Bug ID : 1408647 · 2019. 9. 17. · Bug ID : 1408647 Decryption, E_WHUT?! And why we should be...


Bug ID : 1408647
Decryption, E_WHUT?! And why we should be afraid of it.

def-not-root@unimportant-machine:~$ whoami

Roy van Dongen, Security Researcher. Experience with IDP, NGFW, Decryption ;-(, Networking, …

def-not-root@unimportant-machine:~$ ./presentation –a intro

What is this talk about?

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) Just me myself and I

def-not-root@unimportant-machine:~$ ./presentation –a intro

• Intro) Small introduction.
• 1) How does the www work (simplified)?
• 2) What is SSL and how does it work?
• 3) What is Decryption and how does it work?
• 4) Why is Decryption bad, and what is actually happening?
• 5) Bug ID: 1408647????
• 6) How can a certain government use decryption against you?
• 7) What can you do?

def-not-root@unimportant-machine:~$ ./presentation –a chapter1

What does a normal HTTP request look like?

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/Transport_Layer_Security

[Diagram: Client <-> Server]

1. Request HTTP Connection (http://www.reddit.com/r/Catloaf/)
2. Server starts transfer of data ( Cat pictures!!11!!eleven!1!! )

def-not-root@unimportant-machine:~$ ./presentation –a chapter1

These days when browsing the internet, we are taught to use mostly HTTPS websites because «experts» tell us it is really secure!

How did this even start? Why do we need HTTPS? I’ve got nothing to hide…

Timeline, 1950 to present day:

1969: DARPA creates first ARPANET link
1977: TCP/IP standard agreed on
1981: TCP/IP RFCs published
1981: CERN migrates to IPv4, protocol goes global
1989: World Wide Web is born, first HTTP standard
1995: First government-authorised network wiretap
2000: HTTPS RFC 2818 created
±2006: NSA first uses Bullrun to decrypt SSL (HTTPS)

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://www.wikipedia.org

or do I?

def-not-root@unimportant-machine:~$ ./presentation –a chapter2

Title: What is SSL and how does it work?

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/Transport_Layer_Security

[Diagram: Client <-> Server]

1. Request SSL Connection (https://www.reddit.com/r/Catloaf/)
2. Server will now send its certificate
3. The client now validates the server certificate locally
4. Client generates and sends a session key to the server
5. Server starts encrypted transfer of data ( Cat pictures!!11!!eleven!1!! )

def-not-root@unimportant-machine:~$ ./presentation –a chapter2

Looks good doesn’t it?

Let me give you a hint…

[Diagram: Client <-> Server, step 3 highlighted]

3. The client now validates the server certificate locally

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/Transport_Layer_Security

Already got an idea what’s happening here?

def-not-root@unimportant-machine:~$ ./presentation –a chapter3

Title: What is Decryption and how does it work?

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://www.techopedia.com/definition/1773/decryption

Decryption is the process of transforming data that has been rendered unreadable through encryption back to its unencrypted form.

def-not-root@unimportant-machine:~$ ./presentation –a chapter3

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719

[Diagram: Client <-> 3rd party device ("Dunno? The NSA?") <-> Server]

1. Client requests SSL Connection (https://www.reddit.com/r/Catloaf/)
2. 3rd party device requests SSL Connection (https://www.reddit.com/r/Catloaf/)
3. Server will now send its certificate
4. 3rd party device signs a new certificate with its own CA certificate
5. The client now validates the server certificate locally
6. Client generates and sends a session key to the server
7. 3rd party device generates and sends a new session key to the server
8. Server starts encrypted transfer of data ( Cat pictures!!11!!eleven!1!! )
9. Precious cat pictures

-> ??? E_WHUT

def-not-root@unimportant-machine:~$ ./presentation –a chapter3

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) http://knowyourmeme.com/memes/did-you-just-assume-my-gender

Did you just assume my trust?

5. The client now validates the server certificate locally

def-not-root@unimportant-machine:~$ ./presentation –a chapter4

It’s now about time we start talking about trust…

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/Chain_of_trust

-> reddit.com ?

def-not-root@unimportant-machine:~$ ./presentation –a chapter4

How does this work IRL?

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) Google Chrome on OSX

def-not-root@unimportant-machine:~$ ./presentation –a chapter4

This is where the pre-defined system roots kick in

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) Privately owned Windows, Linux and OSX System

def-not-root@unimportant-machine:~$ ./presentation –a chapter5

Title: «Bug ID: 1408647????»

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://bugzilla.mozilla.org/show_bug.cgi?id=1408647

def-not-root@unimportant-machine:~$ ./presentation –a chapter5

Proposal for: «Wet op de Inlichtingen en Veiligheidsdiensten 2017»

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://zoek.officielebekendmakingen.nl/stb-2017-317.html

def-not-root@unimportant-machine:~$ ./presentation –a chapter6

So when will this…

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) Google Chrome on OSX

become this?

def-not-root@unimportant-machine:~$ ./presentation –a chapter7

Title: What can you do?

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
2) https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization

def-not-root@unimportant-machine:~$ ./presentation –a chapter7


DNS CAA

Public Key Pinning

Untrusted Certificates List ( OS Dependent )
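As an added example (not from the slides or their author) tying the trust problem of chapters 3 and 4 to the Public Key Pinning countermeasure above: the Go program below replays steps 3 and 4 of the decryption diagram with two constructed CAs and the hypothetical host www.example.test. The leaf re-signed by the third-party CA fails local validation until that CA is pushed into the system roots, after which validation passes, while a pin on the genuine server's SubjectPublicKeyInfo still rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a constructed test certificate: a self-signed CA called name when parent is nil, otherwise a server certificate for host name issued by parent.
func makeCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf for host name; step 4 of the diagram when parent is the interception CA
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainOK is the client's step 3: does leaf chain to a root in the trust store for host?
func chainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a public-key pin compares against.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Scenario replays the decryption diagram with constructed CAs and returns the client's verdicts.
func Scenario() (genuineOK, forgedOK, forgedTrustedOK, pinMatches bool) {
	const host = "www.example.test"
	realCA, realKey := makeCert("Constructed Public Root", nil, nil)
	mitmCA, mitmKey := makeCert("Constructed Interception CA", nil, nil)
	genuine, _ := makeCert(host, realCA, realKey)
	forged, _ := makeCert(host, mitmCA, mitmKey) // same name, but the device's own key and CA
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	genuineOK, forgedOK = chainOK(genuine, roots, host), chainOK(forged, roots, host)
	roots.AddCert(mitmCA) // interception CA now in the system roots: step 3 passes for the forged leaf, but its key differs, so the SPKI pin still fails
	return genuineOK, forgedOK, chainOK(forged, roots, host), spkiPin(forged) == spkiPin(genuine)
}
```

The four return values read: genuine chain valid, forged chain valid, forged chain valid after the interception CA is installed as a root, and whether the forged leaf matches a pin taken from the genuine certificate.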

def-not-root@unimportant-machine:~$ ./presentation –a outro

def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://pixelbar.nl
2) https://stazidernederlanden.org