luke valenta gabbi fisher lukevalenta gabbifish systems
play

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems - PowerPoint PPT Presentation

Jun 30, 2023 •313 likes •701 views

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems Engineer, Cloudflare Outline 1. HTTPS Interceptors and How to Find Them: Common sources of MITM (Monsters in the Middle). 2. A technique for

  2. Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems Engineer, Cloudflare

  3. Outline 1. “HTTPS Interceptors and How to Find Them”: Common sources of MITM (Monsters in the Middle). 2. A technique for detecting HTTPS interception 3. Building tools for detecting Internet-scale HTTPS detection: MITMEngine and MALCOLM

  4. HTTPS Without Interception Server has certificate for example.com Client Server TLS

  5. HTTPS Without Interception Server has CA cert for example.com Client MITM Server TLS TLS Middlebox knows nothing about what traffic it is proxying; it only sees encrypted data.

  6. Attempting HTTPS Interception Middlebox root cert issues Server has CA cert for cert for example.com example.com Client MITM Server TLS TLS ⚠ I don’t trust this certificate...

  7. How HTTPS Interception Works Interceptor installs new Middlebox root cert issues Server has CA cert for root cert cert for example.com example.com Client MITM Server TLS TLS Middlebox inspects HTTP traffic

  8. Types of HTTPS Interception Antivirus/Corporate/Government ● Detect malware ● Detect C&C traffic ● Detect exfiltration ● Anti-terrorism ● Censorship

  9. Types of HTTPS Interception Antivirus/Corporate/Government ● Detect malware ● Detect C&C traffic ● Detect exfiltration ● Anti-terrorism ● Censorship

  10. Types of HTTPS Interception Malware ● Inject ads ● Steal private data

  11. Types of HTTPS Interception Malware ● Inject ads ● Steal private data

  12. Types of HTTPS Interception Types of HTTPS Interception Leaky Proxies ● Product features ● Convenience

  13. Types of HTTPS Interception Types of HTTPS Interception Leaky Proxies ● Product features ● Convenience

  14. Types of HTTPS Interception Types of HTTPS Interception As easy as guessing “SennheiserCC!” ¯\_( ツ )_/¯ Leaky Proxies ● Product features ● Convenience

  15. Types of HTTPS Interception Types of HTTPS Interception Reverse Proxies ● Security ● Performance ● Reliability

  16. Types of HTTPS Interception Types of HTTPS Interception Reverse Proxies ● Security ● Performance ● Reliability

  17. Types of HTTPS Interception Types of HTTPS Interception Antivirus/Corporate/Government Malware ● Detect malware ● Inject ads ● Detect C&C traffic ● Steal private data ● Detect exfiltration ● Anti-terrorism ● Censorship Leaky Proxies Reverse Proxies ● Security ● Product features ● Performance ● Convenience ● Reliability

  18. Detecting HTTPS Interception [Durumeric et al., 2017] Client Middlebox Server TLS TLS Plaintext HTTP HTTP User-Agent: Chrome

  19. Detecting HTTPS Interception [Durumeric et al., 2017] Client Middlebox Server TLS TLS ? HTTP: Plaintext HTTP TLS: HTTP User-Agent: Chrome Server can detect mismatch between layers

  20. Identifying HTTP and TLS Clients HTTP Parse User Agent Header Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

  21. Identifying HTTP and TLS Clients HTTP Parse User Agent Header Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 TLS No identifying field is present in the protocol. Instead, use known techniques for fingerprinting browsers based on TLS Client Hello.

  22. TLS Client Hello Fingerprinting [Ristić; 2009] HTTP client fingerprinting using SSL handshake analysis. ● [Majkowski; 2012] SSL fingerprinting for p0f. ● [Brotherston; 2015] TLS Fingerprinting: Smarter Defending & Stealthier Attacking. ● [Anderson et al.; 2016] Classifying Encrypted Traffic with TLS-Aware Telemetry ● [Durumeric et al.; 2017] The Security Impact of HTTPS Interception. ● [Althouse, Atkinson, Atkins; 2017]. TLS Fingerprinting with JA3 and JA3S. ● [Anderson, McGrew; 2019]. TLS Fingerprinting in the Real World. ● [Frolov, Wustrow; 2019]. TLS Fingerprint. ●

