mitm attacks on https sessions
play

MitM attacks on HTTPS sessions Much of this material can also be - PowerPoint PPT Presentation

Mar 28, 2023 •579 likes •971 views

Software and Web Security 2 MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation by Moxie Marlinspike; see URL on course page sws2 1 MitM (Man-in-the-Middle) attacks MitM attack: attacker

  1. Software and Web Security 2 MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation by Moxie Marlinspike; see URL on course page sws2 1

  2. MitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring victim to his website and passing on traffic to another site • HTTPS (ie HTTP over TLS/SSL) should protect against this... • There are different ways in which this can go wrong – on the protocol/network level – security flaws in the browser or at the Certificate Authority (CA), • in the software or the human/organisation • One particular attack is SSL stripping, invented by Moxie Marlinspike, and implemented in sslstrip tool sws2 2

  3. (Aside: name confusion on SSL vs TLS) • Is it SSL, TLS, SSL/TLS, or TLS/SSL? • SSL (Secure Socket Layer) developed at Netscape. Version 1.0 never released. Version 2.0 had several security flaws • SSL 3.0 renamed to TLS, of which versions 1.0, 1.1, and 1.2 exist sws2 3

  4. Reminder: weaknesses/attacks on HTTPS already discussed in week 3 • Implementation flaws in various TLS implementations – such as HeartBleed, iOS goto bug, or FREAK • Software failing to do the right certificate checks • Certificate Authorities being hacked • Software in webbrower displaying URLs incorrectly – eg http://paypal.com%01%00@mafia.com • Human user of the web browser not checking things correctly – but punycode representation of URLs is a countermeasure against user being confusing by strange character sets sws2 4

  5. SSL stripping sws2 5

  6. Two variants of SSL stripping HTTPS HTTP bank.com HTTPS HTTPS bank.com sws2 6

  7. SSL stripping (1) HTTPS HTTP bank.com sws2 7

  8. SSL stripping (1) HTTP + HTTPS The idea: the attacker forces the browser to fall back to an HTTP session, and hope the user won’t notice the missing s HTTPS HTTP bank.com When can the attacker do this? If the user a) types in rabobank.nl, without https in front of it b) begins a HTTPS session by clicking on a link in a webpage that was retrieved with HTTP sws2 8

  9. MitM attack on start of HTTPS session (b) user MitM website some HTTP request change HTTPS links to HTTP links user clicks a change HTTP request replaced link back to HTTPS request change HTTPS links to HTTP links server thinks very careful user will there is nothing notice missing s in wrong! browser toolbar sws2 9

  10. MitM attack on starting of HTTPS session (a) user MitM website user types in request for rabobank.nl http://rabobank.nl redirect (302) to redirect (302) to http://rabobank.nl https://rabobank.nl change HTTPS to HTTP brower https://rabobank.nl follows redirect change HTTP request back to HTTPS request change HTTPS links to HTTP links server thinks careful user would there is nothing notice missing s in wrong! browser toolbar sws2 10

  11. SSL stripping (1) • The MitM attacker – strips S from HTTPS in links in traffic from server to user – puts this S back in traffic from the user to the server • The result bank.com HTTPS HTTP • The attacker can now intercept a username and password that the user sends (typically in a POST request) • After intercepting this information, the attacker could stop the MitM attack, so that a secure tunnel between user & server is established – and the user can then no longer see anything wrong! sws2 11

  12. Some problems & fixes • Secure cookies won’t be sent by the client’s browser over HTTP Solution: remove the secure bit from Set Cookie instructions when forwarding traffic from the server to user Similarly, the attacker can • strip content encodings (eg gzip) to simplify having to parse these • strip if-modified headers to prevent the web browser from reusing cached pages sws2 12

  13. Spotting this attack? A careful user can spot this attack • the URL misses the s in https • the little lock is missing in the browser corner Funny improvement: the attacker can add as flavicon sws2 13

