1 / 0

SSL, HTTPS and the Lock Icon

SSL, HTTPS and the Lock Icon. Borrowed from Dan Boneh & others. Goals for this lecture. 2. Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating HTTPS into the browser Lots of user interface problems to watch for.

lela
Download Presentation

SSL, HTTPS and the Lock Icon

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SSL, HTTPS and the Lock Icon

    Borrowed from Dan Boneh & others
  2. Goals for this lecture 2 Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating HTTPS into the browser Lots of user interface problems to watch for
  3. Threat Model: Network Attacker 3 Network Attacker: Controls network infrastructure: Routers, DNS Passive attacker: only eavesdrops on net traffic Active attacker: eavesdrops, injects, blocks, and modifies packets Examples: Wireless network at Internet Café Internet access at hotels (untrusted ISP)
  4. Reminder: Public-Key Encryption Public-key encryption: Alice Bob m Enc m Dec c c SKBob PKBob 4 Bob generates (SKBob, PKBob ) Alice: using PKBob encrypts messages and only Bob can decrypt
  5. Certificates BrowserAlice CA Server Bob choose (SK,PK) PK and proof “I am Bob” check proof SKCA PKCA PKCA issue Cert with SKCA : verify Cert Bob’s key is PK Bob’s key is PK Bob uses Cert for an extended period (e.g. one year) 5 How does Alice (browser) obtain PKBob?
  6. Certificates: example 6 Important fields:
  7. Certificates on the web 7 Subject’s CommonName can be: An explicit name, e.g. cs.stanford.edu , or A wildcard cert, e.g. *.stanford.eduor cs*.stanford.edu matching rules: “*” must occur in leftmost component, does not match “.” example: *.a.commatches x.a.com but not y.x.a.com (as in RFC 2818: “HTTPS over TLS”)
  8. Managing your certificates Firefox: Tools > Options > Advanced > Certificates
  9. Certificate Authorities Browsers acceptcertificates from alarge number of CAs Top level CAs ≈ 60 Intermediate CAs ≈ 1200 9

  10. SSL/TLS

  11. SSL/TLS: the cryptographic protocol in HTTPS Establish a session Agree on algorithms Share secrets Perform authentication Transfer application data Ensure privacy and integrity 11
  12. Handshake Negotiate Cipher-Suite Algorithms Symmetric cipher to use Key exchange method Message digest function Establish and share master secret Optionally authenticate server and/or client 12
  13. Brief overview of SSL/TLS server browser client-hello cert server-hello + server-cert (PK) SK key exchange (several options) rand. k client-key-exchange: E(PK, k) k Finished HTTP data encrypted, Symmetric cipher(k) Most common: server authentication only 13
  14. ClientHello ClientHello S C Client announces (in plaintext): Protocol version he is running Cryptographic algorithms he supports
  15. ClientHello (RFC) Highest version of the protocol supported by the client struct { ProtocolVersionclient_version; Random random; SessionIDsession_id; CipherSuitecipher_suites; CompressionMethodcompression_methods; } ClientHello Set of cryptographic algorithms supported by the client (e.g., RSA or Diffie-Hellman)
  16. Client Hello - Cipher Suites INITIAL (NULL) CIPHER SUITE SSL_NULL_WITH_NULL_NULL = { 0, 0 } SSL_RSA_WITH_NULL_MD5 = { 0, 1 } SSL_RSA_WITH_NULL_SHA = { 0, 2 } SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 } SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 } SSL_RSA_WITH_RC4_128_SHA = { 0, 5 } SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 } SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 } SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 } SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 } SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 } HASH ALGORITHM PUBLIC-KEY ALGORITHM SYMMETRIC ALGORITHM CIPHER SUITE CODES USED IN SSL MESSAGES 16
  17. ServerHello Versionc, suitec, Nc S C ServerHello Server responds (in plaintext) with: Highest protocol version supported by both client and server Strongest cryptographic suite selected from those offered by the client Server selects the protocol version and the crypto algorithms
  18. ServerKeyExchange Versionc, suitec, Nc S C Versions, suites, Ns, ServerKeyExchange Server sends his public-key certificate containing either his RSA, or his Diffie-Hellman public key (depending on chosen crypto suite)
  19. ClientKeyExchange Versionc, suitec, Nc S C Versions, suites, Ns, sigca(S,Ks), “ServerHelloDone” ClientKeyExchange Client generates some secret key material and sends it to the server encrypted with the server’s public key (if using RSA) Client selects what will become the secret session key
  20. What is Authenticated in SSL ? #1 20 Server’s PK provided as a Cert signed by CA Browser has CA’s public key Verified signature  Trust the server’s PK But does the server hold the matching SK ?
  21. What is Authenticated in SSL? #2 21 Browser’s secret random k encrypted by PK Server decrypts k Browser & server derive shared secret key All subsequent messages are encrypted With symmetric cipher, e.g. RC4 If browser decrypts successfully Server got the correct k Server had the SK matching the Cert Server is authenticated Client is NOT authenticated: usually has to login (through the encrypted channel)
  22. Version Rollback Attack Versionc=2.0, suitec, Nc S C Server is fooled into thinking he is communicating with a client who supports only SSL 2.0 Versions=2.0, suites, Ns, sigca(S,Ks), “ServerHelloDone” {Secretc}Ks C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that does not include “Finished” messages) Fixed in SSL v3.0
  23. “Chosen-Protocol” Attacks Why do people release new versions of security protocols? Because the old version got broken! New version must be backward-compatible Not everybody upgrades right away Attacker can fool someone into using the old, broken version and exploit known vulnerability Similar: fool victim into using weak crypto algorithms Defense is hard: must authenticate version early Many protocols had “version rollback” attacks SSL, SSH, GSM (cell phones)

