SSL is widely accepted as a technology that protects site users from certain attacks. But does it really protect them? Are we deploying it right? Probably not. I will show you why.
Presented at Just4Meeting, 02/07/11 Cascais.
More info at www.just4meeting.com.
note: this is the third version of this presentation.
SSL: limitations, bad practices and how to do it right
1. SSL: limitations, bad practices and how to do it right
Version 2.0 - 02/07/2011
Tiago Mendo
tiago.mendo@telecom.pt
2. Summary
• History
– SSL
– TLS
– SSL vs TLS
• Protocol
– Objectives
– Applications
• How it works - the 2 minutes version
• How it works - the 30 minutes version
– Certificate validation
– Certificate revocation check
– Certificate chain of trust check
– Fetching content
– Redirecting from HTTP to HTTPS
– Full HTTPS browsing
– Mixed content browsing
• Recommendations
• Conclusions
• Questions
SAPO Websecurity Team
3. History > SSL
• SSL - Secure Sockets Layer
• 1994 - SSL 1.0 created by Netscape, never released
• 1995 - SSL 2.0 released in Netscape Navigator 1.1. Multiple security flaws found
• 1996 - SSL 3.0 released
4. History > TLS
• TLS - Transport Layer Security
• 1999 - TLS 1.0 defined in RFC 2246, using SSL 3.0 as basis
• 2006 - TLS 1.1 defined in RFC 4346
• 2008 - TLS 1.2 defined in RFC 5246
5. History > SSL vs TLS
SSL      TLS
1.0
2.0
3.0
(3.1)    1.0
(3.2)    1.1
(3.3)    1.2
• SSL 3.0 and TLS 1.0 are equivalent in security, but incompatible
• “Everybody knows SSL. TLS is more technically accurate but sounds like a cable TV network or a disease”
8. Protocol > Objectives
• Why SSL?
• To protect the communications between two hosts:
– content confidentiality
– integrity
– authenticity
• Host identity is not protected (requires IPSEC)
• Normally only the server is authenticated
12. Protocol > Applications
                                               HTTP
Application  HTTP           HTTP / SSL         SSL
Transport    TCP            TCP                TCP
Network      IP             IP                 IP
Data link    802.11 - WLAN  802.11 - WLAN      802.11 - WLAN
Physical     Air            Air                Air
• On top of any Transport layer (including UDP)
• Used with any Application layer protocol
• HTTP, SMTP, XMPP, SIP, etc.
• Used in OpenVPN
13. How it works - the 2 minutes version
• Type https://www.facebook.com and hit enter
14. How it works > Traffic without SSL
15. How it works > Traffic with SSL
16. How it works - the 30 minutes version
• Type https://www.facebook.com and hit enter
• Browser connects to www.facebook.com:443
• SSL handshake is initiated
• Server sends its X.509 certificate to the client
• The client starts the validation process
17. How it works > Certificate validation
• CN matches URL
• For each cert. in the chain
– Has not expired
– Was not revoked
– Was emitted by a trusted CA
21. How it works > Certificate revocation check
• CRL - Certificate Revocation List
• The CRL is a list of revoked serial numbers
• The certificate specifies a CRL URL
• CRL managed by the issuing CA
• Answer can be cached for a few months
• The CRL can be very large: enter OCSP
– expired certs. are removed from the CRL
22. How it works > Certificate revocation check
• OCSP - Online Certificate Status Protocol
• The certificate specifies an OCSP server
• Browser asks the server if a specific cert. is still valid
• OCSP server managed by the issuing CA
• Answer can be cached for a few days
• A cert. can specify both the CRL and OCSP
24. How it works > Certificate revocation check
• What can go wrong?
• CRL and OCSP servers can be unreachable
– Browsers will allow user to continue
– You may or may not be warned about this
– Moxie Marlinspike found that OCSP “try again” message (error code 3) is not signed
– Attack: MiTM with a revoked cert. and reply 3 to the OCSP requests.
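Added example (not from the original slides): the client-side decision that the slide above turns on. A tryLater answer has no signed responseBytes, so a soft-fail client accepts the certificate unchecked while a hard-fail client rejects it. The sample byte strings are constructed, and the function names and the hard_fail switch are assumptions of this example.

```python
"""Classify a DER-encoded OCSPResponse (RFC 6960) and apply a revocation policy."""

# OCSPResponseStatus values, RFC 6960 section 4.2.1 (value 4 is not used)
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed samples. A tryLater answer is only SEQUENCE { ENUMERATED 3 }.
TRY_LATER = bytes.fromhex("30030a0103")
# "successful" shell: status 0 plus [0] responseBytes holding the id-pkix-ocsp-basic
# OID and a placeholder OCTET STRING where the signed BasicOCSPResponse would sit.
SUCCESS_SHELL = bytes.fromhex("30160a0100a011300f06092b060105050730010104023000")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_response(der):
    """Return (status_name, has_response_bytes) for an OCSPResponse."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, value, pos = read_tlv(body, 0)
    if tag != 0x0A or len(value) != 1 or value[0] not in STATUS:
        raise ValueError("bad responseStatus")
    has_bytes = False
    if pos < len(body):                     # optional [0] EXPLICIT responseBytes
        tag, _, pos = read_tlv(body, pos)
        if tag != 0xA0 or pos != len(body):
            raise ValueError("unexpected data after responseStatus")
        has_bytes = True
    return STATUS[value[0]], has_bytes


def revocation_decision(der, hard_fail=True):
    """Decide what to do with the certificate given the raw OCSP answer.

    'verify-signature': a signed body is present; the caller must still verify it.
    'reject':           no usable signed answer and the policy is hard-fail.
    'accept-unchecked': no usable signed answer and the policy is soft-fail.
    """
    try:
        status, has_bytes = parse_ocsp_response(der)
    except ValueError:
        status, has_bytes = None, False
    if status == "successful" and has_bytes:
        return "verify-signature"
    return "reject" if hard_fail else "accept-unchecked"
```

Only the outer OCSPResponse wrapper is parsed here; verifying the signature inside responseBytes is a separate step that this example leaves to the caller.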
26. How it works > Certificate revocation check
• How to mitigate this problem?
• OCSP Stapling - Kerberos style ticket
– Cert. owner frequently asks the OCSP for a ticket
– Ticket says “I, CA guarantee with my signature that this certificate is valid for a few hours”
– Site presents this ticket to requesting browser
• Fallback to OCSP
• Support: Chrome on Windows Vista or higher
29. How it works > Certificate revocation check
• How to mitigate this problem?
• CRL and OCSP cache
• Which introduces another problem
– If a cert. is compromised, there may be a significant window of vulnerability (months for a CRL)
– Remember the Comodo RA compromise?
– 9 certs. were issued to 7 domains
– certs. were revoked in 15 minutes
– Browser vendors immediately issued browser updates
31. How it works > Certificate revocation check
• What can go wrong?
• Browsers have vulnerabilities
– OS X v10.6.8 June 2011 update changelog
– “An error handling issue existed in the Certificate Trust Policy. If an Extended Validation (EV) certificate has no OCSP URL, and CRL checking is enabled, the CRL will not be checked and a revoked certificate may be accepted as valid. This issue is mitigated as most EV certificates specify an OCSP URL.”
– Update, update, update.
32. How it works > Certificate validation
• CN matches URL
• For each cert. in the chain
– Has not expired
– Was not revoked
– Was emitted by a trusted CA
33. How it works > Certificate chain of trust check
• The server sends the whole certificate chain
• For each cert. in the chain verify
– is properly signed by the CA certificate immediately higher in the hierarchy
– last certificate is explicitly trusted by the browser, so no signature verification is done
35. How it works > Certificate chain of trust check
36. How it works > Certificate chain of trust check
38. How it works > Certificate chain of trust check
• What can go wrong?
• The browser does not know the root CA
– can happen if you are using an old browser/device
• How to mitigate this problem?
• Multi-rooting CAs
– Server sends a longer chain with more CA certificates higher in the hierarchy
– Both CAs trusted by Firefox
41. How it works > Certificate chain of trust check
• What can go wrong?
• The server did not send the whole chain
– sending the domain certificate is not enough
• How to mitigate this problem?
• Send the whole chain
– Using Apache:
SSLEngine on
SSLCertificateFile <path_to_your_cert>
SSLCertificateKeyFile <path_to_your_private_key>
SSLCACertificateFile <path_to_the_CA_chain>
44. How it works > Certificate chain of trust check
• What can go wrong?
• The certificate is self signed
– you are being cheap
• How to mitigate this problem?
• Get a certificate signed by a trusted CA!
– StartSSL: free
– GoDaddy: €36.99/year
47. How it works > Certificate chain of trust check
• What can go wrong?
• The certificate is self signed
• How to mitigate this problem?
• DNSSEC
– CERT / TLSCERT / TXT RR holds cert. (or its hash)
– trust the DNSSEC chain, trust the certificate
– DNS clients need to be DNSSEC aware
– stapling: DNSSEC chain in a certificate extension
50. How it works > Certificate chain of trust check
• What can go wrong?
• You do not trust what your browser trusts
– Firefox ships with 162 CAs
• Chunghwa Telecom Co., Ltd
• Türkiye Bilimsel ve Teknolojik Araştırma Kurumu - TÜBİTAK
– Are all of them secure and properly managed?
– “I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root.” said one of the maintainers of Mozilla CA list (early 2010)
51. How it works > Certificate chain of trust check
• What can go wrong?
• You do not trust what your browser trusts
– Recent request to add a CA to Firefox
• “This is a request to add the CA root certificate for Honest Achmed's Used Cars and Certificates.”
• “Achmed's uncles all vouch for the fact that he's honest.”
• “The purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money.”
– It was not granted. This time.
53. How it works > Certificate chain of trust check
• What can go wrong?
• You do not trust what your browser trusts
– PKI is attacked from all sides
• VeriSign issued 2 “Microsoft Corporation” certificates to an unknown person (January 2001)
• MD5 collision: rogue CA created (December 2008)
• COMODO: 9 certificates issued (March 2011)
• StartSSL: certificate issuance suspended (June 2011)
54. How it works > Certificate chain of trust check
• How to mitigate this problem?
• Remove trust or delete CAs
– they might come back after software updates
– how do you evaluate if a CA can be trusted?
• by country? name? company?
• by security audit? Reports are available, but they all say the same: “approved”.
– can you do this in your smartphone?
55. How it works > Fetching content
• At this point the browser trusts the site certificate
• No HTTP request was made yet!
• First HTTP request is made only now
GET / HTTP/1.1
Host: www.facebook.com
56. How it works > Fetching content
58. How it works > Redirecting from HTTP to HTTPS
• Let's go back a little
• Imagine you type http://www.facebook.com instead of https...
• Hit enter!
• Browser connects to www.facebook.com:80
59. How it works > Redirecting from HTTP to HTTPS
60. How it works > Redirecting from HTTP to HTTPS
61. How it works > Redirecting from HTTP to HTTPS
63. How it works > Redirecting from HTTP to HTTPS
• What can go wrong?
• Moxie Marlinspike and his sslstrip tool
65. How it works > Redirecting from HTTP to HTTPS
• sslstrip functioning
– MiTM tool
– maps HTTPS links to HTTP
– maps redirects to HTTPS back to HTTP
– maps HTTPS links to homograph-similar HTTPS links
– can supply a lock favicon
– logging!
66. How it works > Redirecting from HTTP to HTTPS
• sslstrip functioning
67. How it works > Redirecting from HTTP to HTTPS
68. How it works > Redirecting from HTTP to HTTPS
• You type http://www.facebook.com and get redirected to https://www.facebook.com
GET / HTTP/1.1
Host: www.facebook.com

HTTP/1.1 302 Found
Location: https://www.facebook.com/
• These requests are not protected with SSL!
71. How it works > Redirecting from HTTP to HTTPS
• How to mitigate this problem?
• Make site available only in HTTPS
– Does not work: most users type HTTP and redirects are dangerous
• Use HSTS: HTTP Strict Transport Security
– Formerly STS
– Server defined policy that browsers must honor
– Server sends HTTP header with policy
72. How it works > Redirecting from HTTP to HTTPS
Strict-Transport-Security: max-age=15768000;includeSubdomains
• This header says two things:
– “Browser, convert all requests to my domain to HTTPS”
– “Browser, if there is any security issue with the connection do not allow progress”
• Consequences:
– the user types http://www.facebook.com and the browser requests https://www.facebook.com
– any HTTP link in the response turns to HTTPS
74. How it works > Redirecting from HTTP to HTTPS
• Still, there is a problem:
• We have never visited the site or policy expired
– browser does not know the site HSTS policy
– if the user types http://www.facebook.com the request is done using HTTP
– TOFU: Trust On First Use
• Recommendations
– first visit using a safe wired network
– manually instruct the browser to use HSTS
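Added example (not from the original slides): the browser-side bookkeeping behind the HSTS header and the TOFU gap described above. It shows that the first request stays on HTTP, that requests are upgraded once a policy has been received over HTTPS, and that they fall back to HTTP after max-age runs out. The class and function names and the example.test hosts are assumptions of this example.

```python
"""Browser-side HSTS bookkeeping: parse the header, remember the policy, upgrade URLs."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains), or None if max-age is unusable."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()             # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Known HSTS hosts, keyed by host name, with an absolute expiry time."""

    def __init__(self):
        self.policies = {}                      # host -> (expires_at, include_subdomains)

    def note_response(self, url, header_value, now):
        """Record the policy from a response; headers seen over plain HTTP are ignored."""
        parts = urlsplit(url)
        policy = parse_hsts(header_value) if parts.scheme == "https" else None
        if policy is None or not parts.hostname:
            return False
        max_age, include_sub = policy
        if max_age == 0:
            self.policies.pop(parts.hostname, None)   # max-age=0 removes the policy
        else:
            self.policies[parts.hostname] = (now + max_age, include_sub)
        return True

    def _covered(self, host, now):
        """True if host, or a parent with includeSubdomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser actually requests for a typed or linked URL."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self._covered(parts.hostname, now):
            # Port 80 becomes the HTTPS default; any other explicit port is kept.
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```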
75. How it works > Redirecting from HTTP to HTTPS
• Server support: all, just send the header
• Browser support
– Chrome 4.0.211.0 (with preloaded domain list)
– Firefox 4
• Plugins
– Safari SSL Everywhere
– Firefox EFF HTTPS Everywhere
– Firefox ForceTLS (simple list editing)
76. How it works > Redirecting from HTTP to HTTPS
77. How it works > Redirecting from HTTP to HTTPS
78. How it works > Full HTTPS browsing
• At this point we have all the contents of the site served over HTTPS.
• How can we be sure?
• Notice the green https text
79. How it works > Mixed content browsing
• How about this situation?
• Notice the red strikethrough https text
80. How it works > Mixed content browsing
• Chrome console output:
82. How it works > Mixed content browsing
• What is the problem?
• Sensitive information can be captured
– images: your last night weird photos
– javascript: can be replaced with malicious code
– cookies: sent in every request!
– full browsing information
• Browser warnings
– can affect site reputation
– most users ignore this
83. How it works > Mixed content browsing
86. How it works > Mixed content browsing
• How to mitigate this problem?
• HSTS
– you have to specify all domains used by the site
– some links might not work over HTTPS
– not a solution for all sites
• Use only HTTPS links :)
– use a proxy: make your server fetch the HTTP content and serve it over HTTPS
– do not forget the favicon
88. How it works > Mixed content browsing
• How to minimize this problem?
• Secure Cookies
– the server can set the secure flag for the cookie
– a secure cookie is only sent over HTTPS
– beware: this does not prevent the mixed content warning, it ONLY prevents cookies from being sent over HTTP
91. How it works > Data in transit vs at rest
• Using SSL we protected the data in transit
• What happens after it reaches the browser?
• It gets cached.
• What is the problem?
– sensitive data is stored in clear
– computers are shared, sold, lost or stolen
• How to mitigate this problem?
Cache-Control: no-cache, no-store
Pragma: no-cache
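Added example (not from the original slides): a check a site owner can run over one HTTPS response to find the three problems from the mixed content, secure cookie and caching slides: subresources fetched over HTTP (favicon included), cookies set without the Secure flag, and a missing no-store directive. The sample response, the example.test hosts and the function names are constructed for this example.

```python
"""Audit one HTTPS response for mixed content, non-Secure cookies and cacheability."""
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# <link href> covers stylesheets and the favicon; <a href> is navigation, not a fetch.
FETCHING = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href"),
            ("embed", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample of a page served over HTTPS.
SAMPLE_HEADERS = [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
                  ("Set-Cookie", "prefs=dark; Secure; Path=/"),
                  ("Cache-Control", "no-cache")]
SAMPLE_HTML = """<html><head>
<link rel="icon" href="http://static.example.test/favicon.ico">
<script src="https://static.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/photo.jpg">
<a href="http://other.example.test/">plain link, not a subresource</a>
</body></html>"""


class SubresourceCollector(HTMLParser):
    """Collect (tag, url) for every subresource referenced with an http:// URL."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCHING and value and value.strip().lower().startswith("http://"):
                self.insecure.append((tag, value.strip()))


def audit_response(headers, html):
    """headers: list of (name, value) pairs as received. Returns a list of findings."""
    findings = []
    collector = SubresourceCollector()
    collector.feed(html)
    for tag, url in collector.insecure:
        findings.append(f"mixed content: <{tag}> loads {url}")
    cache_directives = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            # Attributes follow the first ';'; their names are case-insensitive.
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                cookie_name = value.split("=", 1)[0].strip()
                findings.append(f"cookie without Secure flag: {cookie_name}")
        elif lname == "cache-control":
            cache_directives.update(d.strip().lower() for d in value.split(","))
    if "no-store" not in cache_directives:
        findings.append("cacheable response: Cache-Control lacks no-store")
    return findings
```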
93. Recommendations
• A few more recommendations
• Make a bookmark with the HTTPS link for the site (specially homebanking sites)
– avoids requests using HTTP
– avoids attacks caused by typos
• Use a plugin that warns you if the certificate has changed
– Perspectives (www.networknotary.org)
– Certificate Patrol
94. Conclusions
• Conclusions
– SSL 3.0 and TLS 1.0+ are the way to go
– Use HSTS and manually add your important sites
– Update your browser often or automatically
– Do not visit sites whose first page is HTTP when using public wireless networks
– Do not allow HTTP access to sensitive pages
– Do not create sites with mixed HTTP(S) content
– If your site is HTTPS only, use secure cookies
95. Questions
Any questions?
tiago.mendo@telecom.pt
Editor's notes

SSL 2.0 problems
- vulnerable to MiTM (dumb-down attack to 40 bits) - SSL 3.0 prevents this by sending the last handshake message with a hash of the previous messages
- the padding-length field is not authenticated, so it is possible to alter it and “shorten” messages from the end

SSL 3.0 new features
- renegotiation in the middle of a connection, on the client's initiative (the server already could)
- record compression
- 3.0 detects 2.0 and falls back

Defined by the IETF
changelog 1.1
- protects against attacks on CBC (cipher block chaining)
- handling of padding errors changed
changelog 1.2
- MD5-SHA1 in the pseudorandom function and in the finished message replaced by SHA-256
- MD5-SHA1 in the signature replaced by SHA1 (negotiable)
- added support for authenticated encrypted ciphers, such as AES
- TLS extensions defined

- TLS 1.0/SSL 3.0 can be downgraded/upgraded to SSL 3.0/TLS 1.0
- Quote by Brad Hill at Black Hat Briefings USA 2007
- () versions -> value of the field version as specified in the TLS RFC

SSL + UDP = Datagram Transport Layer Security (DTLS).

user privacy is lost: CAs know which sites are being visited

check the frequency of OCSP requests
users regain privacy regarding OCSP site leaking

check the frequency of OCSP requests
Comodo RA compromise: March 15
fake certs:
- mail.google.com
- www.google.com
- login.yahoo.com
- login.skype.com
- addons.mozilla.org
- login.live.com
- global trustee

Update the OS, browser and browser plugins

We do not know which device it is, so we cannot send the right certs, because there has been no HTTP yet (no user-agent)

CA’s out of business? No, only CAs do real life verifications -> EV
DNSSEC client ability:
- clients need full DNSSEC chain

DNSSEC signatures are short lived (1 week)
DNSSEC stapling -> Chrome Dev (beta via cmd line flag)

Android requires jailbreaking

includeSubdomains: if a subdomain is created it cannot function without the proper certificate

problem: visit after expiration date

“Chrome's HSTS database stores only the hashes of sites” -> thus, is not possible to list them

viaverde.pt is not using SSL, hence only clientes.viaverde.pt. Do not browse to viaverde.pt

Safari only warns when posting from HTTP to HTTPS