SSL, HSTS and other stuff with two eSSes
Versão 1.1 - 22/06/2011
Tiago Mendo -‐ ,[email protected] Security & IT
SAPO Websecurity Team
Summary
2
• History
– SSL
– TLS
– SSL vs TLS
• Protocol
– Objec9ves
– Applica9ons
• How it works -‐ the 2 minutes version
• How it works -‐ the 30 minutes version
– Cer9ficate valida9on
– Cer9ficate revoca9on check
– Cer9ficate chain of trust check
– Fetching content
– Redirec9ng from HTTP to HTTPS
– Full HTTPS browsing
– Mixed content browsing
• Recommenda9ons
• Conclusions
• Ques9ons
SAPO Websecurity Team
History > SSL
3
• SSL -‐ Secure Sockets Layer
• 1994 -‐ SSL 1.0 created by Netscape, never released
• 1995 -‐ SSL 2.0 released in Netscape Navigator 1.1. Mul9ple security flaws found
• 1996 -‐ SSL 3.0 released
SAPO Websecurity Team
History > TLS
4
• TLS -‐ Transport Layer Security
• 1999 -‐ TLS 1.0 defined in RFC 2246, using SSL 3.0 as basis
• 2006 -‐ TLS 1.1 defined in RFC 4346• 2008 -‐ TLS 1.2 defined in RFC 5246
SAPO Websecurity Team
History > SSL vs TLS
5
• SSL 3.0 and TLS 1.0 are equivalent in security, but incompa9ble• “Everybody knows SSL. TLS is more technically accurate but sounds like a cable TV network or a disease"
SSL TLS
1.0
2.0
3.0
(3.1) 1.0
(3.2) 1.1
(3.3) 1.2
SAPO Websecurity Team
Protocol > Objectives
6
• Why SSL?
SAPO Websecurity Team
Protocol > Objectives
6
• Why SSL?
• To protect the communica9ons between two hosts:– content confiden9ality– integrity– authen9city
SAPO Websecurity Team
Protocol > Objectives
6
• Why SSL?
• To protect the communica9ons between two hosts:– content confiden9ality– integrity– authen9city
• Host iden9ty is not protected (requires IPSEC)• Normally only the server is authen9cated
SAPO Websecurity Team
Protocol > Applications
7
Applica,on
Transport
Network
Data link
Physical
HTTP
TCP
IP
802.11 -‐ WLAN
Air
SAPO Websecurity Team
Protocol > Applications
7
Applica,on
Transport
Network
Data link
Physical
HTTP
TCP
IP
802.11 -‐ WLAN
Air
HTTP / SSL
TCP
IP
802.11 -‐ WLAN
Air
SAPO Websecurity Team
Protocol > Applications
7
Applica,on
Transport
Network
Data link
Physical
HTTP
TCP
IP
802.11 -‐ WLAN
Air
HTTP / SSL
TCP
IP
802.11 -‐ WLAN
Air
HTTP
SSL
TCP
IP
802.11 -‐ WLAN
Air
SAPO Websecurity Team
Protocol > Applications
7
• On top of any Transport layer (including UDP)• Used with any Applica9on layer protocol• HTTP, SMTP, XMPP, SIP, etc.• Used in OpenVPN
Applica,on
Transport
Network
Data link
Physical
HTTP
TCP
IP
802.11 -‐ WLAN
Air
HTTP / SSL
TCP
IP
802.11 -‐ WLAN
Air
HTTP
SSL
TCP
IP
802.11 -‐ WLAN
Air
SAPO Websecurity Team
How it works - the 2 minutes version
8
• Type hdps://www.facebook.com and hit enter
SAPO Websecurity Team
How it works > Traffic without SSL
9
SAPO Websecurity Team
How it works > Traffic with SSL
10
SAPO Websecurity Team
How it works - the 30 minutes version
11
• Type hdps://www.facebook.com and hit enter
• Browser connects to www.facebook.com:443• SSL handshake is ini9ated• Server sends its X.509 cer9ficate to the client• The client starts the valida9on process
SAPO Websecurity Team
How it works > Certificate validation
12
• CN matches URL• For each cert. in the chain– Has not expired–Was not revoked–Was emided by a trusted CA
SAPO Websecurity Team
How it works > Certificate validation
13
• CN matches URL• For each cert. in the chain– Has not expired–Was not revoked–Was emided by a trusted CA
SAPO Websecurity Team
