cs-630: cyber and network securityitsecuritylabs.com/wp-content/uploads/2015/05/...certificate...
TRANSCRIPT
![Page 1: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/1.jpg)
CS-630: Cyber and Network Security
Lecture # 10: HTTPS: Goals and Pitfalls
y y
Lecture # 10: HTTPS: Goals and Pitfalls, Web Session Management
P f D S fi H dProf. Dr. Sufian HameedDepartment of Computer Science
FAST NUCESFAST-NUCES
FAST-NUCES
![Page 2: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/2.jpg)
Overview HTTPS
SSL/TLS OverviewHTTPS in the BrowserProblems with HTTPS and the Lock Icon
FAST-NUCES
![Page 3: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/3.jpg)
Threat Model: Network AttackerNetwork Attacker:
Controls network infrastructure: Routers, DNSPassive attacker: only eavesdrops on net trafficA i k d i j bl k d difi kActive attacker: eavesdrops, injects, blocks, and modifies packets
Examples:Wireless network at Internet Café
Internet access at hotels (untrusted ISP)
FAST-NUCES
![Page 4: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/4.jpg)
SSL/TLS overview
Public key encryption:
Alice Bob
Public-key encryption:
Encm c
Decc m
PKBob SKBob
Bob generates (SKBob , PKBob )
Alice: using PKBob encrypts messages d l B b dand only Bob can decrypt
FAST-NUCES
![Page 5: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/5.jpg)
Certificates
How does Alice (browser) obtain PKBob ?( ) Bob
CABrowser
AlicechooseServer Bob
PK andproof “I am Bob”
check
choose(SK,PK)
SKCAproofissue Cert with SKCA :
PKCA
verify
PKCA
Bob’s key is PKBob’s
key is PK
verifyCert
key is PK
Bob uses Cert for an extended period (e.g. one year)p ( g y )
FAST-NUCES
![Page 6: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/6.jpg)
Certificates: example
Important fields:
FAST-NUCES
![Page 7: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/7.jpg)
Certificates on the web
Subject’s CommonName can be:An explicit name, e.g. khi.nu.edu.pk, orA wildcard cert, e.g.*.nu.edu.pk
matching rules:IE: “*” must occur in leftmost component does not match “ ”IE: must occur in leftmost component, does not match .example: *.a.com matches x.a.com but not y.x.a.com(as in RFC 2818: “HTTPS over TLS”)FF: “*” matches anything
FAST-NUCES
![Page 8: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/8.jpg)
Certificate Authorities
Browsers accept certificates from a
large number of CAs
top level CAs ≈ 600
Intermediate CAs ≈ 1200
FAST-NUCES
![Page 9: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/9.jpg)
Brief overview of SSL/TLS
browser server
SK
client-hello
server-hello + server-cert (PK)cert
SK( )
key exchange (several options)rand k
client-key-exchange: E(PK, k)
rand. k
k
Finished
HTTP data encrypted with KDF(k)
Most common: server authentication onlyFAST-NUCES
![Page 10: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/10.jpg)
Integrating SSL/TLS with HTTP ⇒ HTTPSweb
Two complications
W b i
webproxy web
server
Web proxies
solution: browser sends CONNECT domain-namecorporate network
before client-hello (dropped by proxy)
Virtual hostingVirtual hostingtwo sites hosted at same IP address.solution in TLS 1 1 SNI ( )solution in TLS 1.1: SNI (RFC 4366)
client_hello_extension: server_name=cnn.comimplemented since FF2 and IE7 (vista)
webserver
client-hello
certCNN
certFOX
server-cert ???
FOX
FAST-NUCES
![Page 11: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/11.jpg)
Why HTTPS is not used for all web traffic?
