Post on 01-Jan-2021
Bug ID: 1408647
Decryption, E_WHUT?! And why we should be afraid of it.
def-not-root@unimportant-machine:~$ whoami
Roy van Dongen
Security Researcher
Experience with IDP, NGFW, Decryption ;-(, Networking, …
def-not-root@unimportant-machine:~$ ./presentation -a intro
What is this talk about?
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) Just me myself and I
def-not-root@unimportant-machine:~$ ./presentation -a intro
• Intro) Small introduction.
• 1) How does the www work (simplified)?
• 2) What is SSL and how does it work?
• 3) What is Decryption and how does it work?
• 4) Why is Decryption bad, and what is actually happening?
• 5) Bug ID: 1408647????
• 6) How can a certain government use decryption against you?
• 7) What can you do?
def-not-root@unimportant-machine:~$ ./presentation -a chapter1
What does a normal HTTP request look like?
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/Transport_Layer_Security
[Figure: client (laptop) and server, connected directly]
1. Client requests HTTP connection (http://www.reddit.com/r/Catloaf/)
2. Server starts transfer of data ( Cat pictures!!11!!eleven!1!! )
def-not-root@unimportant-machine:~$ ./presentation -a chapter1
These days when browsing the internet, we are taught to use mostly HTTPS websites because «experts» tell us it is really secure!
How did this even start? Why do we need HTTPS? I've got nothing to hide…
[Figure: timeline from 1950 to present day]
• 1969: DARPA creates first ARPANET link
• 1977: TCP/IP standard agreed on
• 1981: TCP/IP RFCs published
• 1981: CERN migrates to IPv4, protocol goes global
• 1989: World Wide Web is born, first HTTP standard
• 1995: First government-authorised network wiretap
• 2000: HTTPS RFC 2818 created
• ±2006: NSA first uses Bullrun to decrypt SSL (HTTPS)
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://www.wikipedia.org
or do I?
def-not-root@unimportant-machine:~$ ./presentation -a chapter2
Title: What is SSL and how does it work?
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/Transport_Layer_Security
[Figure: client (laptop) and server, connected directly]
1. Client requests SSL connection (https://www.reddit.com/r/Catloaf/)
2. Server will now send its certificate
3. The client now validates the server certificate locally
4. Client generates and sends a session key to the server
5. Server starts encrypted transfer of data ( Cat pictures!!11!!eleven!1!! )
def-not-root@unimportant-machine:~$ ./presentation -a chapter2
Looks good, doesn't it?
Let me give you a hint…
[Figure: the same client/server diagram, with step 3 highlighted: "The client now validates the server certificate locally"]
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/Transport_Layer_Security
Already got an idea what's happening here?
def-not-root@unimportant-machine:~$ ./presentation -a chapter3
Title: What is Decryption and how does it work?
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://www.techopedia.com/definition/1773/decryption
Decryption is the process of transforming data that has been rendered unreadable through encryption back to its unencrypted form.
def-not-root@unimportant-machine:~$ ./presentation -a chapter3
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719
[Figure: client (laptop) and server, but now with a 3rd-party device ("Dunno? The NSA?") sitting in between and terminating SSL on both sides]
1. Client requests SSL connection (https://www.reddit.com/r/Catloaf/)
2. 3rd-party device requests SSL connection (https://www.reddit.com/r/Catloaf/)
3. Server will now send its certificate
4. 3rd-party device signs a new certificate with its own CA certificate
5. The client now validates the server certificate locally
6. Client generates and sends a session key to the server
7. 3rd-party device generates and sends a new session key to the server
8. Server starts encrypted transfer of data ( Cat pictures!!11!!eleven!1!! )
9. Precious cat pictures
-> ??? E_WHUT
def-not-root@unimportant-machine:~$ ./presentation -a chapter3
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) http://knowyourmeme.com/memes/did-you-just-assume-my-gender
Did you just assume my trust?
5. The client now validates the server certificate locally
def-not-root@unimportant-machine:~$ ./presentation -a chapter4
It's now about time we start talking about trust…
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/Chain_of_trust
-> reddit.com?
def-not-root@unimportant-machine:~$ ./presentation -a chapter4
How does this work IRL?
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) Google Chrome on OSX
def-not-root@unimportant-machine:~$ ./presentation -a chapter4
This is where the pre-defined system roots kick in
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) Privately owned Windows, Linux and OSX system
def-not-root@unimportant-machine:~$ ./presentation -a chapter5
Title: «Bug ID: 1408647????»
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://bugzilla.mozilla.org/show_bug.cgi?id=1408647
def-not-root@unimportant-machine:~$ ./presentation -a chapter5
Proposal for: «Wet op de Inlichtingen en Veiligheidsdiensten 2017» (the Dutch Intelligence and Security Services Act 2017)
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://zoek.officielebekendmakingen.nl/stb-2017-317.html
def-not-root@unimportant-machine:~$ ./presentation -a chapter6
So when will this…
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) Google Chrome on OSX
become this?
def-not-root@unimportant-machine:~$ ./presentation -a chapter7
Title: What can you do?
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
2) https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
def-not-root@unimportant-machine:~$ ./presentation -a chapter7
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
2) https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
• DNS CAA
• Public Key Pinning
• Untrusted Certificates List (OS dependent)
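Public key pinning is the item on this list that catches exactly the chapter 3 scenario: the 3rd-party device can sign a certificate for the same site with its own CA, but it cannot sign it for the real server's key. The block below is an added example, not code from the talk: it computes the HPKP-style pin (base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo) with a minimal DER walker and checks a presented leaf against a pinned value. The two certificates are constructed dummies with placeholder key bytes and made-up CA names; nothing in them is a real key or a real certificate.

```python
import base64, hashlib

def der_tlv(tag, body):
    """Encode one DER tag-length-value (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_children(body):
    """Yield (tag, raw_tlv, value) for each TLV inside a constructed DER body."""
    i = 0
    while i < len(body):
        start, tag, ln, i = i, body[i], body[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(body[i:i + n], "big"), i + n
        yield tag, body[start:i + ln], body[i:i + ln]
        i += ln

def spki_pin(cert_der):
    """HPKP-style pin of a v3 certificate: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    _, _, cert_body = next(der_children(cert_der))
    _, _, tbs = next(der_children(cert_body))           # tbsCertificate
    fields = list(der_children(tbs))
    spki_raw = fields[6][1]   # [0]version, serial, sigAlg, issuer, validity, subject, SPKI
    return base64.b64encode(hashlib.sha256(spki_raw).digest()).decode()

def pin_matches(cert_der, pinned):
    """True only if the presented leaf carries a key the client pinned earlier."""
    return spki_pin(cert_der) in pinned

def fake_cert(subject_cn, issuer_cn, key_bytes):
    """Constructed test data: a structurally valid X.509 v3 DER cert with a dummy
    key and an all-zero signature; no real key or certificate is involved."""
    def name(cn):
        rdn = der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn.encode())
        return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, rdn)))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = der_tlv(0x30, der_tlv(0x17, b"210101000000Z") * 2)
    rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b"")
    spki = der_tlv(0x30, der_tlv(0x30, rsa) + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 33))

# Same site, two leaves: the real CA's, and one minted by an interception device
# with its own CA (chapter 3). Same subject, different key: only the first pins.
LEGIT = fake_cert("www.reddit.com", "Some Public CA", b"\x01" * 32)
FORGED = fake_cert("www.reddit.com", "Decryption Appliance CA", b"\x02" * 32)
PINS = {spki_pin(LEGIT)}        # recorded on an earlier, clean connection
```

The pin covers only the key, so a renewed certificate for the same key still matches, while any certificate minted by a device with its own CA fails the check regardless of what the system root store says about that CA.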
def-not-root@unimportant-machine:~$ ./presentation -a outro
def-not-root@unimportant-machine:~$ cat /etc/apt/sources.d/presentation
1) https://pixelbar.nl
2) https://stazidernederlanden.org