https, here and now

HTTPS, Here and NowPhilippe De Ryck

@PhilippeDeRyck

Invited Speaker @ VDAB ICT Security Happening

https://www.websec.be

What Is this HTTPS Thing?

2

Visit website, browse public pages

Login with username and password

Consult private information

It’s for Sending Sensitive Data

3




But All Data Is Sensitive!

4




But All Data Is Sensitive!

5




About Me – Philippe De Ryck

6

§ Postdoctoral Researcher @ DistriNet (KU Leuven)§ Focus on (client-side) Web security

§ Responsible for the Web Security training program§ Dissemination of knowledge and research results§ Target audiences include industry and researchers

§ Main author of the Primer on Client-Side Web Security§ 7 attacker models, broken down in 10 capabilities§ 13 attacks and their countermeasures§ Overview of security best practices

https://www.websec.be@PhilippeDeRyck

Overview

7

§ HTTPS, under the hood§ The basics of the HTTPS protocol§ TLS, keys, certificates, …

§ Deploying HTTPS in practice§ Requesting certificates§ Server configuration

§ HTTPS on the application layer§ Interactions between TLS and the Web application§ The security risks of incorrectly deploying HTTPS

SSL and TLS – A bit of History

8

1994SSL 1.0

Invented by Netscape, but never released

1995SSL 2.0

Improvement of SSL 1.0. Quickly considered to be

flawed

1996SSL 3.0

Full rewrite, with stronger security. Will be

actively used till 2014

1999TLS 1.0

Standardization of SSL 3.0, with small

improvements

2006TLS 1.1

Update of TLS 1.0, with stronger cipher

suites

2008TLS 1.2

Update of TLS 1.1, with stronger cipher suites, and support

for extensions

…TLS 1.3

Strong push towards better security, with

removal of old algorithms and enforcement of forward secrecy

2011Backwards

compatibility with old SSL versions (< 3) removed from spec

Opinions about HTTPS

9

§ It’s really complicated, and we can not set it up§ That’s why there is CloudFlare and Let’s Encrypt

§ It’s too costly ($$$, CPU, network)§ There are free certs, and your CPU has AES instructions§ Netflix does it

10http://arstechnica.com/security/2015/04/it-wasnt-easy-but-netflix-will-soon-use-https-to-secure-video-streams/http://expandedramblings.com/index.php/netflix_statistics-facts/3/

329 gbAmount of data pushed in 2015

400 000000

Opinions about HTTPS

11

§ It’s really complicated, and we can not set it up§ That’s why there is CloudFlare and Let’s Encrypt

§ It’s too costly ($$$, CPU, network)§ There are free certs, and your CPU has AES instructions§ Netflix does it

§ It doesn’t work well with caching§ That’s why there are localized CDNs

§ You need one IP per website§ Not since Windows XP has died …

HTTPS under the Hood

12

The S in HTTPS

13

§ HTTP protocol over a secure channel§ Established by the SSL/TLS protocol§ Separate URI scheme within the browser

HTTP:// HTTPS://

Network StackTLS

HTTPS:// HTTP://

Network StackTLS

Positioning TLS in the Stack

14

Application

Transport

Internet

Network

HTTP

TCP

IP

Ethernet

Data

DataTCP Header

DataTCP Header

IP Header

DataTCP Header

IP Header

FrameHeader

FrameFooter

Positioning TLS in the Stack

15

Application

Transport

Internet

Network

TLS

TCP

IP

Ethernet

TLS Record

TLS Record

TCP Header

TLS Record

TCP Header

IP Header

TLS Record

TCP Header

IP Header

FrameHeader

FrameFooter

HTTP DataIMAPPOP…

UDP

TLS in a Nutshell

16

§ The secure channel is capable of offering …§ Data confidentiality§ Data integrity§ Mutual entity authentication

§ The handshake protocol is used to negotiate parameters§ The record protocol is the workhorse, transmitting data

