SSL is widely accepted as a technology that protects site users from certain attacks. But does it really protect them? Are we deploying it right? Probably not. I will show you why Presented at Confraria Security & IT, 22/06/11, Lisbon. note: this is the second version of this presentation. Please see the other presentations for updated content.

1. SSL, HSTS and other stuff with two eSSes
Versão 1.1 - 22/06/2011
Confraria
Security
&
IT Tiago
Mendo
-­‐
,ago.mendo@telecom.pt

2. Summary
• History
– SSL
– TLS
– SSL
vs
TLS
• Protocol
– Objec9ves
– Applica9ons
• How
it
works
-­‐
the
2
minutes
version
• How
it
works
-­‐
the
30
minutes
version
– Cer9ficate
valida9on
– Cer9ficate
revoca9on
check
– Cer9ficate
chain
of
trust
check
– Fetching
content
– Redirec9ng
from
HTTP
to
HTTPS
– Full
HTTPS
browsing
– Mixed
content
browsing
• Recommenda9ons
• Conclusions
• Ques9ons
SAPO
Websecurity
Team 2

3. History > SSL
• SSL
-­‐
Secure
Sockets
Layer
• 1994
-­‐
SSL
1.0
created
by
Netscape,
never
released
• 1995
-­‐
SSL
2.0
released
in
Netscape
Navigator
1.1.
Mul9ple
security
flaws
found
• 1996
-­‐
SSL
3.0
released
SAPO
Websecurity
Team 3

4. History > TLS
• TLS
-­‐
Transport
Layer
Security
• 1999
-­‐
TLS
1.0
defined
in
RFC
2246,
using
SSL
3.0
as
basis
• 2006
-­‐
TLS
1.1
defined
in
RFC
4346
• 2008
-­‐
TLS
1.2
defined
in
RFC
5246
SAPO
Websecurity
Team 4

5. History > SSL vs TLS
SSL TLS
1.0
2.0
3.0
(3.1) 1.0
(3.2) 1.1
(3.3) 1.2
• SSL
3.0
and
TLS
1.0
are
equivalent
in
security,
but
incompa9ble
• “Everybody
knows
SSL.
TLS
is
more
technically
accurate
but
sounds
like
a
cable
TV
network
or
a
disease"
SAPO
Websecurity
Team 5

6. Protocol > Objectives
• Why
SSL?
SAPO
Websecurity
Team 6

7. Protocol > Objectives
• Why
SSL?
• To
protect
the
communica9ons
between
two
hosts:
– content
confiden9ality
– integrity
– authen9city
SAPO
Websecurity
Team 6

8. Protocol > Objectives
• Why
SSL?
• To
protect
the
communica9ons
between
two
hosts:
– content
confiden9ality
– integrity
– authen9city
• Host
iden9ty
is
not
protected
(requires
IPSEC)
• Normally
only
the
server
is
authen9cated
SAPO
Websecurity
Team 6

9. Protocol > Applications
Applica,on HTTP
Transport TCP
Network IP
Data
link 802.11
-­‐
WLAN
Physical Air
SAPO
Websecurity
Team 7

10. Protocol > Applications
Applica,on HTTP HTTP
/
SSL
Transport TCP TCP
Network IP IP
Data
link 802.11
-­‐
WLAN 802.11
-­‐
WLAN
Physical Air Air
SAPO
Websecurity
Team 7

11. Protocol > Applications
HTTP
Applica,on HTTP HTTP
/
SSL SSL
Transport TCP TCP TCP
Network IP IP IP
Data
link 802.11
-­‐
WLAN 802.11
-­‐
WLAN 802.11
-­‐
WLAN
Physical Air Air Air
SAPO
Websecurity
Team 7

12. Protocol > Applications
HTTP
Applica,on HTTP HTTP
/
SSL SSL
Transport TCP TCP TCP
Network IP IP IP
Data
link 802.11
-­‐
WLAN 802.11
-­‐
WLAN 802.11
-­‐
WLAN
Physical Air Air Air
• On
top
of
any
Transport
layer
(including
UDP)
• Used
with
any
Applica9on
layer
protocol
• HTTP,
SMTP,
XMPP,
SIP,
etc.
• Used
in
OpenVPN
SAPO
Websecurity
Team 7

