How SSL-Encrypted Web Connections are Intercepted



Similar documents
Rethink defense-in-depth security model

A Guide to MAM and Planning for BYOD Security in the Enterprise

E-Guide UNDERSTANDING PCI MOBILE PAYMENT PROCESSING SECURITY GUIDELINES

Data warehouse software bundles: tips and tricks

Hybrid cloud computing explained

How to Develop Cloud Applications Based on Web App Security Lessons

Solution Spotlight BEST PRACTICES FOR DEVELOPING MOBILE CLOUD APPS REVEALED

E-Guide GROWING CYBER THREATS CHALLENGING COST REDUCTION AS REASON TO USE MANAGED SERVICES

Key best practices for cloud testing

E-Guide HOW THE VMWARE SOFTWARE DEFINED DATA CENTER WORKS: AN IAAS EXAMPLE

E-Guide SIX ENTERPRISE CLOUD STORAGE AND FILE-SHARING SERVICES TO CONSIDER

Securing the SIEM system: Control access, prioritize availability

SSL/TLS: The Ugly Truth

Managing Virtual Desktop Environments

Software Defined Networking Goes Well Beyond the Data Center

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

E-Guide CLOUD COMPUTING FACTS MAY UNCLENCH SERVER HUGGERS HOLD

HOW MICROSOFT AZURE AD USERS CAN EMPLOY SSO

Strategies for Writing a HIPAA-Friendly BYOD Policy

E-Guide CONSIDERATIONS FOR EFFECTIVE SOFTWARE LICENSE MANAGEMENT

Best Practices for Scaling a Big Data Analytics Project

5 free Exchange add-ons you should consider Eliminating administration pain points on a budget

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Installing your Digital Certificate & Using on MS Out Look 2007.

Is Your Data Safe in the Cloud?

Securing your Online Data Transfer with SSL

Advanced analytics key component for decision management systems

Exchange Server 2010 backup and recovery tips and tricks

3 common cloud challenges eradicated with hybrid cloud

Hyper-V 3.0: Creating new virtual data center design options Top four methods for deployment


E-Guide NETWORKING MONITORING BEST PRACTICES: SETTING A NETWORK PERFORMANCE BASELINE

E-Guide WHAT IT MANAGERS NEED TO KNOW ABOUT RISKY FILE-SHARING

Best Practices for Database Security

How To Protect Your Online Backup From Being Hacked

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

HOW TO SELECT THE BEST SOLID- STATE STORAGE ARRAY FOR YOUR ENVIRONMENT

Inspection of Encrypted HTTPS Traffic

Benefits of virtualizing your network

Public Key Infrastructure (PKI)

Managing Data Center Growth Explore Your Options

E-Guide THE LATEST IN SAN AND NAS STORAGE TRENDS

E-Guide COMPLIANCE IN THE CLOUD

ios7: 3 rd party or platform-enabled MAM? Taking a look behind the scenes with Jack Madden

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

The Benefits of SSL Content Inspection ABSTRACT

Using etoken for SSL Web Authentication. SSL V3.0 Overview

What is an SSL Certificate?

E-Guide VIDEO CONFERENCING SOFTWARE AND HARDWARE: HYBRID APPROACH NEEDED

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

E-Guide MANAGING AND MONITORING HYBRID CLOUD RESOURCE POOLS: 3 STEPS TO ENSURE OPTIMUM APPLICATION PERFORMANCE

6 Point SIEM Solution Evaluation Checklist

HTTPS Inspection with Cisco CWS

Streamlining the move to the cloud. Key tips for selecting the right cloud tools and preparing your infrastructure for migration

Order Management System Best Practices

Aligning Public Cloud Strategies to Improve Server Efficiency

E-Guide CONSIDER SECURITY IN YOUR DAILY BUSINESS OPERATIONS

Integrated SSL Scanning

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Lesson 10: Attacks to the SSL Protocol

E-Guide to Mobile Application Development

Expert guide to achieving data center efficiency How to build an optimal data center cooling system

Overview Most of the documentation out there on the transition from SHA-1 certificates to SHA-2 certificates will tell you three things:

Is Your SSL Website and Mobile App Really Secure?

MDM features vs. native mobile security

Getting a Secure Intranet

E-Guide BEST PRACTICES FOR CLOUD BASED DISASTER RECOVERY

5 ways to leverage the free VMware hypervisor Key tips for working around the VMware cost barrier

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

CLOUD APPLICATION INTEGRATION AND DEPLOYMENT MADE SIMPLE

The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

Security Digital Certificate Manager

White paper. How to choose a Certificate Authority for safer web security

Social channels changing contact center certification

BUYING PROCESS FOR ALL-FLASH SOLID-STATE STORAGE ARRAYS

The State of Desktop Virtualization in 2013: Brian Madden analyzes uses cases, preferred vendors and effective tools

Websense Content Gateway HTTPS Configuration

CLOUD SECURITY CERTIFICATIONS: HOW IMPORTANT ARE THEY?

Specification Alternatives to Certificate Authorities Segurança em Sistemas Informáticos Mestrado Integrado em Engenharia Informática e Computação

Solution Spotlight KEY OPPORTUNITIES AND PITFALLS ON THE ROAD TO CONTINUOUS DELIVERY

Setting Up SSL on IIS6 for MEGA Advisor

Security Digital Certificate Manager

Social Media-based Customer Loyalty Programs

Evaluation of Certificate Revocation in Microsoft Information Rights Management v1.0

Cloud Storage: Top Concerns, Provider Considerations, and Application Candidates

Protecting Your Name on the Internet The Business Benefits of Extended Validation SSL Certificates

Where every interaction matters.

Tips to ensuring the success of big data analytics initiatives

MAC Web Based VPN Connectivity Details and Instructions

SSL CERTIFICATE GOOD PRACTICE GUIDE

Content Teaching Academy at James Madison University

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

More on SHA-1 deprecation:

B U S I N E S S G U I D E

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

TELNET CLIENT 5.0 SSL/TLS SUPPORT

Data Security using Encryption in SwiftStack

NIST ITL July 2012 CA Compromise

Preparing for the cloud: Understanding the infrastructure impacts Eight essential tips for a successful cloud migration

Overview. SSL Cryptography Overview CHAPTER 1

Transcription:

Web Connections are

Web Connections Are When an encrypted web connection is intercepted, it could be by an enterprise for a lawful reason. But what should be done when the interception is illegal and caused by an attacker? This expert E-Guide examines how encrypted web connections are intercepted and the four key strategies you can use to defend against Secure Sockets Layer (SSL) interception attacks. By: Sherri Davidoff, Contributor Encrypted Web connections are routinely intercepted by enterprises for legitimate reasons. Unfortunately, attackers can use the same methods for tapping into "secure" connections, most often because of endpoint weaknesses. In this tip, we'll examine how enterprises and attackers intercept Web connections that are encrypted using the Transport Layer Security (TLS) protocol or its predecessor, the Secure Sockets Layer (SSL) protocol. A digital certificate, often used in conjunction with TLS/SSL, is just a little chunk of data describing an identity -- such as the name and URL of an organization -- signed with a digital signature. Signing is a complex mathematical operation based on the contents of the certificate and the signer's cryptographic key. If the values in the certificate are altered in transit, the digital signature will not match, and a browser will display an error message. How do you know if a digital certificate is really owned by the person you think? It's all a chain of trust. When you go to Alice's website, for example, she presents you with her certificate. Alice's certificate has been verified and signed by her friend Bob. In turn, Bob's certificate has been verified and signed by his friend Charlie. Charlie is also a good friend of yours, and you trust him implicitly. Charlie in this case represents a root certificate authority Page 2 of 6