TLS Record Protocol

Secure Communication Channel

TLS Handshake Protocol

A Closer Look at the TLS Record Protocol

17

Application Data

Fragment

Compress

Append Record Header

Encrypt

Add Integrity Check Data Integrity ensures that tampering will be detected

Confidentiality ensures that the data will be private

The TLS Handshake Protocol, Simplified

18

Hi some-shop.com, Give me your key please?

some-shop.com

TLS Depends on Public Key Certificates

19

§ A certificate asserts that a public key X belongs to party Y§ Issued by a Certificate Authority§ Generally for a lot of € € €§ Different levels of validation

Certificates and CAs

20

Root CAs

Intermediate CAs

Hey, I would like to be a CA. Please vouch that this is my key?

Hey, I’m some-shop.com. Please vouch that this is my key?

The Importance of Certificates in TLS

21

?



some-shop.com

The Importance of Certificates in TLS

22

Give me your key please? Give me your key please?

?

Browser Warnings Are Scary

23http://www.slate.com/articles/technology/future_tense/2015/02/ssl_warnings_users_ignore_them_can_we_fix_that.html

But Can Easily Be Avoided

24http://www.techfor.us/2015/06/your-connection-is-not-private-er_cert_common_name_invalid/

Similar Story With Mobile Apps

25

Doing It Right Is More Effort

26https://developer.android.com/training/articles/security-ssl.html

A Closer Look at the TLS Handshake

27

Client Hello (ciphers, extensions, …)

Server Hello (cipher, extensions, …)

Client Finished

Server Finished

Server Hello DoneVerify Certificate

Generate Pre-master secret

Calculate keys Calculate keys

Pre-master secret

Putting it Together in the Handshake

28



Client Finished

Server Finished




Pre-master secret

Entity Authentication


29



Client Finished

Server Finished




Pre-master secret

Key Exchange


30



Client Finished

Server Finished




Pre-master secret

Encryption / Integrity Checking


31



Client Finished

Server Finished




Pre-master secret

Cipher Suite Negotiation

Example of the TLS Handshake

32

Overview

33




Deploying HTTPS in practice

34

Deploying TLS Can Be Complex

35

§ The administrator needs to take a lot of steps§ Create keys§ Request certificate§ Verify and complete the certificate chain§ Configure the service to use TLS

§ Often used as an argument against TLS§ But no longer valid, as we will see shortly …