Slows down web serversBreaks Internet caching
ISPs cannot cache HTTPS trafficResults in increased traffic at web site
Incompatible with virtual hosting (older browsers)May. 2012: IE6 ≈ 6.7% (ie6countdown.com)
FAST-NUCES
![Page 12: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/12.jpg)
HTTPS in the Browser
FAST-NUCES
![Page 13: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/13.jpg)
The lock icon: SSL indicator
Intended goal:g• Provide user with identity of page origin• Indicate to user that page contents were not d cate to use t at page co te ts we e ot
viewed or modified by a network attacker
In reality:In reality:Origin ID is not always helpful
Company’s page can be hosted some where else Many other problems (next few slides)
FAST-NUCES
![Page 14: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/14.jpg)
When is the (basic) lock icon displayed( ) p y
• All elements on the page fetched using HTTPS(with some exceptions)
• For all elements:• HTTPS cert issued by a CA trusted by browser• HTTPS cert is valid (e.g. not expired)HTTPS cert is valid (e.g. not expired)• CommonName in cert matches domain in URL
FAST-NUCES
![Page 15: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/15.jpg)
The lock UI: helps users authenticate site
uninformative
FAST-NUCES
![Page 16: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/16.jpg)
The lock UI: Extended Validation (EV) Certs
• Harder to obtain than regular certs• requires human lawyer at CA to approve cert request• requires human lawyer at CA to approve cert request
• Designed for banks and large e-commerce sites
• Helps block “semantic attacks”: www.bankofthevvest.comp
![Page 17: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/17.jpg)
A general UI attack: picture-in-pictureA general UI attack: picture in picture
Trained users are more likely to fall victim to this [JSTB’07]
FAST-NUCES
![Page 18: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/18.jpg)
HTTPS and login pages: incorrect versiong p g
Users often land on loginUsers often land on login page over HTTP:
Type site’s HTTP URL into address bar, or
Google links to the HTTP pagepage
View source:
<form method="post" action="https://onlineservices.wachovia.com/..."
![Page 19: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/19.jpg)
HTTPS and login pages: guidelinesGeneral guideline:
• Response to http://login.site.com
should be Redirect: https://login.site.com p g
FAST-NUCES
![Page 20: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/20.jpg)
Problems with HTTPS and the Lock Icon
FAST-NUCES
![Page 21: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/21.jpg)
Problems with HTTPS and the Lock Icon1 U d f HTTP t HTTPS1. Upgrade from HTTP to HTTPS
2. Semantic attacks on certs
3. Invalid certs and forged certs
4. Certificate Issuance Woes
Mi d5. Mixed contentHTTP and HTTPS on the same page
6. Does HTTPS hide web traffic?
FAST-NUCES
![Page 22: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/22.jpg)
1. HTTP → HTTPS upgradepgCommon use pattern:
bro se site o er HTTP; mo e to HTTPS for checko t• browse site over HTTP; move to HTTPS for checkout• connect to bank over HTTP; move to HTTPS for login
Easy attack: prevent the upgrade (ssl_strip) [Moxie’08]
web
SSLHTTP
<a href=https://…> ⇒ <a href=http://…>
webserverattacker
Location: https://... ⇒ Location: http://... (redirect)
<form action=https://… > ⇒ <form action=http://…>p pFAST-NUCES
![Page 23: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/23.jpg)
Tricks and Details
Tricks: drop-in a clever fav icon (older browsers)Tricks: drop in a clever fav icon (older browsers)
D il
⇒
Details:Erase existing session and force user to login:
ssl_strip injects “Set-cookie” headers to delete existing session cookies in browser.