  23. TLS Handshake (RFC 5246)

  24. TLS Handshake (RFC 5246)

  25. TLS Handshake (RFC 5246) TLS libraries tend to keep these fields the same!

  26. TLS Fingerprinting based on Client Hello [...] [...] [...]

  27. HTTPS Interception Detection Process

  28. HTTPS Interception Detection Process 1. Build database of HTTP and TLS browser fingerprints

  29. HTTPS Interception Detection Process 1. Build database of HTTP and 2. Check HTTP and TLS fingerprints of TLS browser fingerprints incoming requests against database

  30. MITMEngine: HTTPS Interception Detection Library Open sourced at https://github.com/cloudflare/mitmengine. PRs welcome! Goal #1: Maintainability ● Fingerprints quickly go stale with browser updates ○ Time-consuming to generate new fingerprints manually ○ Goal is to automatically generate ground truth fingerprints from Cloudflare’s network ○ Goal #2: Flexibility ● Currently support a flexible fingerprint format to model a variety of browser behavior ○ Plan to add support for other TLS fingerprint formats (JA3, tlsfingerprint.io) ○ Goal #3: Performance ● The system should be fast enough to deploy at scale ○ Currently deployed on a 5% sample of Cloudflare TLS requests ○

  31. MALCOLM: HTTPS Interception on Cloudflare’s Network Public dashboard located at https://malcolm.cloudflare.com. Provides insight into HTTPS ● Interception observed by Cloudflare Powered by MITMEngine ● Allows for filtering by OS, browser, ● HTTPS interception tool, etc.

  32. MALCOLM: HTTPS Interception Analytics

  33. MALCOLM: HTTPS Interception Analytics

  34. Takeaways / Sound Bytes TLS-terminating middleboxes pose serious threats to network security Heuristics based on HTTP and TLS fingerprints can be effective at detecting HTTPS interception Our new open source tool and public dashboard provide insight into the state of HTTPS interception on the Internet https://github.com/cloudflare/mitmengine ● https://malcolm.cloudflare.com ●

  35. Thank you! @gabbifish @lukevalenta

  36. References [Ristić; 2009] HTTP client fingerprinting using SSL handshake analysis. ● https://blog.ivanristic.com/2009/06/http-client-fingerprinting-using-ssl-handshake-analysis.html [Majkowski; 2012] SSL fingerprinting for p0f. https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f ● [Brotherston; 2015] TLS Fingerprinting: Smarter Defending & Stealthier Attacking. ● https://blog.squarelemon.com/tls-fingerprinting/ [Anderson et al.; 2016] Classifying Encrypted Traffic with TLS-Aware Telemetry. ● https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=449962 [Durumeric et al.; 2017] The Security Impact of HTTPS Interception. ● https://jhalderm.com/pub/papers/interception-ndss17.pdf [Althouse, Atkinson, Atkins; 2017]. TLS Fingerprinting with JA3 and JA3S. ● https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 [Frolov, Wustrow; 2019]. TLS Fingerprint. Tlsfingerprint.io ● [Anderson, McGrew; 2019]. TLS Fingerprinting in the Real World. ● https://blogs.cisco.com/security/tls-fingerprinting-in-the-real-world [Raman et al.; 2019] Kazakhstan’s HTTPS Interception. https://censoredplanet.org/kazakhstan ●

  37. Questions and Answers Q: Can’t middleware simply mimic browsers? A: The signatures of popular browsers are constanting changing, and mimicking the signatures would require the middleware to actually support all of the protocols and features of the browser (which would be great!). Q: Does this work for TLS 1.3? A: TLS 1.3 client hellos can be fingerprinted just the same as TLS 1.2 client hellos, since the record and handshake formats are kept the same.

Recommend

In search of CurveSwap: Measuring elliptic curve implementations in the wild Luke Valenta ,

In search of CurveSwap: Measuring elliptic curve implementations in the wild Luke Valenta ,

In search of CurveSwap: Measuring elliptic curve implementations in the wild Luke Valenta , Nick Sullivan , Antonio Sanso , Nadia Heninger University of Pennsylvania, Cloudflare, Adobe April 26th, 2018 1 / 19

1.28k views • 55 slides
Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian , Antonio Sanso , Shaanan Cohney , Joshua Fried , Marcella Hastings , J. Alex Halderman , Nadia Heninger University of

461 views • 42 slides
Introduction to Database Systems Module 1, Lecture 1 M. Valenta - KSI CTU FIT in Prague

Introduction to Database Systems Module 1, Lecture 1 M. Valenta - KSI CTU FIT in Prague

Introduction to Database Systems Module 1, Lecture 1 M. Valenta - KSI CTU FIT in Prague Michal.Valenta @fit.cvut.cz Based on slides: R. Ramakrishnan ( raghu@cs.wisc.edu) Materials Web site: https://edux.fit.cvut.cz/courses/BIE-DBS/ there:

