Lecture 22 – CAs and HTTPS Attacks
Stephen Checkoway
University of Illinois at Illinois
CS 487 – Fall 2017
Slides from Miller and Bailey’s ECE 422
Certificates
• Make use of trusted “Certificate Authorities” (CA)
• “This public key with SHA-256 hash (XXX) belongs to the site (name, e.g., Amazon.com)”
  – Digitally signed by a certificate authority
• Your browsers (e.g., Firefox, Chrome) trust a specific set of CAs as root CAs
  – Shipped with the public keys of the root CAs
  – Why do we need more than 1?
How the CA verifies your identity
• Typically 'DV' (domain verification)
  – Proves you are in control of DNS registration
  – Just an email based challenge to the address in the domain registration records
    • Or some default email address, [email protected]
    • Minimally secure [Why?]
  – Alternately a web-based challenge
  – Include challenge response in a <meta> tag
• Cert has an expiration date (e.g., one year ahead) [Why?]
How to invalidate certificates?
• Expiration date of certs
• Certificate revocation
• What happens if a CA’s secret key is leaked?
  – Can we trust the old certs from that CA?
• Interesting fact:
  – Google has instrumented Chrome such that when it observes a certificate for Google.com that it doesn’t recognize, it panics…. (has happened several times)
Self-signed Certificates
• Issuer signs their own certificate
  – A loop in the owner and signer
• Avoid CA fees, useful for testing
  – You can add yourself as a CA to your own browser
• Browsers display warnings that users have to override
• Protects only against passive attacker “optimistic encryption”
TLS Certificates
• A trusted authority vouches that a certain public key belongs to a particular site
• Format called x.509 (complicated)
• Browsers ship with CA public keys for large number of trusted CAs [accreditation process]
• Important fields:
  – Common Name (CN) [e.g., *.google.com]
  – Expiration Date [e.g. 2 years from now]
  – Subject's Public Key
  – Issuer -- e.g., Verisign
  – Issuer's signature
• Common Name field
  – Explicit name, e.g. ece.illinois.edu
  – Or wildcard, e.g. *.illinois.edu
X509 Certificates
Subject: C=US/O=Google Inc/CN=www.google.com
Issuer: C=US/O=Google Inc/CN=Google Internet Authority
Serial Number: 01:b1:04:17:be:22:48:b4:8e:1e:8b:a0:73:c9:ac:83
Expiration Period: Jul 12 2010 - Jul 19 2012
Public Key Algorithm: rsaEncryption
Public Key: 43:1d:53:2e:09:ef:dc:50:54:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4:ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:39:23:46
Signature Algorithm: sha1WithRSAEncryption
Signature: 39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4:ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:1e:5d:b5
Certificate Chains
• CA can delegate ability to generate certificates for certain names: Intermediate CAs
• Root CA signs "certificate issuing certificate" for delegated authority
• Browser that trusts root can examine certs to establish validity -- "Chain of trust"
• How to find out about all the CAs?
• More than 1000 trusted parties today, can sign for any domain – huge problem!
Certificate Chains
Subject: C=US/…/O=Google Inc/CN=*.google.com
Issuer: C=US/…/CN=Google Internet Authority
Public Key:
Signature: bf:dd:e8:46:b5:a8:5d:28:04:38:4f:ea:5d:49:ca
Subject: C=US/…/CN=Google Internet Authority
Issuer: C=US/…/OU=Equifax Secure Certificate Authority
Public Key:
Signature: be:b1:82:19:b9:7c:5d:28:04:e9:1e:5d:39:cd
Subject: C=US/…/OU=Equifax Secure Certificate Authority
Issuer: C=US/…/OU=Equifax Secure Certificate Authority
Public Key:
Signature: 39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:38:c9:d1
Mozilla Firefox Browser
I authorize and trust this certificate; here is my signature
I authorize and trust this certificate; here is my signature
Trust everything signed by this “root” certificate
Certificate Authority Ecosystem
Each browser trusts a set of CAs
CAs can sign certificates for new CAs
CAs can sign certificates for any website
If a single CA is compromised, then the entire system is compromised
We ultimately place our complete trust of the Internet in the weakest CA
Immediate Concerns
• Nobody has any idea who all these CAs are…
• 1,733 umich-known browser trusted CAs
• History of CAs being hacked (e.g. DigiNotar)
• Oooops, Korea gave every elementary school, library, and agency a CA certificate (1,324)
  – Luckily invalid due to a higher-up constraint
Getting a Certificate
• Certificates are free (from LetsEncrypt!)
  – Identity validated by challenge to website
• Certificates are cheap elsewhere too
  – Identity is validated via e-mail to the default e-mail addresses
• Setting up SSL is hard. People are terrible at it.
  – Certificate Signing Requests, eugh
  – Integrating in a web server
TLS in the browser
• Lock icon
  – HTTPS cert must be issued by a CA trusted by browser (or chain to one that is)
  – HTTPS cert is valid (e.g., not expired or revoked)
  – Common Name in cert matches domain in URL
• Extended Validation (EV) certificates
  – CA does extra work to verify identity -- expensive, but NO more secure
• Invalid certificate warnings
Attack Vectors
• Attack the weakest Certificate Authority
• Attack browser implementations
• Magically notice a bug in a key generation library that leads you to discovering all the private keys on the Internet
• Attack the cryptographic primitives
  – Math is hard
Google no evil
Attacking site design
• SSLstrip attack
  – Proxy through the content w/o HTTPS
• Defense
  – Default HTTPS for all websites?
  – HSTS (hypertext strict transport security): header says: always expect HTTPS, enforced by browsers.
  – HTTPS Everywhere: browser extension
  – EV: Extended Validation (compared to DV: Domain Validation)
Attacking site design
• Mixed Content attack -- Page loads over HTTPS but contains content over HTTP
  – e.g. JavaScript, Flash
  – Active attacker can tamper with HTTP content to hijack session
• Defense: Browser warnings: ["This page contains insecure content"],
  – but inconsistent and often ignored
UI interface based attacks
• Invalid certs
  – Expired, Common Name != URL, unknown CA (e.g., self-signed)
• Defense: browser warnings, anti-usability to bypass…
• Picture-in-picture attack: spoof the user interface
  – Attacker page draws fake browser window with lock icon
• Defense: individualized image
Attacking the PKI: CA compromise
Example: DigiNotar
• DigiNotar was a Dutch Certificate Authority
• On June 10, 2011, *.google.com cert was issued to an attacker and subsequently used to orchestrate MITM attacks in Iran
• Nobody noticed the attack until someone found the certificate in the wild… and posted to pastebin
DigiNotar Contd.
• DigiNotar later admitted that dozens of fraudulent certificates were created
• Google, Microsoft, Apple and Mozilla all revoked the root DigiNotar certificate
• Dutch Government took over DigiNotar
• DigiNotar went bankrupt and died
Attacking the PKI: Hash collisions
• MD5/SHA1 is known to be broken -- Can generate collisions
• In 2008, researchers showed that they could create a rogue CA certificate using an MD5 collision
• Attack: Make colliding messages A, B, with same MD5 hash:
  – A: Site certificate: "cn=attack.com, pubkey=...."
  – B: Delegated CA certificate: "pubkey=.... is allowed to sign certs for *"
  – Get CA to sign A -- Signature is Sign(MD5(message))
  – Signature also valid for B (same hash)
  – Attacker is now a CA!
  – Make a cert for any site, browsers will accept it
MD5 considered harmful
• MD5 CA certificates still exist, but CAs have stopped signing certificates with them
  – 879,705 certificates still have MD5 signatures
• SHA-1 should not be used either
  – 46,969,095 out of 146,442,087 certs ever seen by Censys use SHA1WithRSA (32%)
Attacking implementations: Null Termination Attack
• ASN.1 utilizes Pascal-style strings
• Web browsers utilize C-style strings
• Announced by Moxie Marlinspike in 2009
gmail.com\0.badguy.com
Null Termination Attack
• www.attacker.com
  – [CAs verify cert by looking up who owns the last part of the domain via DNS record]
  – emails "[email protected]" --> "Click here to validate cert request"
• x.509 certs encode CN field as a Pascal string (length + data)
• Browsers copy it into a C string (data + \0)
• What if CA contains "\0"?
  – www.paypal.com\0.attacker.com?
  – CA contacts "attacker.com" to verify (last part of domain name)
  – Browsers copy to C string, terminates at "\0" -- see only paypal.com
  – Attacker now has a cert that works for Paypal!
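The length-versus-terminator mismatch from the two Null Termination Attack slides, as an added C example that is not part of the lecture: it puts the C-string comparison next to a length-aware one. `struct cn` and all function names are hypothetical, and the sample names are constructed from the slide's `www.paypal.com\0.attacker.com`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* CN as stored in the certificate: explicit length + data, so the
   bytes may contain 0x00. All sample values below are constructed. */
struct cn { const unsigned char *data; size_t len; };

static int eq_nocase(const unsigned char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Pattern from the slide: copy into a C string, then use C-string
   functions. strlen() stops at the first NUL, hiding the real suffix. */
int match_cstring(const struct cn *cn, const char *host) {
    char buf[256];
    if (cn->len >= sizeof buf) return 0;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    size_t n = strlen(buf);
    return n == strlen(host) && eq_nocase((unsigned char *)buf, host, n);
}

/* Hardened: keep length + data end to end, reject any embedded NUL,
   and compare all cn->len bytes against the requested host name. */
int match_length_aware(const struct cn *cn, const char *host) {
    if (memchr(cn->data, '\0', cn->len) != NULL) return 0;
    return cn->len == strlen(host) && eq_nocase(cn->data, host, cn->len);
}

/* The CA's view: the suffix taken over the full length of the name. */
int cn_ends_with(const struct cn *cn, const char *suffix) {
    size_t s = strlen(suffix);
    return cn->len >= s && memcmp(cn->data + cn->len - s, suffix, s) == 0;
}

static const unsigned char EVIL_BYTES[] = "www.paypal.com\0.attacker.com";
static const struct cn EVIL_CN = { EVIL_BYTES, sizeof EVIL_BYTES - 1 };
static const struct cn GOOD_CN = { (const unsigned char *)"www.paypal.com", 14 };

int main(void) {
    printf("CA sees suffix .attacker.com: %d\n", cn_ends_with(&EVIL_CN, ".attacker.com"));
    printf("C-string match for paypal:    %d\n", match_cstring(&EVIL_CN, "www.paypal.com"));
    printf("length-aware match:           %d\n", match_length_aware(&EVIL_CN, "www.paypal.com"));
    printf("honest cert, length-aware:    %d\n", match_length_aware(&GOOD_CN, "www.paypal.com"));
    return 0;
}
```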
Other implementation-based attacks
• Goto fail, Feb. 2014 (Apple SSL bug; skipped certificate check for almost a year!)
• Heartbleed, April 2014 (OpenSSL bug; leaked data, possibly including private key!)
• Mozilla BERserk vulnerability, Oct 2014 (Bug in verifying cert signatures, allowed spoofing certs, probably since the beginning….!)
• Logjam, Oct 2016 (TLS vulnerable to Man-in-the middle “Downgrade” attack)
Who controls the TLS endpoint?
Cloudbleed - (the other big news last week)
- one of the most popular “content delivery networks”
- acts as the SSL endpoint for many servers
- a buffer overflow attack caused it to leak HTTPS data
Client side HTTP Interception
- Most antivirus software intercepts your HTTPS [How?]
- Introduces new vulnerabilities by implementing poorly
Takeaways
• Use HTTPS! It’s so much better than nothing
• TLS keeps breaking. Use it, but don't rely on it exclusively.