  14. Improvement: adding flavicon user MitM website ... ... replace HTTPS links with HTTP links and add flavicon ... ... sws2 14

  15. The original secure site sws2 15

  16. SSL stripped version sws2 16

  17. The original secure site sws2 17

  18. The SSL stripped version sws2 18

  19. This window will pass username/password by https, but attacker can strip this, and reestablish the TLS session directly afterwards. Can the user still spot this? sws2 19

  20. Moral Moral of the last examples: • Never use https for a frame inside a http page • Never issues https requests from an http page sws2 20

  21. This still happens... sws2 21

  22. (old) news • http://kassa.vara.nl/tv/afspeelpagina/fragment/schokkend-nieuws-gevaarlijk-lek-in- internetbankieren-ontdekt/speel/1/ • http://webwereld.nl/beveiliging/82658-geld-stelen-via-hotspots-kon-door-lek-in- internetbankieren sws2 22

  23. SSL stripping (improved) Can we improve things? Ideally we want to get HTTPS HTTPS bank.com so the user cannot notice he is not having a TLS session? For this, we have to to trick the browser into setting up a TLS tunnel to the attacker, believing it to be bank.com sws2 23

  24. SSL stripping (2): HTTPS+HTTPS Different ways for attacker to set up TLS tunnel to himself from victim 1. Use a self-signed certificate for bank.com – but warnings will scare most users away  2. Attacker can buy domain name that looks like bank.com with international characters – browser using puny-code may reveal this to user  3. Attacker can redirect to mafia.com, for which he has a certificate a) and hope the user does not notice the mafia.com in address bar b) better, use characters that look like / and ? to make URL that looks like the bank’s, eg https://bank.com/Somelongname?.mafia.com • browser that highlights domain part of URL may warn user  sws2 24

  25. SSL stripping (2): HTTPS+HTTPS Different ways for attacker to set up TLS tunnel to himself from victim 4. older TLS implementations in browsers had a bug that allowed attackers to create certificate for any site by extending the certificate chain, – incorrectly but without the browser noticing sws2 25

  26. Certificates are chained For example, a certificate for CA DigiNotar, or VeriSign Certificate Intermediate Certificate used to sign For example, a certificate for science.ru.nl Web site Certificate used to sign sws2 26

  27. Certificates are chained CA aka root certificate Certificate Intermediate Certificate used to sign Web site aka leaf certificate Certificate used to sign sws2 27

  28. How would you implement checking these chains? Eg in a web-browser or TLS/SSL library 1. Check that the leaf node as the name of the site you are connecting to Check that the leaf node hasn’t expired 2. 3. Check the signature 4. If the signing certificate is in the list of root CAs, then stop. 5. Otherwise, go up the chain, and start again with 2 CA = Certificate Authority sws2 28

  29. Oops... For example, a certificate for CA DigiNotar, or VeriSign Certificate Intermediate Certificate used to sign For example, a certificate for science.ru.nl Web site Certificate used to sign Certificate for used to sign paypal.com sws2 29

  30. ie. this certificate is not meant to be used to check other certificates sws2 30

  31. Problems checking certificate chains (historic) Two problems with certificate chains 1. Some CAs did not set CA=FALSE in Basic Constraints 2. Some browsers did not not check it, and allowed leaf certificates to be used to sign other certificates Such bugs should now all be gone... But : history repeats itself... sws2 31

  32. Countermeasures to SSL stripping • HSTS (HTTP Strict Transport Security) Server declares “I only talk HTTPS” HTTP(S) Response Header: Strict-Transport-Security: max-age=15768000; includeSubDomain • This would stop the browser from ever issuing an HTTP request to that domain. • use HTTPS Everywhere browser plugin • Giving that CAs may not be trustworthy anyway, Chrome will now check for suspicious certificates issued for google.com sws2 32

