These slides: HSTS and HPKP in ... and HPKP in practice Joseph Bonneau (based on research w/Michael...
HSTS and HPKP in practice
Joseph Bonneau (based on research w/Michael Kranch)
IETF 92
March 26 2015
These slides: https://goo.gl/tI6zOf
Research paper
HTTPS: where web-sec meets TLS
HTTP (≈ web browsing)
over
Secure Sockets Layer (SSL)
or
Transport Layer Security
TLS in one slide
Hello citp.princeton.edu! I’d like a secure channel. I can do TLS 1.2 or lower. I can use AES, RC4, SHA256, RSA, ECDSA...
Hello! Let’s do TLS 1.2 with AES, SHA256, and RSA. My public key is K
CN: citp.princeton.edu, Issuer: PositiveSSL, SPKI: K
Great, here’s a session key for us to use: EncK{k}
Enck{GET citp.princeton.edu}
Cryptographic flaws in TLS
● RSA timing leaks
● CBC padding oracle attacks
  ○ BEAST attack
● Compression leaks
  ○ CRIME attack
  ○ Lucky 13 attack
● RC4 statistical leakage
● Downgrade to SSL v3
● Session resumption attacks
See Clark & van Oorschot [IEEE SP '13]
The goal of HTTPS is a padlock
Image credit: Will Bradley
HTTPS attacks in practice
● Inconsistent and incomplete deployment
  ○ stripping attacks
● Failures by Certificate Authorities
  ○ rogue certificates
● Lack of forward secrecy
  ○ Subpoena of private keys
  ○ Compromise of keys
HTTPS-level
TLS-level
This talk will survey HSTS & pinning
● Overview of 2 big problems & solutions
  ○ HTTPS stripping, strict transport security
  ○ Rogue certificates, pinning
● Deployment overview
● Bugs!
  ○ Poorly configured HSTS
  ○ Mixed-content issues
  ○ Cookie leaking
  ○ Insecure links
● Design lessons
Problem 1: HTTPS stripping
HTTPS stripping
GET http://pfj.org
301 moved permanently
https://pfj.org
HTTPS stripping
GET https://pfj.org
200 ... content
HTTPS stripping
GET http://pfj.org GET https://pfj.org
200 ... content 200 ... content
Will users detect HTTPS stripping?
<10% notice [Schechter et al. 2007] and others
Solution #1: HSTS (Strict Transport Security)
● Mandatory HTTPS at "HSTS domains"
  ○ Also: convert soft errors into hard errors
● preloaded by browsers
● continuity (explicit) via HTTP headers
● introduction via HTTPS links
HSTS Preload
{ "name": "www.paypal.com", "mode": "force-https" },
{ "name": "www.elanex.biz", "mode": "force-https" },
{ "name": "jottit.com", "include_subdomains": true, "mode": "force-https" },
{ "name": "sunshinepress.org", "include_subdomains": true, "mode": "force-https" },
{ "name": "www.noisebridge.net", "mode": "force-https" },
...
transport_security_static.json (Chromium project)
Want more?
Continuity: HSTS headers
GET https://pfj.org
200 OK
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
End-to-end HSTS security
[Diagram: preloaded domains and links labelled HTTPS and HTTP]
Problem 2: Rogue certificates
Rogue certificates
GET https://pfj.org GET https://pfj.org
CN: pfj.org, Issuer: RomeTrust, SPKI: K'
CN: pfj.org, Issuer: Verisign, SPKI: K
Will users detect a rogue certificate?
Rogue certificates in the wild
● March 2011: Comodo registrar hacked
  ○ 9 certs: mail.google.com, login.live.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org
● July 2011: DigiNotar hacked
  ○ 531+ certs issued: *.google.com detected first
● ~2011: TürkTrust issues 2 intermediate CAs
  ○ One returned, one used in 2012 to proxy traffic...
☠
Survey: Niemann, Brendel 2014
Compelled certificates
Soghoian, Stamm 2010
Solution #2: Key pinning
Pinset: {A, Y}
pfj.org SPKI: A
pfj.org SPKI: B
pfj.org SPKI: C
pfj.org SPKI: A
DigiCert SPKI: X
Thawte SPKI: Y
RomeTrust SPKI: Z
∅
✓ ✓ ✕ ✕
Preloads: HPKP
{ "pinsets": [
  { "name": "tor", "static_spki_hashes": [ "RapidSSL", "DigiCertEVRoot", "Tor1", "Tor2", "Tor3" ] },
...
{ "name": "torproject.org", "mode": "force-https", "pins": "tor" },
transport_security_static.json (Chromium project)
Continuity (explicit): HPKP headers
GET https://pfj.org
200 OK
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Public-Key-Pins: max-age=15768000;pin-sha1="4n972...baXc="; pin-sha256="LPJN...LmCQ="
Initial connections in HPKP
GET https://foo.com GET https://foo.com
CN: pfj.org, Issuer: Verisign, SPKI: K
CN: pfj.org, Issuer: RomeTrust, SPKI: K'
Public-Key-Pins: max-age=15768000;pin-sha1=H(K); pin-sha256=H(X)
Public-Key-Pins: max-age=15768000;pin-sha1=H(K'); pin-sha256=H(X)
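The pin check and the first-connection behaviour from the pinning slides, as an added Python example (not code from the talk or from any browser). It follows the final RFC 7469 syntax, so only pin-sha256 is honoured and the draft-era pin-sha1 shown on the slides is ignored; the SPKI byte strings are constructed stand-ins named after the slide's keys, and the chains are constructed for illustration.

```python
import base64
import hashlib
import re

# name, optionally followed by =token or ="quoted string"
_DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^;\s]*))?')

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
SPKI = {n: b"constructed-spki-" + n.encode() for n in ("A", "B", "C", "X", "Y", "Z")}


def spki_pin(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp(value):
    """Parse a Public-Key-Pins header value into max_age, pins, include_subdomains."""
    policy = {"max_age": None, "pins": set(), "include_subdomains": False}
    for name, arg in _DIRECTIVE.findall(value):
        name, arg = name.lower(), arg.strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "pin-sha256":
            policy["pins"].add(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # report-uri, pin-sha1 and unknown directives are ignored
    return policy


def pin_validates(chain_spkis, pins, chain_valid=True):
    """Pinning is an extra check on top of ordinary chain validation: a valid
    chain passes if any key in it (leaf, intermediate or root) is pinned."""
    return chain_valid and any(spki_pin(s) in pins for s in chain_spkis)


def should_note_pins(header_value, chain_spkis, chain_valid=True):
    """RFC 7469 section 2.5: store pins only from an error-free connection whose
    chain matches a pin, and only if a backup pin outside the chain is present."""
    policy = parse_pkp(header_value)
    if not chain_valid or policy["max_age"] is None:
        return False
    in_chain = {spki_pin(s) for s in chain_spkis}
    return bool(policy["pins"] & in_chain) and bool(policy["pins"] - in_chain)


def make_header(*spkis, max_age=15768000):
    """Build a header value pinning the given keys (helper for this example)."""
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"max-age={max_age}; {pins}"


if __name__ == "__main__":
    pinset = parse_pkp(make_header(SPKI["A"], SPKI["Y"]))["pins"]  # Pinset: {A, Y}
    for leaf, ca in (("A", "X"), ("B", "Y"), ("C", "Z")):
        ok = pin_validates([SPKI[leaf], SPKI[ca]], pinset)
        print(f"leaf {leaf} issued by {ca}: {'accept' if ok else 'reject'}")
    # Continuity only helps after a clean first visit: on first contact, a
    # validly chained certificate with its own pins is noted like any other.
    print(should_note_pins(make_header(SPKI["C"], SPKI["Y"]), [SPKI["C"], SPKI["Z"]]))
```

The backup-pin requirement in `should_note_pins` is what limits the domain-bricking risk listed under HPKP's remaining issues: a header that pins only keys in the current chain is never stored.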
Current deployment
HSTS deployment so far
● proposed 2008 [Jackson/Barth W2SP paper]
● RFC 6797 standardized 2012
● support in Chrome, FF, Opera, Safari
  ○ No support in Internet Explorer ☹
As of November 2014:
● ~12,500 domains setting or trying HSTS
● 80% setting long-term HSTS
HPKP (aka PKP, web pinning)
● Evans, Palmer, Sleevi 2011
  ○ Proposed Standard, IETF Web Security working group
● Remaining issues
  ○ Domain bricking
  ○ Report-only mode
● ~20 early adopters!
  ○ No browser support
Growth of preloads in Chrome
How do I get preloaded?
● 2012 to mid 2014: via email, informal
● Now: hstspreload.appspot.com
How do I get preloaded?
(not retroactive)
Preloads growing in Chrome
Policies vary considerably
Many low-traffic sites preloaded
Few domains pinned, many big pin sets
List is often stale
● Of 742 non-Google HSTS domains
  ○ 77 returned 404
  ○ 23 permanently redirected to HTTP
  ○ > 10% stale!
  ○ Lavabit dead, still pinned
● Some stale Google domains too
  ○ 4 permanent HTTP redirects
Firefox policy
● Must be included in Chrome
● Must respond over HTTPS
● Must set a dynamic HSTS header
  ○ Must set an age > 18 weeks
Few domains setting HSTS headers
● 1.1% of the top 1M domains (Alexa rank)
  ○ 5.2% of those have max-age=0
● Many non-HSTS domains redirect to HTTPS
  ○ 5.8% of the top 1M domains
● 34% of preloaded domains not setting headers
  ○ 65% of preloaded Google domains
Many domains set HSTS incorrectly
Max-age values vary significantly
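A header audit covering the HSTS conditions named on these slides (max-age=0, the Firefox preload minimum of more than 18 weeks, missing includeSubDomains, headers browsers discard), as an added Python example that is not the researchers' measurement code. The finding codes and sample headers are constructed for illustration; the parsing rules follow RFC 6797 section 6.1.

```python
import re

# 18 weeks in seconds: the Firefox preload policy on the slides requires more than this.
EIGHTEEN_WEEKS = 18 * 7 * 24 * 3600


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns (directives, errors). Names are case-insensitive, each directive
    may appear once, and max-age is required and must be all digits.
    """
    directives, errors = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form, e.g. max-age="31536000"
        if name in directives:
            errors.append("duplicate " + name)  # treated here as non-conforming
        directives[name] = arg if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        errors.append("bad max-age")
    return directives, errors


def audit_hsts(value, scheme="https"):
    """Return a list of finding codes; an empty list means no issue found."""
    if scheme != "https":
        return ["IGNORED_OVER_HTTP"]  # browsers only honour HSTS received over TLS
    directives, errors = parse_hsts(value)
    if errors:
        return ["IGNORED_MALFORMED"]  # a non-conforming header is discarded whole
    findings = []
    max_age = int(directives["max-age"])
    if max_age == 0:
        findings.append("MAX_AGE_ZERO")  # tells the browser to forget the policy
    elif max_age <= EIGHTEEN_WEEKS:
        findings.append("BELOW_PRELOAD_MINIMUM")
    if "includesubdomains" not in directives:
        findings.append("NO_INCLUDE_SUBDOMAINS")
    return findings


# Constructed sample headers (not measurements from the talk).
SAMPLES = [
    ("https", "max-age=15768000 ; includeSubDomains"),  # the header shown on the slides
    ("https", "max-age=0"),
    ("https", "max-age=86400; includeSubDomains"),
    ("https", "max-age=31536000, includeSubDomains"),   # comma instead of semicolon
    ("http", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(f"{scheme:5} {header!r:45} -> {audit_hsts(header, scheme) or 'ok'}")
```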
Mixed content
Classic mixed content
<script src="http://content.net/script.js">
GET https://pfj.org
GET http://content.net
attack.js
Mixed content now (mostly) blocked
● Active content (blocked as of 2012)
  ○ scripts
  ○ stylesheets
  ○ iframes
  ○ Flash
  ○ fonts
● Passive content (allowed)
  ○ images
  ○ video
  ○ audio
Mixed pinning content
<script src="https://content.net/script.js">
GET https://pfj.org
GET https://content.net
CN: content.net, Issuer: RomeTrust, SPKI: K'
New issue: no browser protection!
Passive mixed content is common
● Every pinset affected
  ○ Over 66,000 passive resources
  ○ 99% images
Active mixed content also common!
● 5/10 pinsets, 24,477 resources
  ○ Twitter, Dropbox, Cryptocat, Tor, DoubleClick
resource type #
script 15,540
stylesheet 7,195
xmlhttprequest 1,515
subdocument 170
font 49
Causes of mixed content
● Twitter
  ○ scripts from Akamai, Facebook
● Tor
  ○ Videos from www.youtube-nocookie.com
● DoubleClick
  ○ various advertising scripts
● Unpinned subdomains
  ○ syndication.twitter.com
  ○ blog.cryptocat.com
  ○ forum.dropbox.com
Expanded-pinset mixed content
● Twitter
  ○ scripts from twitterCDN (intentional)
● Various domains
  ○ ssl.google-analytics.com
Plain mixed content ☹
● 30,000 observations
  ○ More than mixed pinning!
● Only one active
  ○ doubleclick.net
Interaction with cookies
RFC2965: Same-origin policy for cookies
RFC2965 in plain English
● If you supply a domain= parameter, it’s a wildcard
● If you omit the domain= parameter, it’s exact
  ○ Except on Internet Explorer, because ?
Cookie-stealing attack
HSTS
SET-COOKIE: name="auth"; value="secret", domain="pfj.org"
GET https://pfj.org
<img src="http://x.pfj.org">
Cookie: auth=secret;
Preventing cookie-stealing (HSTS)
● Set HSTS with includeSubdomains
● Mark cookies with secure attribute
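A scope check for the cookie-stealing case above, as an added Python example (not from the talk): given a Set-Cookie value, the HTTPS host that set it and that host's HSTS header, it lists where the cookie can still travel over plain HTTP. It goes slightly beyond the slide by also handling a cookie whose Domain= names a parent of the setting host; real Set-Cookie syntax is used instead of the slide's shorthand, and the function names and `*.` pattern notation are constructed for illustration.

```python
def parse_set_cookie(value):
    """Read the name, Domain and Secure attributes from a Set-Cookie value."""
    first, *attrs = [p.strip() for p in value.split(";")]
    cookie = {"name": first.partition("=")[0], "domain": None, "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower() or None
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def hsts_policy(value):
    """Minimal HSTS read: returns (active, include_subdomains)."""
    tokens = [t.strip().lower() for t in (value or "").split(";")]
    ages = [t[len("max-age="):].strip('" ') for t in tokens if t.startswith("max-age=")]
    active = len(ages) == 1 and ages[0].isdigit() and int(ages[0]) > 0
    return active, active and "includesubdomains" in tokens


def cleartext_exposure(set_cookie, host, hsts_value):
    """List the host patterns where the browser may send this cookie over http://.

    host is the HTTPS host that set the cookie and hsts_value its HSTS header
    (None if absent). HSTS policies of other hosts are unknown, so assumed absent.
    """
    cookie = parse_set_cookie(set_cookie)
    if cookie["secure"]:
        return []  # Secure cookies are never attached to http:// requests
    host = host.lower()
    active, subdomains = hsts_policy(hsts_value)
    exposed = [] if active else [host]
    domain = cookie["domain"]
    if domain is None:
        return exposed  # host-only cookie: exact match (the slide notes IE differs)
    if domain != host:
        # Domain= names a parent of the setting host. This host's HSTS policy,
        # even with includeSubDomains, does not cover the parent or its siblings.
        exposed += [domain, "*." + domain]
    elif not subdomains:
        exposed.append("*." + domain)  # the slide's http://x.pfj.org case
    return exposed


if __name__ == "__main__":
    # Constructed cases mirroring the slide: cookie auth=secret scoped to pfj.org.
    cases = [
        ("auth=secret; Domain=pfj.org", "pfj.org", "max-age=15768000"),
        ("auth=secret; Domain=pfj.org", "pfj.org", "max-age=15768000 ; includeSubDomains"),
        ("auth=secret; Domain=pfj.org; Secure", "pfj.org", "max-age=15768000"),
        ("auth=secret; Domain=pfj.org", "www.pfj.org", "max-age=15768000; includeSubDomains"),
    ]
    for cookie, host, hsts in cases:
        print(f"{cookie!r} set by {host} [{hsts}] -> {cleartext_exposure(cookie, host, hsts)}")
```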
Cookie-stealing in the wild
● 10,174 cookies at 2,460 domains not covered by HSTS
● 10,174 (98%) not marked as secure
● Several from large domains
  ○ PayPal, Lastpass, USAA
● Mostly tracking cookies and IDs
  ○ No auth tokens identified
Preventing cookie-stealing (Pinning)
● Set pins with includeSubdomains
● Mark cookies with SECURE attribute
No equivalent for pinning!
Cookie-stealing from pinned domains
● Every pinned domain vulnerable!
  ○ Excluding those setting includeSubdomains
  ○ 75 total cookies visible
● Several login cookies vulnerable
  ○ Facebook, Twitter
  ○ Known vulnerability
Google’s (now fixed) pinning hole
{ "name": "google.com", "include_subdomains": true, "pins": "google" }
// play.google.com doesn't have include_subdomains because of crbug.com/327834.
{ "name": "play.google.com", "mode": "force-https", "pins": "google" }
Insecure links also a problem
● Initial connections to HSTS not protected
Takeaways: web security is hard!
● Users don’t read specs
● Spec writers don’t know about real constraints
Takeaways: standards not holistic
● Different formats for headers, preloads
● Preload format not standardized, changing
● DANE has a different format as well
Better defaults may help
● Pinning, HSTS default should be includeSubdomains
● secure default should extend to cover pinning
● Cookies should require explicit wildcard notation!
We need a coherent design
How do I get to the REAL People’s Front of Judea?
● Do they support HTTPS?
● Which public keys should I accept?
● What protocol version do they support?
Many ways to learn Transport Sec. Policy
● Preloads (hardcoded)
  ○ Browser or extensions
● Authorities
  ○ DNS, CAs, Notaries, crowdsource
● Continuity
  ○ What they’ve done before (implicit)
  ○ What they’ve promised to keep doing (explicit)
● Introduction
  ○ When following a hyperlink
How do I get to the REAL People’s Front of Judea?
Many proposals to upgrade HTTPS
[Chart: proposals arranged by Preventive vs. Detective and Server changes vs. No server changes]
Proposals shown: SSL Observatory, Convergence, Perspectives, Cert patrol, Cert. Transparency, DANE, HPKP, TACK, Sovereign Keys, HPKP-RO, CAA, Accountable key infrastructure
Linked web navigation model
users only reach new domains via hyperlinks, beginning with a set of domains with preloaded security policies.
Discovering TACK keys
GET https://pfj.org
T
SigT(K) = ...
expiration = ...
T'
SigT'(K) = ...
expiration = ...
CN: pfj.org, Issuer: Verisign, SPKI: K
TACK activation (rollover)
Served
Required
Observed
Max activation (30 days)
Malicious s-links?
● Can only make security policy stricter
  ○ Can never undermine ambient policy
● No persistent effects
  ○ No domain bricking
● UI ≈ 404 (not found)
  ○ Limit risk or "warning fatigue"
Stale s-links
● Expiry is mandatory
  ○ In absolute time, to require constant changes
● Links can always go stale
  ○ Hopefully, existing user model is to blame introducer
S-links and the same origin policy
secure.com pfj.org
foo.com
s-link
cross-frame navigation
script injection
cookie theft
S-links and the same origin policy
[Diagram labels: secure.com, pfj.org, s-link, HPKP]
Upgrading security policy
● Need to re-check ALL cached resources
  ○ HTTP cache
  ○ HTML5 localStorage/WebCache
  ○ TLS saved sessions
  ○ Cookies
  ○ etc.
● Need to do so atomically
● No issues for non-framed content
  ○ For example, script libraries
Case study: crawlers and HTTPS
● Redirects
● <link rel="canonical" href="...
● HSTS headers?
Secure introduction
● Already exists for HSTS!
● Effects of an HTTPS link:
  ○ mandatory
  ○ ephemeral
  ○ transparent to users
  ○ easy to deploy
● IDEA: for web navigation, linking website can indicate security policy in-band
Why HTML?
● Extensible
● Backwards compatible
● Easy to deploy
Challenges:
● Redirects
● Copy/paste
Major design constraint: compatibility
[Diagram labels: foo.com, bar.org, baz.net; HSTS, HPKP, CT, EV]
Browsers must know what to expect prior to the initial connection
Introduction: HTTPS links
GET https://pfj.org
<script src="https://jpf.org/script.js">
GET https://jpf.org
Where did HSTS go right?
● Effective against HTTPS stripping
● Incrementally deployable
● Relatively easy "off switch"
● Transparent to end users
● High trust agility
● High trust affordance
Security
Usability
Deployability
Clean-slate designs
● QUIC
  ○ Google
● MinimaLT
  ○ Petullo, Zhang, Solworth, Bernstein, Lange 2014
HTTPS bugs

```c
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    OSStatus err;
    ...

    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;  /* duplicated line: always taken, so the checks below never run and err is still 0 */
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    ...

fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}
```
HTTPS bugs
curl_setopt($curlHandle, CURLOPT_SSL_VERIFYHOST, true);
PHP Manual Entry for CURLOPT_SSL_VERIFYHOST:
1 to check the existence of a common name in the SSL peer certificate. 2 to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (default value).
from Georgiev et al. 2012 “The Most Dangerous Code in the World”
Core problems
● Flexibility at a protocol level
  ○ Ciphersuites
  ○ Choice of CA for domains
  ○ Choice of public key for each domain
  ○ Protocol version
  ○ Choice to deploy HTTPS at all!
● Inflexibility of implementations
  ○ Browsers must support every server
  ○ Middleware boxes block attempted improvements
Key players
● Certification Authorities (CAs)
  ○ Incentives vary, but mostly survival dominates
● Browser vendors
  ○ Security, but with zero false positives
● Webmasters
  ○ Mostly, low latency and no bricking
Threat model
Malicious government
Control a CA:
RomeTrust
Control an ISP:
RomeCast
Limitations:
● Don't control all servers
● Don't control browser
Transport security policy
How do I get to the REAL People’s Front of Judea?
● Do they support HTTPS?
● What is their public key?
● What protocol version do they support?
Transport security policy
How do I get to the REAL People’s Front of Judea?
● Do they support HTTPS?
● Which public keys should I accept?
● What protocol version do they support?
Ways to learn Transport Security Policy
● Preloads (hardcoded)
  ○ Browser or extensions
● Authorities
  ○ DNS, CAs, Notaries, crowdsource
● Continuity
  ○ What they’ve done before (implicit)
  ○ What they’ve promised to keep doing (explicit)
● Introduction
  ○ When following a hyperlink
How do I get to the REAL People’s Front of Judea?
Authority: DNSSEC
● DANE
  ○ Hoffman, Schlyter 2012
  ○ Standards-track RFC
● CAA
  ○ Hallam-Baker, Stradling 2013
  ○ Standards-track RFC
Authority: Network Perspectives
GET https://foo.com
CN: pfj.org
Issuer: RomeTrust
SPKI: K'
Have you seen this cert for pfj.org from RomeTrust?
network notary
Authority: Convergence
GET https://foo.com
CN: pfj.org
Issuer: RomeTrust
SPKI: K'
Have any of you seen this cert for pfj.org from RomeTrust?
Why out-of-band Authorities fail
Was this okay for pfj.org?
CN: pfj.org
Issuer: Verisign
SPKI: K
GET https://pfj.org
∅ Attackers can always simulate outage!
Continuity (implicit)
GET https://foo.com
CN: pfj.org
Issuer: RomeTrust
SPKI: K'
Have I seen this cert for pfj.org from RomeTrust?
Continuity (explicit): TACK
Issuer: DigiCert
pfj.org
SPKI: A
SigX(A) = ...
DigiCert
SPKI: X
...
TACK-signing key T
SigT(A) = ...
expiration = ...
TACK activation (simple case)
[Timeline diagram; labels: Served, Required, Observed, Max activation (30 days), Blocked]
TACK
● Marlinspike, Perrin 2012
  ○ Internet draft, TLS working group
● Compared to HPKP
  ○ Lower level
  ○ More flexible
  ○ More complex
  ○ Safer against domain bricking
● Rough equivalent: domain-bound CA
  ○ With HPKP pins
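An added example (not from the slides or from the TACK draft's own code): a simplified model of TACK pin activation, where each matching observation keeps the pin required for as long as it has already been observed, capped at 30 days. The class and function names and the sample timelines are assumptions; generations, activation flags and the overlapping tacks used for rollover are left out.

```python
DAY = 86400
MAX_ACTIVATION = 30 * DAY   # the "Max activation (30 days)" cap


class TackPin:
    """Client-side pin for one hostname (simplified: one tack, no generations)."""

    def __init__(self):
        self.key = None       # fingerprint of the pinned TACK signing key
        self.initial = 0      # when this key was first observed
        self.end = 0          # the pin is active (required) while now < end

    def active(self, now):
        return self.key is not None and now < self.end

    def connect(self, now, served_key):
        """Process one connection; served_key is None when no tack is served."""
        if served_key is not None and served_key == self.key:
            # Matching tack: stay active for as long as the pin has been
            # observed so far, but never more than 30 days ahead.
            self.end = now + min(MAX_ACTIVATION, now - self.initial)
            return "accepted"
        if self.active(now):
            return "blocked"  # contradicts a pin that is still required
        # No pin, or the old pin has lapsed: start over with an inactive pin.
        self.key, self.initial, self.end = served_key, now, now
        return "accepted"


def run_timeline(events):
    """events: [(day, served_key)] -> [(day, outcome, active_until_day)]."""
    pin, out = TackPin(), []
    for day, key in events:
        outcome = pin.connect(day * DAY, key)
        out.append((day, outcome, pin.end // DAY))
    return out


# Constructed timelines: "T" is the site's TACK key, "X" is any other key,
# None is a connection that serves no tack at all.
SHORT_LIVED = [(0, "T"), (10, "T"), (15, "X"), (25, "X")]
LONG_LIVED = [(0, "T"), (100, "T"), (129, None), (130, None)]

if __name__ == "__main__":
    for name, events in (("short", SHORT_LIVED), ("long", LONG_LIVED)):
        for row in run_timeline(events):
            print(name, row)
```

The second timeline shows the bound on bricking: a site that stops serving its tack is blocked for at most 30 days after the last matching observation.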
Introduction: S-links
<a link-security="expiry=1357849989; pin-sha256=YWRm...cnF=; pin-sha256=LPJN...mCQ=;" href="https://pfj.org">secure link!</a>
secure link!
S-links directives
● Key pins
● CT mandatory
● EV mandatory
● Minimum TLS version
● ...
● Expiry
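An added example (not from the slides or the S-links paper's code) of how a browser might evaluate the `link-security` attribute shown above for a single navigation: the expiry is checked in absolute time, pins are matched against the keys in the presented chain, and pins the browser already holds are still enforced. The function names, the handling of a missing expiry and of stale links, and the sample keys are assumptions.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_link_security(attr: str):
    """Return (expiry, pins) for a link-security value, or None without an expiry."""
    expiry, pins = None, set()
    for part in attr.split(";"):
        # Split on the first '=' only: base64 pins end in '=' padding.
        name, _, value = part.strip().partition("=")
        if name == "expiry" and value.isdigit():
            expiry = int(value)
        elif name == "pin-sha256" and value:
            pins.add(value)
        # Other directives (CT, EV, minimum TLS version) are not modelled here.
    return None if expiry is None else (expiry, pins)


def pins_ok(pins, chain_spkis) -> bool:
    """No pins means no constraint; otherwise some key in the chain must match."""
    return not pins or any(spki_pin(spki) in pins for spki in chain_spkis)


def follow_slink(attr, chain_spkis, ambient_pins, now):
    """Decide one navigation. Pure function: nothing is stored for later visits."""
    # Ambient policy (pins the browser already holds) is always enforced,
    # so an s-link can add constraints but never remove one.
    if not pins_ok(ambient_pins, chain_spkis):
        return (False, "ambient-pin-mismatch")
    policy = parse_link_security(attr)
    if policy is None:
        return (True, "no-slink-policy")   # assumption: treated as a plain HTTPS link
    expiry, pins = policy
    if now > expiry:
        return (False, "stale")            # assumption: a stale link fails to load
    if not pins_ok(pins, chain_spkis):
        return (False, "pin-mismatch")     # presented like a 404, not a warning
    return (True, "ok")


# Constructed sample data (not real keys): stand-ins for DER-encoded SPKIs.
SITE_SPKI = b"constructed SPKI bytes for the pfj.org key K"
ROGUE_SPKI = b"constructed SPKI bytes for a mis-issued key K'"
SAMPLE_ATTR = "expiry=1357849989; pin-sha256=" + spki_pin(SITE_SPKI) + ";"

if __name__ == "__main__":
    for chain, when in [([SITE_SPKI], 1357000000), ([ROGUE_SPKI], 1357000000),
                        ([SITE_SPKI], 1357849990)]:
        print(follow_slink(SAMPLE_ATTR, chain, set(), when))
```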
Who might set s-links?
● Search engines
● Social media sites
● Link aggregators
Detective/forensic approaches
Oh my god, it's full of certs...
[Figure labels: USERTRUST (Comodo), GTE, DFN Verein]
Certificate Transparency (CT)
● Laurie, Langley, Käsper 2013
  ○ IETF experimental draft
● Enter every issued cert in a global log
● CT log is weakly trusted
  ○ Publicly verifiable
  ○ Append-only
● Relied on for availability, fork consistency
● Certs include "Signed certificate timestamp"
  ○ This is all clients check!
● Mis-issued certs detectable by scans
Certificate Transparency logging
[Diagram participants: pfj.org, CA, CT log]
I'd like a cert for key K please
I'm ready to issue the following certificate:
CN: pfj.org
Issuer: Verisign
SPKI: K
SCT
CN: pfj.org
Issuer: Verisign
SPKI: K
SCT
Got it, here's my commitment to log it soon
MITM attacks under CT
GET https://pfj.org
GET https://pfj.org
CN: pfj.org
Issuer: Verisign
SPKI: K
CN: pfj.org
Issuer: RomeTrust
SPKI: K'
SCT = X
SCT = Y
Something's not right..
CT downgrade attacks
GET https://pfj.org
GET https://pfj.org
CN: pfj.org
Issuer: Verisign
SPKI: K
CN: pfj.org
Issuer: RomeTrust
SPKI: K'
SCT = X
Enhanced Certificate Transparency
● Ryan 2014
● Idea: log maintains a second tree
  ○ Certs in lexicographic order by domain
  ○ Order by insertion date
● Can query for most recent cert
● Revocation highly efficient
Sovereign Keys
● Eckersley 2011
● Elements of:
  ○ Certificate Transparency
  ○ TACK
  ○ Tor hidden services
Accountable Key Infrastructure
● Kim, Huang, Perrig, Jackson, Gligor, 2011
● Transparency plus a whole lot more
Proposals to deal with rogue certs
[Grid diagram; axes: Preventive / Detective, Server changes / No server changes]
Proposals shown: SSL Observatory, Convergence, Perspectives, Cert patrol, Cert. Transparency, DANE, HPKP, TACK, Sovereign Keys, HPKP-RO, CAA, Accountable keys
5 predictions for the next 5 years
● CAs will not go away
● Multiple security protocols deployed
  ○ At least HPKP & CT
● Preload/link/continuity paradigm will solidify
  ○ Policy specifications may merge
● Web hubs will develop into security notaries
● Perfect Forward Secrecy hits mainstream
Big-picture questions
● Whom do we have to trust?
● Can we change who we have to trust?
  ○ Trust agility
● Can users tell whom they're trusting?
  ○ Trust affordance
Certificate Transparency questions
● How many logs will be run?
  ○ Can we kill logs?
● Security with <100% CA adoption?
The end-to-end picture
[Diagram labels: Preloaded domains, HPKP, s-link, HTTP]