CS-630: Cyber and Network Security

Lecture # 10: HTTPS: Goals and Pitfalls

y y

Lecture # 10: HTTPS: Goals and Pitfalls, Web Session Management

P f D S fi H dProf. Dr. Sufian HameedDepartment of Computer Science

FAST NUCESFAST-NUCES

FAST-NUCES

Overview HTTPS

SSL/TLS OverviewHTTPS in the BrowserProblems with HTTPS and the Lock Icon

FAST-NUCES

Threat Model: Network AttackerNetwork Attacker:

Controls network infrastructure: Routers, DNSPassive attacker: only eavesdrops on net trafficA i k d i j bl k d difi kActive attacker: eavesdrops, injects, blocks, and modifies packets

Examples:Wireless network at Internet Café

Internet access at hotels (untrusted ISP)

FAST-NUCES

SSL/TLS overview

Public key encryption:

Alice Bob

Public-key encryption:

Encm c

Decc m

PKBob SKBob

Bob generates (SKBob , PKBob )

Alice: using PKBob encrypts messages d l B b dand only Bob can decrypt

FAST-NUCES

Certificates

How does Alice (browser) obtain PKBob ?( ) Bob

CABrowser

AlicechooseServer Bob

PK andproof “I am Bob”

check

choose(SK,PK)

SKCAproofissue Cert with SKCA :

PKCA

verify

PKCA

Bob’s key is PKBob’s

key is PK

verifyCert

key is PK

Bob uses Cert for an extended period (e.g. one year)p ( g y )

FAST-NUCES

Certificates: example

Important fields:

FAST-NUCES

Certificates on the web

Subject’s CommonName can be:An explicit name, e.g. khi.nu.edu.pk, orA wildcard cert, e.g.*.nu.edu.pk

matching rules:IE: “*” must occur in leftmost component does not match “ ”IE: must occur in leftmost component, does not match .example: *.a.com matches x.a.com but not y.x.a.com(as in RFC 2818: “HTTPS over TLS”)FF: “*” matches anything

FAST-NUCES

Certificate Authorities

Browsers accept certificates from a

large number of CAs

top level CAs ≈ 600

Intermediate CAs ≈ 1200

FAST-NUCES

Brief overview of SSL/TLS

browser server

SK

client-hello

server-hello + server-cert (PK)cert

SK( )

key exchange (several options)rand k

client-key-exchange: E(PK, k)

rand. k

k

Finished

HTTP data encrypted with KDF(k)

Most common: server authentication onlyFAST-NUCES

Integrating SSL/TLS with HTTP ⇒ HTTPSweb

Two complications

W b i

webproxy web

server

Web proxies

solution: browser sends CONNECT domain-namecorporate network

before client-hello (dropped by proxy)

Virtual hostingVirtual hostingtwo sites hosted at same IP address.solution in TLS 1 1 SNI ( )solution in TLS 1.1: SNI (RFC 4366)

client_hello_extension: server_name=cnn.comimplemented since FF2 and IE7 (vista)

webserver

client-hello

certCNN

certFOX

server-cert ???

FOX

FAST-NUCES

Why HTTPS is not used for all web traffic?

Slows down web serversBreaks Internet caching

ISPs cannot cache HTTPS trafficResults in increased traffic at web site

Incompatible with virtual hosting (older browsers)May. 2012: IE6 ≈ 6.7% (ie6countdown.com)

FAST-NUCES

HTTPS in the Browser

FAST-NUCES

The lock icon: SSL indicator

Intended goal:g• Provide user with identity of page origin• Indicate to user that page contents were not d cate to use t at page co te ts we e ot

viewed or modified by a network attacker

In reality:In reality:Origin ID is not always helpful

Company’s page can be hosted some where else Many other problems (next few slides)

FAST-NUCES

When is the (basic) lock icon displayed( ) p y

• All elements on the page fetched using HTTPS(with some exceptions)

• For all elements:• HTTPS cert issued by a CA trusted by browser• HTTPS cert is valid (e.g. not expired)HTTPS cert is valid (e.g. not expired)• CommonName in cert matches domain in URL

FAST-NUCES

The lock UI: helps users authenticate site

uninformative

FAST-NUCES

The lock UI: Extended Validation (EV) Certs

• Harder to obtain than regular certs• requires human lawyer at CA to approve cert request• requires human lawyer at CA to approve cert request

• Designed for banks and large e-commerce sites

• Helps block “semantic attacks”: www.bankofthevvest.comp

A general UI attack: picture-in-pictureA general UI attack: picture in picture

Trained users are more likely to fall victim to this [JSTB’07]

FAST-NUCES

HTTPS and login pages: incorrect versiong p g

Users often land on loginUsers often land on login page over HTTP:

Type site’s HTTP URL into address bar, or

Google links to the HTTP pagepage

View source:

<form method="post" action="https://onlineservices.wachovia.com/..."

