PyCon 2015: Introduction to HTTPS - A comedy of errors

Given recent increases in hostile attacks on internet services and large scale surveillance operations by certain unnamed government organizations, security in our software is becoming ever more important. We'll give you an idea of how modern crypto works in web services and clients, look at some of the common flaws in these crypto implementations, and discuss recent developments in TLS.

Ashwini Oruganti

April 10, 2015

Transcript

  1. HTTPS: A Comedy of Errors
    Ashwini Oruganti
    twitter.com/_ashfall_
    PyCon 2015

  2. Look at this code
    import urllib2

    obj = urllib2.urlopen(
        'https://example.com/',
        data='token=mysecret'
    )
    print obj.read()
    NOPE

  3. Look at this code
    import urllib2

    obj = urllib2.urlopen(
        'https://example.com/',
        data='token=mysecret'
    )
    print obj.read()
    Ettercap + mitmproxy = owned

  4. Passive
    Active (usually MITM)
    Types of attacks

  5. HTTP / TLS / TCP / IP
    TLS

  6. SSL vs. TLS
    Disclaimer

  7. Authentication: Certificates
    Encryption: Math!
    Trusting the internet

  8. Can I trust this site?
    What is cert validation?

  9. Site owner gets Certificate
    Signed by Certificate Authority
    CA = intermediary for user trust
    Public Key Infrastructure

  10. On connect, server sends you its certificate
    Client does crypto math to check cert against CAs
    Thus, the server is authenticated
    Connection

  11. go to gmail.com.
    Spoofer sends you a valid cert…
    bobsburgers.com???
    Except …

  12. if (
        cert.hostname !=
        request.hostname
    ):
        blow up!
    Hostname Checking!

  13. Has it expired?
    Has it been revoked?
    Other checks
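
The hostname and expiry checks from the two slides above, written out as an added Python example (not code from the talk). It runs over a constructed certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`; the function names are hypothetical, and chain verification and revocation are left to the TLS library.

```python
import ssl
import time

# Constructed sample: a cert that is valid, but for the wrong site.
SPOOFED_CERT = {
    "subject": ((("commonName", "bobsburgers.com"),),),
    "subjectAltName": (("DNS", "bobsburgers.com"), ("DNS", "*.bobsburgers.com")),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}


def label_match(pattern, hostname):
    """Match one DNS name; '*' is honoured only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards directly under a top-level name, such as "*.com".
        return (len(p_labels) >= 3 and bool(h_labels[0])
                and p_labels[1:] == h_labels[1:])
    return "*" not in pattern and p_labels == h_labels


def check_cert(cert, requested_host, now=None):
    """Return the list of failed checks; an empty list means acceptable."""
    now = time.time() if now is None else now
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(label_match(n, requested_host) for n in names):
        problems.append("hostname mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems
```

A request for gmail.com answered with this certificate fails with "hostname mismatch" even though the certificate itself is in date.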

  14. I dunno! Magic?
    Encryption

  15. How does session setup work?
    TLS in depth (kinda)

  16. Handshake
    Handshake

  17. Handshake
    Server Hello with cipher suite options
    Server sends cert
    Client verifies signature
    Client generates random key (pre-master secret??)
    Handshake

  18. Protocol version?
    Encryption algorithm??
    Hash algorithm???
    Key-exchange algorithm????
    Cipher suites?????
    Decisions, decisions

  19. Unencrypted -> Encrypted

  20. Software that implements TLS
    Software that uses TLS
    Software

  21. OpenSSL: most servers, non-browser clients
    BoringSSL: Google’s fork of OpenSSL
    Secure Transport: iOS and OS X
    TLS Implementations

  22. NSS: Firefox, Chrome on PC
    Schannel: Windows
    GnuTLS: Hippies
    TLS Implementations

  23. Problems with TLS

  24. Heartbleed
    (OpenSSL 2014)
    Implementation Flaws

  25. leaf certs signing certs
    (Secure Transport 2011, MS
    CryptoAPI 2002)
    Implementation Flaws

  26. #define HOST_NAME "www.random.org"
    #define HOST_PORT "443"
    #define HOST_RESOURCE "/cgi-bin/randbyte?nbytes=32&format=h"
    long res = 1;
    SSL_CTX* ctx = NULL;
    BIO *web = NULL, *out = NULL;
    SSL *ssl = NULL;
    init_openssl_library();
    const SSL_METHOD* method = SSLv23_method();
    if(!(NULL != method)) handleFailure();
    ctx = SSL_CTX_new(method);
    if(!(ctx != NULL)) handleFailure();
    /* Cannot fail ??? */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
    /* Cannot fail ??? */
    SSL_CTX_set_verify_depth(ctx, 4);
    /* Cannot fail ??? */
    const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
    SSL_CTX_set_options(ctx, flags);
    res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL);
    if(!(1 == res)) handleFailure();
    web = BIO_new_ssl_connect(ctx);
    if(!(web != NULL)) handleFailure();
    res = BIO_set_conn_hostname(web, HOST_NAME ":" HOST_PORT);
    if(!(1 == res)) handleFailure();
    BIO_get_ssl(web, &ssl);
    if(!(ssl != NULL)) handleFailure();
    const char* const PREFERRED_CIPHERS = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
    res = SSL_set_cipher_list(ssl, PREFERRED_CIPHERS);
    if(!(1 == res)) handleFailure();
    res = SSL_set_tlsext_host_name(ssl, HOST_NAME);
    if(!(1 == res)) handleFailure();
    out = BIO_new_fp(stdout, BIO_NOCLOSE);
    if(!(NULL != out)) handleFailure();
    res = BIO_do_connect(web);
    if(!(1 == res)) handleFailure();
    res = BIO_do_handshake(web);
    if(!(1 == res)) handleFailure();
    /* Step 1: verify a server certificate was presented during the negotiation */
    X509* cert = SSL_get_peer_certificate(ssl);
    if(cert) { X509_free(cert); } /* Free immediately */
    if(NULL == cert) handleFailure();
    /* Step 2: verify the result of chain verification */
    res = SSL_get_verify_result(ssl);
    if(!(X509_V_OK == res)) handleFailure();
    /* Step 3: hostname verification */
    /* An exercise left to the reader */
    BIO_puts(web, "GET " HOST_RESOURCE " HTTP/1.1\r\n"
                  "Host: " HOST_NAME "\r\n"
                  "Connection: close\r\n\r\n");
    BIO_puts(out, "\n");
    int len = 0;
    do
    {
        char buff[1536] = {0};
        len = BIO_read(web, buff, sizeof(buff));
        if(len > 0)
            BIO_write(out, buff, len);
    } while (len > 0 || BIO_should_retry(web));
    if(out)
        BIO_free(out);
    if(web != NULL)
        BIO_free_all(web);
    if(NULL != ctx)
        SSL_CTX_free(ctx);
    API Design Flaws

  27. Downgrade Attacks
    Protocol Flaws

  28. Problems with HTTPS

  29. Another approach that could be used by the attacker is to redirect the user to the same hostname and port 443 (which will be open) but force plaintext with http://www.example.com:443. Even though this request fails because the browser is attempting to speak plaintext HTTP on an encrypted port, the attempted request contains all the insecure cookies and thus all the information the attacker wants to obtain.
    Figure 5.2. Man-in-the-middle attacker stealing unsecured cookies
    [Figure: Browser, Attacker and Server. The user establishes a secure connection with https://victim.example.com and receives a cookie. The user visits any other HTTP site (http://plaintext.example.com); the attacker intercepts the request and issues a redirection (HTTP/1.1 302 Found, Location: http://victim.example.com:443). The browser automatically follows the redirection to http://victim.example.com:443/ and reveals the cookie; the response is HTTP/1.1 400 Bad Request.]
    Cookie Stealing

  30. If you do set the secure flag, you can
    still have cookies overwritten.
    Cookie Injection
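
Why the Secure flag decides what the redirected request on the cookie-stealing slide leaks, as an added Python example that is not from the talk: a simplified model of browser cookie selection (host and scheme only, path matching omitted) over constructed `Set-Cookie` values. The function names are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie values, as received over https://victim.example.com/
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",
    "csrf=def456; Path=/; Secure; HttpOnly",
]


def build_jar(host, headers):
    """Parse Set-Cookie values into (host, name, value, secure) tuples."""
    jar = []
    for header in headers:
        for morsel in SimpleCookie(header).values():
            jar.append((host, morsel.key, morsel.value, bool(morsel["secure"])))
    return jar


def cookies_sent(url, jar):
    """Names of the cookies a browser attaches to a request for `url`.

    Cookies are scoped by host, not by port, and only the Secure attribute
    restricts them to https://, so http://host:443/ still receives the rest.
    """
    parts = urlsplit(url)
    return [name for host, name, _value, secure in jar
            if host == parts.hostname
            and (parts.scheme == "https" or not secure)]


def missing_secure(jar):
    """Audit helper: cookies that would travel over plaintext HTTP."""
    return [name for _host, name, _value, secure in jar if not secure]
```

Running `missing_secure` over a site's real `Set-Cookie` headers gives the list of cookies exposed to this redirect; it says nothing about the overwrite problem on the cookie-injection slide, which the Secure flag does not address.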

  31. User as a
    Security Flaw

  32. Figure 5.4. Examples of certificate warnings in current browsers
    Safari 7
    Firefox 28
    Internet Explorer 11
    Chrome 33
    Really?

  33. Software that uses TLS
    import urllib2

    obj = urllib2.urlopen(
        'https://example.com/',
        data='token=mysecret'
    )
    print obj.read()
    NOPE

  34. Well, yeah, but…
    Is urllib2 really bad?

  35. Requests
    import requests

    obj = requests.get(
        'https://example.com/',
        data='my-secret'
    )
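
An added example, not from the talk: the `ssl.SSLContext` settings that decide whether a Python 3 standard-library client performs the chain and hostname checks described earlier, with a weak context beside a strict one. The helper names `audit_context`, `weak_context`, `strict_context` and `post_token` are hypothetical.

```python
import ssl
import urllib.parse
import urllib.request


def audit_context(ctx):
    """Return the reasons this context would accept a man-in-the-middle."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are allowed")
    return problems


def weak_context():
    """The configuration to look for in code review: no authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context():
    """System CA store, hostname checking on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def post_token(url, token, ctx):
    """Python 3 counterpart of the slide's urlopen() call; refuses weak contexts."""
    problems = audit_context(ctx)
    if problems:
        raise ssl.SSLError("refusing to send secret: " + "; ".join(problems))
    body = urllib.parse.urlencode({"token": token}).encode()
    with urllib.request.urlopen(url, data=body, context=ctx, timeout=10) as resp:
        return resp.read()
```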

  36. Sorry :-(
    Things are getting better!
    People are starting to care.
    Doom and Gloom

  37. More eyeballs on OpenSSL
    More implementation alternatives
    Getting Better

  38. pyca/cryptography
    pyca/tls
    Things could still be better

  39. Use SSL Labs security test: www.ssllabs.com/ssltest/
    Read Hynek’s page on configuring TLS: tinyurl.com/hynek-tls
    Test your clients against servers with bad certs
    What can we do?

  40. Read: Bulletproof SSL and TLS: tinyurl.com/bulletproof-tls
    Read: The Tangled Web: tinyurl.com/the-tangled-web
    Read: Crypto101: https://www.crypto101.io/
    What can we do?

  41. Scary?
    Be Brave.
    Learn!
    Help us.
    Chip in!

  42. Thank You!
    twitter.com/_ashfall_
    IRC: #cryptography-dev on freenode
