luke valenta gabbi fisher lukevalenta gabbifish systems
play

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems - PowerPoint PPT Presentation

Jun 30, 2023 •313 likes •701 views

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems Engineer, Cloudflare Outline 1. HTTPS Interceptors and How to Find Them: Common sources of MITM (Monsters in the Middle). 2. A technique for

  2. Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems Engineer, Cloudflare

  3. Outline 1. “HTTPS Interceptors and How to Find Them”: Common sources of MITM (Monsters in the Middle). 2. A technique for detecting HTTPS interception 3. Building tools for detecting Internet-scale HTTPS detection: MITMEngine and MALCOLM

  4. HTTPS Without Interception Server has certificate for example.com Client Server TLS

  5. HTTPS Without Interception Server has CA cert for example.com Client MITM Server TLS TLS Middlebox knows nothing about what traffic it is proxying; it only sees encrypted data.

  6. Attempting HTTPS Interception Middlebox root cert issues Server has CA cert for cert for example.com example.com Client MITM Server TLS TLS ⚠ I don’t trust this certificate...

  7. How HTTPS Interception Works Interceptor installs new Middlebox root cert issues Server has CA cert for root cert cert for example.com example.com Client MITM Server TLS TLS Middlebox inspects HTTP traffic

  8. Types of HTTPS Interception Antivirus/Corporate/Government ● Detect malware ● Detect C&C traffic ● Detect exfiltration ● Anti-terrorism ● Censorship

  9. Types of HTTPS Interception Antivirus/Corporate/Government ● Detect malware ● Detect C&C traffic ● Detect exfiltration ● Anti-terrorism ● Censorship

  10. Types of HTTPS Interception Malware ● Inject ads ● Steal private data

  11. Types of HTTPS Interception Malware ● Inject ads ● Steal private data

  12. Types of HTTPS Interception Types of HTTPS Interception Leaky Proxies ● Product features ● Convenience

  13. Types of HTTPS Interception Types of HTTPS Interception Leaky Proxies ● Product features ● Convenience

  14. Types of HTTPS Interception Types of HTTPS Interception As easy as guessing “SennheiserCC!” ¯\_( ツ )_/¯ Leaky Proxies ● Product features ● Convenience

  15. Types of HTTPS Interception Types of HTTPS Interception Reverse Proxies ● Security ● Performance ● Reliability

  16. Types of HTTPS Interception Types of HTTPS Interception Reverse Proxies ● Security ● Performance ● Reliability

  17. Types of HTTPS Interception Types of HTTPS Interception Antivirus/Corporate/Government Malware ● Detect malware ● Inject ads ● Detect C&C traffic ● Steal private data ● Detect exfiltration ● Anti-terrorism ● Censorship Leaky Proxies Reverse Proxies ● Security ● Product features ● Performance ● Convenience ● Reliability

  18. Detecting HTTPS Interception [Durumeric et al., 2017] Client Middlebox Server TLS TLS Plaintext HTTP HTTP User-Agent: Chrome

  19. Detecting HTTPS Interception [Durumeric et al., 2017] Client Middlebox Server TLS TLS ? HTTP: Plaintext HTTP TLS: HTTP User-Agent: Chrome Server can detect mismatch between layers

  20. Identifying HTTP and TLS Clients HTTP Parse User Agent Header Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

  21. Identifying HTTP and TLS Clients HTTP Parse User Agent Header Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 TLS No identifying field is present in the protocol. Instead, use known techniques for fingerprinting browsers based on TLS Client Hello.

  22. TLS Client Hello Fingerprinting [Ristić; 2009] HTTP client fingerprinting using SSL handshake analysis. ● [Majkowski; 2012] SSL fingerprinting for p0f. ● [Brotherston; 2015] TLS Fingerprinting: Smarter Defending & Stealthier Attacking. ● [Anderson et al.; 2016] Classifying Encrypted Traffic with TLS-Aware Telemetry ● [Durumeric et al.; 2017] The Security Impact of HTTPS Interception. ● [Althouse, Atkinson, Atkins; 2017]. TLS Fingerprinting with JA3 and JA3S. ● [Anderson, McGrew; 2019]. TLS Fingerprinting in the Real World. ● [Frolov, Wustrow; 2019]. TLS Fingerprint. ●