945 views • 14 slides
Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq

401 views • 39 slides
Automated logging of drill core M.Klawitter 1 , R.Valenta 1 , N.Spanswick 2 , I.Fahey 2 1

Automated logging of drill core M.Klawitter 1 , R.Valenta 1 , N.Spanswick 2 , I.Fahey 2 1

Automated logging of drill core M.Klawitter 1 , R.Valenta 1 , N.Spanswick 2 , I.Fahey 2 1 University of Queensland, Sustainable Minerals Institute, Brisbane, QLD 4072 2 Glencore plc, George Fisher Mine, Mount Isa Qld 4825 CRICOS code 00025B

193 views • 16 slides
Countering quantum FUD Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke

Countering quantum FUD Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke

Countering quantum FUD Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta Countering quantum FUD Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta All crypto is broken? FUD : Nobody knows exactly when

509 views • 13 slides
Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: Josh Fried Nadia Heninger Paul

Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: Josh Fried Nadia Heninger Paul

Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: Josh Fried Nadia Heninger Paul Lou Luke Valenta Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta Parameters Scaled-down targets for

404 views • 29 slides
Luk Luke 15: e 15: 1-10 10 Luk Luke 15:1 e 15:1 Now all the tax collectors and sinners

Luk Luke 15: e 15: 1-10 10 Luk Luke 15:1 e 15:1 Now all the tax collectors and sinners

Luk Luke 15: e 15: 1-10 10 Luk Luke 15:1 e 15:1 Now all the tax collectors and sinners were coming near to listen to him. Luk Luke 15:2 e 15:2 And the Pharisees and the scribes were grumbling and saying, This fellow welcomes

1.01k views • 74 slides
BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit

BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit

BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit Super Happy Dev House 45 1 Inspired by Matt Mights (@mattmight) collection of Bash and Perl: 3 shell scripts to improve your writing, or My

306 views • 6 slides
MERRY FISHER 1095 New 2018 PROVISIONAL DOCUMENT MERRY FISHER 1095 : THE JOY OF CRUISING 2 In

MERRY FISHER 1095 New 2018 PROVISIONAL DOCUMENT MERRY FISHER 1095 : THE JOY OF CRUISING 2 In

1 MERRY FISHER 1095 New 2018 PROVISIONAL DOCUMENT MERRY FISHER 1095 : THE JOY OF CRUISING 2 In the pure tradition of the Merry Fisher line, the Merry Fisher 1095 is a weekender and an ideal family cruiser. The new Merry Fisher 1095 takes full

227 views • 22 slides
Luke 23 Luke as painter St Luke drawing the Listening to Lukes story of the cross Virgin by

Luke 23 Luke as painter St Luke drawing the Listening to Lukes story of the cross Virgin by

Luke 23 Luke as painter St Luke drawing the Listening to Lukes story of the cross Virgin by Rogier van der Weyden Steve Walton painted c.14351440 Trinity College, Bristol 1 2 Luke 23 Lukes theology of the cross central

641 views • 7 slides
Forgiveness and Three Parables of Lost Things Luke 15: 1 32 Luke 15:1, Then all the

Forgiveness and Three Parables of Lost Things Luke 15: 1 32 Luke 15:1, Then all the

Forgiveness and Three Parables of Lost Things Luke 15: 1 32 Luke 15:1, Then all the tax collectors and the sinners drew near to Him to hear Him. Luke 15:2, And the Pharisees and scribes complained, saying, This Man receives

630 views • 39 slides
Lu Luke 3: 3:15 15-17, 17, 21 21-22 22 Luke ke 3: 3:15 15 As the people were filled

Lu Luke 3: 3:15 15-17, 17, 21 21-22 22 Luke ke 3: 3:15 15 As the people were filled

Lu Luke 3: 3:15 15-17, 17, 21 21-22 22 Luke ke 3: 3:15 15 As the people were filled with expectation, and all were questioning in their hearts concerning John, whether he might be the Messiah, Luke ke 3: 3:16 16 John answered

572 views • 29 slides
Luke 24:13-35 Luke 24:13-35 New International Version Now that same day two of them were going

Luke 24:13-35 Luke 24:13-35 New International Version Now that same day two of them were going

Luke 24:13-35 Luke 24:13-35 New International Version Now that same day two of them were going to a village called Emmaus, about seven miles from Jerusalem. 14 They were talking with each other about everything that had happened. 15 As they

546 views • 20 slides
F. Instructions for the disciples on hypocrisy Luke 12:1 12 1. Luke 12:1a Evidently,