Deploying HTTPS Step By Step

36

§ To request a certificate, you need a key pair

§ From which you can generate a certificate signing request

§ With this CSR, you can get a certificate from a CA

openssl genrsa –out websec_sandbox00.key 2048

openssl req –new –sha256 –key … –out ….csr

StartSSL Offers Free Certificates

37

Requesting a Certificate From StartSSL

38

Requesting a Certificate From StartSSL

39


40

-----BEGIN CERTIFICATE-----MIIGQzCCBSugAwIBAgIHBkV4e/No3zANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMB4XDTE1MDkxMzExMjIwM1oXDTE2MDkxMzAyMDgzM1owUDELMAkGA1UEBhMCQkUxHDAaBgNVBAMTE3NhbmRib3gyMC53ZWJzZWMuYmUxIzAhBgkqhkiG9w0BCQEWFGhvc3RtYXN0ZXJAd2Vic2VjLmJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxtC9jgaVoZiw5kiiz7E5JGWHELnlv74R2hk7Ziw9gQzcIe3HXQTjAlBePyvXCfy/wrYbrCO1coOGH3xLBQwV4UDaWB1eVo+yO50GPn6DBet7Dvk+XS1MUceOCfzeGP+FdowA8oDe0kNe49SE8NWjELvGrYDB0pugumgsz/4ww+9kvdqrltXekzpxRYFte67jmctDVi+4nYmZjkz5HT0cV4XcXKBvLqt96hjaxTJAPTqzdvF6t2gkY42M6TQecHoIFN3N3o+wVEEh+7rT7zCLP7Sw6eGj9FkF/HIDtV4EntyaKwcGbQrnqy6zIA02pcrL1AlK9oPbizXEiNE7DqMS8wIDAQABo4IC4zCCAt8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFJzCyX0Qjl8z3Ff2jLwihh36m5J+MB8GA1UdIwQYMBaAFOtCNNCYsKuf9BtrCPfMZC7vDixFMCkGA1UdEQQiMCCCE3NhbmRib3gyMC53ZWJzZWMuYmWCCXdlYnNlYy5iZTCCAVYGA1UdIASCAU0wggFJMAgGBmeBDAECATCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUHAgIwgeowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqBvlRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENsYXNzIDEgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29tIENBIHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhlIGludGVuZGVkIHB1cnBvc2UgaW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxpZ2F0aW9ucy4wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0MS1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMS9zZXJ2ZXIvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczEuc2VydmVyLmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQELBQADggEBAJq45Um2ULzWpSIaK1pBGcEScEJcP9ZOZLKsZ1kV+0XV2sTXSUd5Wzha0mTkIbBLpJ0ap68je4iN8kIC0A6RjCTKYwqEgXgRM9XMC360kIyNTJ2ZqpVj+qt/ahxW7xjAhchJB293aNNrDgVLq6ms1kUGQL5LM2cSULL4kt9Tz5f88ayMWTYftKSCXtyKmDeYVbnXi/1FWGXX09hmdqxkWcIqdb1pXzD9AouSG0ZBfVgIk3vmMvghX/V7DdOIKf/2El

uQrIXhnJze/mOm566NPdJqge6o5IC3NPGos6SLK3RtPGNttJwzg6IvEpeYPunjjuRfFAtWIvciqTC83aoRWIo=-----END CERTIFICATE-----


41

§ With the keys and certificate, we can configure the server§ Define a new virtual host§ Enable the SSL engine§ Point to the private key and certificate

# Example NGINX configuration (bare essentials)server {

listen 443;server_name sandbox00.websec.be;root /site;

ssl on;ssl_certificate /etc/ssl/websec_sandbox00.pem;ssl_certificate_key /etc/ssl/websec_sandbox00.key;ssl_protocols SSLv3 TLSv1.0 TLSv1.1 TLSv1.2;ssl_prefer_server_ciphers on;

}


42

§ With the keys and certificate, we can configure the server§ Define a new virtual host§ Enable the SSL engine§ Point to the private key and certificate

# Example Apache configuration (bare essentials)<VirtualHost *:443>

ServerName sandbox00.websec.beDocumentRoot /site

SSLEngine OnSSLCertificateFile /etc/ssl/websec_sandbox00.pemSSLCertificateKeyFile /etc/ssl/websec_sandbox00.key

</VirtualHost>

Still a Tedious Process …

43https://letsencrypt.org

Let’s Encrypt Pushes for HTTPS Everywhere

44

§ Free certificates for everyone§ Let’s Encrypt has established a CA to issue certificates§ They have built a toolchain to automate the process

git clone https://github.com/letsencrypt/letsencrypt .

./letsencrypt-auto certonly --webroot -w /var/www/ -d www.websec.be

Let’s Encrypt Automates Domain Validation

45https://letsencrypt.org/howitworks/technology/

Let’s Encrypt Automates Certificate Issuing

46https://letsencrypt.org/howitworks/technology/

Where Should a Connection Go?

47



Client Finished

Server Finished




Pre-master secret

GET example.com

Server Name Indication (SNI)

48

§ SNI is a TLS extension§ Includes the hostname a client is connecting to§ Allows the server software to send it to the correct virtual host

§ SNI allows admins to run multiple TLS servers on one IP§ Which is great, since IPv4 addresses are limited anyway§ Client support has increased a lot since Windows XP died J

§ Often only one SSL configuration per Web server supported§ Because underlying stack takes care of it

SSL Termination

49

§ A single point in the network where SSL connections end§ Sensitive key material is stored in one single place§ Dedicated crypto hardware can take care of the SSL operations

