A Qualitative Comparison of SSL Validation Alternatives

Size: px

Start display at page:

Download "A Qualitative Comparison of SSL Validation Alternatives"

Christal Hines
7 years ago
Views:

1 A Qualitative Comparison of SSL Validation Alternatives OWASP AppSec Research 2013 August 22nd, 2013 Henning Perl, Sascha Fahl, Michael Brenner, and Matthew Smith Leibniz Universität Hannover

2 Outline Of This Talk What s SSL again? Things broken in SSL So many solutions! The best solution (or why there isn t any yet) Our evaluation system Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 2

3 How SSL works trusts signs cert authenticates to Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 3

4 How SSL works and breaks trusts stolen cert signs cert authenticates to Client Man in the middle insecure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 3

6 SSL CA incidents In 2010, VeriSign was compromised, allowing the attackers to issue arbitrary certificates In March 2011, an attacker from Iran was able to compromise the Comodo CA and get certificates for wwwgooglecom, loginyahoocom, loginskypecom, addonsmozillaorg, and loginlivecom A MITMA attack with at least one these certificate was observed In August 2011, attackers used the DigiNotar CA to issue at least 200 fraudulent certificates and used them to impersonate web servers The breach eventually lead to the exclusion of the CA from most browsers and operating systems weakest link security Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 5

7 Things broken in SSL For sake of completeness Users ignore warnings (cf Sunshine et al, Crying Wolf: An Empirical Study of SSL Warning Effectiveness ) Attacks against the cryptosystem BEAST (2011) / CRIME (2012) attacks Padding oracle attack ( Lucky Thirteen, S&P 2013) Attacks against RC4 (Usenix 2013) SSL stripping (Marlinspike, Black Hat 2009) SSL validation / Weakest link CA security Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 6

8 Things broken in SSL For sake of completeness Users ignore warnings (cf Sunshine et al, Crying Wolf: An Empirical Study of SSL Warning Effectiveness ) Attacks against the cryptosystem BEAST (2011) / CRIME (2012) attacks Padding oracle attack ( Lucky Thirteen, S&P 2013) Attacks against RC4 (Usenix 2013) SSL stripping (Marlinspike, Black Hat 2009) SSL validation / Weakest link CA security Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 6

9 Types of solutions: Use of network perspective Perspectives, Convergence Keep a log of certificates Sovereign Keys (SK), Certificate Transparency (CT), Accountable Key Infrastructure (AKI) Serve certificates over DNS DANE Trust on first use TACK Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 7

10 Network Perspective (Perspectives, Convergence) globally distributed notaries N 1 N 2 N 3 N 4 N 5 N k Client No extra software on server Network delay Privacy Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 8

11 Keep A Log Of Certificates SK, CT, AKI trusts signs cert authenticates to Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 9

12 Keep A Log Of Certificates SK, CT, AKI Certificate Log submits certificate Proof of inclusion trusts authenticates to signs cert Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 9

13 Keep A Log Of Certificates SK, CT, AKI Certificate Log submits certificate Proof of inclusion trusts authenticates to signs cert Client Secure connection No extra software on server no extra network delay needs new infrastructure Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 9

14 Serve Certificates Over DNS DANE trusts signs cert authenticates to Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 10

15 Serve Certificates Over DNS DANE DNS submits certificate Domain admin certificate and DNS response authenticates to signs cert Client Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 10

16 Serve Certificates Over DNS DANE DNS submits certificate Domain admin certificate and DNS response authenticates to signs cert Client Secure connection No extra software on server reuses infrastructure DNSSEC Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 10

17 Pinning TACK Pinning on TACK public key; TACK secret key signs actual cert First connection TACK public key Client Secure connection? Subsequent connections Client TACK public key Secure connection Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 11

18 Pinning TACK Pinning on TACK public key; TACK secret key signs actual cert First connection TACK public key Client Secure connection? Subsequent connections Client TACK public key Secure connection No extra software on server no (just selfsign) No protection on first visit Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 11

19 What do we draw from this? Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 12

20 Our Evaluation Scheme Goals: Tool to compare solution Discussion about which properties are important Organize, formalize the debate Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 13

21 Our Evaluation Scheme Goals: Tool to compare solution Discussion about which properties are important Organize, formalize the debate Structure: One large table 12 Deployability Benefits 9 Security and Privacy Benefits Adversary Capabilities Active MITMA required Trusted CA certificate required Compromising user chosen third parties required Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 13

22 Capabilities Scheme Ref Deployability benefits No-User-Cost No--Cost -Compatible Browser-Compatible Incrementally-Deployable Negligible-Communication-Overhead Negligible-Computational-Overhead No-Additional-Infrastructure Trusted-Root-CA-support Custom-Root-CA-support Selfsigned-Certificate-support No-Out-Of-Band-Connection X509-Compatible Security benefits Built-In-Revocation OCSP-or-CRL-Compatibility Resilient-To-DOS-Attacks User-Privacy-Preserving Secure-Key-Migration Secure-Key-Migration-After-Credential-Theft Secure-Domain-Migration Active MITMA required Trusted CA certificate required (weakest link) Compromising user chosen third parties required (strongest link) First-Contact-Protection Connection-Protection SSL with CA-PKI (90 s) 0 Perspectives [13] (2008) n DANE [5] (2010) 1 Convergence [9] (2011) n Sovereign Keys [3] (2011) 1 Certificate Transparency [7] (2012) 1 TACK [8] (2012) 0 AKI [6] (2013) 1

23 Conclusion All proposals solve weakest link problem but in very different ways No clear winner Do we want/need/have to have? Deployment is challenging Question: When to fail hard? Perl, Fahl, Brenner, Smith A Qualitative Comparison of SSL Validation Alternatives Slide 15

Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

OWASP AppSec APAC 2012 The OWASP Foundation http://www.owasp.org Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs