HTTPS Can Byte Me
Blackhat Briefings, November 2010

• Robert “RSnake” Hansen - CEO
  • SecTheory Ltd
  • http://www.sectheory.com/ - the company
  • http://ha.ckers.org/ - the lab
  • http://sla.ckers.org/ - the forum
• Josh Sokol – InfoSec Program Owner
  • National Instruments
  • http://www.ni.com/ - don’t hax0r me pls
  • http://www.webadminblog.com/ – my blog
  • http://austin.owasp.org/ – Austin OWASP

This preso is not primarily about SSL/TLS flaws – it is mostly about the flaws in the browser implementation of HTTPS!

“I think all of these problems have to do with browser design rather than security or protocol. It's interesting because SSL gets blamed for all the stuff, but [they are] actually not even related to SSL.” - Taher Elgamal
http://www.zdnetasia.com/insight/security/0,39044829,62053759,00.htm

• SSL 1.0 – never released
• SSL 2.0 – 1995
  • Identical cryptographic keys are used for message authentication and encryption.
  • MACs are weakened in the "export mode" required by U.S. export restrictions and rely solely on the MD5 hash function.
  • SSL v2 does not have any protection for the handshake, meaning a man-in-the-middle downgrade attack can go undetected.
  • SSL v2 uses the TCP connection close to indicate the end of data. This means that truncation attacks are possible: the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message.
  • Doesn’t work on virtual hosts.
• SSL 3.0 – 1996
• TLS is already up to 1.2

“The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography.” - Wikipedia
http://en.wikipedia.org/wiki/Transport_Layer_Security

• Types in http://www.bank.com/
• DNS lookup (plaintext)
• DNS response (plaintext)
• HTTP request (plaintext)
• HTTP response (plaintext)
  • 301/302, JS, Meta redirect, or link/form
• HTTPS negotiation (ciphered)
• HTTPS content (ciphered)

• Built by Moxie Marlinspike to strip links to HTTPS sites
• Changes:
  • <a href=https://login.bank.com/>Login Securely</a>
• To:
  • <a href=http://login.bank.com/>Login Securely</a>
• MitM the rest of the connection by being a proxy for
  • https://login.bank.com/
• User is usually none the wiser, except for the missing lock, the missing character in the URL and the missing background color in some browsers.

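Added example (not from the original slides): a defender-side audit of the plaintext bootstrap (HTTP request, redirect, then HTTPS) and of the link rewriting shown on this slide. The hop objects, finding labels and function names are assumptions made for illustration; the sample chain and HTML are constructed.

```javascript
// Constructed sample: the navigation that starts with typing http://www.bank.com/.
const hops = [
  { url: 'http://www.bank.com/', status: 301,
    headers: { location: 'https://www.bank.com/', 'set-cookie': ['track=abc; Path=/'] } },
  { url: 'https://www.bank.com/', status: 200,
    headers: { 'set-cookie': ['session=xyz; Path=/; HttpOnly'] } },
];

// Flag every place the chain exposes the user before, or despite, HTTPS.
// Finding labels are hypothetical names used only in this example.
function auditBootstrap(chain) {
  const findings = [];
  for (const hop of chain) {
    const u = new URL(hop.url);
    const cookies = hop.headers['set-cookie'] || [];
    if (u.protocol === 'http:') {
      findings.push(`PLAINTEXT_HOP ${hop.url}`);      // readable and rewritable in transit
    } else if (!hop.headers['strict-transport-security']) {
      findings.push(`NO_STS ${hop.url}`);             // next visit may start on HTTP again
    }
    for (const c of cookies) {
      const attrs = c.split(';').slice(1).map(a => a.trim().toLowerCase());
      if (!attrs.includes('secure')) {
        findings.push(`COOKIE_NOT_SECURE ${c.split('=')[0]} @ ${hop.url}`);
      }
    }
  }
  return findings;
}

// Extract href values from anchor tags (quoted or unquoted, as on the slide).
function hrefs(html) {
  const out = [];
  const re = /<a\s[^>]*href\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Compare a reference copy (fetched over a trusted path) with the copy the
// client received; report https links that came back as http.
function downgradedLinks(referenceHtml, observedHtml) {
  const seen = new Set(hrefs(observedHtml));
  return hrefs(referenceHtml).filter(h =>
    h.startsWith('https://') && !seen.has(h) && seen.has('http://' + h.slice(8)));
}
```
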
• Found by Martin Rex and Marsh Ray:

    GET /highsecurity/index.html HTTP/1.1
    Host: example.com
    Connection: keep-alive

    GET /account/do.php?evilStuff=here HTTP/1.1
    Host: example.com
    Connection: close
    X-ignore-what-comes-next: GET /index.html HTTP/1.1
    Cookie: AuthMe=Now
    ...

• Developed by Alex Sotirov and team:
  • 200 Playstations
  • A few hundred in new certs to find out the RapidSSL “random number” generator wasn’t actually random
• Create a collision and swap the cert
• Man in the middle to 0wn the web

“Packet Forensics' devices are designed to be inserted-into and removed-from busy networks without causing any noticeable interruption [. . . ] This allows you to conditionally intercept web, e-mail, VoIP and other traffic at-will, even while it remains protected inside an encrypted tunnel on the wire. Using `man-in-the-middle' to intercept TLS or SSL is essentially an attack against the underlying Diffie-Hellman cryptographic key agreement protocol [. . . ] To use our product in this scenario, [government] users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate `look-alike' keys designed to give the subject a false sense of confidence in its authenticity."
http://files.cloudprivacy.net/ssl-mitm.pdf

• SSL/TLS relies on unencrypted email
  • https://login.live.com (ssladmin@hotmail.com)
• Extended Validation (Alex Sotirov & Mike Zusman - CanSecWest 09) SSL rebinding
• Pros/cons of negative UI security model versus positive - Blue backgrounds, etc - Jay Graver
• Updates over HTTP that use signed EXEs
• Non-Browser SSL/TLS Clients E.g.: iTunes/ssh/SSL VPNs
• STS – ugh!
• Cookies are over HTTP most of the time anyway
• How XSS breaks HTTPS security (much)…

• Ciphered content piggybacking on single sockets
• Browsers are noisy/multiple sockets
  • Favicons
  • Headers etc…
• No referring URL once the user leaves HTTPS
• Supposedly no way to inject content or commands (integrity requirement)

• Shuo Chen, Rui Wang, XiaoFeng Wang, Kehuan Zhang:
  • Size Difference
  • One way data/user or server initiated request
  • Timed requests (long term analysis)
http://www.informatics.indiana.edu/xw7/WebAppSideChannel-final.pdf

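Added example (not from the slides or the cited paper): a measurement of how much the size-difference channel reveals about a site whose pages have been mapped ahead of time, and how padding responses to fixed buckets shrinks it. Padding is a mitigation chosen here for illustration; the site map, sizes and function names are constructed, and the size seen on the wire is assumed to track the response body size.

```javascript
// Constructed site map: response body sizes in bytes, as an observer could
// record them by crawling the reachable parts of a site in advance.
const siteMap = {
  '/login': 4312, '/account/summary': 18977, '/account/transfer': 9120,
  '/search?q=a': 5230, '/search?q=ab': 5238, '/help': 9120,
};

// Round a size up to the next multiple of `bucket` (bucket = 1 means no padding).
function padded(size, bucket) {
  return Math.ceil(size / bucket) * bucket;
}

// Group pages by the size visible on the wire. Each group is an anonymity
// set: an observer cannot tell its members apart by length alone.
function anonymitySets(map, bucket) {
  const sets = new Map();
  for (const [page, size] of Object.entries(map)) {
    const key = padded(size, bucket);
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(page);
  }
  return sets;
}

// Pages an observer can name from ciphertext length alone.
function uniquelyIdentifiable(map, bucket) {
  return [...anonymitySets(map, bucket).values()]
    .filter(pages => pages.length === 1)
    .map(pages => pages[0])
    .sort();
}

// Total padding bytes added across the map: the cost side of the trade-off.
function overhead(map, bucket) {
  return Object.values(map).reduce((sum, s) => sum + padded(s, bucket) - s, 0);
}
```

Without padding, four of the six constructed pages are identifiable by size; with 2048-byte buckets only one is, at a cost of 7395 extra bytes across the six responses.
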
• Can the attacker map out the domain ahead of time?
  • Can the attacker force pre-cache of the content?
• How did the user get there and leave?
  • Last and Next non-SSL URL
• Known HTTP and SSL headers
  • Non-Secure Cookies
• DNS Queries and Host headers
  • Embedded 3rd party domains
  • Embedded non-encrypted SSL content

• Browsers lack true tab isolation:
  • Users often surf with more than one tab open
  • SSL timing based on pre-cached images, CSS, javascript, et al.
  • Using timing to map out the application or content (scarybeasts/Chris Evans)
  • CSRF to force session state (logout) which will force someone to go through the same flow but with less chatter because things are cached.
  • %-- and security=restricted tricks etc…

• Popunder/popundr cookies survive deletion!
  • Works only on HTTP even if noscript was disabled on HTTPS!
  • Noscript enables JS on HTTP/S both by default & “Full Addresses” doesn’t respect ports

• Identifying History
  • Some products try to mask referrers but you can still use document.referrer in JS space except:
    • SSL
    • New frames
    • Bookmarks
    • file:///
  • CSS history stealing (requires refresh/reload and won’t work in future versions of FF)
  • history.length upon entrance and exit

• Metering traffic
  • Server locking and timing
    • Uses Pyloris (n-1 ports)
    • Requires Apache (etc…) without load balancing, and requires a small amount of other users on the system
  • CSS download socket exhaustion and timing
    • Uses ports + link tags + chunked encoding
    • Doesn’t matter which webserver but browsers may vary and requires a separate attacker controlled tab to be open
    • It’s slooooooow from a victim’s perspective

    <a href="javascript:clickit();">Go to our HTTPS site</A>
    <script>
    function clickit() {
      var w = window.open('https://www.whatever.com/main.html');
      setTimeout(function () {
        w.location = 'http://www.whatever.com/ffpopup.xpi';
      }, 2000);
    }
    </script>