1 / 28

Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. Xiuli Fang. Article Source:.

hschafer
Download Presentation

Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem Xiuli Fang Article Source: Calzavara, S., Focardi, R., Nemec, M., Rabitti, A., & Squarcina, M. (2019). Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. In Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem (p. 0). IEEE.Retrieved from: https://pdfs.semanticscholar.org/752c/c249cd9b80f5537ebda6723761ffb4b9811f.pdf

  2. CONTENTS Introduction Solution Criticism

  3. 1 • Introduction

  4. BACKGROUND • will replace HTTP • bases on the SSL/TLS protocol • is useful for web application security • could be unsecure because • the bad practice (the lack of adoption of HSTS) • flaws of low version TLS (1.0 or 1.2)

  5. Attacks against TLS • Protocol version downgrade • RSA decryption oracles • Advanced RSA padding oracles- DROWN and key reuse • CBC mode padding oracles • Heartbleed • …… TLS vulnerabilities could harm to the web applications security, so many studies focus on it.

  6. It is still unclear • which attacks are effective on web applications • what is the actual impact on web application security Reasons: Previous studies just focused on how much vulnerabilities in HTTPS implementation • Only focus on the server-side vulnerabilities • Only focus on the application layer attacks

  7. to quantitatively evaluate the insecurity of web applications due to TLS vulnerabilities

  8. 2 • Solution

  9. establish attack trees, automatedly collect and analyse the targeted websites • Main Idea

  10. Analysis Platform Attack Tree Experiment Experiment

  11. ATTACK TREE is used to describe TLS vulnerabilities 1 To categorize known attacks in terms of the security properties they break 2 Insecure Channels 3 Partially leaky channel selected secrets could be compromised (partially compromise confidentiality) Leaky channel all messages could be decrypted (fully compromise confidentiality) Tainted channel all messages could be decrypted and modified (fully compromise confidentiality and integrity)

  12. ATTACK TREE • How to build attack trees? Review known attacks against TLS Characterize attacks to identify conditions that break security properties of TLS protocol Map the conditions to the corresponding insecure channels

  13. ATTACK TREE For partially leaky channels For leaky channels For tainted channels

  14. ATTACK TREE LEGEND: An Example OR AND Goal Partial decryption of messages sent by Client 1. CBC padding oracle on the server 1. POODLE-TLS padding oracle 2. CBC padding oracle – OpenSSL AES-NI bug 2. A ciphersuite with AES in CBC mode is used 2. Any vulnerable CBC mode ciphersuite is used 1. Server is vulnerable to CVE-2016-2017 1. Server checks TLS padding as in SSLv3 1. AES in CBC mode is preferred in the highest supported TLS version 2. Downgrade is possible to a TLS version where AES in CBC mode is prefered 2. Any vulnerable CBC mode ciphersuite is used 1. Server checks TLS padding as in SSLv3 • The attack tree is a logical tree • The title is a main goal • Each line is a sub-goal, but the leave of attack tree is a condition of vulnerability • There is a logical relationship between lines • If the whole tree is evaluated to TRUE, which means the title is TRUE.

  15. Analysis Platform Attack Tree Experiment Experiment

  16. ANALYSIS PLATFORM • can auto collect data from websites • can check the conditions defined in the attack trees to identify which websites are insecure due to the TLS vulnerabilities • depends on existing analysis tool: testssl.sh, TLS-attacker, Nmap

  17. ANALYSIS STEP • Access the target websites • Collect the DOM of the page (cookies, sub-resources…) • Enumerate the sub-domains • Run existing tools to identify vulnerabilities on target websites and sub-domain hosts • Map the output to the conditions of the attack trees

  18. Analysis Platform Attack Tree Experiment Experiment

  19. EXPERIMENT Collecting data from the Alexa top 10,000 websites served over HTTPS. • The results show that exploitable TLS vulnerabilities in 5.5% hosts. • The results of three insecure channels It is still unclear that the actual impact on web applications.

  20. EXPERIMENT Selecting three security aspects to evaluate the actual impact on web applications Security Aspects Security Issues Conditions • Condition 1: …… • Definition 1: Compromisable Page • Condition 2: …… Page Integrity Definition 2: Compromisable Host • Condition 1: …… Definition 3: Blockable Request tainted channels Definition 4: Low Integrity Page …… • Definition 5: Low Confidentiality Password Authentication Credential Definition 6: Low Confidentiality Cookie Definition 7: Low Integrity Cookie partially leaky, leaky, tainted channels Web Tracking • Condition 1: …… Definition 8: Profiling • Condition 2: …… leaky and tainted channels

  21. Results The actual impact on each security aspect Page Integrity • 9.8% websites present low integrity pages that the attacker can tamper with, most of them are fully compromisable Authentication Credential • 10% of the detected login forms have confidentiality issues Web Tracking • 142 websites include content from vulnerable hosts of the popular tracker PubMatic • Up to 968 websites could be affected because their external resources they referenced may compromise

  22. FINDINGS Conclusion: • TLS flaws have a huge practical impact on otherwise secure websites that depend on or are related to the vulnerable hosts • Limited number TLS vulnerabilities were amplificated by the web ecosystem.

  23. 3 • Criticism

  24. ISSUES & IMPROVEMENT (1) Attack tree based on known attacks of previous studies Issues: • If new attacks occur, attack tree will miss some conditions of new attacks. This may lead to statistical limitations. Possible solution: • New conditions of attacks should be extended to attack tree

  25. ISSUES & IMPROVEMENT (2) Attack testing based on existing tools, such as testssl.sh, TLS-attacker Issues: • Bugs and issues of these tools may lead to inaccurate statistics. Possible solution: • Regularly upgrade these existing tools

  26. ISSUES & IMPROVEMENT (3) Analysis platform accessed websites by using Headless Chrome with Puppeteer Issues: • Using Puppeteer equals to using Chrome as web browser, but different browsers use different rules, which may lead to statistical biase. Possible solution: • Use the tool Selenium instead of Puppeteer • Selenium can work with Chrome, Firefox, Safari, Internet Explorer and Edge

  27. Image Credits • TLS 1.0 and 1.1 deprecation [Photograph] Retrieved from https://images.app.goo.gl/5S5mcN9FRfK683Vd6 • Majority of the world’s top million websites now use HTTPS [Photograph] Retrieved from https://images.app.goo.gl/5qegB9emW4BZhwh78 • Big data [Photograph] Retrieved from http://bigdata.idcquan.com/news/156838.shtml • DROWN attack [Photograph] Retrieved from https://en.wikipedia.org/wiki/DROWN_attack • Problem Key Means Difficulty Or Trouble [Photograph] Retrieved from https://www.storyblocks.com/stock-image/problem-key-means-difficulty-or-trouble-rv6vfjsm_zj6gn20ou • 8 books guaranteed to help you discover your motivation [Photograph] Retrieved from https://admissionsadvantage.net/2018/10/23/8-books-guaranteed-to-help-you-discover-your-motivation/ • Data Analytics and the Benefits of Ignoring Gut Instincts (Part 2) [Photograph] Retrieved from https://www.tibco.com/blog/2014/01/07/the-benefits-of-ignoring-gut-instincts-part-2/

  28. Q & A

More Related