Upload
leilani-tillman
View
34
Download
1
Embed Size (px)
DESCRIPTION
Why distributed security policy requires secure introduction. Joseph Bonneau Web 2.0 Security & Privacy San Francisco, CA May 24 2013. Talk Outline. Threat model Improved security policies S-links. Cryptographic attacks on HTTPS. RSA timing leaks CBC padding oracle attacks - PowerPoint PPT Presentation
Citation preview
Why distributed security policy requires secure
introduction
Joseph BonneauWeb 2.0 Security & Privacy
San Francisco, CAMay 24 2013
Cryptographic attacks on HTTPS
• RSA timing leaks
• CBC padding oracle attackso aka BEAST, Lucky13, etc.
• Compression leakso aka CRIME
• Downgrade to SSL v3
• RC4 statistical leakage
• Session resumption attacks
See Clark & van Oorschot [IEEE SP '13]
HTTPS vulnerabilities in practice
• Inconsistent and incomplete deploymento stripping attacks
• Failures by Certificate Authoritieso rogue certificates
Threat model
Malicious government
Control a CA:
RomeTrust
Control an ISP:
RomeCast
Limitations:
• Don't control all servers• Don't control browser
✕
HTTPS stripping
GET http://pfj.orgGET https://pfj.org
200 ... content200 ... content
GET http://pfj.org
301 Moved Permanently
https://pfj.org
Rogue certificates
GET https://pfj.org GET https://pfj.org
CN: pfj.orgIssuer: RomeTrustSPKI: K'
CN: pfj.orgIssuer: VerisignSPKI: K
Rogue certificates in the wild
• March 2011: Comodo registrar hackedo 9 certs: mail.google.com, login.live.com, www.google.com,
login.yahoo.com, login.skype.com, addons.mozilla.org
• July 2011: DigiNotar hackedo 531+ certs issued: *.google.com detected first
• ~2011: TürkTrust issues 2 intermediate CAso One returned, one used in 2012 to proxy traffic...
Proposals to deal with rogue certs
PreventiveDetective
Server changes
No server changesSSL Observatory Convergence
PerspectivesCert patrol
CertificateTransparency
DANEHPKPTACKSovereign Keys
HPKP-ROCAA
HSTS (Strict Transport Security)
• proposed 2008 [Jackson/Barth]
• final standard 2012
• support in Chrome, FF, Operao No support in IE, Safari ☹
• ~150 preloaded domains in Chromeo PayPal, Twitter, many Google subdomains
• ~15,000 domains setting or trying HSTS
• ~1,000 domains setting long-term HSTS
HPKP (aka PKP, key pinning)
• Evans, Palmer, Sleevi 2011o Standards track, IETF Web Security
• MUST include at least 2 pins
• Can request "report only" for errors
• Remaining issueso Domain bricking
• 5 early adopters!o No browser support
Certificate Transparency (CT)
• Laurie, Langley, Käsper 2013o IETF experimental draft
• Enter every issued cert in a global log
• CT log is weakly trustedo Publicly verifiableo Append-only
• Relied on for availability, fork consistency
• Certs include "Signed certificate timestamp"o This is all clients check!
• Mis-issued certs detectable by scans
Security = policy distribution
a.com
b.orgHSTS
d.tvCT
Romecast
c.netHPKP
Browsers must know what to expect prior to the initial connection
Browser preloads{ "pinsets": [ { "name": "tor", "static_spki_hashes": [ "RapidSSL", "DigiCertEVRoot", "Tor1", "Tor2", "Tor3" ]
},...{ "name": "torproject.org", "mode": "force-https",
"pins": "tor" },
transport_security_static.json (Chromium project)
Continuity-based policy
GET https://pfj.org
200 OK
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Public-Key-Pins: max-age=15768000;pin-sha1="4n972...baXc="; pin-sha256="LPJN...LmCQ="
Could also use a well-known URI, TLS extensions, x.509 extensions, etc.
DNS(SEC) based proposals
• Service Security Requirementso Schechter 2007o Expired RFC
• DANEo Hoffman, Schlyter 2012o Standards track RFC
• CAAo Hallam-Baker, Stradling 2013o Standards-track RFC
Channels to distribute security policy
• Browser preloadso HSTS, HPKP (already in Chrome)
• Continuityo HSTS, HPKP, TACK, etc.
• DNSSEC
• Third partieso Notaries, public logs, OCSP responders
☺
☠
?
Out-of-band lookup is a non-starter
Was this okay for pfj.org?
CN: pfj.orgIssuer: VerisignSPKI: K
GET https://pfj.org
∅ Attackers can always simulate outage!
Secure introduction
• Already exists for HSTS!
• Effects of an HTTPS link:o mandatoryo ephemeralo transparent to userso easy to deploy
• IDEA: for web navigation, a referring website can indicate security policy in-band in links
My proposal: s-links
<a link-security="expiry=1357849989;
pin-sha256=YWRm...cnF=;
pin-sha256=LPJN...mCQ=;"
href="https://pfj.org">secure link!</a>
secure link!
Linked web navigation model
users only reach new domains via hyperlinks, beginning with a set of domains with preloaded security policies.
Malicious s-links?
• Can only make security policy strictero Can never undermine ambient policy
• No persistent effectso No domain bricking
• UI ≈ 404 (not found)o Limit risk of "warning fatigue"
S-links and the same origin policy
secure.com pfj.org
pfj.org
s-link
cross-frame navigationscript injectioncookie theft
Upgrading security policy
• Need to re-check ALL cached resourceso HTTP cacheo HTML5 localStorage/WebCacheo TLS saved sessionso Cookieso etc.
• Need to do so atomically
• No issues for non-framed contento For example, script libraries
Big-picture questions
• Whom do we have to trust?
• Can we change who we have to trust?o Trust agility
• Can users tell whom they're trusting?o Trust affordance
5 predictions for the next 5 years
• Multiple security protocols deployedo At least HPKP & CT
• Multiple distribution channelso Preload/link/continuity paradigm will predominate
• Policy specification will standardize
• Preloads will expand, standardize
• Web hubs will develop into security notaries