Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
-
Upload
chepimanca -
Category
Documents
-
view
217 -
download
0
Transcript of Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
1/156
Moxie Marlinspike
Institute For Disruptive Studies
More Tricks For Defeating SSL In
Practice
Moxie Marlinspike
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
2/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
3/156
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
4/156
Moxie Marlinspike
Institute For Disruptive Studies
In the past, I've talked about
BasicConstraints...
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
5/156
Moxie Marlinspike
Institute For Disruptive Studies
Certificate Chaining
VeriSign
paypal.com
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
6/156
Moxie Marlinspike
Institute For Disruptive Studies
Certificate Chaining
VeriSign
IntermediateCA
paypal.com
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
7/156
Moxie Marlinspike
Institute For Disruptive Studies
Certificate Chaining
VeriSign
IntermediateCA
paypal.com
IntermediateCA
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
8/156
Moxie Marlinspike
Institute For Disruptive Studies
How do we verify these things?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
9/156
Moxie Marlinspike
Institute For Disruptive Studies
What they say:
Verify that the name of the leaf node is thesame as the site you're connecting to.
Verify that the leaf certificate has not expired.
Check the signature.
If the signing CA is in our list of trusted rootCAs, stop. Otherwise, move one up the chain
and repeat.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
10/156
Moxie Marlinspike
Institute For Disruptive Studies
Here Be Dragons
Very tempting to use asimple recursivefunction.
Everyone focuses on thesignature validation.
The result of a naveattempt at validation is a
chain that is complete,but nothing more.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
11/156
Moxie Marlinspike
Institute For Disruptive Studies
What if...VeriSign
IntermediateCA
thoughtcrime.org
IntermediateCA
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
12/156
Moxie Marlinspike
Institute For Disruptive Studies
What if...VeriSign
IntermediateCA
thoughtcrime.org
IntermediateCA
paypal.com
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
13/156
Moxie Marlinspike
Institute For Disruptive Studies
What they say:
Verify that the name of the leaf node is thesame as the site you're connecting to.
Verify that the leaf certificate has not expired.
Check the signature.
If the signing CA is in our list of trusted rootCAs, stop. Otherwise, move one up the chain
and repeat.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
14/156
Moxie Marlinspike
Institute For Disruptive Studies
Something must be wrong, but...
All the signatures are valid.
Nothing has expired.
The chain is in tact.
The root CA is embedded in the browser andtrusted.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
15/156
Moxie Marlinspike
Institute For Disruptive Studies
But we just created a valid certificate
for PayPal, and we're not PayPal?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
16/156
Moxie Marlinspike
Institute For Disruptive Studies
The missing piece...
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
17/156
Moxie Marlinspike
Institute For Disruptive Studies
...is a somewhat obscure field.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
18/156
Moxie Marlinspike
Institute For Disruptive Studies
Back In The Day
Most CAs didn't explicitly set basicConstraints:CA=False
Whether the field was there or not, most SSL
implementations didn't bother to check it. Anyonewith a valid leaf node certificate could
create and sign a leaf node certificate for anyotherdomain.
When presented with a complete chain, IE,Outlook, Konqueror, OpenSSL, and othersconsidered it valid...
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
19/156
Moxie Marlinspike
Institute For Disruptive Studies
And then in 2002...
Microsoft did something particularly annoying,so I blew this up by publishing it.
Microsoft claimed that it was impossible to
exploit. So I also published the tool that exploits it.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
20/156
Moxie Marlinspike
Institute For Disruptive Studies
sslsniff
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
21/156
Moxie Marlinspike
Institute For Disruptive Studies
sslsniff
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
22/156
Moxie Marlinspike
Institute For Disruptive Studies
sslsniff
sslsniff
Intercept a connection fromthe client side.
Generate a certificate for thesite it is connecting to.
Sign it with any random validleaf node certificate.
Pass that certificate chain tothe client.
Make a normal SSLconnection to the server.