How it works > Certificate validation
14
• CN matches URL• For each cert. in the chain– Has not expired–Was not revoked–Was emided by a trusted CA
SAPO Websecurity Team
How it works > Certificate validation
15
• CN matches URL• For each cert. in the chain– Has not expired–Was not revoked–Was emided by a trusted CA
SAPO Websecurity Team
How it works > Certificate revocation check
16
• CRL -‐ Cer9ficate Revoca9on List
• The cer9ficate specifies a CRL URL• The CRL is a list of revoked serial numbers• Answer can be cached for a few months– period defined by the CA
• The CRL can be very large: enter OCSP– expired certs. are removed from the CRL
SAPO Websecurity Team
How it works > Certificate revocation check
17
• OCSP -‐ Online Cer9ficate Status Protocol
• The cer9ficate specifies a OCSP server• Browser asks the server if a specific cert. is s9ll valid
• Answer can be cached for a few days– period defined by the CA
• A cert. can specify both the CRL and OCSP
SAPO Websecurity Team
How it works > Certificate revocation check
18
• What can go wrong?
SAPO Websecurity Team
How it works > Certificate revocation check
18
• CRL and OCSP servers can be unreachable– Browsers will allow user to con9nue– You may or may not be warned about this
–Moxie Marlinspike found that OCSP “try again” message (error code 3) is not signed
– Adack: MiTM with a revoked cert. and reply 3 to the OCSP requests.
• What can go wrong?
SAPO Websecurity Team
How it works > Certificate revocation check
19
• How to mi9gate this problem?
SAPO Websecurity Team
How it works > Certificate revocation check
19
• OCSP Stapling -‐ Kerberos style 9cket– Cert. owner frequently asks the OCSP for a 9cket– Ticket says “I, CA guarantee with my signature that this cer9ficate is valid for a few hours”
– Site presents this 9cket to reques9ng browser
• Fallback to OCSP• Support: Chrome on Windows Vista or higher
• How to mi9gate this problem?
SAPO Websecurity Team
How it works > Certificate revocation check
20
• How to mi9gate this problem?
SAPO Websecurity Team
How it works > Certificate revocation check
20
• CRL and OCSP cache• How to mi9gate this problem?
SAPO Websecurity Team
How it works > Certificate revocation check
20
• CRL and OCSP cache• How to mi9gate this problem?
• Which introduces another problem– If a cert. is compromised, there may a significant window of vulnerability (months for a CRL)
– Remember the Comodo RA compromise?– 9 certs. were issued to 7 domains– certs. were revoked in 15 minutes– Browser vendors immediately issued browser updates
SAPO Websecurity Team
How it works > Certificate validation
21
• CN matches URL• For each cert. in the chain– Has not expired–Was not revoked–Was emi@ed by a trusted CA
SAPO Websecurity Team
How it works > Certificate chain of trust check
22
• The server sends the whole cer9ficate chain
• For each cert. in the chain verify– is properly signed by the CA cer9ficate immediately higher in the hierarchy
– last cer9ficate is explicitly trusted by the browser, so no signature verifica9on is done
SAPO Websecurity Team
How it works > Certificate chain of trust check
23
• What can go wrong?
SAPO Websecurity Team
How it works > Certificate chain of trust check
24
SAPO Websecurity Team
How it works > Certificate chain of trust check
25
• The browser does not know the root CA– can happen if you are using an old browser/device
• What can go wrong?
