Believe It Or Not SSL Attacks
•Als PPTX, PDF herunterladen•
0 gefällt mir•829 views
A talk about attacks against SSL that have been uncovered in the last 3-4 years. This talk delves into about what exactly was attacked and how it was attacked and how SSL is still a pretty useful piece of technology. This was given at null Bangalore April Meeting.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Believe It Or Not SSL Attacks
Ähnlich wie Believe It Or Not SSL Attacks (20)
Mehr von Akash Mahajan
Mehr von Akash Mahajan (17)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Believe It Or Not SSL Attacks
- 1. Believe it or not SSL attacks Akash Mahajan That Web Application Security Guy
- 2. HTTP + SSL/TLS = HTTPS
- 4. SSL/TLS O Encrypted Communication – Eavesdropping and Tampering O Secure Identification of a Network – Are you talking to the right server?
- 5. Attacking The Encryption Algorithm O Attack like the BEAST (Browser Exploit Against SSL/TLS ) target the underlying encryption. O Usually the encryption has held against attacks. Even BEAST requires injecting client side JavaScript to work O http://threatpost.com/en_us/blogs/new- attack-breaks-confidentiality-model-ssl- allows-theft-encrypted-cookies-091611
- 6. Attacking The Authenticity O The low hanging fruit. Most of the times when that sslstrip guy talks about SSL issues he talks about attacking the authenticity. O Why is the authenticity important? O How do you bypass it?
- 7. How is the authenticity maintained? O A implicitly trusted certificate will tell you that a server’s particular certificate is trust worthy or not. O When a server got a certificate trusted by a root CA they get added to a list. O If a server is removed from the trusted listed they get added to a revocation list.
- 8. Is your browser checking the revocation list? O Chrome relies on frequent updates for this. O Firefox ? O IE - Online Certificate List O Online Certificate Status Protocol
- 9. Bad Things can Happen O Comodo an affiliate of a root CA was hacked. O DigiNotar was hacked. O Hundreds of certificates for google, yahoo, mozilla, MS windows update were released. O SSL assumes that both end points aren’t evil
- 10. I hacked the internet and all I have is a t-shirt O Attack against the PKI because of MD5 O The attack was against Intermediate CAs O There were theoretical attacks against MD5 since 2004 O They found out that RapidSSL had issued 97% certificates with MD5 hash.
- 11. I hacked the internet and all I have is a t-shirt O Also the certificate serial number was sequential and time could be predicted O Used 200 PS3s to generate a certificate which had most parts from a legitimate cert but something different. O http://www.trailofbits.com/resources/creati ng_a_rogue_ca_cert_paper.pdf
- 13. SSLStrip attacks HTTP O Attacked correct attributes not being setup in Certificates O Now looks at HTTP traffic going by. O Has a valid certificate for a weird looking domain name whose puny code looks like /?
- 14. Akash Mahajan | That Web Application Security Guy O akashmahajan@gmail.com O @makash | akashm.com O http://slideshare.net/akashm O OWASP Bangalore Chapter Lead O Null Co-Founder and Community Manager
- 15. References O SSL Lock image from http://elie.im/blog/security/evolution-of-the-https-lock-icon- infographic/ O http://arstechnica.com/business/news/2011/09/new-javascript-hacking-tool-can- intercept-paypal-other-secure-sessions.ars O http://technet.microsoft.com/en-us/library/cc962078.aspx O https://freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate- authority-trust-model O http://arstechnica.com/security/news/2011/08/earlier-this-year-an-iranian.ars O http://arstechnica.com/security/news/2011/03/independent-iranian-hacker-claims- responsibility-for-comodo-hack.ars O http://en.wikipedia.org/wiki/Certificate_authority#cite_note-3 O http://vnhacker.blogspot.in/2011/09/beast.html O http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows- theft-encrypted-cookies-091611