Pass data between client andserver, decrypting and
encrypting on each end.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
23/156
sslsniff post-disclosure
You'd be surprised who still doesn't check basicconstraints.
Even when people got warning dialogs in browsers
that had been fixed, most of the time they'd just clickthrough them.
Still useful as a general MITM tool for SSL.
The folks who did the MD5 hash collision stuff used
sslsniff to hijack connections once they'd gotten a CA cert. There are other uses yet, to be disclosed another day
(and today!).
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
24/156
Moxie Marlinspike
Institute For Disruptive Studies
Lately, I've been talking about
SSL Stripping...
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
25/156
Moxie Marlinspike
Institute For Disruptive Studies
brief
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
26/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
27/156
Moxie Marlinspike
Institute For Disruptive Studies
SSL can be useful, but how it's deployed
matters
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
28/156
Moxie Marlinspike
Institute For Disruptive Studies
In the context of web browsing
SSL is almost never encountered directly.
Nobody types:
https://...
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
29/156
Moxie Marlinspike
Institute For Disruptive Studies
In the context of web browsing
It is either encountered as a result of:
A 302 redirect from an HTTP URL to an HTTPSURL.
An HTTPS link that a user clicks on from an HTTPpage.
(Think, My Cart, Checkout, Login, etc...)
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
30/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
31/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
32/156
Moxie Marlinspike
Institute For Disruptive Studies
We Can Attack SSL
Before We Even Get There
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
33/156
Moxie Marlinspike
Institute For Disruptive Studies
sslsniff
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
34/156
Moxie Marlinspike
Institute For Disruptive Studies
sslstrip
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
35/156
Moxie MarlinspikeInstitute For Disruptive Studies
sslstrip
sslstrip
Watch HTTP traffic go by. Switch to and keep a map of what you've changed. Switch Location: https:// to Location: http:// and keep a map of what you've changed.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
36/156
H D I L ?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
37/156
How Does It Look?
H D I L ?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
38/156
How Does It Look?
H D I L ?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
39/156
How Does It Look?
H D It L ?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
40/156
How Does It Look?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
41/156
Moxie MarlinspikeInstitute For Disruptive Studies
the evolution of positive/negative
feedback helps make this successful
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
42/156
The sites themselves confuse us
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
43/156
The sites themselves confuse us.
S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
44/156
Some sites provide no visible difference.
S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
45/156
Some sites provide no visible difference.
Secure Or Stripped?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
46/156
Secure Or Stripped?
O L T
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
47/156
Other Little Tricks:
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
48/156
Moxie MarlinspikeInstitute For Disruptive Studies
Where can we go from here?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
49/156
Moxie MarlinspikeInstitute For Disruptive Studies
Where do we needto go from here?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
50/156
Moxie MarlinspikeInstitute For Disruptive Studies
What's with certificates, anyways?
X509Certificate
Version
Serial Number
Issuer
Validity (not before X or after Y)
Subject
PublicKeySignatureAlgorithm
Signature
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
51/156
Moxie MarlinspikeInstitute For Disruptive Studies
What's with certificates, anyways?
X509Certificate
Version
Serial Number
Issuer
Validity (not before X or after Y)
Subject
PublicKeySignatureAlgorithm
Signature
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
52/156
Moxie MarlinspikeInstitute For Disruptive Studies
What's with certificates, anyways?
X509Certificate
Version
Serial Number
Issuer
Validity (not before X or after Y)
Subject
PublicKeySignatureAlgorithm
Signature
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
53/156
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
54/156
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
55/156
Moxie MarlinspikeInstitute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
56/156
Moxie MarlinspikeInstitute For Disruptive Studies
The Big Three
Secrecy
Authenticity Integrity
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
57/156
Moxie MarlinspikeInstitute For Disruptive Studies
SSL/TLS Handshake Beginnings
ClientHello
ServerHello, ServerCertificate
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
58/156
Moxie MarlinspikeInstitute For Disruptive Studies
SSL Handshake Beginnings
X509Certificate
Version
Serial Number
IssuerValidity
Subject
PublicKey
SignatureAlgorithm
Signature
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
59/156
Moxie MarlinspikeInstitute For Disruptive Studies
The Problems For Us Begin
ClientHello
ServerHello,
ServerCertificate?
