Ashwini Oruganti - Introduction to HTTPS: A Comedy of Errors

Ashwini Oruganti - Introduction to HTTPS: A Comedy of Errors

Given recent increases in hostile attacks on internet services and large scale surveillance operations by certain unnamed government organizations, security in our software is becoming ever more important. We'll give you an idea of how modern crypto works in web services and clients, look at some of the common flaws in these crypto implementations, and discuss recent developments in TLS.

https://us.pycon.org/2015/schedule/presentation/372/

D5710b3bca38f1233274b4cbc523dc4b?s=128

PyCon 2015

April 18, 2015
Tweet

Transcript

  1. HTTPS: 
 A Comedy of Errors Ashwini Oruganti twitter.com/_ashfall_ PyCon

    2015
  2. Look at this code obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )


    print obj.read() NOPE
  3. Look at this code obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )


    print obj.read() Ettercap + mitmproxy = owned
  4. Passive Active (usually MITM) Types of attacks

  5. HTTP / TLS / TCP / IP TLS

  6. SSL vs. TLS Disclaimer

  7. Authentication: Certificates Encryption: Math! Trusting the internet

  8. Can I trust this site? What is cert validation?

  9. Site owner gets Certificate Signed by Certificate Authority CA =

    intermediary for user trust Public Key Infrastructure
  10. On connect, server sends you its certificate Client does crypto

    math to check cert against CAs Thus, the server is authenticated Connection
  11. go to gmail.com. Spoofer sends 
 you a valid cert…

    bobsburgers.com??? Except …
  12. If( cert.hostname != request.hostname ): blow up! Hostname Checking!

  13. Has it expired? Has it been revoked? Other checks

  14. I dunno! Magic? Encryption

  15. How does session setup work? TLS in depth (kinda)

  16. Handshake Handshake

  17. Handshake Server Hello with cipher suite options Server sends cert

    Client verifies signature Client generates random key (pre-master secret??) Handshake
  18. Protocol version? Encryption algorithm?? Hash algorithm??? Key-exchange algorithm???? Cipher suites?????

    Decisions, decisions
  19. Unencrypted -> Encrypted

  20. Software that implements TLS Software that uses TLS Software

  21. OpenSSL: most servers, non- browser clients BoringSSL: Google’s fork of

    OpenSSL Secure Transport: iOS and OS X TLS Implementations
  22. NSS: Firefox, Chrome on PC Schannel: Windows GnuTLS: Hippies TLS

    Implementations
  23. Problems with TLS

  24. Heartbleed (OpenSSL 2014) Implementation Flaws

  25. leaf certs signing certs (Secure Transport 2011, MS CryptoAPI 2002)

    Implementation Flaws
  26. #define HOST_NAME "www.random.org" #define HOST_PORT "443" #define HOST_RESOURCE "/cgi-bin/randbyte?nbytes=32&format=h" long

