PyCon 2015: Introduction to HTTPS - A comedy of errors

Given recent increases in hostile attacks on internet services and large scale surveillance operations by certain unnamed government organizations, security in our software is becoming ever more important. We'll give you an idea of how modern crypto works in web services and clients, look at some of the common flaws in these crypto implementations, and discuss recent developments in TLS.

Ashwini Oruganti

April 10, 2015


  1. Public Key Infrastructure: Site owner gets a certificate signed by a Certificate Authority. CA = intermediary for user trust.
  2. Connection: On connect, server sends you its certificate. Client does crypto math to check cert against CAs. Thus, the server is authenticated.
  3. Handshake: Server Hello with cipher suite options. Server sends cert. Client verifies signature. Client generates random key (pre-master secret??).
  4. TLS Implementations: OpenSSL (most servers, non-browser clients); BoringSSL (Google’s fork of OpenSSL); Secure Transport (iOS and OS X).
  5. API Design Flaws

    ```c
    #define HOST_NAME "www.random.org"
    #define HOST_PORT "443"
    #define HOST_RESOURCE "/cgi-bin/randbyte?nbytes=32&format=h"

    long res = 1;

    SSL_CTX* ctx = NULL;
    BIO *web = NULL, *out = NULL;
    SSL *ssl = NULL;

    init_openssl_library();

    const SSL_METHOD* method = SSLv23_method();
    if(!(NULL != method)) handleFailure();

    ctx = SSL_CTX_new(method);
    if(!(ctx != NULL)) handleFailure();

    /* Cannot fail ??? */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);

    /* Cannot fail ??? */
    SSL_CTX_set_verify_depth(ctx, 4);

    /* Cannot fail ??? */
    const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
    SSL_CTX_set_options(ctx, flags);

    /* Trust only the chain shipped with the client */
    res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL);
    if(!(1 == res)) handleFailure();

    web = BIO_new_ssl_connect(ctx);
    if(!(web != NULL)) handleFailure();

    res = BIO_set_conn_hostname(web, HOST_NAME ":" HOST_PORT);
    if(!(1 == res)) handleFailure();

    BIO_get_ssl(web, &ssl);
    if(!(ssl != NULL)) handleFailure();

    const char* const PREFERRED_CIPHERS = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
    res = SSL_set_cipher_list(ssl, PREFERRED_CIPHERS);
    if(!(1 == res)) handleFailure();

    /* SNI: tell the server which host name is being requested */
    res = SSL_set_tlsext_host_name(ssl, HOST_NAME);
    if(!(1 == res)) handleFailure();

    out = BIO_new_fp(stdout, BIO_NOCLOSE);
    if(!(NULL != out)) handleFailure();

    res = BIO_do_connect(web);
    if(!(1 == res)) handleFailure();

    res = BIO_do_handshake(web);
    if(!(1 == res)) handleFailure();

    /* Step 1: verify a server certificate was presented during the negotiation */
    X509* cert = SSL_get_peer_certificate(ssl);
    if(cert) { X509_free(cert); } /* Free immediately */
    if(NULL == cert) handleFailure();

    /* Step 2: verify the result of chain verification */
    res = SSL_get_verify_result(ssl);
    if(!(X509_V_OK == res)) handleFailure();

    /* Step 3: hostname verification */
    /* An exercise left to the reader */

    BIO_puts(web, "GET " HOST_RESOURCE " HTTP/1.1\r\n"
                  "Host: " HOST_NAME "\r\n"
                  "Connection: close\r\n\r\n");
    BIO_puts(out, "\n");

    int len = 0;
    do
    {
      char buff[1536] = {};
      len = BIO_read(web, buff, sizeof(buff));

      if(len > 0)
        BIO_write(out, buff, len);

    } while (len > 0 || BIO_should_retry(web));

    if(out)
      BIO_free(out);

    if(web != NULL)
      BIO_free_all(web);

    if(NULL != ctx)
      SSL_CTX_free(ctx);
    ```
  6. Cookie Stealing: Another approach that could be used by the attacker is to redirect the user to the same hostname and port 443 (which will be open) but force plaintext with http://www.example.com:443. Even though this request fails because the browser is attempting to speak plaintext HTTP on an encrypted port, the attempted request contains all the insecure cookies and thus all the information the attacker wants to obtain.

    [Figure 5.2. Man-in-the-middle attacker stealing unsecured cookies. Participants: Browser, Server, Attacker. The user establishes a secure connection with a web site (https://victim.example.com) and receives a cookie; the user visits any other HTTP site (http://plaintext.example.com); the attacker intercepts the request and issues a redirection (HTTP/1.1 302 Found, Location: http://victim.example.com:443); the browser automatically follows the redirection and reveals the cookie in its request to http://victim.example.com:443/ (HTTP/1.1 400 Bad Request).]
  7. Cookie Injection: If you do set the secure flag, you can still have cookies overwritten.
  8. Really? (Figure 5.4. Examples of certificate warnings in current browsers: Safari 7, Firefox 28, Internet Explorer 11, Chrome 33.)
  9. What can we do? Use SSL Labs security test: www.ssllabs.com/ssltest/; read Hynek’s page on configuring TLS: tinyurl.com/hynek-tls; test your clients against servers with bad certs.
  10. What can we do? Read: Bulletproof SSL and TLS, tinyurl.com/bulletproof-tls; read: The Tangled Web, tinyurl.com/the-tangled-web; read: Crypto101, https://www.crypto101.io/
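
The client on the "API Design Flaws" slide verifies the certificate chain but leaves hostname verification as an exercise. As an added example (not code from the talk or from OpenSSL), this Python check flags a client `ssl.SSLContext` left in that state; the function names are made up for illustration.

```python
import ssl


def audit_client_context(ctx):
    """Return findings for a client-side SSLContext (empty list means OK)."""
    findings = []
    # Steps 1-2 on the slide: a certificate must be presented and its chain verified.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain verification is off")
    # Step 3 on the slide: the certificate must be valid for the requested host.
    if not ctx.check_hostname:
        findings.append("hostname verification is off")
    # Counterparts of SSL_OP_NO_SSLv3 and SSL_OP_NO_COMPRESSION in the C code.
    if not (ctx.options & ssl.OP_NO_SSLv3):
        findings.append("SSLv3 is not disabled")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression is not disabled")
    return findings


def slide_equivalent_context():
    """Chain is verified, hostname is not: the state the C client stops in."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def unverified_context():
    """No verification at all (hypothetical misconfigured client)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, ctx in [("default", ssl.create_default_context()),
                      ("slide-equivalent", slide_equivalent_context()),
                      ("unverified", unverified_context())]:
        print(name, audit_client_context(ctx) or "ok")
```

Run against the contexts your own clients build, this belongs in a unit test so a disabled check fails the build.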
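
The "Cookie Stealing" slide works because cookies are scoped by domain and path, not by port, and by scheme only when the Secure flag is set. The following added sketch (not from the talk or the quoted book) models that matching in simplified form; the function names and the sample `Set-Cookie` headers are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header, origin_host):
    """Reduce one Set-Cookie header to the attributes that scope the cookie."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"].lstrip(".").lower()
    return {
        "name": name,
        "domain": domain or origin_host.lower(),
        "host_only": not domain,  # no Domain attribute: exact host match only
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
    }


def browser_would_send(cookie, url):
    """Simplified RFC 6265 matching: domain, path and Secure; never the port."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    if cookie["host_only"]:
        domain_ok = host == cookie["domain"]
    else:
        domain_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    path = target.path or "/"
    prefix = cookie["path"].rstrip("/") + "/"
    path_ok = path == cookie["path"] or path.startswith(prefix)
    # Secure restricts the cookie to https; without it any scheme matches.
    scheme_ok = target.scheme == "https" or not cookie["secure"]
    return domain_ok and path_ok and scheme_ok


# Constructed sample headers, as if set by https://victim.example.com
WITHOUT_SECURE = parse_set_cookie("session=abc123; Path=/; HttpOnly", "victim.example.com")
WITH_SECURE = parse_set_cookie("session=abc123; Path=/; Secure; HttpOnly", "victim.example.com")

if __name__ == "__main__":
    for url in ("https://victim.example.com/", "http://victim.example.com:443/"):
        for label, cookie in (("no Secure", WITHOUT_SECURE), ("Secure", WITH_SECURE)):
            sent = browser_would_send(cookie, url)
            print(url, label, "->", "sent" if sent else "withheld")
```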