Attacker
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
60/156
Moxie MarlinspikeInstitute For Disruptive Studies
Let's start by looking back once more.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
61/156
Moxie MarlinspikeInstitute For Disruptive Studies
In 2000, things were different.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
62/156
Moxie MarlinspikeInstitute For Disruptive Studies
Notaries!
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
63/156
Moxie MarlinspikeInstitute For Disruptive Studies
Identification!
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
64/156
Moxie MarlinspikeInstitute For Disruptive Studies
Phone Calls!
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
65/156
Moxie MarlinspikeInstitute For Disruptive Studies
Actual people involved...
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
66/156
Moxie MarlinspikeInstitute For Disruptive Studies
That is a bygone era
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
67/156
Moxie MarlinspikeInstitute For Disruptive Studies
These days it's all about:
online domain validation
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
68/156
Moxie MarlinspikeInstitute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
69/156
Moxie MarlinspikeInstitute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
70/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
71/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
72/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
www.bankofamerica.com
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
73/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
www.bankofamerica.com
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
74/156
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
75/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
www.bankofamerica.com
WHOIS Lookup
Email [email protected]
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
76/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
www.bankofamerica.com
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
77/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
www.bankofamerica.com
CS
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
78/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
certificate.authorities.are.a.total.ripoff.bankofamerica.com
PKCS
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
79/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10
CertificateRequest
Version
Subject
PublicKey
Attributes
certificate.authorities.are.a.total.ripoff.bankofamerica.com
S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
80/156
Moxie Marlinspike
Institute For Disruptive Studies
Subjects
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name
S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
81/156
Moxie Marlinspike
Institute For Disruptive Studies
Subjects
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name
The X.509 standard isa total nightmare.
Three revisions,
twenty years. Parts of the standard
have literally beenlost and then laterfound again.
S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
82/156
Moxie Marlinspike
Institute For Disruptive Studies
Subjects
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name
The original vision for theDN was that each DN wouldfit into some global DirectoryInformation Tree.
In practice, the standard isweak, everyone doeseverything differently, andthe global DIT nevermaterialized.
S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
83/156
Moxie Marlinspike
Institute For Disruptive Studies
Subjects
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name
There is nothing in any of thesestandards that would prevent mefrom including a 1 gigabit MPEGmovie of me playing with my catas one of the RDN components ofthe DN in my certificate.
-- Bob Jueneman on IETF-PKIX
S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
84/156
Moxie Marlinspike
Institute For Disruptive Studies
Subjects
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name www.bankofamerica.com
CN
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
85/156
Moxie Marlinspike
Institute For Disruptive Studies
CN
commonName ::=SEQUENCE { { 2 5 4 3 }, StringType( SIZE( 1...64 ) ) }
IA5String:
0x16 ID
0x05 Length (5 Chars)
0x76, 0x61, 0x6c, 0x75, 0x65 v, a, l, u, e
CN E
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
86/156
Moxie Marlinspike
Institute For Disruptive Studies
CN Encoding
Essentially, the CN field is represented as aPASCAL String.
This is different from how C strings arerepresented.
0xe w w w . p a y p a l . c o m
w w w . p a y p a l . c o m \0
PKCS # S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
87/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10 Subject
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name www.paypal.com
thoughtcrime.org
PKCS # S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
88/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10 Subject
www.thoughtcrime.org
Common Name
PKCS # S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
89/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10 Subject
verisign.eats.children.thoughtcrime.org
Common Name
PKCS # S
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
90/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10 Subject
iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.thoughtcrime.org
Common Name
PKCS # S t
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
91/156
Moxie Marlinspike
Institute For Disruptive Studies
PKCS #10 Subject
www.paypal.com\0.thoughtcrime.org
Common Name
PKCS #10 Certificate Signing
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
92/156
Moxie Marlinspike
Institute For Disruptive Studies
Request
CertificateRequest
Version
SubjectPublicKey
Attributes
www.paypal.com\0.thoughtcrime.org
PKCS #10 Certificate Signing
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
93/156
Moxie Marlinspike
Institute For Disruptive Studies
Request
CertificateRequest
Version
SubjectPublicKey
Attributes
www.paypal.com\0.thoughtcrime.org
WHOIS Lookup
And contact... me!
Our Original Scenario
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
94/156
Moxie Marlinspike
Institute For Disruptive Studies
Our Original Scenario
ClientHello
ServerHello,
ServerCertificate[www.paypal.com\0.thoughtcrime.org]
Attacker
Our Original Scenario
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
95/156
Moxie Marlinspike
Institute For Disruptive Studies
Our Original Scenario
X509Certificate
VersionSerial Number
Issuer
Validity
Subject
PublicKeySignatureAlgorithm
Signature
Our Original Scenario
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
96/156
Moxie Marlinspike
Institute For Disruptive Studies
Our Original Scenario
char *destination = getDomainWeAreConnectingTo();
char *commonName = getCommonNameFromCertificate();
bool everythingIsOk = (strcmp(destination, commonName) == 0);
In memory though
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
97/156
Moxie Marlinspike
Institute For Disruptive Studies
In memory, though...
w w w . p a y p a l . c o m \0
char *destination
w w w . p a y p a l . c o m \0 . t h o u g h t c r i m e . o r g \0.
char *commonName
In memory though
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
98/156
Moxie Marlinspike
Institute For Disruptive Studies
In memory, though...
w w w . p a y p a l . c o m \0
char *destination
w w w . p a y p a l . c o m \0 . t h o u g h t c r i m e . o r g \0.
char *commonName
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
99/156
Moxie Marlinspike
Institute For Disruptive Studies
In the eyes of most SSL
implementations, this certificate iscompletely validfor www.paypal.com
What are most SSL implementations?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
100/156
Moxie Marlinspike
Institute For Disruptive Studies
What are most SSL implementations?
Web Browsers Firefox, IE, Chrome, Lynx, Curl,
Mail Clients
Thunderbird, Outlook, Evolution Chat Clients
Pidgin, AIM, irssi, centericq
SSL VPNs AEP, Citrix, etc...
A First Cut: updated sslsniff
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
101/156
Moxie Marlinspike
Institute For Disruptive Studies
A First Cut: updated sslsniff
sslsniff
Iff null prefix attack certificateis available
How does it look?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
102/156
Moxie Marlinspike
Institute For Disruptive Studies
How does it look?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
103/156
Moxie Marlinspike
Institute For Disruptive Studies
How does it look?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
104/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
105/156
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
106/156
Moxie Marlinspike
Institute For Disruptive Studies
Disadvantages
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
107/156
Moxie Marlinspike
Institute For Disruptive Studies
1) Targeted attacks are kind of lame.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
108/156
Moxie Marlinspike
Institute For Disruptive Studies
Maybe there's another trick in here
somewhere...
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
109/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
110/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
111/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
112/156
Moxie Marlinspike
Institute For Disruptive Studies
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
113/156
Moxie Marlinspike
Institute For Disruptive Studies
Universal Wildcard
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
114/156
Moxie Marlinspike
Institute For Disruptive Studies
Universal Wildcard
*\0.thoughtcrime.org
Universal Wildcard
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
115/156
Moxie Marlinspike
Institute For Disruptive Studies
Universal Wildcard
*~.thoughtcrime.org
Other Weird Stuff
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
116/156
Moxie Marlinspike
Institute For Disruptive Studies
Other Weird Stuff
(www.paypal.com|mail.google.com|www.etrade.com|www.bankofamerica.com|www.wachovia.com|www.pnc.com|www.wellsfargo.com)\0.thoughtcrime.org
And... your remote exploit. 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
145 register int t p2 p1 1
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
117/156
Moxie Marlinspike
Institute For Disruptive Studies
145 register int t,p2,p1 = 1;
146 int cp;
147
148 while(1) {
149 for(cp=1;exp[cp] != ')';cp++)
150 if(exp[cp] == '\\')
151 ++cp;
152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
153 if(exp[p1] == '\\') 154 e2[p2++] = exp[p1++];
155 e2[p2] = exp[p1];
156 }
157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {
159 PORT_Free(e2);
160 return MATCH;
161 }
162 ...
