the  site – some  links  might  not  work  over  HTTPS – not  a  solu9on  for  all  sites • Use  only  HTTPS  links  :) – use  a  proxy:  make  your  server  fetch  the  HTTP   content  and  serve  it  over  HTTPS – do  not  forget  the  faviconSAPO  Websecurity  Team 51
  77. 77. How it works > Mixed content browsing • How  to  minimize  this  problem?  SAPO  Websecurity  Team 52
  78. 78. How it works > Mixed content browsing • How  to  minimize  this  problem?   • Secure  Cookies – the  server  can  set  the  secure  flag  for  the  cookie – a  secure  cookie  is  only  sent  over  HTTPS – beware:  this  does  not  prevent  the  mixed  content   warning,  it  ONLY  prevents  cookies  from  being  sent   over  HTTPSAPO  Websecurity  Team 52
  79. 79. Recommendations • A  few  more  recommenda9onsSAPO  Websecurity  Team 53
  80. 80. Recommendations • A  few  more  recommenda9ons • Make  a  bookmark  with  the  HTTPS  link  for  the   site  (specially  homebanking  sites) – avoids  requests  using  HTTP – avoids  adacks  caused  by  typos • Use  a  plugin  that  warns  you  if  the  cer9ficate   has  changed – Perspec9ves  (www.networknotary.org) – Cer9ficate  PatrolSAPO  Websecurity  Team 53
  81. 81. Conclusions • Conclusions – SSL  3.0  and  TLS  1.0+  are  the  way  to  go – Use  HSTS  and  manually  add  your  important  sites – Update  your  browser  olen  or  automa9cally – Do  not  visit  sites  which  the  first  page  is  HTTP  using   public  wireless  networks – Do  not  create  sites  with  mixed  HTTP(S)  content – If  your  site  is  HTTPS  only,  use  secure  cookiesSAPO  Websecurity  Team 54
  82. 82. Questions Any  ques9ons? 9ago.mendo@telecom.ptSAPO  Websecurity  Team 55

×