More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.
Transcript of More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.
![Page 1: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/1.jpg)
More Trick For Defeating SSL
DEFCON 17 – Moxie Marlinspike
![Page 2: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/2.jpg)
Outline
1. Introduction
2. Background Knowledge: SSL/TLS protocol
3. sslstrip
4. sslsniff
   A. Basic Constraints vulnerability
   B. Null-Prefix Attack
   C. Bypassing OCSP
5. Conclusion
![Page 3: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/3.jpg)
Introduction
Demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach.
![Page 4: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/4.jpg)
Background Knowledge: SSL/TLS Protocol
![Page 5: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/5.jpg)
SSL/TLS Introduction
SSL/TLS: abbreviation for Transport Layer Security and its successor, Secure Socket Layer.
Provides communication security over the Internet, even when the network is under a MITM (man-in-the-middle) attack.
![Page 6: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/6.jpg)
Network Stack
![Page 7: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/7.jpg)
Handshake Process
![Page 8: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/8.jpg)
Handshake Process
![Page 9: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/9.jpg)
SSLstrip
![Page 10: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/10.jpg)
SSLstrip Introduction [1]
A demonstration of the HTTPS stripping attack. It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links.
![Page 11: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/11.jpg)
How it works
How does the browser bridge from www.facebook.com to https://www.facebook.com? Two ways: a 302 redirect, or a hyperlink.
![Page 12: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/12.jpg)
302 Redirect
![Page 13: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/13.jpg)
Detail – Normal Scenario (User/Browser and Server)
1. User types: example.com
2. Browser requests http://example.com
3. Server replies 302 redirect to https://abc.example.com
4. Browser requests https://abc.example.com
5. SSL/TLS handshake
6. Server replies 200 OK
![Page 14: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/14.jpg)
Detail – Normal Scenario
![Page 15: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/15.jpg)
Detail – Attack Scenario (User/Browser, Attacker, Server)
1. Browser requests http://example.com; the attacker forwards the request for http://example.com to the server.
2. Server replies 302 redirect to https://abc.example.com.
3. Attacker strips https to http and records the URL; the browser receives a 302 redirect to http://abc.example.com.
4. Browser requests http://abc.example.com. The attacker matches it against the recorded URL https://abc.example.com and performs the SSL/TLS handshake with the server itself.
5. Server sends application data; the attacker strips https to http in it and relays the stripped application data to the browser.
![Page 16: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/16.jpg)
Result (without strip)
![Page 17: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/17.jpg)
Result (with strip)
![Page 18: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/18.jpg)
What can't sslstrip do
1. When the browser queries https://abc.example.com directly: bookmarks, or the user typing the https URL.
2. Other protocols: SMTPS, FTPS, SFTP, ...
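To make the three-party exchange on the attack-scenario slides concrete, and to show why the "browser queries https directly" case is out of reach, here is a small simulation. It is an added example for this transcript, not code from the talk or from the sslstrip tool: the origin server, the proxy's record/match map, the hostnames, and the browser's list of remembered https-only hosts (a stand-in for a bookmark, a typed https URL, or an HSTS cache) are all constructed for the example.

```python
"""Simulation of the sslstrip exchange on the slides (added example; not
the talk's or the tool's code). All hosts, responses and caches below are
constructed for the example."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+")


def origin_server(url: str) -> dict:
    """Constructed origin: http requests get a 302 to the https host,
    https requests get the real page (which links to https)."""
    if urlsplit(url).scheme == "http":
        return {"status": 302,
                "headers": {"Location": "https://abc.example.com/"},
                "body": ""}
    return {"status": 200, "headers": {},
            "body": '<a href="https://abc.example.com/login">Log in</a>'}


class StrippingProxy:
    """Model of the 'Strip https to http' / 'Record url' / 'url match'
    steps: every https URL seen in a response is rewritten to http and
    remembered, so a later plain-http request for it can be matched back
    to the https origin."""

    def __init__(self) -> None:
        self.recorded: dict[str, str] = {}

    def _strip(self, text: str) -> str:
        def rewrite(match: re.Match) -> str:
            https_url = match.group(0)
            http_url = "http://" + https_url[len("https://"):]
            self.recorded[http_url] = https_url      # Record url
            return http_url
        return HTTPS_URL.sub(rewrite, text)

    def handle(self, url: str) -> dict:
        upstream = self.recorded.get(url, url)       # url match
        resp = origin_server(upstream)               # proxy does the TLS leg
        return {"status": resp["status"],
                "headers": {k: self._strip(v) for k, v in resp["headers"].items()},
                "body": self._strip(resp["body"])}


class Browser:
    """Follows redirects through the proxy. Hosts in `https_only` are
    fetched over https no matter what a link or redirect said (the
    bookmark / typed-URL case from the 'What can't sslstrip do' slide;
    an HSTS cache behaves the same way and is assumed here)."""

    def __init__(self, https_only: set[str] | None = None) -> None:
        self.https_only = https_only or set()
        self.log: list[str] = []

    def _upgrade(self, url: str) -> str:
        u = urlsplit(url)
        if u.scheme == "http" and u.hostname in self.https_only:
            return "https://" + url[len("http://"):]
        return url

    def visit(self, typed: str, proxy: StrippingProxy, max_hops: int = 5):
        url = self._upgrade(typed)
        for _ in range(max_hops):
            self.log.append(url)
            # An https request is a real TLS session with the origin; the
            # proxy is still on the path but cannot read or rewrite it.
            resp = origin_server(url) if urlsplit(url).scheme == "https" else proxy.handle(url)
            if resp["status"] == 302:
                url = self._upgrade(resp["headers"]["Location"])
                continue
            return url, resp["body"]
        raise RuntimeError("too many redirects")


def run_scenarios() -> dict:
    """Victim: plain browser. Defended: abc.example.com remembered as https-only."""
    proxy = StrippingProxy()
    victim = Browser()
    v_url, v_body = victim.visit("http://example.com/", proxy)
    defended = Browser(https_only={"abc.example.com"})
    d_url, d_body = defended.visit("http://example.com/", proxy)
    return {"victim_final_url": v_url, "victim_body": v_body, "victim_log": victim.log,
            "defended_final_url": d_url, "defended_body": d_body,
            "defended_log": defended.log, "recorded": dict(proxy.recorded)}


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The proxy only ever sees the victim's second request because the victim followed the rewritten redirect over plain http. The defended browser receives the very same stripped redirect but upgrades the target back to https before sending it, so that request never passes through `handle()` at all; this is the "queries https directly" case the slide lists as beyond sslstrip's reach.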
![Page 19: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/19.jpg)
SSLsniff – Basic Constraints vulnerability
![Page 20: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/20.jpg)
Certificate Chaining
![Page 21: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/21.jpg)
Certificate Chaining
![Page 22: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/22.jpg)
How we verify
1. Verify that the name of the leaf node is the same as the site you're connecting to.
2. Verify that the leaf certificate has not expired.
3. Check the signature. If the signing CA is in our list of trusted root CAs, stop. Otherwise, move one up the chain and repeat.
![Page 23: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/23.jpg)
![Page 24: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/24.jpg)
![Page 25: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/25.jpg)
What they say
1. Verify that the name of the leaf node is the same as the site you're connecting to.
2. Verify that the leaf certificate has not expired.
3. Check the signature. If the signing CA is in our list of trusted root CAs, stop. Otherwise, move one up the chain and repeat.
![Page 26: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/26.jpg)
But we just created a valid certificate for PayPal, and we're not PayPal?
Something must be wrong, but...
All the signatures are valid. Nothing has expired. The chain is intact. The root CA is embedded in the browser and trusted.
![Page 27: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/27.jpg)
The missing piece
![Page 28: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/28.jpg)
Back in the day
1. Most CAs didn't explicitly set basicConstraints: CA=False.
2. Whether the field was there or not, most SSL implementations didn't bother to check it.
3. Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain.
4. When presented with a complete chain, IE, Outlook, Konqueror, OpenSSL, and others considered it valid...
![Page 29: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/29.jpg)
And then in 2002...
Microsoft claimed that it was impossible to exploit.
So the author published the tool that exploits it.
![Page 30: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/30.jpg)
SSLsniff detail (User/Browser, Attacker, Server)
1. Browser connects to https://abc.example.com and performs the SSL/TLS handshake with the attacker, who (1) generates a certificate for the site it is connected to, (2) signs it with any random valid leaf node certificate, and (3) passes that certificate chain to the client.
2. Attacker connects to https://abc.example.com and performs its own SSL/TLS handshake with the server.
3. Application data: the attacker (1) gets the data from the server, (2) encrypts it with our private key, and (3) sends it to the user.
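The chain walk on the "How we verify" slide, the missing check from the "Back in the day" slide, and the chain built on the SSLsniff detail slide all come down to one question: does the validator require every issuer in the chain to be a CA? Here is a toy model of that logic, written for this transcript; it is not the talk's code and not sslsniff. There is no real cryptography in it (a "signature" is modelled as the id of the key that made it, and the trust store is a constructed set of key ids), so it isolates only the chain-logic difference between the naive walk and the hardened one.

```python
"""Toy model of X.509 chain validation with and without the basicConstraints
check (added example; no real cryptography, all certificates constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    key_id: str            # stands in for the certificate's public key
    signed_by_key: str     # stands in for the signature: id of the key that made it
    is_ca: Optional[bool]  # basicConstraints CA flag; None = extension absent
    expired: bool = False


# Constructed trust store: key ids of the roots embedded in the "browser".
TRUSTED_ROOT_KEYS = {"root-key"}


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    """Signature check stand-in: issuer name matches and the signing key
    is the issuer certificate's own key."""
    return cert.issuer == issuer.subject and cert.signed_by_key == issuer.key_id


def verify_chain(hostname: str, chain: list[Cert], check_basic_constraints: bool) -> tuple[bool, str]:
    """chain[0] is the leaf; each following cert is the issuer of the one
    before it. Follows the three steps on the 'How we verify' slide; the
    fourth (CA flag on every issuer) is the one that was missing."""
    if not chain:
        return False, "empty chain"
    leaf = chain[0]
    if leaf.subject != hostname:                       # step 1: name
        return False, "name mismatch"
    if leaf.expired:                                   # step 2: expiry
        return False, "leaf expired"
    for i, cert in enumerate(chain):                   # step 3: walk upward
        if cert.signed_by_key in TRUSTED_ROOT_KEYS:
            return True, "chain reaches trusted root"
        if i + 1 >= len(chain):
            return False, "chain does not reach a trusted root"
        issuer = chain[i + 1]
        if not signature_ok(cert, issuer):
            return False, f"bad signature on {cert.subject}"
        # The missing piece: an issuer must be marked CA=TRUE. A cert with
        # CA=FALSE, or with no basicConstraints at all, must not sign.
        if check_basic_constraints and issuer.is_ca is not True:
            return False, f"{issuer.subject} is not a CA (basicConstraints)"
    return False, "unreachable"


# Legitimate chain: root -> intermediate CA -> www.paypal.com (constructed).
LEGIT = [
    Cert("www.paypal.com", "Example Intermediate CA", "paypal-key", "intermediate-key", is_ca=False),
    Cert("Example Intermediate CA", "Example Root CA", "intermediate-key", "root-key", is_ca=True),
]

# Chain as built on the SSLsniff detail slide: a www.paypal.com certificate
# signed with the key of an ordinary leaf certificate (attacker.example)
# whose holder got it legitimately and which carries no basicConstraints.
FORGED = [
    Cert("www.paypal.com", "attacker.example", "forged-key", "attacker-key", is_ca=False),
    Cert("attacker.example", "Example Intermediate CA", "attacker-key", "intermediate-key", is_ca=None),
    Cert("Example Intermediate CA", "Example Root CA", "intermediate-key", "root-key", is_ca=True),
]


def compare() -> dict:
    """Run both chains through the naive walk and the hardened one."""
    return {
        "legit_naive": verify_chain("www.paypal.com", LEGIT, False),
        "legit_strict": verify_chain("www.paypal.com", LEGIT, True),
        "forged_naive": verify_chain("www.paypal.com", FORGED, False),
        "forged_strict": verify_chain("www.paypal.com", FORGED, True),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

The naive walk accepts both chains, which is exactly the "all the signatures are valid, nothing has expired, the chain is intact" situation on the earlier slide; the hardened walk rejects the forged chain at the first issuer because it is not a CA. In a real validator this is one of several issuer checks (path length, key usage, name constraints) and the signature is verified with the issuer's actual public key; the model only isolates the rule that the 2002 implementations skipped.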
![Page 31: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/31.jpg)
SSLsniff – Null Prefix Attack
Author's PPT
![Page 32: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/32.jpg)
What's with certificates, anyways?
X.509 certificate fields: Version, Serial Number, Issuer, Validity, Subject, Public Key, Signature Algorithm, Signature.
A certificate identifies some subject, carries the subject's public key, is issued by some issuer, and bears the issuer's signature.
![Page 33: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/33.jpg)
![Page 34: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/34.jpg)
The Big Three
Secrecy: encryption algorithm. Authenticity: digital signature. Integrity: checksum.
![Page 35: More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike.](https://reader036.fdocuments.us/reader036/viewer/2022062313/56649ca45503460f94965487/html5/thumbnails/35.jpg)
SSL Handshake Beginnings