And... your remote exploit. 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
145 register int t p2 p1 1;
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
118/156
Moxie Marlinspike
Institute For Disruptive Studies
145 register int t,p2,p1 = 1;
146 int cp;
147
148 while(1) {
149 for(cp=1;exp[cp] != ')';cp++)
150 if(exp[cp] == '\\')
151 ++cp;
152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
153 if(exp[p1] == '\\') 154 e2[p2++] = exp[p1++];
155 e2[p2] = exp[p1];
156 }
157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {
159 PORT_Free(e2);
160 return MATCH;
161 }
162 ...
And... your remote exploit. 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
145 register int t p2 p1 1;
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
119/156
Moxie Marlinspike
Institute For Disruptive Studies
145 register int t,p2,p1 = 1;
146 int cp;
147
148 while(1) {
149 for(cp=1;exp[cp] != ')';cp++)
150 if(exp[cp] == '\\')
151 ++cp;
152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
153 if(exp[p1] == '\\') 154 e2[p2++] = exp[p1++];
155 e2[p2] = exp[p1];
156 }
157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {
159 PORT_Free(e2);
160 return MATCH;
161 }
162 ...
And... your remote exploit. 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
145 register int t p2 p1 1;
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
120/156
Moxie Marlinspike
Institute For Disruptive Studies
145 register int t,p2,p1 = 1;
146 int cp;
147
148 while(1) {
149 for(cp=1;exp[cp] != ')';cp++)
150 if(exp[cp] == '\\')
151 ++cp;
152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
153 if(exp[p1] == '\\') 154 e2[p2++] = exp[p1++];
155 e2[p2] = exp[p1];
156 }
157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {
159 PORT_Free(e2);
160 return MATCH;
161 }
162 ...
And... your remote exploit.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
121/156
Moxie Marlinspike
Institute For Disruptive Studies
(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
122/156
And... your remote exploit.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
123/156
Moxie Marlinspike
Institute For Disruptive Studies
(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com
And... your remote exploit.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
124/156
Moxie Marlinspike
Institute For Disruptive Studies
(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com
No signed signature required! Possible to sneak non-ASCII characters past the NSS filters. This yields something exploitable in Firefox, Thunderbird, Evolution, Pidgin, and AIM.
A Second Cut: sslsniff with
wildcard support
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
125/156
Moxie Marlinspike
Institute For Disruptive Studies
wildcard support
sslsniff
Perform MITM if null termination attack cert is available. Or perform MITM with universal wildcard cert if client is NSS.
A Second Cut: updated sslsniff
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
126/156
Moxie Marlinspike
Institute For Disruptive Studies
sslsniff
Watches network and fingerprints clients forlevel of vulnerability.
Every NSS client's communication isintercepted either with a specific nulltermination certificate, or with the universalwildcard certificate.
Every non-NSS client that is vulnerable isintercepted with a null termination certificate ifavailable for the destination host.
Non-vulnerable clients are left alone to avoiddetection.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
127/156
Moxie Marlinspike
Institute For Disruptive Studies
What do we have to worry about?
What do we have to worry about?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
128/156
Moxie Marlinspike
Institute For Disruptive Studies
1) Certificate Revocation
t would be unfortunate if some bitter CertificateAuthority decided to revoke my universalwildcard certificates or any of my null-
termination certificates.2) Updates
It would be unfortunate if some bitter SSL
implementation decided to start paying attentionto how ASN.1 is formatted.