    res = 1; SSL_CTX* ctx = NULL; BIO *web = NULL, *out = NULL; SSL *ssl = NULL; init_openssl_library(); const SSL_METHOD* method = SSLv23_method(); if(!(NULL != method)) handleFailure(); ctx = SSL_CTX_new(method); if(!(ctx != NULL)) handleFailure(); /* Cannot fail ??? */ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback); /* Cannot fail ??? */ SSL_CTX_set_verify_depth(ctx, 4); /* Cannot fail ??? */ const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; SSL_CTX_set_options(ctx, flags); res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL); if(!(1 == res)) handleFailure(); web = BIO_new_ssl_connect(ctx); if(!(web != NULL)) handleFailure(); res = BIO_set_conn_hostname(web, HOST_NAME ":" HOST_PORT); if(!(1 == res)) handleFailure(); BIO_get_ssl(web, &ssl); if(!(ssl != NULL)) handleFailure(); const char* const PREFERRED_CIPHERS = "HIGH:!aNULL:!kRSA:!PSK:!SRP!MD5:!RC4"; res = SSL_set_cipher_list(ssl, PREFERRED_CIPHERS); if(!(1 == res)) handleFailure(); res = SSL_set_tlsext_host_name(ssl, HOST_NAME); if(!(1 == res)) handleFailure(); out = BIO_new_fp(stdout, BIO_NOCLOSE); if(!(NULL != out)) handleFailure(); res = BIO_do_connect(web); if(!(1 == res)) handleFailure(); res = BIO_do_handshake(web); if(!(1 == res)) handleFailure(); /* Step 1: verify a server certificate was presented during the negotiation */ X509* cert = SSL_get_peer_certificate(ssl); if(cert) { X509_free(cert); } /* Free immediately */ if(NULL == cert) handleFailure(); /* Step 2: verify the result of chain verification */ res = SSL_get_verify_result(ssl); if(!(X509_V_OK == res)) handleFailure(); /* Step 3: hostname verification */ /* An exercise left to the reader */ BIO_puts(web, "GET " HOST_RESOURCE " HTTP/1.1\r\n" "Host: " HOST_NAME "\r\n" "Connection: close\r\n\r\n"); BIO_puts(out, "\n"); int len = 0; do { char buff[1536] = {}; len = BIO_read(web, buff, sizeof(buff)); if(len > 0) BIO_write(out, buff, len); } while (len > 0 || BIO_should_retry(web)); if(out) BIO_free(out); if(web != NULL) BIO_free_all(web); if(NULL != ctx) SSL_CTX_free(ctx); API Design Flaws
  27. Downgrade Attacks Protocol Flaws

  28. Problems with HTTPS

  29. Another approach that could be used by the attacker is

    to redirect the user to the same host- name and port 443 (which will be open) but force plaintext with http://www.example.com: 443. Even though this request fails because the browser is attempting to speak plaintext HTTP on an encrypted port, the attempted request contains all the insecure cookies and thus all the information the attacker wants to obtain. Figure 5.2. Man-in-the-middle attacker stealing unsecured cookies User establishes a secure connection with a web site and receives a cookie User visits any other HTTP site Browser automatically follows the redirection and reveals the cookie Browser Server Attacker https://victim.example.com http://plaintext.example.com Attacker intercepts request and issues a redirection HTTP/1.1 302 Found Location: http://victim.example.com:443 HTTP/1.1 400 Bad Request Cookie http://victim.example.com:443/ Cookie Cookie Stealing
  30. If you do set the secure flag, you can still

    have cookies overwritten. Cookie Injection
  31. User as a Security Flaw

  32. Figure 5.4. Examples of certi cate warnings in current browsers

    Safari 7 Firefox 28 Internet Explorer 11 Chrome 33 Really?
  33. Software that uses TLS obj = urllib2.urlopen(
 ‘https://example.com/’,
 data=‘token=mysecret’ )


    print obj.read() NOPE
  34. Well, yeah, but… Is urllib2 really bad?

  35. Requests import requests
 obj = requests.get(
 ‘https://example.com/’,
 data=‘my-secret’
 )

  36. Sorry :-( Things are getting better! People are starting to

    care. Doom and Gloom
  37. More eyeballs on OpenSSL More implementation alternatives Getting Better

  38. pyca/cryptography pyca/tls Things could still be better

  39. Use SSL Labs security test:
 www.ssllabs.com/ssltest/ Read Hynek’s page on

    configuring TLS:
 tinyurl.com/hynek-tls Test your clients against servers with bad certs What can we do?
  40. Read: Bulletproof SSL and TLS
 tinyurl.com/bulletproof-tls Read: The Tangled Web


    tinyurl.com/the-tangled-web Read: Crypto101
 https://www.crypto101.io/ What can we do?
  41. Scary? Be Brave. Learn! Help us. Chip in!

  42. Thank You! twitter.com/_ashfall_ IRC: #cryptography-dev on freenode