More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Upload: garret-sears

Post on 15-Dec-2015


TRANSCRIPT

Page 1: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

More Trick For Defeating SSL

DEFCON 17, Moxie Marlinspike

Page 2: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

1. Introduction
2. Background Knowledge: SSL/TLS protocol
3. sslstrip
4. sslsniff
   A. Basic Constraints vulnerability
   B. Null-Prefix Attack
   C. Bypassing OCSP
5. Conclusion

Outline

Page 3: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach.

Introduction

Page 4: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Background Knowledge: SSL/TLS Protocol

Page 5: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Abbreviation for Transport Layer Security and its successor Secure Socket Layer.

Provides communication security over the Internet, even when the network is under a MITM attack.

SSL/TLS Introduction

Page 6: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Network Stack

Page 7: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Handshake Process

Page 8: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Handshake Process

Page 9: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

SSLstrip

Page 10: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

A demonstration of the HTTPS stripping attacks. It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links.

SSLstrip Introduction[1]

Page 11: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

What bridges www.facebook.com to https://www.facebook.com?

302 redirect

Hyperlink

How it works

Page 12: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

302 Redirect

Page 13: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Detail – Normal Scenario

Participants: User, Browser, Server

1. User types: example.com
2. Browser requests http://example.com
3. Server replies 302 redirect to https://abc.example.com
4. Browser requests https://abc.example.com
5. SSL/TLS handshake
6. Server replies 200 OK

Page 14: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Detail – Normal Scenario

Page 15: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Detail – Attack Scenario

Participants: User/browser, Attacker, Server

1. Browser requests http://example.com; attacker forwards http://example.com to the server
2. Server replies 302 redirect to https://abc.example.com
3. Attacker strips https to http and records the URL
4. Attacker replies 302 redirect to http://abc.example.com
5. Browser requests http://abc.example.com
6. Attacker matches the URL against the recorded https://abc.example.com and performs the SSL/TLS handshake with the server
7. Server sends Application Data; attacker strips https to http and forwards the stripped Application Data to the browser

Page 16: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Result (without strip)

Page 17: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Result (with strip)

Page 18: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

When the browser queries https://abc.example.com directly: bookmark, user typing

Other protocols: smtps, ftps, sftp...

What can't sslstrip do

Page 19: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

SSLsniff – Basic Constraints vulnerability

Page 20: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Certificate Chaining

Page 21: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Certificate Chaining

Page 22: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

1. Verify that the name of the leaf node is the same as the site you're connecting to.
2. Verify that the leaf certificate has not expired.
3. Check the signature. If the signing CA is in our list of trusted root CAs, stop. Otherwise, move one up the chain and repeat.

How we verify

Page 23: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike
Page 24: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike
Page 25: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

1. Verify that the name of the leaf node is the same as the site you're connecting to.
2. Verify that the leaf certificate has not expired.
3. Check the signature. If the signing CA is in our list of trusted root CAs, stop. Otherwise, move one up the chain and repeat.

What they say

Page 26: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

All the signatures are valid. Nothing has expired. The chain is intact. The root CA is embedded in the browser and trusted.

Something must be wrong, but...

But we just created a valid certificate for PayPal, and we're not PayPal?

Page 27: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

The missing piece

Page 28: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Most CAs didn't explicitly set basicConstraints: CA=False

Whether the field was there or not, most SSL implementations didn't bother to check it.

Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain.

When presented with a complete chain, IE, Outlook, Konqueror, OpenSSL, and others considered it valid...

Back in the day
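As an added example (not from these slides and not sslsniff's own code), the following Go program walks a certificate chain exactly as the three verification steps above list them, once without and once with the basicConstraints check that "Back in the day" describes as missing. Every key and certificate is generated locally; the names root-ca.example, holder.example and www.example.com are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a one-day ECDSA P-256 cert for host (keys generated locally); parent == nil means self-signed.
func mkCert(host string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // the CA bit is set explicitly, as a CA should
	}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify walks chain[0] (the leaf) upwards as the slide lists it: hostname, validity, signature by the next cert, stop at the trusted root; checkCA=false reproduces the pre-2002 behaviour.
func verify(chain []*x509.Certificate, root *x509.Certificate, host string, checkCA bool) bool {
	if chain[0].VerifyHostname(host) != nil { return false }
	for i, c := range chain {
		if now := time.Now(); now.Before(c.NotBefore) || now.After(c.NotAfter) { return false }
		parent := root // the last cert in the chain must be signed by the trusted root
		if i+1 < len(chain) { parent = chain[i+1] }
		// The missing piece: a signer whose basicConstraints does not assert CA must be refused.
		if checkCA && !(parent.BasicConstraintsValid && parent.IsCA) { return false }
		digest := sha256.Sum256(c.RawTBSCertificate) // ECDSA-with-SHA256, as produced by mkCert
		if !ecdsa.VerifyASN1(parent.PublicKey.(*ecdsa.PublicKey), digest[:], c.Signature) { return false }
	}
	return true
}

// BuildDemo builds root -> ordinary leaf -> cert for victim signed by that leaf, and reports whether
// the naive walk and the basicConstraints-aware walk accept the forgery, plus whether the honest leaf still passes.
func BuildDemo(victim string) (naiveOK, strictOK, honestOK bool) {
	root, rootKey := mkCert("root-ca.example", true, nil, nil)
	leaf, leafKey := mkCert("holder.example", false, root, rootKey)
	forged, _ := mkCert(victim, false, leaf, leafKey)
	forgedChain := []*x509.Certificate{forged, leaf}
	return verify(forgedChain, root, victim, false), verify(forgedChain, root, victim, true),
		verify([]*x509.Certificate{leaf}, root, "holder.example", true)
}
```

The naive walk accepts the leaf-signed certificate because every signature, name and date checks out; only consulting the signer's CA bit rejects it, which is what the 2002 fixes added.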

Page 29: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Microsoft claimed that it was impossible to exploit.

So the author published the tool that exploits it.

And then in 2002...

Page 30: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

SSLsniff detail

Participants: User/browser, Attacker

Browser side:

1. Browser requests https://abc.example.com
2. Attacker: generate a certificate for the site it is connected to; sign it with any random valid leaf node certificate; pass that certificate chain to the client
3. SSL/TLS handshake
4. Application Data

Server side:

1. Attacker requests https://abc.example.com
2. SSL/TLS handshake
3. Application Data
4. Attacker: get the data from the server; encrypt it with our private key; send to the user

Page 31: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

SSLsniff – Null Prefix Attack

Author’s PPT

Page 32: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

X.509 Certificate fields: Version, Serial Number, Issuer, Validity, Subject, Public Key, Signature Algorithm, Signature

What's with certificates, anyways?

Identify some subject; get the public key

Issued by some issuer

Issuer signature

Page 33: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike
Page 34: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

Secrecy - Encryption algorithm

Authenticity - Digital Signature

Integrity - Checksum

The Big Three

Page 35: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike

SSL Handshake Beginnings