SAPO Websecurity Team
How it works > Certificate chain of trust check
25
• The browser does not know the root CA– can happen if you are using an old browser/device
• What can go wrong?
• How to mi9gate this problem? • Mul9-‐roo9ng CAs– Server sends a longer chain with more CA cer9ficates higher in the hierarchy
– Both CAs trusted by Firefox
SAPO Websecurity Team
How it works > Certificate chain of trust check
26
• What can go wrong?
SAPO Websecurity Team
How it works > Certificate chain of trust check
26
• You do not trust what your browser trusts– Firefox ships with 76 CAs• Chunghwa Telecom Co., Ltd• Türkiye Bilimsel ve Teknolojik AraşUrma Kurumu -‐ TÜBİTAK
– Are all of them secure and properly managed?
• What can go wrong?
SAPO Websecurity Team
How it works > Certificate chain of trust check
26
• You do not trust what your browser trusts– Firefox ships with 76 CAs• Chunghwa Telecom Co., Ltd• Türkiye Bilimsel ve Teknolojik AraşUrma Kurumu -‐ TÜBİTAK
– Are all of them secure and properly managed?
• What can go wrong?
– “I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root.” said one of the maintainers of Mozilla CA list (early 2010)
SAPO Websecurity Team
How it works > Certificate chain of trust check
27
• You do not trust what your browser trusts– Recent request to add a CA to Firefox• “This is a request to add the CA root cerAficate for Honest Achmed's Used Cars and CerAficates.”• “Achmed's uncles all vouch for the fact that he's honest.”• “The purpose of this cerAficate is to allow Honest Achmed to sell bucketloads of other cerAficates and make a lot of money.”
– It was not granted. This 9me.
• What can go wrong?
SAPO Websecurity Team
How it works > Certificate chain of trust check
28
• How to mi9gate this problem? • Remove trust or delete CAs– they might come back aler solware updates– how do you evaluate if a CA can be trusted?– can you do this in your smartphone?
SAPO Websecurity Team
How it works > Fetching content
29
• At this point the browser trusts the site cer9ficate
• No HTTP request was made yet!
• First HTTP request is made only now
GET / HTTP/1.1Host: www.facebook.com
SAPO Websecurity Team
How it works > Fetching content
30
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
31
• Lets go back a lidle• Imagine you type hdp://www.facebook.com instead of hdps...
• Hit enter!
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
31
• Lets go back a lidle• Imagine you type hdp://www.facebook.com instead of hdps...
• Hit enter!
• Browser connects to www.facebook.com:80
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
32
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
33
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
34
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
35
• What can go wrong?
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
35
• Moxie Marlinskipe and his sslstrip tool
• What can go wrong?
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
35
• Moxie Marlinskipe and his sslstrip tool
• What can go wrong?
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
36
• sslstrip func9oning–MiTM tool– maps HTTPS links to HTTP– maps redirects to HTTPS back to HTTP– maps HTTPS links to homograph-‐similar HTTPS links
– can supply a lock favicon– logging!
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
37
• sslstrip func9oning
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
38
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
39
• You type hdp://www.facebook.com and get redirected to hdps://www.facebook.com
GET / HTTP/1.1
Host: www.facebook.com
HTTP/1.1 302 Found
Location: https://www.facebook.com/
• These requests are not protected with SSL!
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
40
• How to mi9gate this problem?
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
40
• Make site available only in HTTPS– Does not work: most users type HTTP and redirects are dangerous
• How to mi9gate this problem?
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
40
• Make site available only in HTTPS– Does not work: most users type HTTP and redirects are dangerous
• How to mi9gate this problem?
