
James Hall & Lawrence Dudley - Circumventing SSL

Hey! Presents
February 25, 2014

Presented at Hey!Stac #7 on 25th February, 2014.


Transcript

  1. Contents
     • How local networks work - introduction to ARP
     • ARP spoofing
     • Man in the middle - demo
     • SSL in brief
     • Certificate validation and user feedback
     • SSL strip - demo
     • Super evil injection - demo
  2. How we thought they worked:
     1. You plug it in
     2. You get an IP address
     3. Internet
  3. There’s more to it than meets the eye
     As web developers we forget that the things we do run on hardware. We think of networks as TCP/IP or even just HTTP.
     There are actually 7 layers involved.
     We’re going to discuss layers 2 and 3 - data link and network.
  4. Layers 2 and 3 - what do they do?
     Layer 3 - Network: this is typically IPv4 and consists of IP addresses, e.g. 192.168.1.1.
     Layer 2 - Data Link: this layer communicates using MAC addresses, e.g. 10:DD:B1:F3:38:66.
  5. Example network request
     The network translates the IP address to a MAC address.
     Data Packet - Destination: 10:DD:B1:F3:38:66
  6. IP/MAC Relationship
     IP addresses are translated into a MAC address for transport on the network. IP addresses are an abstraction.
     How does a host know which IP belongs on which MAC?
  7. Address resolution protocol
     ARP is essentially a shared network phone book that maps IP and MAC addresses together.
     Each host tells the rest of the network which IP/MAC combinations it has.

     MAC Address         IP Address
     10:DD:B1:F3:38:66   192.168.1.1
     00:B0:D0:86:BB:F6   192.168.1.1
     00:B0:D0:86:BB:F8   192.168.1.2
     00:B0:D0:86:BB:F7   192.168.1.3
  8. The problem
     ARP lacks any kind of authentication. If you tell a node that a certain IP address belongs on a MAC address, it will believe you.
  9. Normal operation
     Data Packet - Destination: 192.168.1.1  →  Data Packet - Destination: 10:DD:B1:F3:38:66

     MAC Address         IP Address
     10:DD:B1:F3:38:66   192.168.1.1
     00:B0:D0:86:BB:F6   192.168.1.1
     00:B0:D0:86:BB:F8   192.168.1.2
     00:B0:D0:86:BB:F7   192.168.1.3
  10. Device on network sends false info
     Data Packet - Destination: 192.168.1.1  →  Data Packet - Destination: 10:DD:B1:F3:38:66

     MAC Address         IP Address
     10:DD:B1:F3:38:66   192.168.1.1
     00:B0:D0:86:BB:F6   192.168.1.1
     00:B0:D0:86:BB:F8   192.168.1.2
     00:B0:D0:86:BB:F7   192.168.1.3
  11. Device on network sends false info
     Before the false ARP reply:

     MAC Address         IP Address
     10:DD:B1:F3:38:66   192.168.1.1
     00:B0:D0:86:BB:F6   192.168.1.1
     00:B0:D0:86:BB:F8   192.168.1.2
     00:B0:D0:86:BB:F7   192.168.1.3

     After it, the same packet is resolved to the attacker’s MAC:
     Data Packet - Destination: 192.168.1.1  →  Data Packet - Destination: 00:A0:C9:14:C8:29

     MAC Address         IP Address
     00:A0:C9:14:C8:29   192.168.1.1
     00:B0:D0:86:BB:F6   192.168.1.1
     00:B0:D0:86:BB:F8   192.168.1.2
     00:B0:D0:86:BB:F7   192.168.1.3

     The attacker then forwards it on: Data Packet - Destination: 10:DD:B1:F3:38:66

     Because ARP doesn’t contain any authentication, it’s trivial to convince a node to send data to the wrong place.
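The change in slides 9 to 11 (192.168.1.1 silently moving from 10:DD:B1:F3:38:66 to 00:A0:C9:14:C8:29) is exactly the signal a passive ARP monitor such as arpwatch alerts on. The following is an added example, not code from the deck or from the speakers: it parses raw Ethernet/ARP frames, records the first MAC seen for each IP, and raises an alert when a later reply claims the same IP for a different MAC. The frames it replays are constructed from the addresses on the slides, the gateway IP is marked as high-value, and `build_arp_reply` exists only to produce that test capture.

```python
"""ARP cache-poisoning monitor in the style of arpwatch (added example).

Parses Ethernet II / ARP frames, remembers the first MAC seen for every IP and
alerts when a later 'is-at' reply binds that IP to a different MAC. The capture
in run_demo() is constructed from the addresses used on the slides.
"""
import struct
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II frame carrying an ARP 'is-at' reply (test data only)."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen, plen, op
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None                       # only Ethernet/IPv4 ARP is handled here
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return oper, sender_mac, sender_ip


@dataclass
class ArpMonitor:
    gateways: frozenset = frozenset()               # IPs whose binding flips are critical
    table: dict = field(default_factory=dict)       # ip -> first MAC seen for it
    alerts: list = field(default_factory=list)

    def observe(self, frame: bytes):
        """Feed one frame; return an alert dict if it contradicts what we learned."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, mac, ip = parsed
        known = self.table.setdefault(ip, mac)    # first sighting is simply learned
        if known == mac:
            return None                           # consistent with the known binding
        alert = {
            "ip": ip, "old_mac": known, "new_mac": mac,
            "severity": "high" if ip in self.gateways else "medium",
        }
        self.alerts.append(alert)
        return alert


def run_demo():
    """Replay a constructed capture: legitimate replies, then a poisoned one."""
    mon = ArpMonitor(gateways=frozenset({"192.168.1.1"}))
    bcast = "ff:ff:ff:ff:ff:ff"
    gw = "10:DD:B1:F3:38:66"
    capture = [
        build_arp_reply(gw, "192.168.1.1", bcast, "192.168.1.1"),                   # gateway announces itself
        build_arp_reply("00:B0:D0:86:BB:F8", "192.168.1.2", gw, "192.168.1.1"),     # client .2
        build_arp_reply("00:B0:D0:86:BB:F7", "192.168.1.3", gw, "192.168.1.1"),     # client .3
        build_arp_reply(gw, "192.168.1.1", "00:B0:D0:86:BB:F8", "192.168.1.2"),     # repeat, consistent
        # the slide-11 event: another MAC claims the gateway's IP towards client .2
        build_arp_reply("00:A0:C9:14:C8:29", "192.168.1.1", "00:B0:D0:86:BB:F8", "192.168.1.2"),
    ]
    for frame in capture:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['severity']}] {a['ip']} moved from {a['old_mac']} to {a['new_mac']}")
```

A monitor like this only sees frames on its own segment, so it belongs on a mirror port or on the gateway itself; a MAC change for the gateway IP is the one worth paging on, since that is the binding that gives an attacker the man-in-the-middle position described on the next slides.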
  12. Typical local network
     Most networks these days have clients, switches and routers. Most home networks have a combined switch/router.
  13. Internet access
     Access to the Internet is via the router. A client sends packets to the router, which sends them to the Internet.
  14. Internet access (build of slide 13, showing the Data Packet travelling from client to router)
  15. Internet access (build of slide 13, showing the Data Packet travelling from router to Internet)
  16. Man in the middle
     By spoofing the MAC address, it’s possible to direct the data elsewhere, then send it on to the router.
  17. Man in the middle (build of slide 16, showing the Data Packet diverted to the attacker)
  18. Man in the middle (build of slide 16, showing the Data Packet forwarded on to the router)
  19. The Solution: SSL
     SSL was invented to get around man in the middle attacks.
     (Demo tweet: “OMG at hey!stack watching @helloparallax. It’s awesome”)
  20. SSL Validation
     SSL works on a trust basis. When a certificate isn’t trusted, you know about it.
  21. SSL Strip
     We take the HTTPS connection and turn it into an HTTP one, ignoring any redirects to the secure version of a site. The average user is none the wiser.
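SSL strip only works because the browser's first request is plain http:// and the proxy swallows the redirect to https://; the certificate warnings of slide 20 never appear because no TLS handshake ever reaches the user. HTTP Strict Transport Security (RFC 6797) is the defence: once a browser has seen a valid Strict-Transport-Security header over HTTPS it rewrites later http:// URLs to https:// itself, so there is no plaintext request left to downgrade. The following is an added example, not from the deck or the speakers: it parses the header and models the browser-side decision, including the rule that a header seen over plain HTTP must be ignored. Hostnames and header values are constructed sample data.

```python
"""HSTS as the defence against SSL strip (added example, not from the deck).

parse_hsts() parses a Strict-Transport-Security header value; HstsStore models
the browser cache that turns http:// requests into https:// for known hosts.
All hostnames and header values used here are constructed samples.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:             # RFC 6797 s6.1: duplicate directive -> invalid header
            return None
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None                        # max-age is mandatory and must be a plain integer
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsStore:
    """Minimal model of a browser's HSTS cache."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock so expiry can be tested
        self._entries = {}                 # host -> (expires_at, include_subdomains)

    def record(self, host, header_value, over_https):
        """Learn a policy from a response. Returns True if the store changed."""
        if not over_https:
            # RFC 6797 s8.1: ignore the header on non-TLS responses; otherwise a
            # stripping proxy could poison or clear the store.
            return False
        policy = parse_hsts(header_value or "")
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:         # max-age=0 tells the browser to forget the host
            self._entries.pop(host, None)
            return True
        self._entries[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch for a typed or linked URL."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url                     # already https, or no policy: nothing to upgrade
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://example.com/login"))                    # first visit: still http
    store.record("example.com", "max-age=31536000; includeSubDomains", over_https=True)
    print(store.rewrite("http://example.com/login"))                    # now upgraded
    print(store.rewrite("http://www.example.com:80/"))                  # subdomain covered too
```

The window that remains is the very first visit, before any policy has been seen; the `preload` directive parsed above is what lets a site ask to be shipped in browsers' built-in HSTS lists so that even that first request goes out as HTTPS. For this to help against the attack on slide 21, the server has to send the header on every HTTPS response, not only after login.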