HTTPS and the Lock Icon

Similar documents
MODERN WEB APPLICATION DEFENSES

Crypto meets Web Security: Certificates and SSL/TLS

Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends

Defeating All Man-in-the-Middle Attacks

Trust Infrastructure of SSL

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

SSL Report: ( )

SSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger

Breaking SSL Why leave to others what you can do yourself?

Using HTTPS - HSTS, TLS, HPKP, CSP and friends

Auth. Key Exchange. Dan Boneh

How to Render SSL Useless. Render SSL Useless. By Ivan Ristic 1 / 27

Securing Internet Communication: TLS

Evaluating the Security Risks of Static vs. Dynamic Websites

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Uniform Resource Locators (URL)

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

SSL/TLS Server Test of

Create Decryption Policies to Control HTTPS Traffic

SSL/TLS Security Assessment of e-vo.ru

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Public-Key Infrastructure NETS E2008

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

PROVING WHO YOU ARE TLS & THE PKI

SSL Report: sharplesgroup.com ( )

SSL/TLS Server Test of grupoconsultorefe.com

Legacy of Heartbleed: MITM and Revoked Certificates. Alexey Busygin NeoBIT

Scan Report Executive Summary

Testing login process security of websites. Benjamin Krumnow

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

RKN 2015 Application Layer Short Summary

Palo Alto Networks PAN-OS

Browser Trust Models: Past, Present and Future

Network Security. Thierry Sans

SSL Report: printware.co.uk ( )

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Server Certificate Validation

WHITE PAPER. Authentication and Encryption Design

Internet security and privacy

Configuring F5 for SSL Intercept

But where'd that extra "s" come from, and what does it mean?

DID WE LOSE THE BATTLE FOR A SECURE WEB?

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Web Security. New Browser Security Technologies

Scan Report Executive Summary

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

SSL Report: bourdiol.xyz ( )

CSP STS PKP SRI ETC OMG WTF BBQ

Configuring Internet Explorer for CareLogic

SHA-1 to SHA-2. Migration Guide

Security Fundamentals

Sirindhorn International Institute of Technology Thammasat University

Robust Defenses for Cross-Site Request Forgery

Coming of Age: A Longitudinal Study of TLS Deployment

Certified Secure Web Application Security Test Checklist

CSE484 Final Study Guide

Welcome to the OWASP TOP 10

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

SSL/TLS Deployment Best Practices

Installation and usage of SSL certificates: Your guide to getting it right

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Sichere Software vom Java-Entwickler

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Transport Layer Security

Host Website from Home Anonymously

CSE 565 Computer Security Fall 2018

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Security. Course: EPL 682 Name: Savvas Savva

Cryptographic Protocols 1

CS November 2018

Tabular Presentation of the Application Software Extended Package for Web Browsers

SSL Report: cartridgeworld.co.uk ( )

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):ekk.worldtravelink.com

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

On the Internet, nobody knows you re a dog.

2015 Online Trust Audit & Honor Roll Methodology

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Chapter 9: Key Management

HTTP Security Headers Explained

CS155b: E-Commerce. Lecture 6: Jan. 25, Security and Privacy, Continued

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Securing Connections for IBM Traveler Apps. Bill Wimer STSM for IBM Collaboration Solutions December 13, 2016

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Security and Authentication

Transport Layer Security

Wireless Security and Monitoring. Training materials for wireless trainers

Post Connection Attacks

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Real-time protocol. Chapter 16: Real-Time Communication Security

Securing Internet Communication

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Authentication CHAPTER 17


Security Best Practices. For DNN Websites

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Transcription:

Web security HTTPS and the Lock Icon

Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating HTTPS into the browser Lots of user interface problems to watch for

Threat Model: Network Attacker Network Attacker: Controls network infrastructure: Routers, DNS Eavesdrops, injects, blocks, and modifies packets Examples: Wireless network at Internet Café Internet access at hotels (untrusted ISP)

SSL/TLS overview Public-key encryption: m Alice Enc c c Bob Dec m PK Bob SK Bob Bob generates (SK Bob, PK Bob ) Alice: using PK Bob encrypts messages and only Bob can decrypt