• Use HSTS: HTTP Strict Transport Security– Formerly STS– Server defined policy that browsers must honor– Server sends HTTP header with policy
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
41
Strict-Transport-Security: max-age=15768000;includeSubdomains
• This header says two things:– “Browser, convert all requests to my domain to HTTPS”
– “Browser, if there is any security issue with the connec9on do not allow progress”
• Consequences:– the user types hdp://www.facebook.com and the browser requests hdps://www.facebook.com
– any HTTP link in the response turns to HTTPS
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
42
• S9ll, there is a problem:
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
42
• We have never visited the site or policy expired– browser does not know the site HSTS policy– if the user types hdp://www.facebook.com the request is done using HTTP
– TOFU: Trust On First Use• Recommenda9ons– first visit using a safe wired network– manually instruct the browser to use HSTS
• S9ll, there is a problem:
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
43
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
43
• Server support: all, just send the header• Browser support– Chrome 4.0.211.0 (with preloaded domain list)– Firefox 4
• Plugins– Safari SSL Everywhere– Firefox EFF HTTPS Everywhere– Firefox ForceTLS (simple list edi9ng)
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
44
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
44
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
45
SAPO Websecurity Team
How it works > Redirecting from HTTP to HTTPS
45
SAPO Websecurity Team
How it works > Full HTTPS browsing
46
• At this point we have all the contents of the site served over HTTPS.
• How can we be sure?
• No9ce the green hdps text
SAPO Websecurity Team
How it works > Mixed content browsing
47
• How about this situa9on?
• No9ce the red strikethrough hdps text
SAPO Websecurity Team
How it works > Mixed content browsing
48
• Chrome console output:
SAPO Websecurity Team
How it works > Mixed content browsing
49
• What is the problem?
SAPO Websecurity Team
How it works > Mixed content browsing
49
• Sensi9ve informa9on can be captured– images: your last night weird photos– javascript: can be replaced with malicious code– cookies: sent in every request!– full browsing informa9on
• Browser warnings– can affect site reputa9on– most users ignore this
• What is the problem?
SAPO Websecurity Team
How it works > Mixed content browsing
50
SAPO Websecurity Team
How it works > Mixed content browsing
50
SAPO Websecurity Team
How it works > Mixed content browsing
51
• How to mi9gate this problem?
SAPO Websecurity Team
How it works > Mixed content browsing
51
• HSTS– you have to specify all domains used by the site– some links might not work over HTTPS– not a solu9on for all sites
• How to mi9gate this problem?
SAPO Websecurity Team
How it works > Mixed content browsing
51
• HSTS– you have to specify all domains used by the site– some links might not work over HTTPS– not a solu9on for all sites
• How to mi9gate this problem?
• Use only HTTPS links :)– use a proxy: make your server fetch the HTTP content and serve it over HTTPS
– do not forget the favicon
SAPO Websecurity Team
How it works > Mixed content browsing
52
• How to minimize this problem?
SAPO Websecurity Team
How it works > Mixed content browsing
52
• Secure Cookies– the server can set the secure flag for the cookie– a secure cookie is only sent over HTTPS– beware: this does not prevent the mixed content warning, it ONLY prevents cookies from being sent over HTTP
• How to minimize this problem?
SAPO Websecurity Team
Recommendations
53
• A few more recommenda9ons
SAPO Websecurity Team
Recommendations
53
• Make a bookmark with the HTTPS link for the site (specially homebanking sites)– avoids requests using HTTP– avoids adacks caused by typos
• Use a plugin that warns you if the cer9ficate has changed– Perspec9ves (www.networknotary.org)– Cer9ficate Patrol
• A few more recommenda9ons
SAPO Websecurity Team
Conclusions
54
• Conclusions– SSL 3.0 and TLS 1.0+ are the way to go– Use HSTS and manually add your important sites– Update your browser olen or automa9cally– Do not visit sites which the first page is HTTP using public wireless networks
– Do not create sites with mixed HTTP(S) content– If your site is HTTPS only, use secure cookies
SAPO Websecurity Team
Questions
55
Any ques9ons?