Tweet
Tweet

Slide 1

Slide 1 text

HTTPS: 
 A Comedy of Errors Ashwini Oruganti Christopher Armstrong @_ashfall_
 @radix PyTennessee 2015

Slide 2

Slide 2 text

Look at this code obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )
 print obj.read() NOPE

Slide 3

Slide 3 text

Look at this code obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )
 print obj.read() Ettercap + mitmproxy = owned

Slide 4

Slide 4 text

Passive Active (usually MITM) Types of attacks

Slide 5

Slide 5 text

HTTP / TLS / TCP / IP TLS

Slide 6

Slide 6 text

SSL vs. TLS Disclaimer

Slide 7

Slide 7 text

Authentication: Certificates Encryption: Math! Trusting the internet

Slide 8

Slide 8 text

Can I trust this site? What is cert validation?

Slide 9

Slide 9 text

Site owner gets Certificate Signed by Certificate Authority CA = intermediary for user trust Public Key Infrastructure

Slide 10

Slide 10 text

On connect, server sends you its certificate Client does crypto math to check cert against CAs Thus, the server is authenticated Connection

Slide 11

Slide 11 text

go to gmail.com. Spoofer sends 
 you a valid cert… bobsburgers.com??? Except …

Slide 12

Slide 12 text

If( cert.hostname != request.hostname ): blow up! Hostname Checking!

Slide 13

Slide 13 text

Has it expired? Has it been revoked? Other checks

Slide 14

Slide 14 text

I dunno! Magic? Encryption

Slide 15

Slide 15 text

How does session setup work? TLS in depth (kinda)

Slide 16

Slide 16 text

Handshake Handshake

Slide 17

Slide 17 text

Handshake Server Hello with cipher suite options Server sends cert Client verifies signature Client generates random key (pre-master secret??) Handshake

Slide 18

Slide 18 text

Protocol version? Encryption algorithm?? Hash algorithm??? Key-exchange algorithm???? Cipher suites????? Decisions, decisions

Slide 19

Slide 19 text

Unencrypted -> Encrypted

Slide 20

Slide 20 text

Software that implements TLS Software that uses TLS Software

Slide 21

Slide 21 text

OpenSSL: most servers, non- browser clients BoringSSL: Google’s fork of OpenSSL Secure Transport: iOS and OS X TLS Implementations

Slide 22

Slide 22 text

NSS: Firefox, Chrome on PC Schannel: Windows GnuTLS: Hippies TLS Implementations

Slide 23

Slide 23 text

Problems with TLS

Slide 24

Slide 24 text

Heartbleed (OpenSSL 2014) Implementation Flaws

Slide 25

Slide 25 text

leaf certs signing certs (Secure Transport 2011, MS CryptoAPI 2002) Implementation Flaws