FAST-NUCES
![Page 24: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/24.jpg)
Defense: Strict Transport Security (HSTS)p y ( )web
serverStrict-Transport-Security max-age=31 106;Strict Transport Security max age 31 10 ;
Header tells browser to always connect over HTTPS
After first visit subsequent visits are over HTTPSAfter first visit, subsequent visits are over HTTPS
• self signed cert results in an error
STS flag deleted when user “clears private data”
( h )(chrome)• Compromise: security vs. privacy
FAST-NUCES
![Page 25: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/25.jpg)
2. Semantic attacks on certsInternational domains: xyz.cn
R d d i i t ti l h t tRendered using international character setObservation: Chinese character set contains chars that look lik “/” d “?” d “ ” d “ ”like “/” and “?” and “.” and “=”
Attack: buy domain cert for *.badguy.cnsetup domain called:www.bank.com/accounts/login.php?q=me.badguy.cnnote: single cert *.badguy.cn works for all sites
Extended validation (EV) certs may help defeat this
FAST-NUCES
![Page 26: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/26.jpg)
FAST-NUCES
![Page 27: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/27.jpg)
3. Invalid certsExamples of invalid certificates:
expired: current-date > date-in-certpCommonName in cert does not match domain in URLunknown CA (e.g. self signed certs)( g g )
Small sites may not want to pay for cert
Users often ignore warning:Users often ignore warning:
Is it a mis-configuration or an attack? User can’t tell.
Accepting invalid cert enables man-in-middle attacks(see http://crypto.stanford.edu/ssl-mitm )( p yp )
FAST-NUCES
![Page 28: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/28.jpg)
Man in the middle attack using invalid certs
BankCertBadguyCertGET https://bank.com
bankattackerClientHello ClientHello
ServerCert (Bank)ServerCert (Badguy)bad certwarning!
SSL key exchange SSL key exchangek k k kk1 k1 k2 k2
HTTP data enc with k1 HTTP data enc with k2
Attacker proxies data between user and bank. Sees all traffic and can modify data at will.y
FAST-NUCES
![Page 29: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/29.jpg)
Statistics
25% of active web sites support HTTPS (port 443)25% of active web sites support HTTPS (port 443)
O l 3% f HTTPS it h tOnly 3% of HTTPS sites have proper cert:
For 97% of sites domain name does not match %Common Name in cert
Source: Qualys, June 2010FAST-NUCES
![Page 30: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/30.jpg)
Invalid cert dialoggA difficult security prompt: user wants to proceed and
doesn’t understand warningg
FAST-NUCES
![Page 31: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/31.jpg)
4. Certificate Issuance Woes
Wrong issuance:2011: Comodo and DigiNotar RAs hacked, issue certs for
Gmail, Yahoo! Mail, …
Rogue CA:2009 Eti l t CA i UAE2009: Etisalat CA in UAE
Signs software patch on behalf of RIM
PacketForensics: HTTPS MiTM for law enforcement(see also crypto stanford edu/ssl-mitm )(see also crypto.stanford.edu/ssl mitm )
enables eavesdropping w/o a warning in user’s browserpp g gFAST-NUCES
![Page 32: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/32.jpg)
5. Mixed Content: HTTP and HTTPS
Page loads over HTTPS, but contains content over HTTP(e.g. <script src=“http://.../script.js> )
Active network attacker can hijack sessionModifies script en-route to browserp
FAST-NUCES
![Page 33: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/33.jpg)
Mixed Content: HTTP and HTTPS
IE7: Chrome:
No SSL lock in address bar:
FAST-NUCES
![Page 34: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/34.jpg)
7. Peeking through SSLg gNetwork traffic reveals length of HTTPS packets TLS
t t 256 b t f ddisupports up to 256 bytes of paddingAJAX-rich pages have lots and lots of interactions with the server
Th i i ifi i l f hThese interactions expose specific internal state of the page
BAM!BAM!BAM!BAM!
Side-Channel Leaks in Web Applications Chen, Wang, Wang, Zhang 2010
FAST-NUCES
![Page 35: CS-630: Cyber and Network Securityitsecuritylabs.com/wp-content/uploads/2015/05/...Certificate Authorities Browsers accept certificates from a large number of CAs top level CAs ≈](https://reader034.vdocuments.us/reader034/viewer/2022051811/601c7f692649d73b09274de1/html5/thumbnails/35.jpg)
Acknowledgements
Material in this lecture are taken from the slides preparedMaterial in this lecture are taken from the slides prepared by:Prof Dan Boneh (Stanford)Prof. Dan Boneh (Stanford)
FAST-NUCES