Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Blue Team TLS Hugs
Search
Lee Brotherston
July 29, 2017
Technology
0
350
Blue Team TLS Hugs
My talk given at the Crypto & Privacy Village at Defcon 25
Lee Brotherston
July 29, 2017
Tweet
Share
More Decks by Lee Brotherston
See All by Lee Brotherston
TLS Tools for Blue Teams
leebrotherston
0
150
Abusing TLS For Defensive Wins
leebrotherston
2
1.1k
TLS Fingerprinting SecTorCA Edition
leebrotherston
0
180
Stealthier Attacks and Smarter Defending with TLS Fingerprinting
leebrotherston
0
230
The Cynical Trust Model
leebrotherston
0
58
Corporation In The Middle
leebrotherston
0
120
Corporation In The Middle - SecTor
leebrotherston
0
43
Incident Response for Cheapskates - BSidesTO 2013
leebrotherston
0
69
Other Decks in Technology
See All in Technology
履歴 on Rails: Bitemporal Data Modelで実現する履歴管理/history-on-rails-with-bitemporal-data-model
hypermkt
0
1.9k
Sidekiq その前に:Webアプリケーションにおける非同期ジョブ設計原則
morihirok
17
6.7k
「技術負債にならない・間違えない」 権限管理の設計と実装
naro143
34
10k
今改めてServiceクラスについて考える 〜あるRails開発者の10年〜
joker1007
20
9.8k
“2件同時配達”の開発舞台裏 〜出前館PMが挑んだダブルピック実現に向けた体験設計〜
demaecan
0
170
Railsアプリケーション開発者のためのブックガイド
takahashim
13
5.7k
Why React!?? Next.jsそしてReactを改めてイチから選ぶ
ypresto
10
3.9k
バイブコーディングと継続的デプロイメント
nwiizo
2
380
いまさら聞けない ABテスト入門
skmr2348
1
170
5年間のFintech × Rails実践に学ぶ - 基本に忠実な運用で築く高信頼性システム / 5 Years Fintech Rails Retrospective
ohbarye
9
4.1k
BirdCLEF+2025 Noir 5位解法紹介
myso
0
170
Trust as Infrastructure
bcantrill
0
260
Featured
See All Featured
Rails Girls Zürich Keynote
gr2m
95
14k
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.7k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
950
Learning to Love Humans: Emotional Interface Design
aarron
274
40k
Writing Fast Ruby
sferik
629
62k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Making the Leap to Tech Lead
cromwellryan
135
9.5k
Building an army of robots
kneath
306
46k
Six Lessons from altMBA
skipperchong
28
4k
Context Engineering - Making Every Token Count
addyosmani
3
160
RailsConf 2023
tenderlove
30
1.2k
Transcript
Blue Team TLS Hugs Lee Brotherston - @synackpse - #TLSHugs
SSL TLS does what now? Lee Brotherston - @synackpse -
#TLSHugs
Renegotiation... Encrypted Data Key Exchange Kittens... Unicorn Tears Pixie Dust
Client Client Hello Server Server Hello Lee Brotherston - @synackpse - #TLSHugs
Current State of the Art Lee Brotherston - @synackpse -
#TLSHugs
- Ignore TLS - Break TLS - Embrace TLS Lee
Brotherston - @synackpse - #TLSHugs
Ignore TLS Lee Brotherston - @synackpse - #TLSHugs
IDS Rules Protocol ClearText TLS Enabled HTTP(S) 1572 25 IMAP(S)
34 10 SMTP(S) 73 10 Lee Brotherston - @synackpse - #TLSHugs
permit any > any port 443 Universal Firewall Bypass Port!
