Upload File

breaking out hsts (and hpkp) on firefox, ie/edge and ... · @unapibageek - @ssantosv ie/edge...

  • Home
  • Documents
  • Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,
36
@unapibageek - @ssantosv Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (Possibly) Chrome.

Upload: others

Post on 27-Jun-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (Possibly) Chrome.

Page 2: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Sheila Ayelen Berta Sergio De Los Santos

Security Researcher ElevenPaths

(Telefonica Digital cyber security unit)

Head of Innovation and Lab ElevenPaths

(Telefonica Digital cyber security unit)

22 years old - N/A :p -

Page 3: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

HTTP://www.example.com/login

Username: John / Password: 1234

C

Page 4: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

HTTPS://www.example.com/login

Username: John / Password: 1234

(

C

Page 5: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 6: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

SSLSTRIP

COMMONATTACKS

ROGUE CERTIFICATES

SOLUTIONS?HTTP Strict Transport Security

HPKPHSTSHTTP Public Key Pinning

Page 7: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

HSTS – First time requests

Page 8: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

HSTS – HTTP requests after HSTS header is setted

THERE IS NOT A FIRST HTTP (UNSECURE) REQUEST.SSLSTRIP HAS NOTHING TO INTERCEPT, IT WON’T WORK.

Page 9: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

HPKP – Certificate Pinning

pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=";

Page 10: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

HPKP – Certificate Pinning

Page 11: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Attacking HSTS (and HPKP) browsers implementation

Page 12: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 13: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

The curious thing…

1024 ENTRIES

AS MAXIMUM

Page 14: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 15: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

DEMO

Page 16: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 17: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 18: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Attack improvement… defeating FF’s score system

CJUNK HSTS ENTRIES INJECTION

JUNK HSTS ENTRIES INJECTION

JUNK HSTS ENTRIES INJECTION

DELOREAN +1 DAY

DELOREAN +1 DAY

SCORE = 0

SCORE = 1

SCORE = 2

DEMO

Page 19: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

DEMO

FF’s highlights – Cons :

• Attack might be a little complex to achieve:MITM + DELOREAN + HSTS Injection.

• We need time enough inside the target’s network.(It may be some hours).

Internal Pentests, Hotels… are the best scenarios ;)

Page 20: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

DEMO

FF’s highlights - Pros:

• Attack effectiveness.

JUNK ENTRY – SCORE = 2

HS

TS

S

LO

TS

JUNK ENTRY – SCORE = 2

JUNK ENTRY – SCORE = 2

REAL ENTRY – SCORE = 0 NEW ENTRY – SCORE = 0

Page 21: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 22: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 23: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 24: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

The curious thing…

NO STORAGE LIMITS

Page 25: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 26: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

DEMO

Page 27: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Chrome highlights:

• Attack is very easy to achieve and you can try it in different ways.(WiFi Portal / MITM attack / etc).

• Chrome stops working properly in a few minutes.

• User is forced to clear browsing data in Chrome and therefore the TransportSecurity file starts over again = HSTS/HPKP broken ;)

Page 28: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 29: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Page 30: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

The curious thing…

Page 31: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

WININET.DLL

HttpIsHostHstsEnabled

CheckHsts()

GetHstsEnabled()

IsHostHstsA()

GetHstsEntry()

SetHstsEntry()

UpdateHstsEntry()

AddHstsEntry()

CheckHstsInternal()

Page 32: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

CheckHsts()

GetHstsEnabled()

CheckHstsInternal()

IsHostHstsA()

IsHostHstsInternal()

ConvertURLtoHTTPS()

Landing issues…

AddHstsEntry()

SetHstsEntry()

SaveEntryToStore()

?

?

Page 33: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

CACHE

I remember if you visited the website over

https or http… but not because of HSTS itself...

DEMO

Page 34: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

IE/Edge highlights:

• Most of the websites will not be remembered as webs protected with HSTS, due to problems in the storage process.

• Browser cache is the one that remembers if you have entered the website over http or https… but not HSTS itself.

• Restarting the browser, the machine or (most effectively) clearingthe cache, leaves the user without a real HSTS protection.

Page 35: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

Conclusions…

We can tell there is not a strong bet yet forimproving this implementations in browsers so…

No one is safe….even with HSTS.

Page 36: Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and ... · @unapibageek - @ssantosv IE/Edge highlights: • Most of the websites will not be remembered as webs protected with HSTS,

@unapibageek - @ssantosv

THANK YOU!

Sheila Ayelen Berta Sergio De Los Santos

Security Researcher – ElevenPaths(Telefonica Digital cyber security unit)

@[email protected]

Head of Research – ElevenPaths(Telefonica Digital cyber security unit)

@[email protected]


Cisco Industrial Ethernet 4010 Series Switches · The IE 4010 complements the existing Cisco IE 2000, IE 2000U, IE 3200, IE 3300, IE 3400, IE 4000, and IE 5000 Series Switching families,

Naam: - Collegiate...dr ie v ie r t ie n f ie ts d ie p t ie r m ie r d ie r s ie k d ie f p ie p s ie n br ie f pap ie r w ie n ie ie PIEP! PIEP! sounds like “ i ” in English

HSTS: Integrating Planning and Scheduling

HPKP Spearing Superfish with - c0nrad.io · 2019. 12. 4. · HPKP Hmmm, is Yahoo!’s SPKI in my pinset? NO! STOP CONNECTION MITM No Secrets Agency Subject: yahoo.com SPKI: jkl Valid