  33. Just when you think it’s all over… Newer attacks on software handling X509 certificates: When talking to a CA to request certificates, an attacker may try • including a null character in the Common Name for which he request a certificate, eg. paypal.com[null]mafia.com – Different libraries interpret this differently! Which does the CA use and which does the browser use? • create confusing certificates with multiple Common Names, eg. paypal.com,mafia.com – Internet Explorer will respect all names in the list, Firefox will only respect the last one, and how has the CA interpreted this? • a SQL injection attack in the Certificate Signing Request to the CA • … sws2 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how

Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how

create your own exercise Christoph Schmidt, Team 1 Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how the NSA uses its access to the Backbone Goal 2: Understanding how MITM attacks can be done

1.02k views • 82 slides
KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df whoami [ haku@bsidesbox ] % getent passwd whoami | awk F :

684 views • 33 slides
HTTPS: Achievements, Challenges, and Epiphany Michael Catanzaro <mcatanzaro@igalia.com> Web

HTTPS: Achievements, Challenges, and Epiphany Michael Catanzaro <mcatanzaro@igalia.com> Web

HTTPS: Achievements, Challenges, and Epiphany Michael Catanzaro <mcatanzaro@igalia.com> Web Engines Hackfest December 7, 2015 HTTPS Basics HTTPS: Achievements, Challenges, and Epiphany 2 Man-in-the-Middle (MITM) Attacks ARP spoofing

369 views • 24 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
Mount Eliza Secondary College Steiner Stream 20 sessions 10 8 sessions 6 sessions 4 sessions

Mount Eliza Secondary College Steiner Stream 20 sessions 10 8 sessions 6 sessions 4 sessions

Mount Eliza Secondary College Steiner Stream 20 sessions 10 8 sessions 6 sessions 4 sessions 2 sessions sessions Main lesson: Maths Ideea Lab Arts Indonesian Health and English electives: Physical education Humanities Performing

3.3k views • 11 slides
MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013

MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013

MiTM Attack - Haifa-Sec MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013 MiTM Attack - Haifa-Sec MiTM Attack - Haifa-Sec DISCLAIMER DISCLAIMER 1 The following discussion is for informational

552 views • 33 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
0-to-hero 08/10 Mentors <> 08/10 Sessions Vugar Gasimov Software developer Relocate to

0-to-hero 08/10 Mentors <> 08/10 Sessions Vugar Gasimov Software developer Relocate to

0-to-hero 08/10 Mentors <> 08/10 Sessions Vugar Gasimov Software developer Relocate to Estonia https://www.workinestonia.com/ https://studyinestonia.ee/en The Most Digitally Savvy Country on Earth E-Residency The Pragma gmatic tic

708 views • 31 slides
Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS

Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS

Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Certificates Make use of trusted Certificate Authorities (CA) This public

472 views • 29 slides
s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

When Hardware Attacks s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require:

688 views • 25 slides
Some tales about TLS Hanno B ock https://hboeck.de/ 1 / 60 Introduction Certificate

Some tales about TLS Hanno B ock https://hboeck.de/ 1 / 60 Introduction Certificate

Introduction Certificate Authorities Algorithms Attacks HTTPS by default Future Final remarks Some tales about TLS Hanno B ock https://hboeck.de/ 1 / 60 Introduction Certificate Authorities Algorithms How broken is TLS? Attacks

1.23k views • 60 slides
Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren

Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren

Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren CROSSING Conference,TU Darmstadt, Germany September 2019 Joint work with Anatoly Shusterman, Lachlan Kang, Yosef Meltser, Yarden Haskal, Prateek Mittal

288 views • 27 slides
Neither Snow Nor Rain Nor MITM... Real World Email Delivery Security Zakir Durumeric

Neither Snow Nor Rain Nor MITM... Real World Email Delivery Security Zakir Durumeric

Neither Snow Nor Rain Nor MITM... Real World Email Delivery Security Zakir Durumeric University of Michigan How is your everyday email protected? Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security