Slide 26

Slide 26 text

#define HOST_NAME "www.random.org" #define HOST_PORT "443" #define HOST_RESOURCE "/cgi-bin/randbyte?nbytes=32&format=h" long res = 1; SSL_CTX* ctx = NULL; BIO *web = NULL, *out = NULL; SSL *ssl = NULL; init_openssl_library(); const SSL_METHOD* method = SSLv23_method(); if(!(NULL != method)) handleFailure(); ctx = SSL_CTX_new(method); if(!(ctx != NULL)) handleFailure(); /* Cannot fail ??? */ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback); /* Cannot fail ??? */ SSL_CTX_set_verify_depth(ctx, 4); /* Cannot fail ??? */ const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; SSL_CTX_set_options(ctx, flags); res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL); if(!(1 == res)) handleFailure(); web = BIO_new_ssl_connect(ctx); if(!(web != NULL)) handleFailure(); res = BIO_set_conn_hostname(web, HOST_NAME ":" HOST_PORT); if(!(1 == res)) handleFailure(); BIO_get_ssl(web, &ssl); if(!(ssl != NULL)) handleFailure(); const char* const PREFERRED_CIPHERS = "HIGH:!aNULL:!kRSA:!PSK:!SRP!MD5:!RC4"; res = SSL_set_cipher_list(ssl, PREFERRED_CIPHERS); if(!(1 == res)) handleFailure(); res = SSL_set_tlsext_host_name(ssl, HOST_NAME); if(!(1 == res)) handleFailure(); out = BIO_new_fp(stdout, BIO_NOCLOSE); if(!(NULL != out)) handleFailure(); res = BIO_do_connect(web); if(!(1 == res)) handleFailure(); res = BIO_do_handshake(web); if(!(1 == res)) handleFailure(); /* Step 1: verify a server certificate was presented during the negotiation */ X509* cert = SSL_get_peer_certificate(ssl); if(cert) { X509_free(cert); } /* Free immediately */ if(NULL == cert) handleFailure(); /* Step 2: verify the result of chain verification */ res = SSL_get_verify_result(ssl); if(!(X509_V_OK == res)) handleFailure(); /* Step 3: hostname verification */ /* An exercise left to the reader */ BIO_puts(web, "GET " HOST_RESOURCE " HTTP/1.1\r\n" "Host: " HOST_NAME "\r\n" "Connection: close\r\n\r\n"); BIO_puts(out, "\n"); int len = 0; do { char buff[1536] = {}; len = BIO_read(web, buff, sizeof(buff)); if(len > 0) BIO_write(out, buff, len); } while (len > 0 || BIO_should_retry(web)); if(out) BIO_free(out); if(web != NULL) BIO_free_all(web); if(NULL != ctx) SSL_CTX_free(ctx); API Design Flaws

Slide 27

Slide 27 text

Downgrade Attacks Protocol Flaws

Slide 28

Slide 28 text

Problems with HTTPS

Slide 29

Slide 29 text

Another approach that could be used by the attacker is to redirect the user to the same host- name and port 443 (which will be open) but force plaintext with http://www.example.com: 443. Even though this request fails because the browser is attempting to speak plaintext HTTP on an encrypted port, the attempted request contains all the insecure cookies and thus all the information the attacker wants to obtain. Figure 5.2. Man-in-the-middle attacker stealing unsecured cookies User establishes a secure connection with a web site and receives a cookie User visits any other HTTP site Browser automatically follows the redirection and reveals the cookie Browser Server Attacker https://victim.example.com http://plaintext.example.com Attacker intercepts request and issues a redirection HTTP/1.1 302 Found Location: http://victim.example.com:443 HTTP/1.1 400 Bad Request Cookie http://victim.example.com:443/ Cookie Cookie Stealing

Slide 30

Slide 30 text

If you do set the secure flag, you can still have cookies overwritten. Cookie Injection

Slide 31

Slide 31 text

User as a Security Flaw

Slide 32

Slide 32 text

Figure 5.4. Examples of certi cate warnings in current browsers Safari 7 Firefox 28 Internet Explorer 11 Chrome 33 Really?

Slide 33

Slide 33 text

Software that uses TLS obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )
 print obj.read() NOPE

Slide 34

Slide 34 text

Well, yeah, but… Is urllib2 really bad?

Slide 35

Slide 35 text

Requests import requests
 obj = requests.get(
 ‘https://example.com/’,
 data=‘my-secret’
 )

Slide 36

Slide 36 text

Sorry :-( Things are getting better! People are starting to care. Doom and Gloom

Slide 37

Slide 37 text

More eyeballs on OpenSSL More implementation alternatives Getting Better

Slide 38

Slide 38 text

pyca/cryptography pyca/tls Things could still be better

Slide 39

Slide 39 text

Use SSL Labs security test:
 www.ssllabs.com/ssltest/ Read Hynek’s page on configuring TLS:
 tinyurl.com/hynek-tls Test your clients against servers with bad certs What can we do?

Slide 40

Slide 40 text

Read: Bulletproof SSL and TLS
 tinyurl.com/bulletproof-tls Read: The Tangled Web
 tinyurl.com/the-tangled-web `pip install cryptography`
 A great library for crypto in Python What can we do?

Slide 41

Slide 41 text

Scary? Be Brave. Learn! Help us. Chip in!

Slide 42

Slide 42 text

Thank You! twitter.com/@_ashfall_
 twitter.com/@radix