Herringbone - Spot On · line, creating two half-square triangles (HSTs). Press toward the darker fabric. Repeat to make seventy-seven A/B HSTs and twenty-two C/D HSTs. Trim each

IE 366 IE 366: Work Systems Engineering Introduction

Sarasin IE Global Equity Opportunities (GBP) Sarasin IE

The High School Transcript Study: The 2000 High School ...HSTS 1987, and HSTS 1990. The Special Education category belongs to the Personal/Other Courses group and includes a large

BATCH : 2018-19 SYMBIOSIS COLLEGE OF ARTS & … · priya nath fbc-18-19-4118 8 r 11-21 | | IE 20011C16 IE 20041C16 IE 20051C16 IE 20123C16 IE 20131C16 | | IE 20132C16 IE 20152C16

BBA13SEA.TXT - Notepadcollegecirculars.unipune.ac.in/College Summary Statements and Stud… · bba13sea.txt (1840000917262 ) ie 301 ie 302 ie 303 ie 304 ie 305 ie 306 25016 1011400006

HTTPS in the real world: a spooky tale 12.pdf · No way to undo HSTS besides waiting In practice, organizations deploy with gradually increasing max-age. HSTS gotchas Does not protect

BBA08SEA 2015 1collegecirculars.unipune.ac.in/College Summary Statements...2015/03/09  · 20064 1011300072 CHETAN KUMAR SAH MINA 6 FR (150008558298 ) IE 518 IE 611 IE 612 IE 613 IE

sunset star - Windham Fabrics · with a 10” 40171-37 Red-Royal square. You will make (24) 4½” HSTs in each print for a total of (96) HSTs. 7. Arrange the 4½“ HSTs and 40171-37

ABUSING CERTIFICATE TRANSPARENCY CON 25/DEF CON 25...(HPKP) 10 CERTIFICATE AUTHORITY AUTHORIZATION (CAA) 11 CERTIFICATE TRANSPARENCY (CT) 12 PUBLIC LOGS Let's put all certificates

Bull-ie Wool-ie

Bid Packet 2 for Soil Evaluation and HSTS Designs

SSL, HSTS and other stuff with two eSSes

These slides: HSTS and HPKP in ... and HPKP in practice Joseph Bonneau (based on research w/Michael Kranch) IETF 92 March 26 2015 These slides: Research paper ... TLS in one slide

IE-05bar - DIMENSIONAMIENTO DE BARRAScatedra.ing.unlp.edu.ar/electrotecnia/sispot/Libros 2007/libros/ie... · bar06.jpg bar05 file:///C|/cd-rif/cdsispot/libros/ie-temas/ie-05/utn/ie-05fig.htm

IE IL IE vrr vrr IE IE&

SYSTEM DESIGN IE 477 - IE 478

SEALS WITH NITRILE AND FLUOROCARBON...9,2 19 5,3 IE NBR 722003 9,8 18 16 5 5 IOS IE NBR FKM 726787 722393 10 18 19 22 22 22 25 26 28,5 35 5 7 7 7x8 8 8 7 8 8 IE IE IE IEL IE IE IE

HIGH SPEED TEXT SEARCH SYSTEM HSTS HARDWARE … · Title: HIGH SPEED TEXT SEARCH SYSTEM HSTS HARDWARE DRAWINGS VOLUME 2 OF 2 : Subject: HIGH SPEED TEXT SEARCH SYSTEM HSTS HARDWARE

Biomedical Technology Aligned Document…  · Web viewA2.1. A2.3. A2.4. A4.5. A6.3 (9-12) (B-5c) (9-12)IE1b (IE-1c) (IE-1d) (IE-1e) (IE-1f) (IE-1n) (IE-1m) (7) AF1.5. Throughout

Mission Accomplished? HTTPS Security after DigiNotar · TLS/HTTPS Security Extensions • Certificate Transparency • HSTS (HTTP Strict Transport Security) • HPKP (HTTP Public

IE-33 & IE-35 - Purdue UniversityIvie IE-33 & IE-35 Manual page 3 Press power button to turn on IE-33. Using the stylus tap on "Start." Start using the IE-33. Insert the iPAQ into

Y Professor Parabellum's HSTS UNW Magazine Catch Pivot set

Cutting - FabShop Hop...Add Background HSTs to all four corners. Press toward HSTs. Trim and square completed block to measure 11⅞"x11⅞" with seams. Repeat steps above to make

transunion.com | Osano€¦ · HTTP Strict Transport Security (HSTS) HSTS policy for : max-age=15768000; includeSubDomains Pass Test max-age set to at least 6 months

Emerging Web Application Security Standards Scott HelmeTransport security is largely a solved problem 1. Deploy encryption 2. Use good configuration 3. Deploy HSTS 4. Deploy HPKP (only

Available online at ScienceDirect2013), HSTS (Hodges et al., 2012), HPKP (Evans and Palmer, 2011), SISCA (Karapanos and Capkun, 2014), and other best practices (e.g., enabling CSP

Can HTTP Strict Transport Security Meaningfully …...Mozilla Firefox has implemented HSTS since version 4.0 Google Chrome has implemented HSTS since version 4.0.211.0 Opera has implemented

Y Professor Parabellum's HSTS UNW Adjustable Buttstock

11 Sorting Buffers on HSTs Harald Räcke Matthias Englert Matthias Westermann

30 ms High Speed Transfer System (HSTS) … Description 30 ms High Speed Transfer System (HSTS) | 5 1 General 1.1 Description of the 30 ms high speed transfer system HSTS In order