Lee Brotherston - @synackpse - #TLSHugs
ssh -p443 user@myhost (don’t pretend you don’t) Lee Brotherston -
@synackpse - #TLSHugs
So, what then? Lee Brotherston - @synackpse - #TLSHugs
EndMalVirusPointRansomWhitelistWareProtection Lee Brotherston - @synackpse - #TLSHugs
Blacklists Lee Brotherston - @synackpse - #TLSHugs
Break TLS Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response ClearText Actual Certificate Authority work CA :) Lee Brotherston - @synackpse - #TLSHugs
Break The CA Model …. even more Lee Brotherston -
@synackpse - #TLSHugs
Compromised Appliance Lee Brotherston - @synackpse - #TLSHugs
Compromised Internal CA/Key Lee Brotherston - @synackpse - #TLSHugs
Key Management is Haaarrrddd Lee Brotherston - @synackpse - #TLSHugs
Poor Certificate Validation Lee Brotherston - @synackpse - #TLSHugs
“Trusted” CA List Lee Brotherston - @synackpse - #TLSHugs
Trust What The Appliance Trusts *cough* WoSign *cough* Lee Brotherston
- @synackpse - #TLSHugs
Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs
Malicious Insider Lee Brotherston - @synackpse - #TLSHugs
Embracing TLS? Lee Brotherston - @synackpse - #TLSHugs
Goals Lee Brotherston - @synackpse - #TLSHugs
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks Cryptographic Checks Granular Content Filtering In-Page Exploits Malware Detection Data Exfiltration DLP Lee Brotherston - @synackpse - #TLSHugs
“Perfection is the enemy of good enough” Lee Brotherston -
@synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Fun with Packet Sniffing Lee Brotherston - @synackpse - #TLSHugs
TLS Fingerprinting (I hear someone did a talk on that)
…. (it was me) Lee Brotherston - @synackpse - #TLSHugs
Spotting $bad Lee Brotherston - @synackpse - #TLSHugs
None
[semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Pseudo “anomaly based detection” Lee Brotherston - @synackpse - #TLSHugs
Fingerprint Canaries Lee Brotherston - @synackpse - #TLSHugs
None
Incident Response & Attribution(ish) Lee Brotherston - @synackpse - #TLSHugs
Vorführeffekt
OK, Enough Fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Server Responses Lee Brotherston - @synackpse - #TLSHugs
Certificates Lee Brotherston - @synackpse - #TLSHugs
Do You Even IDS, Bro? Lee Brotherston - @synackpse -
#TLSHugs
Inline TLS Shenanigans Lee Brotherston - @synackpse - #TLSHugs
TLS Handshake Mangling Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response Nope Lee Brotherston - @synackpse - #TLSHugs
Proxy Server Client TLS Request Response Request Response TLS Version
Ciphersuites Hashing Algorithms Hostname (SNI) Curves Server Hello Certificates Lee Brotherston - @synackpse - #TLSHugs
Subtractive only Lee Brotherston - @synackpse - #TLSHugs
The Compliances Lee Brotherston - @synackpse - #TLSHugs
A Remaining Problem Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
A Solution…. Kinda Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks In-Page Exploits Malware Detection Data Exfiltration DLP How Did we Do? ✓ ✓ ✓ ✓ ✓ ✓ ✗ …? Lee Brotherston - @synackpse - #TLSHugs ✓
One more thing… Lee Brotherston - @synackpse - #TLSHugs
8138561f1c4407e872a729a2d4a8f03d1927a7cd5dc9cb2f4812b50986c386a 116ab557841a5e4c9d80680697fc2c13ef7b01bb5e4e6ae71940e58fa757316 e0ee8ef327d403bba2e1c2bde3ead4166b4e1f93135e3a7acd3cddf3893b349 a120b27ed522d3176d08fc2c0984b911bd09f9601133180702542cb99dea311 0d31a40c75493db1ca59bb5e168df86ccea981f81e0466cc584461eac7dae86 6d3cc0f69e166c7d0a3019f1a163a7ba9273be13e404be0f432b65ea574badd 06a2fcc7ccff992a028c6c40c5de50428af37a1ec8f6db7d1a07af8de1486db c1a69c6bbc734cf17a1f13a48d27a218887b36b1e103964a66b38c74a73c6b9 602da341089709ef7e833e1715fe3bd85151 Lee
Brotherston - @synackpse - #TLSHugs
Host: www.myhost.com User-Agent: MyBrowser/10.4 (Some OS) CoolWebKit/537.36 Accept: text/html,application/xhtml+xml,application/xml Accept-Encoding:
gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 GET /XXXXXXXXXXX HTTP/1.1 227 206 151 95 58 26 Lee Brotherston - @synackpse - #TLSHugs
Conclusion Lee Brotherston - @synackpse - #TLSHugs
Stuff … TLS Fingerprinting: https://github.com/LeeBrotherston/tls-fingerprinting https://blog.squarelemon.com/tls-fingerprinting/ TLS Mangler (soon): https://github.com/LeeBrotherston/<somewhere>
TLS Profiling: https://gist.github.com/wxsBSD/6d5e777afc31b3cf46d0 https://gist.github.com/wxsBSD/0c6584913bcc5e6da31b Slide Deck: https://speakerdeck.com/leebrotherston/ The Twitters (me): @synackpse Lee Brotherston - @synackpse - #TLSHugs
Any Questions? Lee Brotherston - @synackpse - #TLSHugs