What do we have to worry about?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
129/156
Moxie Marlinspike
Institute For Disruptive Studies
1) Certificate Revocation
It would be unfortunate if some bitter CertificateAuthority decided to revoke our universalwildcard certificates or any of our null-
termination certificates.2) Updates
It would be unfortunate if some bitter SSL
implementation decided to start paying attentionto how ASN.1 is formatted.
What do we have to worry about?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
130/156
Moxie Marlinspike
Institute For Disruptive Studies
1) Certificate Revocation These days, it's all about Online Certificate Status
Protocol (OCSP).
Whenever a SSL stack sees a new certificate, it makes
a quick request to the OCSP URL that the signing CAembedded in it.
The SSL stack receives a signed response from theOCSP provider indicating whether the certificate has
been revoked or not.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
131/156
Moxie Marlinspike
Institute For Disruptive Studies
Defeating OCSP
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
132/156
Moxie Marlinspike
Institute For Disruptive Studies
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
Defeating OCSP
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
133/156
Moxie Marlinspike
Institute For Disruptive Studies
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING
}
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
Defeating OCSP
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
134/156
Moxie Marlinspike
Institute For Disruptive Studies
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING
}
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
Defeating OCSP
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
135/156
Moxie Marlinspike
Institute For Disruptive Studies
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING
}
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
Defeating OCSP
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
136/156
Moxie Marlinspike
Institute For Disruptive Studies
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING
}
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
137/156
Defeating OCSP
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
138/156
Moxie Marlinspike
Institute For Disruptive Studies
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
OCSPResponseStatus ::= ENUMERATED {
successful (0), --Response has valid confirmations
malformedRequest (1), --Illegal confirmation request
internalError (2), --Internal error in issuer
tryLater (3), --Try again later
--(4) is not used
sigRequired (5), --Must sign the request
unauthorized (6) --Request unauthorized
}
Defeating OCSP
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
139/156
Moxie Marlinspike
Institute For Disruptive Studies
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
OCSPResponseStatus ::= ENUMERATED {
successful (0), --Response has valid confirmations
malformedRequest (1), --Illegal confirmation request
internalError (2), --Internal error in issuer
tryLater (3), --Try again later
--(4) is not used
sigRequired (5), --Must sign the request
unauthorized (6) --Request unauthorized
}
Defeating OCSP
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
140/156
Moxie Marlinspike
Institute For Disruptive Studies
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus = 3,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
141/156
PROPOSED STANDARD
Network Working Group M. MyersRequest for Comments: 2560 VeriSignCategory: Standards Track R. Ankney
CertCo
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
142/156
Moxie Marlinspike
Institute For Disruptive Studies
A. MalpaniValiCert
S. Galperin
My CFOC. Adams
Entrust TechnologiesJune 1999
X.509 Internet Public Key Infrastructure
Online Certificate Status Protocol - OCSP
Status of this Memo
This document specifies an Internet standards track protocol for theInternet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "InternetOfficial Protocol Standards" (STD 1) for the standardization stateand status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
3
A Third Cut: ocsp-aware sslsniff
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
143/156
Moxie Marlinspike
Institute For Disruptive Studies
sslsniff
Watch network and fingerprints clients for level ofvulnerability.
Every NSS client's communication is intercepted either with a specific null termination certificate, orwith the universal wildcard certificate.
Every non-NSS client that is vulnerable is interceptedwith a null termination certificate if available for thedestination host.
Non-vulnerable clients are left alone to avoiddetection.
Optionally watch for OCSP requests corresponding tocertificates we're using, and tryLater them to defeatOCSP.
What do we have to worry about?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
144/156
Moxie Marlinspike
Institute For Disruptive Studies
2) Updates It used to be that people, you know, downloaded and
installed updates.
As software gets more complicated, it is inevitably
shipped with more bugs, and attackers are situated toexploit them on a larger scale.
So some have felt the need to deploy self-updatingsoftware in order to fix problems rapidly.
What do we have to worry about?
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
145/156
Moxie Marlinspike
Institute For Disruptive Studies
2) Updates This is bad news for us, because by standing here and
talking to you about this stuff, it probably means thatSSL implementations are going to fix these problems.
But their update mechanisms in themselves seem likekind of a dangerous idea, right?
Maybe there's something we can do about our problem.
Firefox/Thunderbird: A Case Study
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
146/156
Moxie Marlinspike
Institute For Disruptive Studies
When you install Firefox, it comes with a feature called
automatic update service, which happens to be enabledby default.
Here be dragons.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
147/156
Firefox/Thunderbird: A Case Study
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
148/156
Moxie Marlinspike
Institute For Disruptive Studies
Firefox and Thunderbird depend on their TLS connection to the
update server to defend them against all possible attacks. Code is returned from the update server either as a binary diff
against the distribution binary the client is running, or as acomplete image of the binary.
By default, minor updates are downloaded and installedsilently only prompting the user to restart their browser onceeverything is done.
The update server is the one who reports the version numberof the update, so it is effectively up to the server whether theimage it provides is installed silently or not.
Firefox/Thunderbird: A Case Study
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
149/156
Moxie Marlinspike
Institute For Disruptive Studies
As vendors start to release patches for this vulnerability, the update
mechanisms themselves will be vulnerable. All we need is a universal wildcard cert, or alternately a null-termination
prefix cert for aus2.mozilla.org, and we can take control of the updatemechanism to deliver payloads of our choice.
This could be anything:
A rootkit that logs keystrokes.
Something that sends all traffic/email through a server of ourchoosing.
A completely legitimate image that just happens to include our
own CA certs. Or, just to be confusing, a totally different web browser (Thank
you for updating to Galeon 0.0.3!) or even a completely differenttype of application notepad.exe comes to mind.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
150/156
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
151/156
Postscript:
Stripping NULL is no solution
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
152/156
Moxie Marlinspike
Institute For Disruptive Studies
Some SSL/TLS implementations (Safari,Opera) appear to strip '\0' from commonNamestrings before comparing.
Thus:
www.paypal.com\0.thoughtcrime.org
Becomes:
www.paypal.com.thoughtcrime.org
Postscript:
Stripping NULL is no solution
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
153/156
Moxie Marlinspike
Institute For Disruptive Studies
These implementations are vulnerable to avariation of our attack.
The key is that some Certificate Authorities arevulnerable to this attack internally.
When presented withwww.paypal.com\0.thoughtcrime.org, some CAsinternally validate it as www.paypal.com
But the whole string(www.paypal.com\0.thoughtcrime.org) is what endsup in the subject of the cert they later issue.
Postscript:
Stripping NULL is no solution
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
154/156
Moxie Marlinspike
Institute For Disruptive Studies
So if we register a domain like sitekey.ba We can get a certificate for
sitekey.ba\0nkofamerica.com
The CAs that are internally vulnerable to thisattack will validate that certificate againstsitekey.ba, which we own.
When the cert is later presented to a SSL
implementation that strips \0, the certificate'scommon name becomes:sitekey.bankofamerica.com
Conclusion
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
155/156
Moxie Marlinspike
Institute For Disruptive Studies
We have a MITM attack that will intercept communication foralmost all SSL/TLS implementations.
In the case of NSS (Firefox, Thunderbird, Evolution, AIM,Pidgin) we only need a single certificate.
We've defeated the OCSP protocol as implemented.
We've hijacked the Mozilla auto-updates for both applicationsand extensions.
We've got an exploitable overflow.
In short, we've got your passwords, your communication, andcontrol over the software that runs on your computer.
-
8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice
156/156
sslsniff and sslstrip:
http://www.thoughtcrime.org