Lesson 10: Attacks to the SSL Protocol

Transcription

1 Lesson 10: Attacks to the SSL Protocol Luciano Bello - [email protected] Chalmers University Dr. Alfonso Muñoz - [email protected] T>SIC Group. Universidad Politécnica de Madrid

2 Security of the SSL Protocol SSL is secure in its theoretical design; although this is a necessary, but insufficient condition. The "real security" of the SSL protocol must be specified. For example, its use on the Web goes far beyond the misconception that a page is secure if, and only if, it shows the famous "yellow padlock". 2

3 Security of the SSL Protocol Issues Programming failures Weaknesses Cryptanalysis and downgrade Misconfiguration Attacking OCSP Tricking the user Theft or compromising a trusted authority 3

4 Programming Failures Weaknesses Programming errors in implementations of the SSL Protocol affect its security Example: in 2008 the researcher Luciano Bello discovered problems with the OpenSSL/Debian random functions. This allowed to reverse random processes, forging X.509 certificates, SSH keys, etc. 4

5 Programming Failures Weaknesses Example: NULL byte attack (2009) Moxie Marlinspike discovered that the standards for SSL and the X.509 certificate define the CN (Common Name) string as a PASCAL string (the length of the string is declared in position 0 and the chain is inserted in the other positions). Interestingly, most certificate processing software is written in C. Such software usually handles the string as a C string, inserting a NULL "\0" at the end of the string to indicate where it ends. The problem comes when someone obtains a certificate using When processed by a browser, only the first part will be read ( making it easy to falsify the bank. 5

6 Cryptanalysis and Downgrade Weaknesses The use of cryptographic algorithms with vulnerabilities makes it easier to attack the protocol. Example: in the 25 th edition of the Chaos Communication Congress (2008) a SSL certificate was forged attacking the MD5 cryptographic algorithm. The use of older versions or downgrades forced by attackers should be avoided. 6

7 Misconfiguration Attacking OCSP If an attacker is performing a man-in-the-middle attack, they can intercept and use OCSP requests to their advantage. In a normal operation, a server using this protocol could send a Try Later response telling the client that it can't answer a request. The attacker could simulate this response, which has code 3 assigned, to tell the client that it is unable to attend its request at that moment. Given this situation, many Web clients will accept the digital certificate since they can't verify its validity. This is an obvious failure. 7

8 Tricking the User 1. Digital certificate created by the attacker. The web browser warns the user that the certificate isn't valid. The attack only takes place if the user accepts it. 8

9 Tricking the User 2. The SSLStrip Tool (Moxie Marlinspike, 2009) automates the man-in-the-middle attack to the SSL protocol. All the links with https are replaced by http, so the communication between the client and the attacker is done through http and the communication between attacker and server through https. 9

10 Tricking the User 3. In a hypothetical scenario, valid certificates of specific business entities for government forces could be created, for example, by court order. This would make a man-in-the-middle hardly detectable, as long as the certificate is valid and signed by a trusted authority. This could be done, for example, for a digital certificate with a specific serial number. 10

11 Theft or Compromising a Trusted Authority Fraudulent certificates signed by a trusted authority March 2011: SSL Certificates business line of the company Comodo in March 2011 Signing petitions were carried out without proper verification. This led to the issuance of false certificates for popular sites such as Google, Yahoo, Mozilla, etc. July 2011: Diginotar 11

12 Practical Advice The latest version of the TLS protocol with its recommended extensions is considered to be secure against known attacks. September 2011 (ekoparty Conference). Chosenplaintext attack against TLS v1.0 (no afecta TLS v1.1 y v1.2) Attacks that violate its security focus mainly on tricking the user with the URL to which they are connecting or with the digital certificate that authenticates the server. 12

13 Tips for Web Browsing 1. Use an updated Web browser 2. Connect directly to the https address using the URL. The "HTTPS Everywhere" add-on for Firefox can help automate this 3. Deny access to a website when the certificate is invalid 13

14 Tips for Web Browsing 4. Configure Web browsers so that they make OCSP checks by default 5. If the OCSP connection fails, the default certificate shouldn't be accepted as valid 14

15 Contact: