Lecture22 – CAsandHTTPSAttacks

StephenCheckowayUniversityofIllinois atIllinois

CS487– Fall 2017SlidesfromMillerandBailey’sECE422

Certificates

•Makeuseoftrusted“CertificateAuthorities”(CA)

• “ThispublickeywithSHA-256hash(XXX)belongstothesite(name,e.g.,Amazon.com)”– Digitallysigned byacertificateauthority

• Yourbrowsers(e.g.,Firefox,Chrome)trustaspecificsetofCAsasrootCAs– ShippedwiththepublickeysoftherootCAs–Whydoweneedmorethan1?

HowtheCAverifiesyouridentity

• Typically’DV’(domain verification)–ProvesyouareincontrolofDNSregistration–Justanemailbasedchallengetotheaddressinthedomainregistrationrecords•Orsomedefaultemailaddress,admin@domain.com•Minimallysecure[Why?]

–Alternatelyaweb-basedchallenge–Includechallengeresponseina<meta>tag

• Certhasanexpirationdate(e.g.,oneyearahead)[Why?]

Howtoinvalidatecertificates?

• Expirationdateofcerts• Certificaterevocation• WhathappensifaCA’ssecretkeyisleaked?– CanwetrusttheoldcertsfromthatCA?

• Interestingfact:– GooglehasinstrumentedChromesuchthatwhenitobservesacertificateforGoogle.comthatitdoesn’trecognize,itpanics….(hashappenedseveraltimes)

Self-signedCertificates

• Issuersignstheirowncertificate– Aloopintheownerandsigner

• AvoidCAfees,usefulfortesting–YoucanaddyourselfasaCAtoyourownbrowser

• Browsersdisplaywarningsthatusershavetooverride• Protectsonlyagainstpassiveattacker“optimisticencryption”

TLS Certificates• Atrustedauthorityvouchesthatacertainpublickeybelongstoaparticularsite

• Formatcalledx.509(complicated)• BrowsersshipwithCApublickeysforlargenumberoftrustedCAs[accreditationprocess]

• Importantfields:• CommonName(CN)[e.g.,*.google.com]ExpirationDate[e.g.2yearsfromnow]Subject'sPublicKeyIssuer-- e.g.,VerisignIssuer'ssignature

• CommonNamefield• Explicitname,e.g.ece.illinois.edu• Orwildcard,e.g.*.illinois.edu

X509Certificates

Subject: C=US/O=GoogleInc/CN=www.google.comIssuer:C=US/O=GoogleInc/CN=GoogleInternetAuthoritySerialNumber:01:b1:04:17:be:22:48:b4:8e:1e:8b:a0:73:c9:ac:83ExpirationPeriod: Jul122010- Jul192012PublicKeyAlgorithm:rsaEncryptionPublicKey:43:1d:53:2e:09:ef:dc:50:54:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4:ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:39:23:46

SignatureAlgorithm: sha1WithRSAEncryption

Signature:39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4:ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:1e:5d:b5

CertificateChains• CAcandelegateabilitytogeneratecertificatesforcertainnames:IntermediateCAs

• RootCAsigns"certificateissuingcertificate"fordelegatedauthority• Browserthattrustsrootcanexaminecertstoestablishvalidity-- "Chainoftrust”

• HowtofindoutaboutalltheCAs?• Morethan1000trustedpartiestoday,cansignforanydomain– hugeproblem!

CertificateChains

Subject:C=US/…/O=GoogleInc/CN=*.google.comIssuer:C=US/…/CN=GoogleInternetAuthorityPublicKey:Signature: bf:dd:e8:46:b5:a8:5d:28:04:38:4f:ea:5d:49:ca

Subject:C=US/…/CN=GoogleInternetAuthorityIssuer: C=US/…/OU=EquifaxSecureCertificateAuthorityPublicKey:Signature:be:b1:82:19:b9:7c:5d:28:04:e9:1e:5d:39:cd

Subject:C=US/…/OU=EquifaxSecureCertificateAuthorityIssuer:C=US/…/OU=EquifaxSecureCertificateAuthorityPublicKey:Signature:39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:38:c9:d1

MozillaFirefoxBrowser

Iauthorizeandtrustthiscertificate;here

ismysignature

Iauthorizeandtrustthiscertificate;here

ismysignature

Trusteverythingsignedbythis

“root”certificate

CertificateAuthorityEcosystem

EachbrowsertrustsasetofCAsCAscansigncertificatesfornewCAsCAscansigncertificatesforanywebsite

IfasingleCAiscompromised,thentheentiresystemiscompromised

WeultimatelyplaceourcompletetrustoftheInternetintheweakestCA

ImmediateConcerns

• NobodyhasanyideawhoalltheseCAsare…

• 1,733umich-knownbrowsertrustedCAs

• HistoryofCAsbeinghacked(e.g.Diginotar)

• Oooops,Koreagaveeveryelementaryschool,library,andagencyaCAcertificate(1,324)– Luckilyinvalidduetoahigher-upconstraint

GettingaCertificate

• Certificatesarefree(fromLetsEncrypt!)–Identityvalidatedbychallengetowebsite

• Certificatesarecheapelsewheretoo–Identityisvalidatedviae-mailtothedefaulte-mailaddresses

• SettingupSSLishard.Peopleareterribleatit.CertificateSigningRequests,eughIntegratinginawebserver

TLS inthebrowser

• Lockicon– HTTPScertmustbeissuedbyaCAtrustedbybrowser (orchaintoonethatis)

– HTTPScertisvalid(e.g.,notexpiredorrevoked)– CommonName incertmatchesdomaininURL

• ExtendedValidation(EV)certificates– CAdoesextraworktoverifyidentity-- expensive,butNO moresecure

• Invalidcertificatewarnings

AttackVectors

• AttacktheweakestCertificateAuthority

• Attackbrowserimplementations

• MagicallynoticeabuginakeygenerationlibrarythatleadsyoutodiscoveringalltheprivatekeysontheInternet

• Attackthecryptographicprimitives–Mathishard

Googlenoevil

Attackingsitedesign

• SSLstrip attack– Proxythroughthecontentw/oHTTPS

• Defense– DefaultHTTPSforallwebsites?– HSTS(hypertextstricttransportsecurity):headersays:alwaysexpectHTTPS,enforcedbybrowsers.

– HTTPSEverywhere:browserextension– EV:ExtendedValidation(comparedtoDV:DomainValidation)

Attackingsitedesign

• MixedContentattack-- PageloadsoverHTTPSbutcontainscontentoverHTTP– e.g.JavaScript,Flash– ActiveattackercantamperwithHTTPcontenttohijacksession

• Defense:Browserwarnings:["Thispagecontainsinsecurecontent"],– butinconsistentandoftenignored

UIinterfacebasedattacks

• Invalidcerts– Expired,CommonName!=URL,unknownCA(e.g.,self-signed)

• Defense: browserwarnings,anti-usabilitytobypass…• Picture-in-pictureattack:spooftheuserinterface– Attackerpagedrawsfakebrowserwindowwithlockicon

• Defense:individualizedimage

AttackingthePKI:CAcompromiseExample:DigiNotar

AttackingthePKI:CAcompromiseExample:DigiNotar

• DigiNotarwas aDutchCertificateAuthority

• OnJune10,2011,*.google.com certwasissuedtoanattackerandsubsequentlyusedtoorchestrateMITMattacksinIran

• Nobodynoticedtheattackuntilsomeonefoundthecertificateinthewild…andpostedtopastebin

DigiNotarContd.

• DigiNotarlateradmittedthatdozensoffraudulentcertificateswerecreated

• Google,Microsoft,AppleandMozillaallrevokedtherootDiginotarcertificate

• DutchGovernmenttookoverDiginotar

• Diginotarwentbankruptanddied

AttackingthePKI:Hashcollisions

• MD5/SHA1isknowntobebroken-- Cangeneratecollisions• In2008,researchersshowedthattheycouldcreatearogueCAcertificateusinganMD5collision

• Attack:MakecollidingmessagesA,B,withsameMD5hash:– A:Sitecertificate:"cn=attack.com,pubkey=....”– B:DelegatedCAcertificate:"pubkey=....isallowedtosigncertsfor*”– GetCAtosignA-- SignatureisSign(MD5(message))– SignaturealsovalidforB(samehash)– AttackerisnowaCA!–Makeacertforanysite,browserswillacceptit

MD5consideredharmful

• MD5CAcertificatesstillexist,butCAshavestoppedsigningcertificateswiththem– 879,705certificatesstillhaveMD5signatures

•SHA-1shouldnotbeusedeither– 46,969,095outof146,442,087certseverseenbyCensys useSHA1WithRSA (32%)

Attackingimplementations:NullTerminationAttack

• ASN.1utilizesPascal-stylestrings

• WebbrowsersutilizeuseC-stylestrings

• AnnouncedbyMoxieMarlinspikein2009

gmail.com\0.badguy.com

NullTerminationAttack• www.attacker.com

– [CAsverifycertbylookingupwhoownsthelastpartofthedomainviaDNSrecord]– emails"webmaster@attack.com"-->"Clickheretovalidatecertrequest”

• x.509certsencodeCNfieldasaPascalstring(length+data)• BrowserscopyitintoaCstring(data+\0)• WhatifCAcontains"\0"?

– www.paypal.com\0.attacker.com?– CAcontacts"attacker.com"toverify(lastpartofdomainname)– BrowserscopytoCstring,terminatesat"\0"-- seeonlypaypal.com– AttackernowhasacertthatworksforPaypal!

Otherimplementation-basedattacks

• Gotofail,Feb.2014(AppleSSLbug;skippedcertificatecheckforalmostayear!)

• Heartbleed,April2014(OpenSSLbug;leakeddata,possiblyincludingprivatekey!)

• MozillaBERserkvulnerability,Oct2014(Buginverifyingcertsignatures,allowedspoofingcerts,probablysincethebeginning….!)•Logjam,Oct2016(TLSvulnerabletoMan-in-themiddle“Downgrade”attack)

WhocontrolstheTLSendpoint?

Cloudbleed - (theotherbignewslastweek)- oneofthemostpopular“contentdeliverynetworks”- actsastheSSLendpointformanyservers- abufferoverflow attackcausedittoleakHTTPSdata

ClientsideHTTPInterception -- MostantivirussoftwareinterceptsyourHTTPS[How?]- Introducesnewvulnerabilitiesbyimplementingpoorly

Takeaways

• UseHTTPS!It’ssomuchbetterthannothing

• TLS keepsbreaking.Useit,butdon'trelyonitexclusively.