PyTennessee 2015: HTTPS

Transcript

1. HTTPS: 
 A Comedy of Errors Ashwini Oruganti Christopher Armstrong

   @_ashfall_
 @radix PyTennessee 2015

2. Look at this code obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )


   print obj.read() NOPE

3. Look at this code obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )


   print obj.read() Ettercap + mitmproxy = owned

4. Passive Active (usually MITM) Types of attacks

5. HTTP / TLS / TCP / IP TLS

6. SSL vs. TLS Disclaimer

7. Authentication: Certificates Encryption: Math! Trusting the internet

8. Can I trust this site? What is cert validation?

9. Site owner gets Certificate Signed by Certificate Authority CA =

   intermediary for user trust Public Key Infrastructure

10. On connect, server sends you its certificate Client does crypto

    math to check cert against CAs Thus, the server is authenticated Connection

11. go to gmail.com. Spoofer sends 
 you a valid cert…

    bobsburgers.com??? Except …

12. If( cert.hostname != request.hostname ): blow up! Hostname Checking!

13. Has it expired? Has it been revoked? Other checks

14. I dunno! Magic? Encryption

15. How does session setup work? TLS in depth (kinda)

16. Handshake Handshake

17. Handshake Server Hello with cipher suite options Server sends cert

    Client verifies signature Client generates random key (pre-master secret??) Handshake

18. Protocol version? Encryption algorithm?? Hash algorithm??? Key-exchange algorithm???? Cipher suites?????

    Decisions, decisions

19. Unencrypted -> Encrypted

20. Software that implements TLS Software that uses TLS Software

21. OpenSSL: most servers, non- browser clients BoringSSL: Google’s fork of

    OpenSSL Secure Transport: iOS and OS X TLS Implementations

22. NSS: Firefox, Chrome on PC Schannel: Windows GnuTLS: Hippies TLS

    Implementations

23. Problems with TLS

24. Heartbleed (OpenSSL 2014) Implementation Flaws

25. leaf certs signing certs (Secure Transport 2011, MS CryptoAPI 2002)

    Implementation Flaws

26. #define HOST_NAME "www.random.org" #define HOST_PORT "443" #define HOST_RESOURCE "/cgi-bin/randbyte?nbytes=32&format=h" long

    res = 1; SSL_CTX* ctx = NULL; BIO *web = NULL, *out = NULL; SSL *ssl = NULL; init_openssl_library(); const SSL_METHOD* method = SSLv23_method(); if(!(NULL != method)) handleFailure(); ctx = SSL_CTX_new(method); if(!(ctx != NULL)) handleFailure(); /* Cannot fail ??? */ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback); /* Cannot fail ??? */ SSL_CTX_set_verify_depth(ctx, 4); /* Cannot fail ??? */ const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; SSL_CTX_set_options(ctx, flags); res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL); if(!(1 == res)) handleFailure(); web = BIO_new_ssl_connect(ctx); if(!(web != NULL)) handleFailure(); res = BIO_set_conn_hostname(web, HOST_NAME ":" HOST_PORT); if(!(1 == res)) handleFailure(); BIO_get_ssl(web, &ssl); if(!(ssl != NULL)) handleFailure(); const char* const PREFERRED_CIPHERS = "HIGH:!aNULL:!kRSA:!PSK:!SRP!MD5:!RC4"; res = SSL_set_cipher_list(ssl, PREFERRED_CIPHERS); if(!(1 == res)) handleFailure(); res = SSL_set_tlsext_host_name(ssl, HOST_NAME); if(!(1 == res)) handleFailure(); out = BIO_new_fp(stdout, BIO_NOCLOSE); if(!(NULL != out)) handleFailure(); res = BIO_do_connect(web); if(!(1 == res)) handleFailure(); res = BIO_do_handshake(web); if(!(1 == res)) handleFailure(); /* Step 1: verify a server certificate was presented during the negotiation */ X509* cert = SSL_get_peer_certificate(ssl); if(cert) { X509_free(cert); } /* Free immediately */ if(NULL == cert) handleFailure(); /* Step 2: verify the result of chain verification */ res = SSL_get_verify_result(ssl); if(!(X509_V_OK == res)) handleFailure(); /* Step 3: hostname verification */ /* An exercise left to the reader */ BIO_puts(web, "GET " HOST_RESOURCE " HTTP/1.1\r\n" "Host: " HOST_NAME "\r\n" "Connection: close\r\n\r\n"); BIO_puts(out, "\n"); int len = 0; do { char buff[1536] = {}; len = BIO_read(web, buff, sizeof(buff)); if(len > 0) BIO_write(out, buff, len); } while (len > 0 || BIO_should_retry(web)); if(out) BIO_free(out); if(web != NULL) BIO_free_all(web); if(NULL != ctx) SSL_CTX_free(ctx); API Design Flaws

27. Downgrade Attacks Protocol Flaws

28. Problems with HTTPS

29. Another approach that could be used by the attacker is

    to redirect the user to the same host- name and port 443 (which will be open) but force plaintext with http://www.example.com: 443. Even though this request fails because the browser is attempting to speak plaintext HTTP on an encrypted port, the attempted request contains all the insecure cookies and thus all the information the attacker wants to obtain. Figure 5.2. Man-in-the-middle attacker stealing unsecured cookies User establishes a secure connection with a web site and receives a cookie User visits any other HTTP site Browser automatically follows the redirection and reveals the cookie Browser Server Attacker https://victim.example.com http://plaintext.example.com Attacker intercepts request and issues a redirection HTTP/1.1 302 Found Location: http://victim.example.com:443 HTTP/1.1 400 Bad Request Cookie http://victim.example.com:443/ Cookie Cookie Stealing

30. If you do set the secure flag, you can still

    have cookies overwritten. Cookie Injection

31. User as a Security Flaw

32. Figure 5.4. Examples of certi cate warnings in current browsers

    Safari 7 Firefox 28 Internet Explorer 11 Chrome 33 Really?

33. Software that uses TLS obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )


    print obj.read() NOPE

34. Well, yeah, but… Is urllib2 really bad?

35. Requests import requests
 obj = requests.get(
 ‘https://example.com/’,
 data=‘my-secret’
 )

36. Sorry :-( Things are getting better! People are starting to

    care. Doom and Gloom

37. More eyeballs on OpenSSL More implementation alternatives Getting Better

38. pyca/cryptography pyca/tls Things could still be better

39. Use SSL Labs security test:
 www.ssllabs.com/ssltest/ Read Hynek’s page on

    configuring TLS:
 tinyurl.com/hynek-tls Test your clients against servers with bad certs What can we do?

40. Read: Bulletproof SSL and TLS
 tinyurl.com/bulletproof-tls Read: The Tangled Web


    tinyurl.com/the-tangled-web `pip install cryptography`
 A great library for crypto in Python What can we do?

41. Scary? Be Brave. Learn! Help us. Chip in!

42. Thank You! twitter.com/@_ashfall_
 twitter.com/@radix