Upgrade to Pro — share decks privately, control downloads, hide ads and more …

『プロフェッショナルSSL/TLS』読書会 第7章前半資料

Avatar for sylph01 sylph01
October 06, 2017

『プロフェッショナルSSL/TLS』読書会 第7章前半資料

7.1 〜 7.3まで。

Avatar for sylph01

sylph01

October 06, 2017
Tweet

More Decks by sylph01

Other Decks in Technology

Transcript

  1. 7.1.2 Ҿ͖ى͜͢ํ๏ • ΫϥΠΞϯτʹΑΔ࠶ωΰγΤʔγϣϯΛڐՄ͍ͯ͠Δαʔό • IISΛআ͘ • Server Gated Cryptography

    • ༌ग़༻҉߸ͰωΰγΤʔγϣϯͨ͠ޙΑΓڧ͍҉߸ڧ౓ʹ Ҿ্͖͛Δͱ͍͏ํ๏ • ΫϥΠΞϯτূ໌ॻ
  2. 7.1.3 HTTPʹର͢Δ߈ܸ 1. ೚ҙͷGETϦΫΤετͷ࣮ߦ GET /path/to/hoge HTTP/1.0 X-Ignore: GET /index.jsp

    HTTP/1.0 Cookie: JSESSIONID=XXX X-Ignore:ͷίϩϯ·Ͱ͕߈ܸऀͷϦΫΤετɻ͜͏͢Δͱຊདྷ ͷϦΫΤετͷ1ߦ໨ΛϔομԽͯ͠ແࢹ͢Δ͜ͱ͕Ͱ͖ɺ೚ҙͷ GET͕੒ཱ͢Δɻ CSRFͱͦΜͳʹมΘΒͳ͍͔Βݟա͝͞Ε͍͕ͯͨ…
  3. 2. POST΁ͷԠ༻ POST /statuses/update.xml HTTP/1.0 Authorization: Basic [߈ܸऀͷcred] Content-Type: application/x-www-form-urlencoded

    Content-Length: [ਪଌ͞ΕΔ௕͞] status=POST /statuses/update.xml HTTP/1.1 Authorization: Basic [٘ਜ਼ऀͷcred] status=ͷ=·Ͱ͕߈ܸऀͷϦΫΤετɻ
  4. 3. ͦͷଞ • ϦμΠϨΫτͷ࢖༻ • ΦʔϓϯϦμΠϨΫτ͕͋Ε͹ͦ͜ʹඈ͹ͤΔ • ฏจͷϦμΠϨΫτ͕͋Ε͹ࣄ্࣮ฏจ௨৴ʹͰ͖Δ • HTTP

    307(Temporary Redirect)Λฦ͢ϦμΠϨΫτ͕ଘࡏ͢Δ ͱɺHTTP 307͸ϦμΠϨΫτ࣌΋ಉ͡ϝιουͰϦμΠϨΫ τ͢ΔͨΊɺPOST͕POSTͱͯ͠ϦμΠϨΫτͰ͖Δʂ
  5. ѹॖΦϥΫϧͷ࢓૊Έ DEFLATEѹॖ͸LZ77ͱϋϑϚϯූ߸ԽΛ࢖͏ɻ͜ΕΒ͸ڞ௨ͷ෦ ෼จࣈྻ͕͋Δͱѹॖ͕ޮ͘ɻ LZ77ͷྫ: Google is so googley -> Google

    is so g(-13, 5)y ͜ͷੑ࣭Λ༻͍ͯɺʮ࣮ࡍͷCookieʯ+ʮ༧૝ʯͷ૊Έ߹ΘͤΛϦ ΫΤετ͠ɺѹॖ͕ޮ͍ͨΒʮ༧૝ʯͷ಺༰͸࣮ࡍͷCookie಺ʹ ଘࡏ͢Δʂ→܁Γฦͯ͠શମΛʮ༧૝ʯʂ
  6. CRIME߈ܸ Compression Ration Info-leak Made Easyͷུɻ σʔλѹॖΛߦ͏HTTPS/SPDY্ΛྲྀΕΔCookieͷ಺༰Λ෮ݩ͠ɺ ηογϣϯϋΠδϟοΫΛ࣮ݱ͢Δɻ ߈ܸऀ͕҉߸จͷ௕͞ΛݟΕΔ͜ͱ +

    ಉ࣌ʹϒϥ΢β͔Βෳ਺ͷ ૢ࡞͞ΕͨϦΫΤετΛૹΕΔ͜ͱΛલఏʹɺ҉߸จͷ௕͞Λར ༻ͯ͠ฏจΛׂΓग़͢ख๏ɻ ൃݟऀ͸BEASTͷൃݟऀͱಉ͡2໊ɻ
  7. ԿͰ࣌ؒଌఆͰ௕͕͞Θ͔Δͷʁ TCP Slow Start Algorithm • Ϩεϙϯε͸Maximum Segment Size(MSS)୯Ґʹ෼ׂ͞ΕΔ •

    ࠷ॳ͸initial congestion windowʢ᫔᫓΢Οϯυ΢ʣͷݸ਺ͷη άϝϯτ෼(͍͍ͩͨͷ৔߹10)͚ͩૹ৴ • ACK͕དྷΔ͝ͱʹcongestion windowΛগͣͭ͠େ͖ͯ͘͠ଳҬ Λ૿΍͍ͯ͘͠
  8. BREACH߈ܸ Browser Reconnaissance and Exfiltration via Adaptive Compression of HypertextͷུɻΑ͘ࢥ͍ͭ͘ͳ͋

    CRIME߈ܸͷHTTPS + HTTP compression(gzip, DEFLATE)ʹର͢Δϰ ΝϦΤʔγϣϯɻ CRIME߈ܸ͕HTTP requestʹରͯ͠߈ܸͨ͠ͷʹର͠ɺBREACH߈ ܸ͸HTTP responseʹରͯ͠߈ܸΛ͢ΔɻϦΫΤετͷҰ෦͕Ϩε ϙϯεʹ൓ө͞ΕΔ(reflected)͜ͱΛར༻͢Δɻ
  9. 7.3.4, 7.3.5 ؇࿨ࡦ • TLSͷѹॖ͸ഇΕ͍ͯΔ(1.3Ͱ͸શഇ) • HTTPͷѹॖΛແޮԽ͢Δͷ͸͔ͳΓ೉͍͠ • ϦΫΤετϨʔτΛ੍ޚɻେྔͷϦΫΤετ͕ඞཁ •

    ༨ܭͳۭന౳ΛೖΕͯຊ౰ͷ௕͞ΛӅ͢ • CSRFରࡦτʔΫϯͷϚεΩϯάʢHTMLʹݱΕΔ΋ͷ͕ຊ౰ ͷτʔΫϯͰͳ͍Α͏ʹ͢Δʣ • ෦෼తʹѹॖΛແޮԽ͢Δ