Certificates How does Alice (browser) obtain PK Bob? Browser Alice PK CA Verify cert Bob s key is PK Server Bob choose (SK,PK) PK CA PK and proof I am Bob issue Cert with SK CA : Bob s key is PK CA check proof SK CA Bob uses Cert for an extended period (e.g. one year)

Important fields: Certificates: example

Certificates on the web Subject s CommonName can be: An explicit name, e.g. cs.stanford.edu, or A wildcard cert, e.g. *.stanford.edu or cs*.stanford.edu matching rules: * must occur in leftmost component, does not match. example: *.a.com matches x.a.com but not y.x.a.com (as in RFC 2818: HTTPS over TLS )

Certificate Authorities Browsers accept certificates from a large number of CAs Top level CAs 60 Intermediate CAs 1200

Brief overview of SSL/TLS browser client-hello server-hello + server-cert (PK) server cert SK key exchange (several options): EC-DHE server-key-exchange client-key-exchange k Finished k HTTP data encrypted with KDF(k) Most common: server authentication only

Integrating SSL/TLS with HTTP: HTTPS Two complications Web proxies solution: browser sends CONNECT domain-name before client-hello corporate network web proxy web server Virtual hosting: two sites hosted at same IP address. client-hello web server solution in TLS 1.1: SNI (June 2003) client_hello_extension: server_name=cnn.com implemented since FF2 and IE7 (vista) server-cert??? cert CNN cert ABC

Why is HTTPS not used for all web traffic? Crypto slows down web servers (but not by much if done right) Some ad-networks still do not support HTTPS Reduced revenue for publishers Incompatible with virtual hosting (older browsers) March 2017: IE6 1-5% in china (ie6countdown.com) Aug 2014: Google boosts ranking of sites supporting HTTPS

HTTPS in the Browser

The lock icon: SSL indicator Intended goal: Provide user with identity of page origin Indicate to user that page contents were not viewed or modified by a network attacker In reality: many problems (next few slides)

When is the (basic) lock icon displayed All elements on the page fetched using HTTPS For all elements: HTTPS cert issued by a CA trusted by browser HTTPS cert is valid (e.g. not expired) Domain in URL matches: CommonName or SubjectAlternativeName in cert

The lock UI: Extended Validation Certs Harder to obtain than regular certs requires human at CA to approve cert request no wildcard certs (e.g. *.stanford.edu ) Helps block semantic attacks : www.bankofthevvest.com note: HTTPS-EV and HTTPS are in the same origin

A general UI attack: picture-in-picture Trained users are more likely to fall victim to this [JSTB 07]

HTTPS and login pages: incorrect usage Users often land on login page over HTTP: Type HTTP URL into address bar Google links to HTTP page View source: <form method="post" action="https://onlineservices.wachovia.com/..." (old site)

HTTPS and login pages: guidelines General guideline: Response to http://login.site.com should be Location: https://login.site.com (redirect) Should be the response to any HTTP address

Problems with HTTPS and the Lock Icon

Problems with HTTPS and the Lock Icon 1. Upgrade from HTTP to HTTPS 2. Forged certs 3. Mixed content: HTTP and HTTPS on the same page 4. Does HTTPS hide web traffic? Problems: traffic analysis, compression attacks

1. HTTP HTTPS upgrade Common use pattern: browse site over HTTP; move to HTTPS for checkout connect to bank over HTTP; move to HTTPS for login SSL_strip attack: prevent the upgrade [Moxie 08] HTTP SSL attacker <a href=https:// > <a href=http:// > web server Location: https://... Location: http://... (redirect) <form action=https:// > <form action=http:// >

Tricks and Details Tricks: drop-in a clever fav icon (older browsers) fav icon no longer presented in address bar More tricks: inject Set-cookie headers to delete existing session cookies in browser. Force login. Number of users who detected HTTP downgrade: 0