13. How it works - the 2 minutes version
• Type
hdps://www.facebook.com
and
hit
enter
SAPO
Websecurity
Team 8

14. How it works > Traffic without SSL
SAPO
Websecurity
Team 9

15. How it works > Traffic with SSL
SAPO
Websecurity
Team 10

16. How it works - the 30 minutes version
• Type
hdps://www.facebook.com
and
hit
enter
• Browser
connects
to
www.facebook.com:443
• SSL
handshake
is
ini9ated
• Server
sends
its
X.509
cer9ficate
to
the
client
• The
client
starts
the
valida9on
process
SAPO
Websecurity
Team 11

17. How it works > Certificate validation
• CN
matches
URL
• For
each
cert.
in
the
chain
– Has
not
expired
– Was
not
revoked
– Was
emided
by
a
trusted
CA
SAPO
Websecurity
Team 12

18. How it works > Certificate validation
• CN
matches
URL
• For
each
cert.
in
the
chain
– Has
not
expired
– Was
not
revoked
– Was
emided
by
a
trusted
CA
SAPO
Websecurity
Team 13

19. How it works > Certificate validation
• CN
matches
URL
• For
each
cert.
in
the
chain
– Has
not
expired
– Was
not
revoked
– Was
emided
by
a
trusted
CA
SAPO
Websecurity
Team 14

20. How it works > Certificate validation
• CN
matches
URL
• For
each
cert.
in
the
chain
– Has
not
expired
– Was
not
revoked
– Was
emided
by
a
trusted
CA
SAPO
Websecurity
Team 15

21. How it works > Certificate revocation check
• CRL
-­‐
Cer9ficate
Revoca9on
List
• The
cer9ficate
specifies
a
CRL
URL
• The
CRL
is
a
list
of
revoked
serial
numbers
• Answer
can
be
cached
for
a
few
months
– period
defined
by
the
CA
• The
CRL
can
be
very
large:
enter
OCSP
– expired
certs.
are
removed
from
the
CRL
SAPO
Websecurity
Team 16

22. How it works > Certificate revocation check
• OCSP
-­‐
Online
Cer9ficate
Status
Protocol
• The
cer9ficate
specifies
a
OCSP
server
• Browser
asks
the
server
if
a
specific
cert.
is
s9ll
valid
• Answer
can
be
cached
for
a
few
days
– period
defined
by
the
CA
• A
cert.
can
specify
both
the
CRL
and
OCSP
SAPO
Websecurity
Team 17

23. How it works > Certificate revocation check
• What
can
go
wrong?
SAPO
Websecurity
Team 18

24. How it works > Certificate revocation check
• What
can
go
wrong?
• CRL
and
OCSP
servers
can
be
unreachable
– Browsers
will
allow
user
to
con9nue
– You
may
or
may
not
be
warned
about
this
– Moxie
Marlinspike
found
that
OCSP
“try
again”
message
(error
code
3)
is
not
signed
– Adack:
MiTM
with
a
revoked
cert.
and
reply
3
to
the
OCSP
requests.
SAPO
Websecurity
Team 18

25. How it works > Certificate revocation check
• How
to
mi9gate
this
problem?
SAPO
Websecurity
Team 19

26. How it works > Certificate revocation check
• How
to
mi9gate
this
problem?
• OCSP
Stapling
-­‐
Kerberos
style
9cket
– Cert.
owner
frequently
asks
the
OCSP
for
a
9cket
– Ticket
says
“I,
CA
guarantee
with
my
signature
that
this
cer9ficate
is
valid
for
a
few
hours”
– Site
presents
this
9cket
to
reques9ng
browser
• Fallback
to
OCSP
• Support:
Chrome
on
Windows
Vista
or
higher
SAPO
Websecurity
Team 19

27. How it works > Certificate revocation check
• How
to
mi9gate
this
problem?
SAPO
Websecurity
Team 20

28. How it works > Certificate revocation check
• How
to
mi9gate
this
problem?
• CRL
and
OCSP
cache
SAPO
Websecurity
Team 20

29. How it works > Certificate revocation check
• How
to
mi9gate
this
problem?
• CRL
and
OCSP
cache
• Which
introduces
another
problem
– If
a
cert.
is
compromised,
there
may
a
significant
window
of
vulnerability
(months
for
a
CRL)
– Remember
the
Comodo
RA
compromise?
– 9
certs.
were
issued
to
7
domains
– certs.
were
revoked
in
15
minutes
– Browser
vendors
immediately
issued
browser
updates
SAPO
Websecurity
Team 20

