Upload
garret-sears
View
226
Download
3
Tags:
Embed Size (px)
Citation preview
More Trick For Defeating SSL
DEFCON 17Moxie Marlinspike
1. Introduction 2. Background Knowledge
SSL/TLS protocol 3. sslstrip 4. sslsniff
A. Basic Constraints vulnerability B. Null-Prefix Attack C. bypassing OCSP
5. Conclusion
Outline
Demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach.
Introduction
Background KnowledgeSSL/TLS Protocol
abbreviation for Transport Layer Security and it’s successor Secure Socket Layer
Provide communication security over the Internet.
Even when the network is being MITM attack.
SSL/TLS Introduction
Network Stack
Handshake Process
Handshake Process
SSLstrip
demonstration of the HTTPS stripping attacks It will transparently hijack HTTP traffic on a
network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links
SSLstrip Introduction[1]
Bridge www.facebook.com bridge https://www.facebook.com?
302 redirect Hyper link
How it work
302 Redirect
Detail – Normal Scenario
User type:example.com
http://example.com
https://abc.example.com
Server reply302 redirect tohttps://abc.example.com
SSL/TLS handshake
Serve reply200 ok
User BrowserServer
Detail – Normal Scenario
Detail – Attack Scenario
User/browser Attacker Server
http://example.com http://example.com
Server reply302 redirect tohttps://abc.example.com
Strip https to http
http://abc.example.com
Server reply302 redirect tohttp://abc.example.com
http://abc.example.com
Record url
url match https://abc.example.com
SSL/TLS handshake
Application DataStripped Application Data
Strip https to http
Result(without strip)
Result(with strip)
the browser query https://abc.example.com directly. Bookmark User typing
Other protocol smtps Ftps Sftp….
What can’t sslstirp do
SSLsniff -Basic Constraints vulnerability
Certificate Chaining
Certificate Chaining
Verify that the name of the leaf node is the same as the site you're connecting to.
Verify that the leaf certificate has not expired.
Check the signature If the signing CA is in our list of trusted root
CAs, stop. Otherwise, move one up the chain and repeat.
How we verify
Verify that the name of the leaf node is the same as the site you're connecting to.
Verify that the leaf certificate has not expired.
Check the signature If the signing CA is in our list of trusted root
CAs, stop. Otherwise, move one up the chain and repeat.
What they say
All the signatures are valid. Nothing has expired. The chain is in tact. The root CA is embedded in the browser and
trusted.
Something must be wrong, but...
But we just created a valid certificate for PayPal, and we're not PayPal?
The missing piece
Most CAs didn't explicitly set basicConstraints: CA=False
Whether the field was there or not, most SSL implementations didn't bother to check it.
Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain.
When presented with a complete chain, IE, Outlook, Konqueror, OpenSSL, and others considered it valid...
Back in the day
Microsoft claimed that it was impossible to exploit.
So The Author published the tool that exploits it.
And then in 2002...
SSLsniff detail
User/browser Attacker
https://abc.example.com
SSL/TLS handshake
Application Data
https://abc.example.com
1. Generate a certificate for the site it is connected to2. Sign it with any random valid leaf node certificate.3. Pass that certificate chain to the client.
SSL/TLS handshake
Application Data
1. Get the Data from server2. Encrypt it with our private key3. Send to user
SSLsniff –Null Prefix Attack
Author’s PPT
X509 Certificate Version Serial Number Issuer Validity Subject PublicKey
Signature Algorithm Signature
What's with certificates, anyways?
Identify some subjectsGet the public key
Issue by some Issuer
Issuer Signature
Secrecy - Encryption algorithm Authenticity - Digital Signature Integrity - Checksum
The Big Three
SSL Handshake Beginnings