  23. TLS Handshake (RFC 5246)

  24. TLS Handshake (RFC 5246)

  25. TLS Handshake (RFC 5246) TLS libraries tend to keep these fields the same!

  26. TLS Fingerprinting based on Client Hello [...] [...] [...]

  27. HTTPS Interception Detection Process

  28. HTTPS Interception Detection Process 1. Build database of HTTP and TLS browser fingerprints

  29. HTTPS Interception Detection Process 1. Build database of HTTP and 2. Check HTTP and TLS fingerprints of TLS browser fingerprints incoming requests against database

  30. MITMEngine: HTTPS Interception Detection Library Open sourced at https://github.com/cloudflare/mitmengine. PRs welcome! Goal #1: Maintainability ● Fingerprints quickly go stale with browser updates ○ Time-consuming to generate new fingerprints manually ○ Goal is to automatically generate ground truth fingerprints from Cloudflare’s network ○ Goal #2: Flexibility ● Currently support a flexible fingerprint format to model a variety of browser behavior ○ Plan to add support for other TLS fingerprint formats (JA3, tlsfingerprint.io) ○ Goal #3: Performance ● The system should be fast enough to deploy at scale ○ Currently deployed on a 5% sample of Cloudflare TLS requests ○

  31. MALCOLM: HTTPS Interception on Cloudflare’s Network Public dashboard located at https://malcolm.cloudflare.com. Provides insight into HTTPS ● Interception observed by Cloudflare Powered by MITMEngine ● Allows for filtering by OS, browser, ● HTTPS interception tool, etc.

  32. MALCOLM: HTTPS Interception Analytics

  33. MALCOLM: HTTPS Interception Analytics

  34. Takeaways / Sound Bytes TLS-terminating middleboxes pose serious threats to network security Heuristics based on HTTP and TLS fingerprints can be effective at detecting HTTPS interception Our new open source tool and public dashboard provide insight into the state of HTTPS interception on the Internet https://github.com/cloudflare/mitmengine ● https://malcolm.cloudflare.com ●

  35. Thank you! @gabbifish @lukevalenta

  36. References [Ristić; 2009] HTTP client fingerprinting using SSL handshake analysis. ● https://blog.ivanristic.com/2009/06/http-client-fingerprinting-using-ssl-handshake-analysis.html [Majkowski; 2012] SSL fingerprinting for p0f. https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f ● [Brotherston; 2015] TLS Fingerprinting: Smarter Defending & Stealthier Attacking. ● https://blog.squarelemon.com/tls-fingerprinting/ [Anderson et al.; 2016] Classifying Encrypted Traffic with TLS-Aware Telemetry. ● https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=449962 [Durumeric et al.; 2017] The Security Impact of HTTPS Interception. ● https://jhalderm.com/pub/papers/interception-ndss17.pdf [Althouse, Atkinson, Atkins; 2017]. TLS Fingerprinting with JA3 and JA3S. ● https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 [Frolov, Wustrow; 2019]. TLS Fingerprint. Tlsfingerprint.io ● [Anderson, McGrew; 2019]. TLS Fingerprinting in the Real World. ● https://blogs.cisco.com/security/tls-fingerprinting-in-the-real-world [Raman et al.; 2019] Kazakhstan’s HTTPS Interception. https://censoredplanet.org/kazakhstan ●

  37. Questions and Answers Q: Can’t middleware simply mimic browsers? A: The signatures of popular browsers are constanting changing, and mimicking the signatures would require the middleware to actually support all of the protocols and features of the browser (which would be great!). Q: Does this work for TLS 1.3? A: TLS 1.3 client hellos can be fingerprinted just the same as TLS 1.2 client hellos, since the record and handshake formats are kept the same.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

In search of CurveSwap: Measuring elliptic curve implementations in the wild Luke Valenta ,

In search of CurveSwap: Measuring elliptic curve implementations in the wild Luke Valenta ,

In search of CurveSwap: Measuring elliptic curve implementations in the wild Luke Valenta , Nick Sullivan , Antonio Sanso , Nadia Heninger University of Pennsylvania, Cloudflare, Adobe April 26th, 2018 1 / 19

1.28k views • 55 slides
Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian , Antonio Sanso , Shaanan Cohney , Joshua Fried , Marcella Hastings , J. Alex Halderman , Nadia Heninger University of

461 views • 42 slides
Introduction to Database Systems Module 1, Lecture 1 M. Valenta - KSI CTU FIT in Prague

Introduction to Database Systems Module 1, Lecture 1 M. Valenta - KSI CTU FIT in Prague

Introduction to Database Systems Module 1, Lecture 1 M. Valenta - KSI CTU FIT in Prague Michal.Valenta @fit.cvut.cz Based on slides: R. Ramakrishnan ( raghu@cs.wisc.edu) Materials Web site: https://edux.fit.cvut.cz/courses/BIE-DBS/ there:

945 views • 14 slides
Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq

401 views • 39 slides
Automated logging of drill core M.Klawitter 1 , R.Valenta 1 , N.Spanswick 2 , I.Fahey 2 1

Automated logging of drill core M.Klawitter 1 , R.Valenta 1 , N.Spanswick 2 , I.Fahey 2 1

Automated logging of drill core M.Klawitter 1 , R.Valenta 1 , N.Spanswick 2 , I.Fahey 2 1 University of Queensland, Sustainable Minerals Institute, Brisbane, QLD 4072 2 Glencore plc, George Fisher Mine, Mount Isa Qld 4825 CRICOS code 00025B

193 views • 16 slides
Countering quantum FUD Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke

Countering quantum FUD Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke

Countering quantum FUD Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta Countering quantum FUD Daniel J. Bernstein, Nadia Heninger, Paul Lou, Luke Valenta All crypto is broken? FUD : Nobody knows exactly when

509 views • 13 slides
Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: Josh Fried Nadia Heninger Paul

Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: Josh Fried Nadia Heninger Paul

Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: Josh Fried Nadia Heninger Paul Lou Luke Valenta Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta Parameters Scaled-down targets for

404 views • 29 slides
Luk Luke 15: e 15: 1-10 10 Luk Luke 15:1 e 15:1 Now all the tax collectors and sinners

Luk Luke 15: e 15: 1-10 10 Luk Luke 15:1 e 15:1 Now all the tax collectors and sinners

Luk Luke 15: e 15: 1-10 10 Luk Luke 15:1 e 15:1 Now all the tax collectors and sinners were coming near to listen to him. Luk Luke 15:2 e 15:2 And the Pharisees and the scribes were grumbling and saying, This fellow welcomes

1.01k views • 74 slides
BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit

BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit

BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit Super Happy Dev House 45 1 Inspired by Matt Mights (@mattmight) collection of Bash and Perl: 3 shell scripts to improve your writing, or My

306 views • 6 slides
MERRY FISHER 1095 New 2018 PROVISIONAL DOCUMENT MERRY FISHER 1095 : THE JOY OF CRUISING 2 In

MERRY FISHER 1095 New 2018 PROVISIONAL DOCUMENT MERRY FISHER 1095 : THE JOY OF CRUISING 2 In

1 MERRY FISHER 1095 New 2018 PROVISIONAL DOCUMENT MERRY FISHER 1095 : THE JOY OF CRUISING 2 In the pure tradition of the Merry Fisher line, the Merry Fisher 1095 is a weekender and an ideal family cruiser. The new Merry Fisher 1095 takes full

227 views • 22 slides
Luke 23 Luke as painter St Luke drawing the Listening to Lukes story of the cross Virgin by

Luke 23 Luke as painter St Luke drawing the Listening to Lukes story of the cross Virgin by

Luke 23 Luke as painter St Luke drawing the Listening to Lukes story of the cross Virgin by Rogier van der Weyden Steve Walton painted c.14351440 Trinity College, Bristol 1 2 Luke 23 Lukes theology of the cross central

641 views • 7 slides
Forgiveness and Three Parables of Lost Things Luke 15: 1 32 Luke 15:1, Then all the

Forgiveness and Three Parables of Lost Things Luke 15: 1 32 Luke 15:1, Then all the