Web Connections Are (CA) for our public key infrastructure (PKI). When you see Charlie's signature on Alice's verifiable certificate chain, you trust that Alice is who she says she is. In real life, your Web browser comes with pre-installed, trusted root CA certificates for network infrastructure companies such as VeriSign Inc. Your Web browser will automatically trust digital certificates issued by the preinstalled root CAs. Attackers, however, can exploit this trust. How trustworthy are digital certificates? Nobody's perfect -- not even trusted root certificate authorities. In 2001, VeriSign mistakenly issued "code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee" (MS01-017). According to the Microsoft Security Bulletin, "the ability to sign executable content by using keys that purport to belong to Microsoft would clearly be advantageous to a malicious user who wanted to convince users to allow the content to run. The certificates could be used to sign programs, ActiveX controls, Microsoft Office macros, and other executable content." Digital signatures can also be forged. Last year, at the Chaos Communication Congress in Berlin, a group of researchers leveraged weaknesses in the MD5 cryptographic algorithm to create a "rogue" certificate with a valid root CA signature (Sotirov et al). This certificate had never been signed by the trusted root CA, but since it had a valid signature, it was trusted by all common browsers. SSL interception tools More commonly, attackers bypass TLS/SSL connections using man-in-themiddle techniques along with certificates that are generated on the fly. Enterprises routinely intercept TLS/SSL connections. Why? Imagine you are an employee checking your Web-based personal email at work. Your company has strong incentive to peek into your traffic, to make sure you aren't leaking proprietary data or mistakenly downloading viruses. Enterprises frequently want to inspect all traffic flowing into and out of their network to prevent malware infections and protect their proprietary data. Page 3 of 6

Web Connections Are To break a TLS/SSL connection and sniff employee traffic, enterprises often use an SSL proxy, such as ProxySG from Blue Coat Systems Inc. The SSL proxy intercepts traffic between an individual's computer and the outside world. When a user surfs to a "secure" site, the SSL proxy fetches the real Web server certificate and establishes a legitimate TLS/SSL connection between the proxy and the Web server. Then, the proxy makes a fake digital certificate on the fly, which looks similar to the Web server's certificate. It presents this fake digital certificate to the user, and sets up a second TLS/SSL session between his or her browser and the Web proxy. The user may receive a pop-up error message (and probably click it away) because the fake digital certificate is not trusted. Of course, if the organization takes the time to import the proxy's certificate as a trusted root in user Web browsers, then users won't see an error message at all. The net result? There is a "secure" TLS/SSL session between the user's computer and the proxy, and a second "secure" TLS/SSL session between the proxy and the Web server. On the proxy itself, the individual's information can be viewed in plain text. The company can then automatically search the traffic for specific keywords, or screen it for malware. Unfortunately, attackers can use the same techniques as enterprises to intercept SSL connections. One particular free, publicly available tool makes this trivially easy. As with enterprise TLS/SSL interceptors, the attacker can use such a tool to automatically connect to the real Web server, capture certificate information, and generate a new certificate on the fly with the same information. It then presents the user with the new certificate and sets up an SSL connection. From that point on, there is a "secure" SSL session between the user's computer and the attacker, and a second "secure" SSL session between the attacker and the Web server. Another similar tool exists that removes the client SSL connection entirely, and uses social engineering techniques (such as lock icons) to trick users into thinking the connection is encrypted. Page 4 of 6

Web Connections Are What can users do to protect against SSL interception attacks? Here are four key strategies: 1. Always use a trusted computer when surfing to sites with valuable information. If your computer is untrusted or has been compromised, then someone could have installed an illegitimate trusted certificate authority in your Web browser. 2. Consider using integrity-checking or rollback software to detect and eliminate unauthorized changes to trusted certificate authority lists. 3. Do not accept untrusted certificates. If possible, configure users' browser to automatically reject untrusted certificates. 4. Think before you click. Remember, even trusted CAs make mistakes. Train employees and home users to think critically about visiting websites. TLS/SSL is like a nice sturdy two-by-four. Can you use it to build a secure infrastructure? Yes. Is it a secure infrastructure all by itself? No. An entire industry has grown around SSL interception. Enterprises and law enforcement want to be able to tap into encrypted traffic just as much as attackers, so the incentives for stronger protections at the endpoints are mixed. However, with careful attention to detail, businesses and home users can detect and avoid TLS/SSL interception and bypass attacks. About the author: Sherri Davidoff is the co-author of the new SANS class "Sec558: Network Forensics" and author of Philosecurity. She is a GIAC-certified forensic examiner and penetration tester. She provides security consulting for many types of organizations, including legal, financial, healthcare, manufacturing, academic and government institutions. Page 5 of 6

Web Connections Are Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 6 of 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information