Post on 21-Dec-2015
HTTP over SSL
RFC 2818, RFC 2817

Introduction
Prototypical web security application:
  User browses site and places items in his shopping cart
  Server hands off the user when he is ready to check out
  User submits his credit card number
  User receives confirmation of his operation

Basic Technologies
HTTP (Hypertext Transfer Protocol)
  First protocol to use SSL
  Request/Response structure
  Most browsers speak http protocol
HTML (Hypertext Markup Language)
  Offers the ability to structure the document
  Provides links to move to other documents
URL (Uniform Resource Locator)

HTTP request
  GET / HTTP/1.0
  Connection: Keep-Alive
  User-Agent: Mozilla/4.7 [en] (X11; U; FreeBSD 3.4-STABLE i386)
  Host: www.rtfm.com
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
  Accept-Encoding: gzip
  Accept-Language: en
  Accept-Charset: iso-8859-1,*,utf-8
  (blank line)
Labelled on the slide: Request line (the first line), Connection header

HTTP request
7 request methods: Get, Post, Head, …
Format of http request line
  Method Request-URI HTTP-version
Post may have message body and Get not
Connection header
  Client wants server to keep the connection open, after sending the request
All information the client transmits is his request
  Ensure that client’s request is encrypted

HTTP response
  HTTP/1.1 200 OK
  Date: Sat, 15 Jan 2000 05:15:54 GMT
  Server: Apache/1.3.1 (UNIX)
  Last-Modified: Tue, 22 Apr 2003 19:25:14 GMT
  Accept-Ranges: bytes
  Content-Length: 1650
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
  <HTML> … </HTML>

Goals so Far
Confidentiality of the data
  Request/Response safe from attackers
    Viewing
    Changing
User connected to the right server
  Prevent attacker from posing as a server

Notes
Images on the page
  Encrypt or not?
  Browser should clearly indicate if the security properties are different from that of the page it was embedded in
In GET method values of the form (or parameters) attached to URI
In POST parameters are sent in message body

URLS and URIS
URL
  Provides single short string to identify network-accessible resource
  <scheme>://<host>[:<port>]/<path>[?<query>]
  http://www.ebay.com/local/foo.html?item=3
URI (Uniform Resource Identifier)
  Short string that refers to given resource
  A superset of URLs
  URL is URI that contains instruction how to fetch this page
  (without “http”) www.example.com
  http request line contains a non-URL URI

Practical Considerations
Firewalls and proxies
  How to process encrypted traffic?
  Primary issue for SSL/proxy interaction: traffic can pass through proxy without damage
  Filtering of data, is it possible?
Virtual hosts
  Many sites on the same machine
  Each site has separate name (domain name)
  One web server receives requests for multiple virtual hosts
Connection behavior

HTTP connection behavior
HTTP 1.0
  Close connection after each response
  Images: require response/request pair
HTTP 1.1
  Connection: Keep-Alive (persistent connection)
  Some browsers still open number of connections to load page with images in parallel
Large number of parallel connections is optimized by SSL session resumption.

Security Considerations
Protocol Selection
  Separate port strategy is the only workable (https 443)
Client authentication
  In practice, most sites authenticate users with passwords or their credit card
  Web security solution should support certificates for clients
Reference integrity
  User connects to server that he intended to
  Match URL reference to server’s hostname in certificate
Connection semantics
  SSL handshake is more expensive than TCP handshake

HTTPS overview
We examine simple request over https
Carefully examine technical points:
  Connection closure
  Reference integrity
  Interaction with network devices (proxies, virtual hosts)
HTTPS attacks
Advantages/Disadvantages
SET

History
HTTP - first application layer secured with SSL
First implementation of HTTP over SSL was issued in 1995 by Netscape
Netscape was prevented from choosing shttp
S-HTTP another protocol for securing messages
  Treats each request – response pair as a single unit
  Allows protecting different messages between server-client differently
Only in 2000 RFC 2818 was published
RFC 2818 describes HTTP over TLS

HTTPS approach
Handshake
  Client -> Server: ClientHello
  Server -> Client: ServerHello
  Server -> Client: Server Certificate
  Server -> Client: ServerHelloDone
  Client -> Server: ClientKeyExchange E(Kserv, PK)
  Client -> Server: ChangeCipherSpec
  Client -> Server: FIN Handshake (MAC)
  Server -> Client: ChangeCipherSpec
  Server -> Client: FIN Handshake (MAC)
Data
  Client -> Server: Application_data http request
  Server -> Client: Application_data http response
Close
  Alert: close_notify
  Alert: close_notify

Overview
Client makes connection to the server
  Handshakes SSL
  Transmits data over SSL channel
IANA assigned port 443
  Special configuration of the server needed (mod_ssl), possible to configure another port
No client data is sent until SSL connection established
Long web pages require spanning multiple SSL records

HTTPS Records (same as SSL)
Content types:
  ChangeCipherSpec
  Handshake
  Application Data
  Alert (signaling error and closure)
Record layout:
  Record Header: Content type | SSL version | Record Length
  Data: Encrypted Data and MAC

Connection closure
When one side initiates closure
  Must send close_notify
  Optionally withholds its TCP FIN until close_notify received from other side.
If TCP FIN received without close_notify this may indicate possible attack

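The record layout and the closure rule above, as an added example that is not part of the original slides: it walks the 5-byte record headers in one direction of a captured stream and reports how that direction ended before the TCP FIN. The function names and the sample streams are constructed for illustration.

```python
import struct

# Content types named on the slide, with their record-layer values.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HEADER_LEN = 5  # content type (1 byte) + version (2 bytes) + record length (2 bytes)


def parse_records(stream: bytes):
    """Split a byte stream into (type_name, version, payload) records.

    Returns (records, leftover); leftover is non-empty when the stream
    stops in the middle of a record.
    """
    records, pos = [], 0
    while len(stream) - pos >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {pos}")
        end = pos + HEADER_LEN + length
        if end > len(stream):
            break  # the header promises more bytes than were received
        records.append((CONTENT_TYPES[ctype], (major, minor), stream[pos + HEADER_LEN:end]))
        pos = end
    return records, stream[pos:]


def classify_closure(stream: bytes) -> str:
    """Judge how one direction ended, given every byte received before TCP FIN."""
    records, leftover = parse_records(stream)
    if leftover:
        return "truncated-record"
    # After ChangeCipherSpec the alert body is encrypted, so an observer sees
    # only the Alert content type; the endpoint's SSL stack, which decrypts it,
    # is what confirms the alert really is close_notify.
    if records and records[-1][0] == "Alert":
        return "alert-before-fin"
    return "fin-without-alert"


def record(ctype: int, payload: bytes, version=(3, 1)) -> bytes:
    """Build one record; used only to construct the sample streams below."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


# Constructed sample streams (payload bytes are placeholders, not real ciphertext).
CLEAN = record(23, b"\x00" * 32) + record(21, b"\x00" * 18)
CUT_AT_BOUNDARY = record(23, b"\x00" * 32)
CUT_MID_RECORD = record(23, b"\x00" * 32)[:20]

if __name__ == "__main__":
    for name, data in [("clean", CLEAN), ("cut at boundary", CUT_AT_BOUNDARY),
                       ("cut mid-record", CUT_MID_RECORD)]:
        print(name, "->", classify_closure(data))
```
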
End-point Authentication
When user’s browser receives certificate
  CA is a known CA
  Browser compares:
    Name of the site that it intended to connect with
    Hostname in certificate

Session Resumption
Session resumption
  Minimizes the number of SSL handshakes, within the same session
  sides speak with already established keys
If the close was premature in no case SSL implementation should resume session

Error Handling
Servers log errors. Later may be examined by administrator
Clients receive via dialog boxes
SSL implementation should:
  Report legitimate errors
  Not overwhelm the user (hide unimportant)

Virtual hosts
SSL connection established before any data transmitted
Server should determine which certificate to be sent to the client
[Diagram: one Client connecting to one Server that hosts www.first.com and www.second.com]

Virtual Hosting solution 1
Single network interface has multiple ip addresses
Each virtual host is assigned a different ip
  Server:
    www.first.com 10.2.2.2
    www.second.com 10.2.2.3
Client may TCP connect with 10.2.2.2 and server knows this way which certificate to fetch
  - Server should manage multiple certificates
  + Each host may have different security level

Virtual Hosting Solution 2
Allow one certificate to serve multiple hosts
Netscape supports wildcarding,
  RFC 2818 wildcarding: * (anything), ? (one char), [A-Z] any character between A and Z
  Netscape uses more complicated wildcarding than RFC
Explorer allows also certificate to contain multiple domain names: www.my.com, www.your.com
  + certificate may be issued to unrelated domains
  - if new virtual host added, certificate must be totally reissued
Another approach: client should signal in ClientHello which server he wants to talk (proposed change in next TLS version)

Proxies
Proxy examines the client request to determine which server to connect
  In https request is passed encrypted
RFC 2817 new proxy method CONNECT
  CONNECT instructs proxy to initiate TCP connection to specified server
  Proxy then passes data without examining it
  Client transmits SSL data to proxy as if it was the server
Client sends to proxy:
  CONNECT www.my.com:443 HTTP/1.1

Proxies
Clients may punch a security hole using CONNECT but sending open data.
  Restrict client to port 443
[Diagram: Client | Proxy | ebay.com]
  Client -> Proxy: Connect 443
  Proxy -> Client: HTTP 1.0 200
  Client -> ebay.com (through proxy): ClientHello
  ebay.com -> Client (through proxy): Server certificate, Server Hello
  . . .

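One way a proxy could enforce the port restriction above, as an added example that is not part of the original slides. It goes one step beyond the slide by also checking that the first tunnelled bytes look like an SSL/TLS Handshake record, which addresses the "sending open data" case on port 443. The function names, status lines and sample bytes are assumptions made for illustration.

```python
ALLOWED_PORTS = {443}   # the restriction stated on the slide
TLS_HANDSHAKE = 22      # record content type that carries ClientHello


def parse_connect(request_line: str):
    """Return (host, port) from 'CONNECT host:port HTTP/x.y' or raise ValueError."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request line")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        raise ValueError("target must be host:port")
    bracketed = host.startswith("[") and host.endswith("]")
    if not bracketed and any(c in host for c in ":[]"):
        raise ValueError("IPv6 literal must be written as [addr]:port")
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    return host.strip("[]").lower(), int(port)


def connect_decision(request_line: str):
    """Return (allowed, status_line) for one CONNECT request."""
    try:
        _host, port = parse_connect(request_line)
    except ValueError:
        return False, "HTTP/1.1 400 Bad Request"
    if port not in ALLOWED_PORTS:
        return False, "HTTP/1.1 403 Forbidden"
    return True, "HTTP/1.1 200 Connection established"


def tunnel_starts_with_tls(first_bytes: bytes) -> bool:
    """True when the first tunnelled bytes form an SSLv3/TLS Handshake record header.

    Checks content type 22 and major version 3; an SSLv2-format hello
    would be rejected by this check.
    """
    return (len(first_bytes) >= 5
            and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 3)


# Constructed samples: a record header as a ClientHello would start, and cleartext HTTP.
HELLO_PREFIX = bytes([22, 3, 1, 0, 5])
CLEARTEXT = b"GET / HTTP/1.0\r\n"

if __name__ == "__main__":
    for line in ["CONNECT www.my.com:443 HTTP/1.1",
                 "CONNECT www.my.com:25 HTTP/1.1",
                 "CONNECT www.my.com HTTP/1.1"]:
        print(line, "->", connect_decision(line))
    print(tunnel_starts_with_tls(HELLO_PREFIX), tunnel_starts_with_tls(CLEARTEXT))
```
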
Man-in-the-Middle Proxies
Proxy has certificate with “*” as hostname
[Diagram: Client | Proxy | ebay.com]
  Client -> Proxy: Connect 443
  Proxy -> Client: HTTP 1.0 200
  Client -> Proxy: ClientHello
  Proxy -> ebay.com: ClientHello
  ebay.com -> Proxy: Server certificate
  Proxy -> Client: Proxy certificate, name = *
  Client -> Proxy: ClientKeyExchange using proxy’s key
  Proxy -> ebay.com: ClientKeyExchange using server’s key
  Client -> Proxy: Get using client-proxy key
  Proxy -> ebay.com: Get using proxy-server key
  ebay.com -> Proxy: HTTP 1.0 OK using proxy-server key
  Proxy -> Client: HTTP 1.0 OK using proxy-client key

Man-in-the-Middle Proxies
Proxy has certificate with “*” as hostname
  Client will accept its certificate no matter which host he wants to connect
  Obviously no legitimate CA would issue such certificate, because such certificate allows its holder impersonate any server
Such scenario is possible if:
  Hacker-administrator runs its own CA
  Installs this CA into the browser
Browsers that are not under control of such administrator won’t have this CA in their list and thus can’t be fooled by this dangerous certificate

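The browser's comparison from the End-point Authentication slide, applied to the "*" certificate described above, as an added example that is not part of the original slides. It uses the rule from RFC 2818 section 3.1 that "*" matches within a single name component, and assumes the names were already extracted from a certificate whose CA chain validated; the function names are chosen for illustration.

```python
import ipaddress


def is_ip(host: str) -> bool:
    """True when host is an IPv4 or IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' stands for any run of characters inside that label."""
    if not label:
        return False
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") != 1:
        return False
    prefix, suffix = pattern.split("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def name_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate name with the host taken from the URL."""
    if is_ip(host):
        # IP addresses are compared exactly; wildcards never apply to them.
        return is_ip(cert_name) and ipaddress.ip_address(cert_name) == ipaddress.ip_address(host)
    p_labels = cert_name.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # Equal label counts mean '*' can never span a dot, so a bare '*'
    # cannot stand in for a multi-label host such as www.ebay.com.
    return (len(p_labels) == len(h_labels)
            and all(label_matches(p, h) for p, h in zip(p_labels, h_labels)))


def check_server_identity(url_host: str, cert_names):
    """Return the certificate name that matches url_host, or None."""
    for name in cert_names:
        if name_matches(name, url_host):
            return name
    return None


if __name__ == "__main__":
    print(check_server_identity("www.second.com", ["www.first.com", "www.second.com"]))
    print(check_server_identity("www.ebay.com", ["*"]))        # None: rejected
    print(check_server_identity("10.2.2.2", ["*.2.2.2"]))      # None: no wildcard on IPs
```

In deployed clients this comparison belongs to the TLS library; Python's `ssl.create_default_context()`, for instance, enables hostname checking by default.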
Referrer Attack
Referrer header in request contains URL of the previous page
  Referrer header contains URL that the user was viewing when he clicked the link that referenced the current page
Forms with GET method
  arguments are concatenated to URL: www.ebay.com/confirm.htm?visa=123&item=7
  When user clicks on the page resulting from the form submission, this string will appear in referrer header in request to next page
Arguments will be passed in referrer header:
  If it is HTTP link arguments will be passed in clear
  If the link is HTTPS but to another site this site will receive arguments intended for the previous site
Solution: Post passes arguments in the body of request.
  Use only method POST in FORMS

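A check for the condition this slide warns about, as an added example that is not part of the original slides: it scans a page's HTML for forms that submit with GET (including forms with no method attribute, which default to GET) and carry sensitive-looking field names. The hint list, function names and sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

SENSITIVE_HINTS = ("visa", "card", "cvv", "pass")  # assumed naming hints


class GetFormAudit(HTMLParser):
    """Collect forms that submit with GET and carry sensitive-looking fields."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (action, [sensitive field names])
        self._form = None    # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form without a method attribute submits with GET.
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
        elif (tag in ("input", "select", "textarea")
              and self._form is not None and a.get("name")):
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        form, self._form = self._form, None
        risky = [f for f in form["fields"]
                 if any(hint in f.lower() for hint in SENSITIVE_HINTS)]
        if form["method"] == "get" and risky:
            self.findings.append((form["action"], risky))


def audit_forms(html: str):
    """Return [(action, sensitive_fields)] for every risky GET form in html."""
    parser = GetFormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def get_submission_url(action: str, values: dict) -> str:
    """URL a GET submission produces; a later referrer header repeats it."""
    return f"{action}?{urlencode(values)}"


# Constructed sample page: one risky GET form, one harmless GET form, one POST form.
PAGE = """
<form action="/confirm.htm"><input name="visa"><input name="item"></form>
<form action="/search" method="get"><input name="q"></form>
<form action="/pay" method="POST"><input name="card_number"></form>
"""

if __name__ == "__main__":
    print(audit_forms(PAGE))
    print(get_submission_url("www.ebay.com/confirm.htm", {"visa": "123", "item": "7"}))
```
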
Substitution Attack
The reference to https://amazone.com replaced with the reference to https://evil.com
In html:
  <html>…
  <a href=https://evil.com>
  Click here to go to https://amazone.com
  </a>…
  </html>
User clicks the link, request was sent for https://evil.com
Attacker has certificate for https://evil.com
Certificate matches the requested host
Client’s integrity check will be bypassed

Substitution Attack
Possible if attacker may replace the page
User may examine the URL with “view source”
The attacker may act more tricky:
  <html>…
  <a href=https://amaz0ne.com>
  Click here to go to https://amazone.com
  </a>…
  </html>
Attacker may obtain certificate to the site https://amaz0ne.com that has name very similar to the original site
Hard for user to notice the difference

Multiple clients
Session caching is important when processing multiple clients.
  Many pages require multiple SSL connections
  Cache should be synchronized or locked
  Servers must share data between processes if server uses multi-process model.

Summary
SSL was designed for HTTP and it works relatively well
HTTPS relatively simple to implement
HTTPS uses hostname for reference integrity
Using HTTPS breaks proxies
  No caching
  Special method CONNECT required to work with HTTPS

Limitations of SSL
Bob makes purchase from Alice
Merchant authorization
  Is Alice authorized to accept credit card payments?
  Is Alice a reliable merchant?
Customer authorization
  Maybe Bob uses stolen credit card?
  Law dictates: merchant is liable for fraud SSL transaction (unless he can prove that customer ordered and received the goods)

SET (Secure Electronic Transactions)
Designed to encrypt specific payment related messages only
Involves merchant, bank, customer
Customer and Merchant certificates issued by their banks thereby assuring that these players are permitted to operate payment cards
Customer’s payment card number is passed to merchant’s bank without the merchant seeing the number in plain text

SET uses three software components
Merchant server
  Processes transactions
  Communicates with merchant’s bank
Acquirer gateway
  Software component at merchant’s bank
  Processes transactions
Browser wallet
  Application that is integrated with the browser
  Provides customer with storage and management of payment cards

Key Features of SET
Confidentiality of information
  Payment information is sent encrypted over network
  Prevents merchant learning card number of the customer
Integrity of data
  Payment information sent includes all details of the transaction, signed with RSA digital signature
Cardholder account authentication
  Enables to verify that cardholder is legitimate user of his card
Merchant authentication
  Merchant is reliable