30. How it works > Certificate validation
• CN
matches
URL
• For
each
cert.
in
the
chain
– Has
not
expired
– Was
not
revoked
– Was
emi@ed
by
a
trusted
CA
SAPO
Websecurity
Team 21

31. How it works > Certificate chain of trust check
• The
server
sends
the
whole
cer9ficate
chain
• For
each
cert.
in
the
chain
verify
– is
properly
signed
by
the
CA
cer9ficate
immediately
higher
in
the
hierarchy
– last
cer9ficate
is
explicitly
trusted
by
the
browser,
so
no
signature
verifica9on
is
done
SAPO
Websecurity
Team 22

32. How it works > Certificate chain of trust check
• What
can
go
wrong?
SAPO
Websecurity
Team 23

33. How it works > Certificate chain of trust check
SAPO
Websecurity
Team 24

34. How it works > Certificate chain of trust check
• What
can
go
wrong?
• The
browser
does
not
know
the
root
CA
– can
happen
if
you
are
using
an
old
browser/device
SAPO
Websecurity
Team 25

35. How it works > Certificate chain of trust check
• What
can
go
wrong?
• The
browser
does
not
know
the
root
CA
– can
happen
if
you
are
using
an
old
browser/device
• How
to
mi9gate
this
problem?
• Mul9-­‐roo9ng
CAs
– Server
sends
a
longer
chain
with
more
CA
cer9ficates
higher
in
the
hierarchy
– Both
CAs
trusted
by
Firefox
SAPO
Websecurity
Team 25

36. How it works > Certificate chain of trust check
• What
can
go
wrong?
SAPO
Websecurity
Team 26

37. How it works > Certificate chain of trust check
• What
can
go
wrong?
• You
do
not
trust
what
your
browser
trusts
– Firefox
ships
with
76
CAs
• Chunghwa
Telecom
Co.,
Ltd
• Türkiye
Bilimsel
ve
Teknolojik
AraşUrma
Kurumu
-­‐
TÜBİTAK
– Are
all
of
them
secure
and
properly
managed?
SAPO
Websecurity
Team 26

38. How it works > Certificate chain of trust check
• What
can
go
wrong?
• You
do
not
trust
what
your
browser
trusts
– Firefox
ships
with
76
CAs
• Chunghwa
Telecom
Co.,
Ltd
• Türkiye
Bilimsel
ve
Teknolojik
AraşUrma
Kurumu
-­‐
TÜBİTAK
– Are
all
of
them
secure
and
properly
managed?
– “I
have
not
been
able
to
find
the
current
owner
of
this
root.
Both
RSA
and
VeriSign
have
stated
in
email
that
they
do
not
own
this
root.”
said
one
of
the
maintainers
of
Mozilla
CA
list
(early
2010)
SAPO
Websecurity
Team 26

39. How it works > Certificate chain of trust check
• What
can
go
wrong?
• You
do
not
trust
what
your
browser
trusts
– Recent
request
to
add
a
CA
to
Firefox
• “This
is
a
request
to
add
the
CA
root
cerAficate
for
Honest
Achmed's
Used
Cars
and
CerAficates.”
• “Achmed's
uncles
all
vouch
for
the
fact
that
he's
honest.”
• “The
purpose
of
this
cerAficate
is
to
allow
Honest
Achmed
to
sell
bucketloads
of
other
cerAficates
and
make
a
lot
of
money.”
– It
was
not
granted.
This
9me.
SAPO
Websecurity
Team 27

40. How it works > Certificate chain of trust check
• How
to
mi9gate
this
problem?
• Remove
trust
or
delete
CAs
– they
might
come
back
aler
solware
updates
– how
do
you
evaluate
if
a
CA
can
be
trusted?
– can
you
do
this
in
your
smartphone?
SAPO
Websecurity
Team 28

41. How it works > Fetching content
• At
this
point
the
browser
trusts
the
site
cer9ficate
• No
HTTP
request
was
made
yet!
• First
HTTP
request
is
made
only
now
GET / HTTP/1.1
Host: www.facebook.com
SAPO
Websecurity
Team 29

42. How it works > Fetching content
SAPO
Websecurity
Team 30

43. How it works > Redirecting from HTTP to HTTPS
• Lets
go
back
a
lidle
• Imagine
you
type
hdp://www.facebook.com
instead
of
hdps...
• Hit
enter!
SAPO
Websecurity
Team 31

44. How it works > Redirecting from HTTP to HTTPS
• Lets
go
back
a
lidle
• Imagine
you
type
hdp://www.facebook.com
instead
of
hdps...
• Hit
enter!
• Browser
connects
to
www.facebook.com:80
SAPO
Websecurity
Team 31

45. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 32

46. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 33

47. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 34

48. How it works > Redirecting from HTTP to HTTPS
• What
can
go
wrong?
SAPO
Websecurity
Team 35

49. How it works > Redirecting from HTTP to HTTPS
• What
can
go
wrong?
• Moxie
Marlinskipe
and
his
sslstrip
tool
SAPO
Websecurity
Team 35

50. How it works > Redirecting from HTTP to HTTPS
• What
can
go
wrong?
• Moxie
Marlinskipe
and
his
sslstrip
tool
SAPO
Websecurity
Team 35

51. How it works > Redirecting from HTTP to HTTPS
• sslstrip
func9oning
– MiTM
tool
– maps
HTTPS
links
to
HTTP
– maps
redirects
to
HTTPS
back
to
HTTP
– maps
HTTPS
links
to
homograph-­‐similar
HTTPS
links
– can
supply
a
lock
favicon
– logging!
SAPO
Websecurity
Team 36

52. How it works > Redirecting from HTTP to HTTPS
• sslstrip
func9oning
SAPO
Websecurity
Team 37

53. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 38

54. How it works > Redirecting from HTTP to HTTPS
• You
type
hdp://www.facebook.com
and
get
redirected
to
hdps://www.facebook.com
GET / HTTP/1.1
Host: www.facebook.com
HTTP/1.1 302 Found
Location: https://www.facebook.com/
• These
requests
are
not
protected
with
SSL!
SAPO
Websecurity
Team 39

55. How it works > Redirecting from HTTP to HTTPS
• How
to
mi9gate
this
problem?
SAPO
Websecurity
Team 40

56. How it works > Redirecting from HTTP to HTTPS
• How
to
mi9gate
this
problem?
• Make
site
available
only
in
HTTPS
– Does
not
work:
most
users
type
HTTP
and
redirects
are
dangerous
SAPO
Websecurity
Team 40

57. How it works > Redirecting from HTTP to HTTPS
• How
to
mi9gate
this
problem?
• Make
site
available
only
in
HTTPS
– Does
not
work:
most
users
type
HTTP
and
redirects
are
dangerous
• Use
HSTS:
HTTP
Strict
Transport
Security
– Formerly
STS
– Server
defined
policy
that
browsers
must
honor
– Server
sends
HTTP
header
with
policy
SAPO
Websecurity
Team 40

58. How it works > Redirecting from HTTP to HTTPS
Strict-Transport-Security: max-age=15768000;includeSubdomains
• This
header
says
two
things:
– “Browser,
convert
all
requests
to
my
domain
to
HTTPS”
– “Browser,
if
there
is
any
security
issue
with
the
connec9on
do
not
allow
progress”
• Consequences:
– the
user
types
hdp://www.facebook.com
and
the
browser
requests
hdps://www.facebook.com
– any
HTTP
link
in
the
response
turns
to
HTTPS
SAPO
Websecurity
Team 41

59. How it works > Redirecting from HTTP to HTTPS
• S9ll,
there
is
a
problem:
SAPO
Websecurity
Team 42

60. How it works > Redirecting from HTTP to HTTPS
• S9ll,
there
is
a
problem:
• We
have
never
visited
the
site
or
policy
expired
– browser
does
not
know
the
site
HSTS
policy
– if
the
user
types
hdp://www.facebook.com
the
request
is
done
using
HTTP
– TOFU:
Trust
On
First
Use
• Recommenda9ons
– first
visit
using
a
safe
wired
network
– manually
instruct
the
browser
to
use
HSTS
SAPO
Websecurity
Team 42

61. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 43

62. How it works > Redirecting from HTTP to HTTPS
• Server
support:
all,
just
send
the
header
• Browser
support
– Chrome
4.0.211.0
(with
preloaded
domain
list)
– Firefox
4
• Plugins
– Safari
SSL
Everywhere
– Firefox
EFF
HTTPS
Everywhere
– Firefox
ForceTLS
(simple
list
edi9ng)
SAPO
Websecurity
Team 43

63. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 44

64. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 44

65. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 45

66. How it works > Redirecting from HTTP to HTTPS
SAPO
Websecurity
Team 45

67. How it works > Full HTTPS browsing
• At
this
point
we
have
all
the
contents
of
the
site
served
over
HTTPS.
• How
can
we
be
sure?
• No9ce
the
green
hdps
text
SAPO
Websecurity
Team 46

68. How it works > Mixed content browsing
• How
about
this
situa9on?
• No9ce
the
red
strikethrough
hdps
text
SAPO
Websecurity
Team 47

69. How it works > Mixed content browsing
• Chrome
console
output:
SAPO
Websecurity
Team 48

70. How it works > Mixed content browsing
• What
is
the
problem?
SAPO
Websecurity
Team 49

71. How it works > Mixed content browsing
• What
is
the
problem?
• Sensi9ve
informa9on
can
be
captured
– images:
your
last
night
weird
photos
– javascript:
can
be
replaced
with
malicious
code
– cookies:
sent
in
every
request!
– full
browsing
informa9on
• Browser
warnings
– can
affect
site
reputa9on
– most
users
ignore
this
SAPO
Websecurity
Team 49

72. How it works > Mixed content browsing
SAPO
Websecurity
Team 50

73. How it works > Mixed content browsing
SAPO
Websecurity
Team 50

74. How it works > Mixed content browsing
• How
to
mi9gate
this
problem?
SAPO
Websecurity
Team 51

75. How it works > Mixed content browsing
• How
to
mi9gate
this
problem?
• HSTS
– you
have
to
specify
all
domains
used
by
the
site
– some
links
might
not
work
over
HTTPS
– not
a
solu9on
for
all
sites
SAPO
Websecurity
Team 51

76. How it works > Mixed content browsing
• How
to
mi9gate
this
problem?
• HSTS
– you
have
to
specify
all
domains
used
by
the
site
– some
links
might
not
work
over
HTTPS
– not
a
solu9on
for
all
sites
• Use
only
HTTPS
links
:)
– use
a
proxy:
make
your
server
fetch
the
HTTP
content
and
serve
it
over
HTTPS
– do
not
forget
the
favicon
SAPO
Websecurity
Team 51

77. How it works > Mixed content browsing
• How
to
minimize
this
problem?
SAPO
Websecurity
Team 52

78. How it works > Mixed content browsing
• How
to
minimize
this
problem?
• Secure
Cookies
– the
server
can
set
the
secure
flag
for
the
cookie
– a
secure
cookie
is
only
sent
over
HTTPS
– beware:
this
does
not
prevent
the
mixed
content
warning,
it
ONLY
prevents
cookies
from
being
sent
over
HTTP
SAPO
Websecurity
Team 52

79. Recommendations
• A
few
more
recommenda9ons
SAPO
Websecurity
Team 53

80. Recommendations
• A
few
more
recommenda9ons
• Make
a
bookmark
with
the
HTTPS
link
for
the
site
(specially
homebanking
sites)
– avoids
requests
using
HTTP
– avoids
adacks
caused
by
typos
• Use
a
plugin
that
warns
you
if
the
cer9ficate
has
changed
– Perspec9ves
(www.networknotary.org)
– Cer9ficate
Patrol
SAPO
Websecurity
Team 53

81. Conclusions
• Conclusions
– SSL
3.0
and
TLS
1.0+
are
the
way
to
go
– Use
HSTS
and
manually
add
your
important
sites
– Update
your
browser
olen
or
automa9cally
– Do
not
visit
sites
which
the
first
page
is
HTTP
using
public
wireless
networks
– Do
not
create
sites
with
mixed
HTTP(S)
content
– If
your
site
is
HTTPS
only,
use
secure
cookies
SAPO
Websecurity
Team 54

82. Questions
Any
ques9ons?
9ago.mendo@telecom.pt
SAPO
Websecurity
Team 55