F. Instructions for the disciples on hypocrisy Luke 12:1 12 1. Luke 12:1a Evidently,

F. Instructions for the disciples on hypocrisy Luke 12:1 12 1. Luke 12:1a Evidently, these confrontations between Jesus and the Pharisees captivated the interest of thousands. 2. Luke 12:1b Hypocrisy develops slowly and gradually but

270 views • 23 slides
Campaigning in Britain Justin Fisher (Brunel University) PARTY SYSTEMS IN THE UK Calculation of

Campaigning in Britain Justin Fisher (Brunel University) PARTY SYSTEMS IN THE UK Calculation of

Party Systems, Voters and Campaigning in Britain Justin Fisher (Brunel University) PARTY SYSTEMS IN THE UK Calculation of ENEP 1 p i 2 ENEP 2010 1 (.36 + .29 + .23 + .12) 2 = 3.55 BACK TO TWO DOMINANT PARTIES? IMPACT OF DEVOLUTION

816 views • 39 slides
2/22/15 Luke 14:15 Luke 14:16-17 Blessed is the man

2/22/15 Luke 14:15 Luke 14:16-17 Blessed is the man

2/22/15 Luke 14:15 Luke 14:16-17 Blessed is the man who will eat at the feast in 1. The gracious host (16) the kingdom of God.

192 views • 5 slides
LUKE 13:1-9 WE LIVE TO REPENT AND RETURN TO GOD. LUKE 13:1-5 ABOUT THIS TIME JESUS WAS

LUKE 13:1-9 WE LIVE TO REPENT AND RETURN TO GOD. LUKE 13:1-5 ABOUT THIS TIME JESUS WAS

JESUS REVOLUTION 73. CALL TO REPENTANCE LUKE 13:1-9 WE LIVE TO REPENT AND RETURN TO GOD. LUKE 13:1-5 ABOUT THIS TIME JESUS WAS INFORMED THAT PILATE HAD MURDERED SOME PEOPLE FROM GALILEE LUKE 13:1 AS THEY WERE OFFERING

245 views • 22 slides
Nickel: A framework for design and verification of information flow control systems Luke Nelson

Nickel: A framework for design and verification of information flow control systems Luke Nelson

Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day 1

749 views • 31 slides
Luke 2:21-35 Blue Bible pg 1090 Luke 2:21-35 Blue Bible pg 1090 Luke 2:21-35 NLT 21 Eight days

Luke 2:21-35 Blue Bible pg 1090 Luke 2:21-35 Blue Bible pg 1090 Luke 2:21-35 NLT 21 Eight days

Luke 2:21-35 Blue Bible pg 1090 Luke 2:21-35 Blue Bible pg 1090 Luke 2:21-35 NLT 21 Eight days later, when the baby was circumcised, he was named Jesus, the name given him by the angel even before he was conceived. Luke 2:21-35 NLT 22 Then it

501 views • 28 slides
Howard S. Fisher, Esq. & Alexander J. Fisher, Esq. 1 The Case Study # 3 Closely held

Howard S. Fisher, Esq. & Alexander J. Fisher, Esq. 1 The Case Study # 3 Closely held

Howard S. Fisher, Esq. & Alexander J. Fisher, Esq. 1 The Case Study # 3 Closely held business couple in their 30s of Russian origin medical technology "S" corporation grossing $30,000,000 netting $10,000,000; potentially worth

228 views • 11 slides
LUKE 22:7-30 30 LUKE 22:7-30 30 Jesus has been planning for this. FEAST T LORDS

LUKE 22:7-30 30 LUKE 22:7-30 30 Jesus has been planning for this. FEAST T LORDS

LUKE 22:7-30 30 LUKE 22:7-30 30 Jesus has been planning for this. FEAST T LORDS IN THE P AS ASSOVER SUP UPPE PER KINGDO GDOM (FUTURE) (PRESENT) (PAST) Which of us is the greatest? Cultural Kingdom Ego needing

749 views • 20 slides
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom e, Luke Valenta, Benjamin

1.01k views • 34 slides
Luke 9:28-36 Luke 9:28-36 New English Translation Now about eight days after these sayings,

Luke 9:28-36 Luke 9:28-36 New English Translation Now about eight days after these sayings,

Luke 9:28-36 Luke 9:28-36 New English Translation Now about eight days after these sayings, Jesus took with him Peter, John, and James, and went up the mountain to pray. 29 As he was praying, the appearance of his face was transformed, and his

349 views • 19 slides

More recommend