Forgiveness and Three Parables of Lost Things Luke 15: 1 32 Luke 15:1, Then all the tax collectors and the sinners drew near to Him to hear Him. Luke 15:2, And the Pharisees and scribes complained, saying, This Man receives

630 views • 39 slides
Lu Luke 3: 3:15 15-17, 17, 21 21-22 22 Luke ke 3: 3:15 15 As the people were filled

Lu Luke 3: 3:15 15-17, 17, 21 21-22 22 Luke ke 3: 3:15 15 As the people were filled

Lu Luke 3: 3:15 15-17, 17, 21 21-22 22 Luke ke 3: 3:15 15 As the people were filled with expectation, and all were questioning in their hearts concerning John, whether he might be the Messiah, Luke ke 3: 3:16 16 John answered

572 views • 29 slides
Luke 24:13-35 Luke 24:13-35 New International Version Now that same day two of them were going

Luke 24:13-35 Luke 24:13-35 New International Version Now that same day two of them were going

Luke 24:13-35 Luke 24:13-35 New International Version Now that same day two of them were going to a village called Emmaus, about seven miles from Jerusalem. 14 They were talking with each other about everything that had happened. 15 As they

546 views • 20 slides
F. Instructions for the disciples on hypocrisy Luke 12:1 12 1. Luke 12:1a Evidently,

F. Instructions for the disciples on hypocrisy Luke 12:1 12 1. Luke 12:1a Evidently,

F. Instructions for the disciples on hypocrisy Luke 12:1 12 1. Luke 12:1a Evidently, these confrontations between Jesus and the Pharisees captivated the interest of thousands. 2. Luke 12:1b Hypocrisy develops slowly and gradually but

270 views • 23 slides
Campaigning in Britain Justin Fisher (Brunel University) PARTY SYSTEMS IN THE UK Calculation of

Campaigning in Britain Justin Fisher (Brunel University) PARTY SYSTEMS IN THE UK Calculation of

Party Systems, Voters and Campaigning in Britain Justin Fisher (Brunel University) PARTY SYSTEMS IN THE UK Calculation of ENEP 1 p i 2 ENEP 2010 1 (.36 + .29 + .23 + .12) 2 = 3.55 BACK TO TWO DOMINANT PARTIES? IMPACT OF DEVOLUTION

816 views • 39 slides
dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team Motivation & System Overview Why not just use CWSandbox, Anubis, Normans , JoeBox , Malware are Analys lysis is Sandbox Solutions

604 views • 24 slides
Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of programs run inside a sandbox is entirely isolated from resources outside the sandbox's authority. However, due to practical requirements, sandboxing

1.9k views • 164 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime

Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime

Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime Motives Tactics Money Spam Thuggery DDoS Espionage Targeted attacks Money Proxies Phishing

295 views • 13 slides
Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil,

Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil,

Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil, David J. Parish Akhtar H Khalil, David J. Parish a.h.khalil@lboro.ac.uk , , d.j.parish@lboro.ac.uk d.j.parish@lboro.ac.uk a.h.khalil@lboro.ac.uk

630 views • 18 slides
Database Security Catalin Bidian University of Toronto November 10, 2010 November 10, 2010

Database Security Catalin Bidian University of Toronto November 10, 2010 November 10, 2010

CCT395, Week 10 Database Security Catalin Bidian University of Toronto November 10, 2010 November 10, 2010 CCT395F 1 Database Security Main Objectives 1. Confidentiality (aka Secrecy): a. Data must be kept private b. Information

460 views • 45 slides
Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is

Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is

Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is often a game of cat and mouse as security professionals and attackers each vie to stay one step ahead of the other. In this race for dominance,

316 views • 17 slides
RansomwareDefense Follow us on Twitter : @AlphaKOR Visit our Blog: www.AlphaKOR.com/blog The

RansomwareDefense Follow us on Twitter : @AlphaKOR Visit our Blog: www.AlphaKOR.com/blog The

Header of slide goeshere AlphaKOR RansomwareDefense Follow us on Twitter : @AlphaKOR Visit our Blog: www.AlphaKOR.com/blog The Facts of the Presentation The 2019 AlphaKOR Ransomware Report is comprised of statistics pulled from a survey of

513 views • 23 slides

More recommend