  24. HTTPS in the Browser

  25. The lock icon: SSL indicator 25 Intended goal: Provide user with identity of page origin Indicate to user that page contents were not viewed or modified by a network attacker In reality: Origin ID is not always helpful example: Stanford HR is hosted at BenefitsCenter.com Many other problems (next few slides)
  26. When is the (basic) lock icon displayed 26 All elements on the page fetched using HTTPS (with some exceptions) For all elements: HTTPS cert issued by a CA trusted by browser HTTPS cert is valid (e.g. not expired) CommonName in cert matches domain in URL
  27. The lock UI: Extended Validation (EV) Certs Green background or text in browser URL Harder to obtain than regular certs requires human lawyer at CA to approve cert request Designed for banks and large e-commerce sites
  28. A general UI attack: picture-in-picture Trained users are more likely to fall victim to this [JSTB’07] 28
  29. HTTPS and login pages: the bad way Users often land on login page over HTTP: Type site’s HTTP URL into address bar, or Google links to the HTTP page View source: <form method="post" action="https://onlineservices.wachovia.com/..."
  30. HTTPS and login pages: guidelines General guideline: never show a login screen via http Response to http://login.site.com should be Redirect: https://login.site.com

  31. Problems with HTTPS and the Lock Icon

  32. 1. HTTP  HTTPS upgrade HTTP SSL webserver attacker 32 Common use pattern: browse site over HTTP; move to HTTPS for checkout connect to bank over HTTP; move to HTTPS for login Easy attack: prevent the upgrade (ssl_strip) [Moxie’08] <a href=https://…>  <a href=http://…> Location: https://...  Location: http://... (redirect) <form action=https://… >  <form action=http://…>
  33. Tricks and Details  33 Tricks: drop-in a clever fav icon (older browsers) Details: Erase existing session and force user to login: ssl_strip injects “Set-cookie” headers to delete existing session cookies in browser. Number of users who detected HTTP downgrade: 0
  34. 2. Semantic attacks on certs 34 International domains: xyz.cn Rendered using international character set Observation: Chinese character set contains charsthat look like “/” and “?” and “.” and “=” Attack: buy domain cert for *.badguy.cn setup domain called: www.bank.com/accounts/login.php?q=me.baguy.cn note: single cert *.badguy.cnworks for all sites Extended validation (EV) certs may help defeat this
  35. [Moxie’08]
  36. 3. Certificate Issuance Woes 36 Wrong issuance: 2011: Comodoand DigiNotar RAs hacked, issue certs for Gmail, Yahoo! Mail, … Rogue CA: 2009: Etisalat CA in UAE Signs software patch on behalf of RIM PacketForensics: HTTPS MiTMfor law enforcement (see also crypto.stanford.edu/ssl-mitm ) ⇒ enables eavesdropping w/o a warning in user’s browser
  37. Man in the middle attack using rogue certs GET https://bank.com BadguyCert BankCert attacker bank ClientHello ClientHello ServerCert (Bank) ServerCert (rogue) (cert for Bank by a valid CA) SSL key exchange SSL key exchange k2 k1 k1 k2 HTTP data enc with k1 HTTP data enc with k2 37 Attacker proxies data between user and bank. Sees all traffic and can modify data at will.
  38. What to do? (many good ideas) 38 HTTP public-key pinning, TACK Let a site declare CAs that can sign its cert on subsequent HTTPS, browser rejects certs for site issued by other CAs TOFU: Trust on First Use Certificate Transparency: [LL’12] idea: CA’s must advertise a log of all certs. they issued Browser will only use a cert if it is on the CA’s log Efficient implementation using Merkle hash trees Companies can scan logs to look for invalid issuance
  39. 4. Mixed Content: HTTP and HTTPS Page loads over HTTPS, but contains content over HTTP (e.g. <script src=“http://.../script.js> ) Active network attacker can hijack session Modifies script en-route to browser Another way to embed content: <script src=“//.../script.js> served over the same protocol as embedding page Can use for content served over HTTP or HTTPS 39
  40. Mixed Content: HTTP and HTTPS IE7: Chrome: No SSL lock in address bar: 40
  41. 5. Peeking through SSL BAM! Chen, Wang, Wang, Zhang, 2010 Network traffic reveals length of HTTPS packets TLS supports up to 256 bytes of padding AJAX-rich pages have lots and lots of interactions with the server These interactions expose specific internal state of the page
  42. Peeking through SSL: an example Vulnerabilities in an online tax application No easy fix. Can also be used to ID Tor traffic 42

  43. THE END

  44. 6. Origin Contamination: an example Solution: remove lock from top page after loading bottom page 44
  45. Integrating SSL/TLS with HTTP  HTTPS webproxy webserver corporate network webserver client-hello server-cert ??? certCNN certFOX Two complications Web proxies solution: browser sends CONNECT domain-name before client-hello (dropped by proxy) Virtual hosting: two sites hosted at same IP address. solution in TLS 1.1: SNI(RFC 4366) client_hello_extension: server_name=cnn.com implemented since FF2 and IE7 (vista)
  46. Why is HTTPS not used for all web traffic? Slows down web servers Breaks Internet caching ISPs cannot cache HTTPS traffic Results in increased traffic at web site Incompatible with virtual hosting (older browsers) May. 2013: IE6 ≈ 7% (ie6countdown.com)
  47. The lock UI: helps users authenticate site uninformative
  48. Problems with HTTPS and the Lock Icon 48 Upgrade from HTTP to HTTPS Semantic attacks on certs Forged certs Mixed content HTTP and HTTPS on the same page Origin contamination Weak HTTPS page contaminates stronger HTTPS page Does HTTPS hide web traffic?
  49. Defense: Strict Transport Security (HSTS) webserver Strict-Transport-Security max-age=31⋅106; 49 Header tells browser to always connect over HTTPS After first visit, subsequent visits are over HTTPS self signed cert results in an error STS flag deleted when user “clears private data” (chrome) Compromise: security vs. privacy
More Related