HTTPS and login pages: guidelinesGeneral guideline:

• Response to http://login.site.com

should be Redirect: https://login.site.com p g

FAST-NUCES

Problems with HTTPS and the Lock Icon

FAST-NUCES

Problems with HTTPS and the Lock Icon1 U d f HTTP t HTTPS1. Upgrade from HTTP to HTTPS

2. Semantic attacks on certs

3. Invalid certs and forged certs

4. Certificate Issuance Woes

Mi d5. Mixed contentHTTP and HTTPS on the same page

6. Does HTTPS hide web traffic?

FAST-NUCES

1. HTTP → HTTPS upgradepgCommon use pattern:

bro se site o er HTTP; mo e to HTTPS for checko t• browse site over HTTP; move to HTTPS for checkout• connect to bank over HTTP; move to HTTPS for login

Easy attack: prevent the upgrade (ssl_strip) [Moxie’08]

web

SSLHTTP

<a href=https://…> ⇒ <a href=http://…>

webserverattacker

Location: https://... ⇒ Location: http://... (redirect)

<form action=https://… > ⇒ <form action=http://…>p pFAST-NUCES

Tricks and Details

Tricks: drop-in a clever fav icon (older browsers)Tricks: drop in a clever fav icon (older browsers)

D il

⇒

Details:Erase existing session and force user to login:

ssl_strip injects “Set-cookie” headers to delete existing session cookies in browser.

FAST-NUCES

Defense: Strict Transport Security (HSTS)p y ( )web

serverStrict-Transport-Security max-age=31 106;Strict Transport Security max age 31 10 ;

Header tells browser to always connect over HTTPS

After first visit subsequent visits are over HTTPSAfter first visit, subsequent visits are over HTTPS

• self signed cert results in an error

STS flag deleted when user “clears private data”

( h )(chrome)• Compromise: security vs. privacy

FAST-NUCES

2. Semantic attacks on certsInternational domains: xyz.cn

R d d i i t ti l h t tRendered using international character setObservation: Chinese character set contains chars that look lik “/” d “?” d “ ” d “ ”like “/” and “?” and “.” and “=”

Attack: buy domain cert for *.badguy.cnsetup domain called:www.bank.com/accounts/login.php?q=me.badguy.cnnote: single cert *.badguy.cn works for all sites

Extended validation (EV) certs may help defeat this

FAST-NUCES

FAST-NUCES

3. Invalid certsExamples of invalid certificates:

expired: current-date > date-in-certpCommonName in cert does not match domain in URLunknown CA (e.g. self signed certs)( g g )

Small sites may not want to pay for cert

Users often ignore warning:Users often ignore warning:

Is it a mis-configuration or an attack? User can’t tell.

Accepting invalid cert enables man-in-middle attacks(see http://crypto.stanford.edu/ssl-mitm )( p yp )

FAST-NUCES

Man in the middle attack using invalid certs

BankCertBadguyCertGET https://bank.com

bankattackerClientHello ClientHello

ServerCert (Bank)ServerCert (Badguy)bad certwarning!

SSL key exchange SSL key exchangek k k kk1 k1 k2 k2

HTTP data enc with k1 HTTP data enc with k2

Attacker proxies data between user and bank. Sees all traffic and can modify data at will.y

FAST-NUCES

Statistics

25% of active web sites support HTTPS (port 443)25% of active web sites support HTTPS (port 443)

O l 3% f HTTPS it h tOnly 3% of HTTPS sites have proper cert:

For 97% of sites domain name does not match %Common Name in cert

Source: Qualys, June 2010FAST-NUCES

Invalid cert dialoggA difficult security prompt: user wants to proceed and

doesn’t understand warningg

FAST-NUCES

4. Certificate Issuance Woes

Wrong issuance:2011: Comodo and DigiNotar RAs hacked, issue certs for

Gmail, Yahoo! Mail, …

Rogue CA:2009 Eti l t CA i UAE2009: Etisalat CA in UAE

Signs software patch on behalf of RIM

PacketForensics: HTTPS MiTM for law enforcement(see also crypto stanford edu/ssl-mitm )(see also crypto.stanford.edu/ssl mitm )

enables eavesdropping w/o a warning in user’s browserpp g gFAST-NUCES

5. Mixed Content: HTTP and HTTPS

Page loads over HTTPS, but contains content over HTTP(e.g. <script src=“http://.../script.js> )

Active network attacker can hijack sessionModifies script en-route to browserp

FAST-NUCES

Mixed Content: HTTP and HTTPS

IE7: Chrome:

No SSL lock in address bar:

FAST-NUCES

7. Peeking through SSLg gNetwork traffic reveals length of HTTPS packets TLS

t t 256 b t f ddisupports up to 256 bytes of paddingAJAX-rich pages have lots and lots of interactions with the server

Th i i ifi i l f hThese interactions expose specific internal state of the page

BAM!BAM!BAM!BAM!

Side-Channel Leaks in Web Applications Chen, Wang, Wang, Zhang 2010

FAST-NUCES

Acknowledgements

Material in this lecture are taken from the slides preparedMaterial in this lecture are taken from the slides prepared by:Prof Dan Boneh (Stanford)Prof. Dan Boneh (Stanford)

FAST-NUCES