SSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust

Similar documents
SSL/TLS: The Ugly Truth

SSL BEST PRACTICES OVERVIEW

Public Key Infrastructure (PKI)

Web Security Considerations

Overview. SSL Cryptography Overview CHAPTER 1

Integrated SSL Scanning

Websense Content Gateway HTTPS Configuration

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Certificates and network security

SSL Report: ebfl.srpskabanka.rs ( )

Implementation Vulnerabilities in SSL/TLS

SSL Certificate Verification

SSL and Browsers: The Pillars of Broken Security

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Installation and configuration guide

Integrated SSL Scanning

How to configure SSL proxying in Zorp 3 F5

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

SSL: Paved With Good Intentions. Richard Moore

Displaying SSL Certificate and Key Pair Information

How the Barracuda Web Application Firewall Secures Your Mobile and IoT Services. Whitepaper

Installation and configuration guide

Transport Level Security

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

Automated Vulnerability Scan Results

Network Security Part II: Standards

Configuring SSL Termination

Security Protocols/Standards

Communication Systems SSL

Vulnerabilità dei protocolli SSL/TLS

Communication Security for Applications

SBClient SSL. Ehab AbuShmais

Contact Information. Document Number: Document Revision: SSL Proxy Deployment Guide SGOS 5.1.4

SSL Server Rating Guide

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Web Security. Introduction: Understand applicable laws, legal issues and ethical issues regarding computer crime

How To Understand And Understand The Security Of A Key Infrastructure

Certificates, Revocation and the new gtld's Oh My!

How to configure SSL proxying in Zorp 6

Topics in Network Security

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

By Jan De Clercq. Understanding. and Leveraging SSL-TLS. for Secure Communications

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

TLS/SSL in distributed systems. Eugen Babinciuc

Web Security. Mahalingam Ramkumar

Where every interaction matters.

Owner of the content within this article is Written by Marc Grote

Best Practices for SIP Security

SSL Manager Certificate Verification Engine

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

SSL Decryption: Benefits, Configuration and Best Practices

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Certificate technology on Pulse Secure Access

Network Security Essentials Chapter 5

Best Practice Guide (SSL Implementation) for Mobile App Development 最 佳 行 事 指 引. Jointly published by. Publication version 1.

Analyzing DANE's Response to Known DNSsec Vulnerabilities

Certificate technology on Junos Pulse Secure Access

The Benefits of SSL Content Inspection ABSTRACT

Authenticity of Public Keys

Certified Secure Web Application Secure Development Checklist

Specific recommendations

How to configure HTTPS proxying in Zorp 5

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

SECURE SOCKETS LAYER (SSL)

SSL, PKI and Secure Communication

POODLE. Yoshiaki Kasahara Kyushu University 2015/3/3 APAN 39th in Fukuoka 1

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

Mobile Application Security

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Inspection of Encrypted HTTPS Traffic

Secure Web Appliance. SSL Intercept

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Introduction to the DANE Protocol

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Drive-by Enumeration of Web Filtering Solutions

TLS Proxies. draft-mcgrew-tls-proxy-server. D. McGrew D. Wing P. Gladstone Y. Nir

Internet Banking System Web Application Penetration Test Report

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Chapter 7 Transport-Level Security

Configuring Digital Certificates

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

SSL: Secure Socket Layer

DEF CON 19: Getting SSLizzard. Nicholas J. Percoco Trustwave SpiderLabs Paul Kehrer Trustwave SSL

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Breaking the Myths of Extended Validation SSL Certificates

Project X Mass interception of encrypted connections

Lesson 10: Attacks to the SSL Protocol

APNIC Trial of Certification of IP Addresses and ASes

OWASP Top Ten Tools and Tactics

Bugzilla ID: Bugzilla Summary:

Public Key Infrastructures

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

How To Protect A Web Application From Attack From A Trusted Environment

[SMO-SFO-ICO-PE-046-GU-

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day. SSL Certificate - Subject Common Name Does Not Match Server FQDN

CS5008: Internet Computing

Transcription:

SSL Interception Proxies Jeff Jarmoc Sr. Security Researcher Dell SecureWorks and Transitive Trust

About this talk History & brief overview of SSL/TLS Interception proxies How and Why Risks introduced by interception Failure modes and impact to risk Tools to test Disclosure of vulnerable platforms Recommendations

Properties of Encryption Privacy Integrity Authenticity

SSL / TLS History of SSL SSL v2.0 - Netscape Draft, 1994 SSL v3.0 - IETF Draft, 1996 TLS v1.0 - RFC 2246, 1999 TLS v1.1 - RFC 4346, 2006 TLS v1.2 - RFC 5246, 2008 Related HTTP Over TLS - RFC 2818, 2000 X.509 and CRL - RFC 5280, 2008 OCSP - RFC5019, 2007

SSL Session Establishment Client Hello Server Hello Certificate Server Hello Done Client endpoint ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Server Endpoint ApplicationData

X.509 Certificate Validation Responsible for validating certificate trust Verify certificate integrity Compare signature to cert hash Check for expiration Issue time < Current time < Expiration time Check Issuer Trusted? Follow chain to root Check revocation via CRL and/or OCSP

Result Typical Uses Privacy Cipher Suite prevents sniffing Integrity Cipher Suite prevents modification Authenticity Certificate validation ensures identity Malicious uses Privacy Cipher Suite bypasses detection Integrity Cipher Suite bypasses prevention Authenticity Certificate validation ensures identity

Enterprise Response Intercept, Inspect, Filter DLP Web Content Filters Anti-Malware Solutions IDS / IPS NG / DPI Firewalls Endpoint Security Suites Broadly termed SSL Interception Proxies

SSL / TLS Interception Proxies Man In The Middle Negotiate two sessions Act as Client on Server Side Act as Server on Client Side Generate new server key pair on client side Disrupt Authenticity to Effect Privacy/Integrity End-to-end session becomes two point-topoint sessions

SSL / TLS Interception Proxies Server Hello Certificate Server Hello Done Server Hello Certificate Server Hello Done Client endpoint Interception Proxy Server Endpoint ApplicationData Plain text ApplicationData Disrupt Authenticity to Effect Privacy/Integrity

Establishing endpoint trust Private CA Must be added as trust root to all endpoints Can pose a logistical challenge Public SubCA Delegated public root authority These are sometimes available Trustwave disclosed this, reversed course GeoTrust previously advertise it as GeoRoot Signing Key exposure risks are significant

Unintended side effects Two separate cipher-suite negotiations May use weaker crypto than endpoints support Proxy becomes high-value target Access to clear-text sessions Contains Private Keys Legalities disclosure, user expectations Transitive Trust Client cannot independently verify server identity Client relies on Proxy s validation of server-side certificate

Untrusted Root Client does not trust server certificate s CA Client Trust: Corporate CA Don t Trust: Diginotar Public CA Issuer: commonname = DigiNotar Public CA Subject: commonname = www.example.com www.example.com

Transitive Root Trust Proxy trusts Server Certificate s CA Client trusts Proxy Certificate s CA Client Trust: Corporate CA Don t Trust: Diginotar Public CA Issuer: commonname = Corporate CA Subject: commonname = www.example.com SSL Interception Proxy Trust: DigiNotar Public CA Issuer: commonname = DigiNotar Public CA Subject: commonname = www.example.com Therefore, Client trusts Server Certificate s CA www.example.com

Transitive Trust X.509 X.509 Validation flaws can also be transitive Self-signed certificates Expired certificates Revoked certificates Basic constraints Moxie Marlinspike, 2002 Null prefix injection Moxie Marlinspike, 2009 Dan Kaminsky, 2009

Key pair caching Dynamically generating SSL key pairs is computationally expensive Network-based interception proxies handle large numbers of connections Caching generated key pairs helps performance How cached key pairs are indexed is important

Write Key pair caching First visit Key Pair Cache Issuer: commonname = Corporate CA Subject: commonname = www.example.com Fingerprint: 0x0A0B0C0D0E0F0102 Client SSL Interception Proxy www.example.com Trust: Corporate CA Issuer: commonname = Corporate CA Subject: commonname = www.example.com Fingerprint: 0x0A0B0C0D0E0F0102 Trust: Real Public CA Issuer: commonname = Real Public CA Subject: commonname = www.example.com Fingerprint: 0x0102030405060708

Read Key pair caching later visits Key Pair Cache Issuer: commonname = Corporate CA Subject: commonname = www.example.com Fingerprint: 0x0A0B0C0D0E0F0102 Client Trust: Corporate CA Issuer: commonname = Corporate CA Subject: commonname = www.example.com Fingerprint: 0x0A0B0C0D0E0F0102 SSL Interception Proxy Trust: Real Public CA www.example.com Issuer: commonname = Real Public CA Subject: commonname = www.example.com Fingerprint: 0x0102030405060708

Read Key pair caching attack Key Pair Cache Issuer: commonname = Corporate CA Subject: commonname = www.example.com Fingerprint: 0xABCDEF12 Attacker Client SSL Interception Proxy www.example.com Trust: Corporate CA Issuer: commonname = Corporate CA Subject: commonname = www.example.com Fingerprint: 0xABCDEF12 Trust: Other Public CA Issuer: commonname = Other Public CA Subject: commonname = www.example.com Fingerprint: 0xDEADBEEF

Failure Modes If a certificate is invalid, how do we proceed? No RFC specification for MITM interception Three common approaches Fail Closed Friendly Error Passthrough Each has trade offs.

Failure Modes Fail Closed Terminate both sessions immediately. Security++; No reason given User_Experience--; Out of band agents Provide info Deployment burden

Failure Modes Friendly Error Terminate server side session immediately Provide friendly message on client side session In context of requested site Include content from the certificate? Malformed certificate as web attack vector XSS in context of requested page via invalid cert? Allow user override? CSRF to disable validation?

Failure Modes Passthrough Most common for name and expiry failures Continue server side session Client-side Certificate uses identical data Relies on client-side validation routines Downstream interception or unusual user-agents can combine to cause unexpected behaviors Generally preserves user-experience / warnings But without visibility into the original cert Users often make poor choices

Testing for common issues https://ssltest.offenseindepth.com Visit from a client behind proxy Table lists vulnerabilities CSS includes from host for each vuln Host certs are invalid to demonstrate vuln If vulnerable, CSS loads and flags vulnerability Shows request headers Certificate warnings In passthrough failure mode decision will affect results.

Client visiting directly

Same client via proxy

Cisco IronPort Web Security Appliance Self-Signed Certificates Accepted No CVE, Cisco Bug ID 77544 for mitigations Unknown CA Roots Accepted No CVE, Cisco Bug ID 77544 for mitigations

Cisco IronPort Web Security Appliance Lack of CRL or OCSP checking CVE-2012-1316 Cisco Bug ID 71969 Basic Constraints not validated CVE-2012-1326 Keypair Cache weaknesses CVE-2012-0334 Cisco Bug ID 78906

Cisco IronPort Web Security Appliance All findings apply to version 7.1.3-014 Patches forthcoming V7.5-07/2012 V7.7-07/2012 No UI for managing trust roots Patches addressed recent revocations Passthrough Failure Mode Problems in combination with certain downstream validators

Astaro Security Gateway Lack of CRL or OCSP checking Firmware 8.300 Pattern 23977 Sophos / Astaro Security Team Response Design Decision CRL / OCSP is broken in general Monitoring ongoing developments for future response

Astaro Security Gateway Friendly Error failure mode Includes support for managing trust roots Includes support for managing certificate blacklists Updates to both pushed frequently

No known issues Checkpoint Security Gateway R75.20 Microsoft Forefront TMG 2010 SP2 Include support for managing trust roots Fail Closed in all tested scenarios

Recommendations - Implementers Patch regularly Test proxies prior to deployment Consider security and user-experience Inform end users of interception Be aware of trust roots, be ready to adapt Harden hosts running proxies, monitor closely Consider failure modes Realize that interception has consequences

Recommendations - Developers Allow administrators to manage trust roots Blacklist specific certs, etc. Use secure default settings Administrators should accept risks of less secure settings if necessary Test systems under attack scenarios Be wary of aiding attacks against authenticity Consider update and patch deployments Secure private keys

PLEASE COMPLETE THE SPEAKER FEEDBACK SURVEYS. THIS WILL HELP SPEAKERS TO IMPROVE AND FOR BLACK HAT TO MAKE BETTER DECISIONS REGARDING CONTENT AND PRESENTERS FOR FUTURE EVENTS.

Questions? SSL Interception Proxies and Transitive Trust Jeff Jarmoc Sr. Security Researcher Dell SecureWorks

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information