§ Internal servers run interactive web sites§ Higher chance of getting compromised§ They can use self-signed certs internally§ Server software may be less trustworthy than the termination point

Overview

50




HTTPS on the Application Layer

51

Verifying your TLS Deployment

52

§ How do you know if you deployed HTTPS correctly?§ The browser seems to be happy …

§ But the browser is very forgiving if you screw up

§ Qualys offers an SSL server test§ Checks your configuration against current best practices§ Gives you a grade based on how good/bad your setup is

https://www.ssllabs.com/ssltest/

Default Ubuntu 14.04 LTS Installationhttps://www.ssllabs.com/ssltest/

Want to Run Your Own Test?

56


Great TLS Score, but what with Security?

57https://www.ssllabs.com/ssltest/

Deploying Sites over HTTP is a Bad Idea

58some-shop.com

Visit http://some-shop.com

Welcome, please log in

Login as Philippe to http://some-shop.com/login

Welcome Philippe

Visit http://some-shop.com/catalog

Here you go Philippe, please buy lots of stuff

…

Deploying Sites over HTTP is a Bad Idea

59

§ Eavesdropping attacks are trivial nowadays

§ But nobody cares …§ Take the BEL20 ...

Only 2 sites use HTTPS for their main page

2 sites even submit login forms over HTTP

http://deredactie.be/cm/vrtnieuws/binnenland/1.2163105http://www.clickx.be/nieuws/134342/telenet-laat-je-surfen-via-de-modem-van-je-buren/

HTTPS to the Rescue

60some-shop.com



Login as Philippe to https://some-shop.com/login

Welcome Philippe



Session Hijacking

61some-shop.com



Login as Philippe to https://some-shop.com/login

Welcome Philippe





Man in the Middle Attacks

62some-shop.com



Login as Philippe

Welcome Philippe

Send items to address X

Items will be sent to X



Login as Philippe

Welcome Philippe

Send items to address A

Items will be sent to A

Stripping HTTPS from Login Forms

63some-shop.com



Login as Philippe

Welcome Philippe





Login as Philippe

Welcome Philippe



Rewrite HTTPS

to HTTP

Demo Time

64

§ Demo with the Wifi Pineapple§ Wireless honeypot

§ Can be configured as a hotspot§ Can also mimic other hotspots

Our Setup

65

§ We control the wireless access point§ Full man-in-the-middle attack

some-shop.com

Stripping HTTPS from Login Forms

66some-shop.com



Login as Philippe

Welcome Philippe





Login as Philippe

Welcome Philippe



Rewrite HTTPS

to HTTP

HTTPS Prevents Man in the Middle Attacks

67some-shop.com

Visit https://some-shop.com


Login as Philippe

Welcome Philippe



Visit https://some-shop.com


Login as Philippe

Welcome Philippe



Bootstrapping the HTTPS Site

68

GET http://some-shop.com

some-shop.com

301 Moved PermanentlyLocation: https://some-shop.com

GET https://some-shop.com

200 OKResponse page

SSL Stripping

69

GET http://some-shop.com

200 OKResponse page

POST http://some-shop.com

GET http://…

301 Moved

GET https://…

200 OK

Rewrite HTTPS URLs

User: philippe & pass: pazzw0rd

POST https://…

some-shop.com

HTTP Strict Transport Security (HSTS)

70

§ Instruct the browser to only visit a site over HTTPS§ Once-enabled no HTTP requests will be sent anymore§ Prevents SSL stripping attacks§ Prevents cookie stealing over HTTP

GET https://websec.be

websec.be

200 OKResponse page

Diving into HSTS

71

§ HSTS is a server-driven browser-enforced security policy§ Server sends the Strict-Transport-Security response header§ Browser enforces this for the lifetime specified in the header§ Effectively prevents SSL stripping attacks

§ HSTS originates from a research proposal: ForceHTTPS§ First proposed in 2008, standardized in 2012

Strict-Transport-Security: max-age=31536000

Specifying the HSTS header

72

§ Configuration is straightforward§ max-age specifies the duration for forcing the use of HTTPS§ includeSubdomains specifies whether subdomains are included

§ The protection is only applied for the duration of max-age§ Make sure this value covers non-frequent visitors§ The value 0 disables the HSTS policy for this particular host

• Only if received over an error-free channel

4 4 7 11From version … 4.4.4 7.1

Strict-Transport-Security: max-age=31536000; includeSubdomains

HSTS Best Practices

73

§ HSTS Header processing§ HSTS response headers must be sent over a secure channel§ Headers received on an insecure channel are ignored§ Incorrectly formatted headers are ignored§ Only the first header will be processed

§ HSTS does not care about TCP ports§ Matches only on hostname§ Port 80 is translated to 443, other ports are preserved

HSTS Overview

74


websec.be

200 OKResponse page

Strict-Transport-Security: max-age=31536000;includeSubdomains


200 OKResponse page


www.websec.beGET https://www.websec.be

200 OKResponse page


The Bootstrapping Problem … Again

75


websec.be

200 OKResponse page



200 OKResponse page


www.websec.beGET https://www.websec.be

200 OKResponse page


Preloading HSTS

76

§ The bootstrapping problem is solved by a preloaded list§ Contains all sites that have explicitly subscribed to HSTS§ Distributed along with the browsers§ Available on https://hstspreload.appspot.com/

Conditions for making the preload list

77

§ Having a valid certificate (no SHA1 allowed after 2016)

§ Redirect all HTTP traffic to HTTPS

§ Serve all subdomains over HTTPS (especially www if it exists)

§ Serve HSTS on the base domain (e.g. websec.be)§ Max-age of at least 18 weeks§ includeSubdomains must be specified§ preload must be specified§ In case of a redirect, specify HSTS on the redirect, not the destination

Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

Inspecting HSTS in the Browser

78

§ Available through chrome://net-internals/#hsts


79



80


How to Get an A+ Rating?

82

ssl on;ssl_certificate /etc/letsencrypt/live/www.websec.be/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/www.websec.be/privkey.pemssl_dhparam /etc/ssl/dhparams.pem;

ssl_session_timeout 5m;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256';

ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security "max-age=31556926";}

Conclusion

83

Things Will Get Worse …

84

§ More SSL/TLS failures will be discovered§ CAs misbehaving or getting hacked§ Server administrators deploying imperfect configurations§ Client software being clueless about SSL

http://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridge/http://www.zdnet.com/article/hundreds-of-android-apps-open-to-ssl-linked-intercept-fail/

The Push for HTTPS Will Become Stronger

85

§ Browser vendors and corporations are pushing for HTTPS§ Google already uses HTTPS as a ranking signal for search§ Mozilla will mark HTTP sites with password fields as insecure

§ The US government mandates the use of HTTPS§ All publicly accessible sites§ By the end of 2016

§ The use of HTTPS is gaining widespread attention§ Mainstream media pick up an HTTPS story now and then§ Remember the article about Belgian banks

Wrapping Up

86

§ The time of closed networks is over§ Networks are available everywhere, to all kinds of devices§ Do not put explicit trust in the network infrastructure

§ HTTPS effectively prevents passive and active attacks§ New security policies push security even further (HSTS, HPKP)§ For the first time, we can defend against very powerful attacks

§ Only awareness is standing in the way of HTTPS deployment

Week-long application security course

https://www.secappdev.org

Progressive Web Security course

1. Why simply deploying HTTPS will not get you an A+ grade

2. How to avoid common pitfalls in authentication and authorization

3. Why modern security technologies will eradicate XSS

4. Four new browser communication mechanisms, and how they affect you

State-of-the-arttechnologies

Hands-on labs included

3rd edition starts on April 12th 2016https://www.websec.be

HTTPS, Here and NowAcknowledgements

Icons by Visual Pharm (https://icons8.com)

HTTPS, Here and NowPhilippe De Ryck

[email protected]

/in/philippederyck

https://www.websec.be

@PhilippeDeRyck

https, here and now

Technology