MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets...
Transcript of MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets...
![Page 1: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/1.jpg)
Software and Web Security 2
MitM attacks on HTTPS sessions
Much of this material can also be seen in
DEFCON 2009 presentation by Moxie Marlinspike;
see URL on course page
sws2 1
![Page 2: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/2.jpg)
MitM (Man-in-the-Middle) attacks
• MitM attack: attacker gets between the browser and the web server,
eg by
– setting up a wifi access point
– luring victim to his website and passing on traffic to another site
• HTTPS (ie HTTP over TLS/SSL) should protect against this...
• There are different ways in which this can go wrong
– on the protocol/network level
– security flaws in the browser or at the Certificate Authority (CA),
• in the software or the human/organisation
• One particular attack is SSL stripping, invented by Moxie Marlinspike, and implemented in sslstrip tool
sws2 2
![Page 3: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/3.jpg)
(Aside: name confusion on SSL vs TLS)
• Is it SSL, TLS, SSL/TLS, or TLS/SSL?
• SSL (Secure Socket Layer) developed at Netscape.
Version 1.0 never released.
Version 2.0 had several security flaws
• SSL 3.0 renamed to TLS, of which versions 1.0, 1.1, and 1.2 exist
sws2 3
![Page 4: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/4.jpg)
Reminder: weaknesses/attacks on HTTPS already
discussed in week 3
• Implementation flaws in various TLS implementations
– such as HeartBleed, iOS goto bug, or FREAK
• Software failing to do the right certificate checks
• Certificate Authorities being hacked
• Software in webbrower displaying URLs incorrectly
– eg http://paypal.com%01%[email protected]
• Human user of the web browser not checking things correctly
– but punycode representation of URLs is a countermeasure against user
being confusing by strange character sets
sws2 4
![Page 5: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/5.jpg)
SSL stripping
sws2 5
![Page 6: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/6.jpg)
Two variants of SSL stripping
sws2 6
bank.com
HTTPS HTTPS
bank.com
HTTP HTTPS
![Page 7: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/7.jpg)
SSL stripping (1)
sws2 7
bank.com
HTTP HTTPS
![Page 8: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/8.jpg)
SSL stripping (1) HTTP + HTTPS
The idea: the attacker forces the browser to fall back to an HTTP
session, and hope the user won’t notice the missing s
When can the attacker do this? If the user
a) types in rabobank.nl, without https in front of it
b) begins a HTTPS session by clicking on a link in a webpage that
was retrieved with HTTP
sws2 8
bank.com
HTTP HTTPS
![Page 9: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/9.jpg)
MitM attack on start of HTTPS session (b)
user MitM website
some HTTP request
sws2 9
change HTTPS links
to HTTP links
user clicks a
replaced linkchange HTTP request
back to HTTPS request
change HTTPS links
to HTTP links
very careful user will
notice missing s in
browser toolbar
server thinks
there is nothing
wrong!
![Page 10: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/10.jpg)
MitM attack on starting of HTTPS session (a)
user MitM website
sws2 10
change HTTP request
back to HTTPS request
careful user would
notice missing s in
browser toolbar
user types in
rabobank.nl request for
http://rabobank.nl
redirect (302) to
https://rabobank.nl
redirect (302) to
http://rabobank.nl change HTTPS
to HTTP
change HTTPS links
to HTTP links
brower
follows redirect https://rabobank.nl
server thinks
there is nothing
wrong!
![Page 11: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/11.jpg)
SSL stripping (1)
• The MitM attacker
– strips S from HTTPS in links in traffic from server to user
– puts this S back in traffic from the user to the server
• The result
• The attacker can now intercept a username and password that the
user sends (typically in a POST request)
• After intercepting this information, the attacker could stop the MitM
attack, so that a secure tunnel between user & server is established
– and the user can then no longer see anything wrong!
sws2 11
bank.com
HTTP HTTPS
![Page 12: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/12.jpg)
Some problems & fixes
• Secure cookies won’t be sent by the client’s browser over HTTP
Solution: remove the secure bit from Set Cookie instructions
when forwarding traffic from the server to user
Similarly, the attacker can
• strip content encodings (eg gzip) to simplify having to parse these
• strip if-modified headers to prevent the web browser from reusing
cached pages
sws2 12
![Page 13: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/13.jpg)
Spotting this attack?
A careful user can spot this attack
• the URL misses the s in https
• the little lock is missing in the browser corner
Funny improvement: the attacker can add as flavicon
sws2 13
![Page 14: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/14.jpg)
Improvement: adding flavicon
user MitM website
... ...
... ...
sws2 14
replace HTTPS links
with HTTP links
and add
flavicon
![Page 15: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/15.jpg)
The original secure site
sws2 15
![Page 16: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/16.jpg)
SSL stripped version
sws2 16
![Page 17: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/17.jpg)
The original secure site
sws2 17
![Page 18: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/18.jpg)
The SSL stripped version
sws2 18
![Page 19: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/19.jpg)
sws2 19
This window will pass
username/password
by https, but attacker
can strip this, and
reestablish the TLS
session directly
afterwards.
Can the user still spot this?
![Page 20: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/20.jpg)
Moral
Moral of the last examples:
• Never use https for a frame inside a http page
• Never issues https requests from an http page
sws2 20
![Page 21: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/21.jpg)
This still happens...
sws2 21
![Page 22: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/22.jpg)
(old) news
• http://kassa.vara.nl/tv/afspeelpagina/fragment/schokkend-nieuws-gevaarlijk-lek-in-
internetbankieren-ontdekt/speel/1/
• http://webwereld.nl/beveiliging/82658-geld-stelen-via-hotspots-kon-door-lek-in-
internetbankieren
sws2 22
![Page 23: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/23.jpg)
SSL stripping (improved)
Can we improve things? Ideally we want to get
so the user cannot notice he is not having a TLS session?
For this, we have to to trick the browser into setting up a TLS tunnel to
the attacker, believing it to be bank.com
sws2 23
bank.com
HTTPS HTTPS
![Page 24: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/24.jpg)
SSL stripping (2): HTTPS+HTTPS
Different ways for attacker to set up TLS tunnel to himself from victim
1. Use a self-signed certificate for bank.com
– but warnings will scare most users away
2. Attacker can buy domain name that looks like bank.com with
international characters
– browser using puny-code may reveal this to user
3. Attacker can redirect to mafia.com, for which he has a certificate
a) and hope the user does not notice the mafia.com in address bar
b) better, use characters that look like / and ? to make URL that
looks like the bank’s, eg
https://bank.com/Somelongname?.mafia.com
• browser that highlights domain part of URL may warn user
sws2 24
![Page 25: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/25.jpg)
SSL stripping (2): HTTPS+HTTPS
Different ways for attacker to set up TLS tunnel to himself from victim
4. older TLS implementations in browsers had a bug that allowed
attackers to create certificate for any site
by extending the certificate chain,
– incorrectly but without the browser noticing
sws2 25
![Page 26: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/26.jpg)
Certificates are chained
sws2 26
CA
Certificate
Intermediate
Certificate
Web site
Certificate
used to sign
used to sign
For example, a certificate for
DigiNotar, or VeriSign
For example, a certificate
for science.ru.nl
![Page 27: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/27.jpg)
Certificates are chained
sws2 27
CA
Certificate
Intermediate
Certificate
Web site
Certificate
used to sign
used to sign
aka root certificate
aka leaf certificate
![Page 28: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/28.jpg)
How would you implement checking these chains?
Eg in a web-browser or TLS/SSL library
1. Check that the leaf node as the name of the site you are
connecting to
2. Check that the leaf node hasn’t expired
3. Check the signature
4. If the signing certificate is in the list of root CAs, then stop.
5. Otherwise, go up the chain, and start again with 2
CA = Certificate Authority
sws2 28
![Page 29: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/29.jpg)
Oops...
sws2 29
CA
Certificate
Intermediate
Certificate
Web site
Certificate
used to sign
used to sign
For example, a certificate for
DigiNotar, or VeriSign
For example, a certificate
for science.ru.nl
Certificate for
paypal.comused to sign
![Page 30: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/30.jpg)
sws2 30
ie. this certificate is not
meant to be used to
check other certificates
![Page 31: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/31.jpg)
Problems checking certificate chains (historic)
Two problems with certificate chains
1. Some CAs did not set CA=FALSE in Basic Constraints
2. Some browsers did not not check it, and allowed leaf certificates to
be used to sign other certificates
Such bugs should now all be gone...
But: history repeats itself...
sws2 31
![Page 32: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/32.jpg)
Countermeasures to SSL stripping
• HSTS (HTTP Strict Transport Security)
Server declares “I only talk HTTPS”
HTTP(S) Response Header:
Strict-Transport-Security: max-age=15768000;
includeSubDomain
• This would stop the browser from ever issuing an HTTP request to
that domain.
• use HTTPS Everywhere browser plugin
• Giving that CAs may not be trustworthy anyway, Chrome will now check for
suspicious certificates issued for google.com
sws2 32
![Page 33: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/33.jpg)
Just when you think it’s all over…
Newer attacks on software handling X509 certificates:
When talking to a CA to request certificates, an attacker may try
• including a null character in the Common Name for which he request
a certificate, eg.
paypal.com[null]mafia.com
– Different libraries interpret this differently!
Which does the CA use and which does the browser use?
• create confusing certificates with multiple Common Names, eg.
paypal.com,mafia.com
– Internet Explorer will respect all names in the list, Firefox will only
respect the last one, and how has the CA interpreted this?
• a SQL injection attack in the Certificate Signing Request to the CA
• …
sws2 33
![Page 34: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/34.jpg)
Other attacks on sessions (out of scope for this course)
• Cryptographic attacks on TLS
– Inherent cryptographic weakness in TLS/SSL is that encryption
and MAC-ing are done the wrong way around
• you should first encrypt, and then MAC
– Some cryptographic primitives used may be weak
• eg using MD5 as hash function in certificates
• attacks on DNS
– eg DNS cache poisoning
– will be discussed in the Networking Security course next
semester
sws2 34
![Page 35: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/35.jpg)
Advanced cookie stealing: without breaking HTTPS tunnel
Even without breaking the HTTPS tunnel, an attacker may be able to
steal cookies
namely if bank.com fails to set the secure flag for its cookie.
(Recall: the secure flag means the cookie is only sent over HTTPS)
sws2 35
bank.com
HTTPS
![Page 36: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/36.jpg)
Alternative MitM attack: stealing HTTPS cookies
Attack steps
1. user logs on to HTTPS://bank.com
2. server sets session ID for bank.com in cookie
– which is encrypted in HTTPS-traffic
3. user ask for an unencrypted HTTP request (eg for http://nu.nl)
4. MitM attacker replies with a redirect to http://bank.com
5. Browser follows redirect and sends the bank’s cookie over HTTP
6. Bingo! Attacker has the cookie
sws2 36
bank.com
HTTPSHTTP
![Page 37: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/37.jpg)
Still, using TLS is a hurdle to an attacker
sws2 37
![Page 38: MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring](https://reader035.fdocuments.in/reader035/viewer/2022062317/5f0ba55c7e708231d431869a/html5/thumbnails/38.jpg)
To watch
• For another explanation of SSL stripping, see the video of Moxie
Marlinspike’s presentation at DEFCON
This also presents
– an improvement, where session cookies that already exists
when the MitM attack starts are invalidated to force users to re-
enter username & password
– experimental results of running SSL-stripping at a Tor exit node
sws2 38