Believe It Or Not SSL Attacks


A talk about attacks against SSL that have been uncovered in the last 3-4 years. This talk looks at what exactly was attacked, how it was attacked, and why SSL is still a pretty useful piece of technology.


Akash Mahajan

April 22, 2012


SSL/TLS
- Encrypted communication: protection against eavesdropping and tampering
- Secure identification of a network endpoint: are you talking to the right server?

Attacking the Encryption Algorithm
- Attacks like BEAST (Browser Exploit Against SSL/TLS) target the underlying encryption.
- Usually the encryption has held up against attacks. Even BEAST requires injecting client-side JavaScript to work.
- attack-breaks-confidentiality-model-ssl- allows-theft-encrypted-cookies-091611

Attacking the Authenticity
- The low-hanging fruit. Most of the time when that sslstrip guy talks about SSL issues, he talks about attacking the authenticity.
- Why is the authenticity important?
- How do you bypass it?

How is the authenticity maintained?
- An implicitly trusted certificate tells you whether a server's particular certificate is trustworthy or not.
- When a server gets a certificate trusted by a root CA, it gets added to a list.
- If a server is removed from the trusted list, it gets added to a revocation list.

Is your browser checking the revocation list?
- Chrome relies on frequent updates for this.
- Firefox?
- IE: online certificate list
- Online Certificate Status Protocol (OCSP)

Bad Things Can Happen
- Comodo, an affiliate of a root CA, was hacked.
- DigiNotar was hacked.
- Hundreds of certificates for Google, Yahoo, Mozilla and MS Windows Update were released.
- SSL assumes that both end points aren't evil.

I hacked the internet and all I have is a t-shirt
- Attack against the PKI because of MD5.
- The attack was against intermediate CAs.
- There had been theoretical attacks against MD5 since 2004.
- They found out that RapidSSL had issued 97% of the certificates with an MD5 hash.

I hacked the internet and all I have is a t-shirt (continued)
- Also, the certificate serial number was sequential and the issue time could be predicted.
- Used 200 PS3s to generate a certificate which had most parts from a legitimate cert but something different.
- ng_a_rogue_ca_cert_paper.pdf

SSLStrip attacks HTTP
- Attacked correct attributes not being set up in certificates.
- Now looks at HTTP traffic going by.
- Has a valid certificate for a weird-looking domain name whose punycode looks like / ?

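The checks these slides describe (trusted issuer, revocation list, MD5-signed certificates, lookalike punycode domains) applied to a certificate summary, as an added example that is not code from the talk. The certificate dicts, the trust store and the revocation list are constructed stand-ins for a parsed X.509 chain; verifying the signatures along the chain is left out.

```python
"""Added example (not from the talk): the browser-side checks the slides list,
run over a constructed certificate summary. Real validation also verifies the
chain signatures; that step is not shown here."""
import unicodedata

TRUSTED_ROOTS = {"Example Root CA"}     # constructed trust store (slide 7)
REVOKED_SERIALS = {0x1A2B}              # constructed revocation list (slides 7-8)
WEAK_SIGNATURE_HASHES = {"md5"}         # MD5 collisions produced the rogue CA (slide 10)


def unmask_hostname(host):
    """Decode an ASCII (xn--) hostname to Unicode and list the scripts its
    letters come from; mixed scripts are how a punycode lookalike hides
    (slide 13). Input is the ASCII form as it appears in the certificate."""
    shown = host.encode("ascii").decode("idna")
    scripts = sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                      for ch in shown if ch.isalpha()})
    return shown, scripts


def check_certificate(cert, expected_host):
    """Return the findings a browser should raise before trusting cert."""
    findings = []
    if cert["issuer"] not in TRUSTED_ROOTS:
        findings.append("issuer is not an implicitly trusted root")
    if cert["serial"] in REVOKED_SERIALS:
        findings.append("serial number is on the revocation list")
    if cert["signature_hash"].lower() in WEAK_SIGNATURE_HASHES:
        findings.append(f"signed with {cert['signature_hash']}: collision attacks known")
    if expected_host not in cert["names"]:
        findings.append(f"certificate is not valid for {expected_host}")
    for name in cert["names"]:
        shown, scripts = unmask_hostname(name)
        if len(scripts) > 1:
            findings.append(f"{name} displays as {shown!r}, mixing scripts {scripts}")
    return findings


# Constructed: an MD5-signed cert for a lookalike of paypal.com (Cyrillic 'a').
LOOKALIKE_CERT = {"issuer": "Example Root CA", "serial": 0x1A2C,
                  "signature_hash": "MD5", "names": ["xn--pypal-4ve.com"]}
GOOD_CERT = {"issuer": "Example Root CA", "serial": 0x1A2D,
             "signature_hash": "SHA256", "names": ["paypal.com"]}

if __name__ == "__main__":
    for cert, host in ((LOOKALIKE_CERT, "xn--pypal-4ve.com"), (GOOD_CERT, "paypal.com")):
        print(host, "->", check_certificate(cert, host) or "no findings")
```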
Akash Mahajan | That Web Application Security Guy
- @makash
- OWASP Bangalore Chapter Lead
- Null Co-Founder and Community Manager

References
- SSL lock image from infographic/
- intercept-paypal-other-secure-sessions.ars
- authority-trust-model
- responsibility-for-comodo-hack.ars
- theft-encrypted-cookies-091611