943 views • 44 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security Zakir

Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security Zakir

Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Kurt Thomas, Vijay Eranti, Nicholas Lidzborski, Elie Bursztein, Michael Bailey, J. Alex

522 views • 33 slides
Embedded Linux size reduction techniques Michael Opdenacker

Embedded Linux size reduction techniques Michael Opdenacker

Embedded Linux Conference 2017 Embedded Linux size reduction techniques Michael Opdenacker michael.opdenacker@free-electrons.com http://free-electrons.com 1/1 free electrons free electrons - Embedded Linux, kernel, drivers - Development,

816 views • 42 slides
ENSDF: Structure via particle spectroscopy and a few tips for evaluation M. Shamsuzzoha Basunia,

ENSDF: Structure via particle spectroscopy and a few tips for evaluation M. Shamsuzzoha Basunia,

ENSDF: Structure via particle spectroscopy and a few tips for evaluation M. Shamsuzzoha Basunia, LBNL Joint ICTP-IAEA Workshop on Nuclear Structure and Decay Data: Experiment, Theory and Evaluation Trieste, Italy, Oct 15 26, 2018 Outline:

413 views • 37 slides
ECBAE 2020 (University of Paris) Reduced Subordinate Clauses in German Susanne Winkler

ECBAE 2020 (University of Paris) Reduced Subordinate Clauses in German Susanne Winkler

ECBAE 2020 (University of Paris) Reduced Subordinate Clauses in German Susanne Winkler University of Tbingen 15.07.2020 susanne.winkler@uni-tuebingen.de Reduced Subordinate Clauses (RCs) in German (1) a Sandy spielt FUSSball, [weil

675 views • 38 slides
Introduction to string manipulation REGULAR EX P RES S ION S IN P YTH ON Maria Eugenia

Introduction to string manipulation REGULAR EX P RES S ION S IN P YTH ON Maria Eugenia

Introduction to string manipulation REGULAR EX P RES S ION S IN P YTH ON Maria Eugenia Inzaugarat Data Scientist You will learn String manipulation e.g. replace and nd specic substrings String formatting e.g. interpolating a string

519 views • 29 slides
TURNING SWU INTO U TURNING SWU INTO U Thomas L. Neff Center for International Studies

TURNING SWU INTO U TURNING SWU INTO U Thomas L. Neff Center for International Studies

TURNING SWU INTO U TURNING SWU INTO U Thomas L. Neff Center for International Studies Massachusetts Institute of Technology tlneff@mit.edu URANIUM & SWU IMBALANCE World Uranium Production Substantially Below Apparent Requirements

405 views • 15 slides
Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded

Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded

Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded Systems and Applications Group 1 Background RISC-V is a new open-source ISA rapidly gaining momentum Definition controlled by the RISC-V

530 views • 23 slides
PbSn60 Solder Bumping PbSn60 Solder Bumping by Electroplating by Electroplating Juergen Wolf

PbSn60 Solder Bumping PbSn60 Solder Bumping by Electroplating by Electroplating Juergen Wolf

Pixel 2000, Genova Pixel 2000, Genova, June 5-8, 2000 , June 5-8, 2000 PbSn60 Solder Bumping PbSn60 Solder Bumping by Electroplating by Electroplating Juergen Wolf Wolf Juergen Fraunhofer IZM Fraunhofer IZM Berlin, Germany Berlin,

249 views • 23 slides
Antlia 2 The hidden giant Vasily Belokurov Institute of Astronomy, Cambridge based on Torrealba

Antlia 2 The hidden giant Vasily Belokurov Institute of Astronomy, Cambridge based on Torrealba

Antlia 2 The hidden giant Vasily Belokurov Institute of Astronomy, Cambridge based on Torrealba et al. 2019 What controls the size of a (dwarf) galaxy? based on: size-luminosity + abundance matching (both highly non-linear) Kravtsov 2013

561 views • 32 slides

More recommend