Defense: Strict Transport Security (HSTS) Strict-Transport-Security: max-age=63072000; includesubdomains (ignored if not over HTTPS) web server Header tells browser to always connect over HTTPS Subsequent visits must be over HTTPS (self signed certs result in an error) Browser refuses to connect over HTTP or if site presents an invalid cert Requires that entire site be served over valid HTTPS HSTS flag deleted when user clears private data : security vs. privacy

https://hstspreload.org/ Preloaded HSTS list Strict-Transport-Security: max-age=63072000; includesubdomains; preload Preload list hard-coded in Chrome source code. Examples: Google, Paypal, Twitter, Simple, Linode, Stripe, Lastpass,

CSP: upgrade-insecure-requests The problem: many pages use <img src= http://site.com/img > Makes it difficult to migrate a section of a site to HTTPS Solution: gradual transition using CSP Content-Security-Policy: upgrade-insecure-requests <img src= http://site.com/img > <img src= https://site.com/img > <img src= http://othersite.com/img > <img src= https://othersite.com/img > <a href= http://site.com/img > <a href= https://othersite.com/img > <a href= http://othersite.com/img > <a href= http://othersite.com/img > Always use protocol relative URLs <img src= //site.com/img >

2. Certificates: wrong issuance 2011: Comodo and DigiNotar CAs hacked, issue certs for Gmail, Yahoo! Mail, 2013: TurkTrust issued cert. for gmail.com (discovered by pinning) 2014: Indian NIC (intermediate CA trusted by the root CA IndiaCCA) issue certs for Google and Yahoo! domains Result: (1) India CCA revoked NIC s intermediate certificate (2) Chrome restricts India CCA root to only seven Indian domains 2015: MCS (intermediate CA cert issued by CNNIC) issues certs for Google domains Result: current CNNIC root no longer recognized by Chrome enables eavesdropping w/o a warning on user s session

Man in the middle attack using rogue cert GET https://bank.com BadguyCert ClientHello attacker ClientHello ServerCert (rogue) ServerCert (Bank) (cert for Bank by a valid CA) SSL key exchange SSL key exchange BankCert bank k 1 k 1 k 2 k 2 HTTP data enc with k 1 HTTP data enc with k 2 Attacker proxies data between user and bank. Sees all traffic and can modify data at will.

What to do? (many good ideas) 1. Dynamic HTTP public-key pinning (RFC 7469) Let a site declare CAs that can sign its cert (similar to HSTS) on subsequent HTTPS, browser rejects certs issued by other CAs TOFU: Trust on First Use 2. Certificate Transparency: [LL 12] idea: CA s must advertise a log of all certs. they issued Browser will only use a cert if it is published on log server Efficient implementation using Merkle hash trees Companies can scan logs to look for invalid issuance

HPKP example (HTTP header from server) Public-Key-Pins[-Report-only]: max-age=2592000; pin-sha256="e9cz9indbd+2erqozyqqbq2yxlvkb9+xcprmf+44u1g="; pin-sha256="lpjnul+wow4m6dsqxbninhswhlwfp0jecwqzypolmcq="; report-uri="https://example.net/pkp-report" Note: not currently supported by IE, Edge, and Safari Max-age: 2,592,000 seconds is the most common max-age value used (30 days) Examine browser s pinning DB: chrome://net-internals/#hsts Max-age statistics provided by Andrei Sabelfeld and Steven Van Acker in Apr. 2017.

3. Mixed Content: HTTP and HTTPS Page loads over HTTPS, but contains content over HTTP (e.g. <script src= http://.../script.js> ) never write this Active network attacker can hijack session by modifying script en-route to browser IE7: Old Chrome: Mostly ignored by users

https://badssl.com (Chrome 58, 2017) Mixed script: <script src="http://mixed-script.badssl.com/nonsecure.js"></script> (script is blocked, click to load) Mixed image: <img class="mixed" src=http://mixed.badssl.com/image.jpg > Image loaded, but no HTTPS indicator

4. Peeking through SSL: traffic analysis Network traffic reveals length of HTTPS packets TLS supports up to 256 bytes of padding AJAX-rich pages have lots and lots of interactions with the server These interactions expose specific internal state of the page BAM! Chen, Wang, Wang, Zhang, 2010

Peeking through SSL: an example [CWWZ 10] Vulnerabilities in an online tax application No easy fix. Can also be used to ID Tor traffic

THE END

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback