Legacy of Heartbleed: MITM and Revoked Certificates. Alexey Busygin NeoBIT

Transcription:

Legacy of Heartbleed: MITM and Revoked Certificates Alexey Busygin busygin@neobit.ru NeoBIT

Notable Private Key Leaks
- 2010: DigiCert Sdn Bhd. issued certificates with 512-bit keys
- 2012: Trustwave issued CA certificate for one of its customers' DLP system
- 2013: DigiNotar CA was totally compromised
- 2014: Heartbleed bug caused certificate revocation storm. 500000+ certs to be revoked
- 2015: RSA-CRT private key leaks
- 2017: Cloudbleed bug in Cloudflare reverse proxies

Checking Certificate Revocation Status: Certificate Revocation Lists (CRL)
- CAs publish CRLs, lists of revoked certificate serial numbers
- Normally certificate contains URL of the corresponding CRL
Why it's not OK?
- CRLs are not appropriate for online checks:
  - Excess size (up to 1 MB)
  - Vulnerable to replay attacks

Checking Certificate Revocation Status: Online Certificate Status Protocol (OCSP)
- CAs maintain OCSP responders answering with certificate revocation status
- Normally certificate contains URL of the OCSP responder
- OCSP provides optional replay attack protection
Why it's not OK?
- Slows down connection establishment
- Browsing history leaks to CA
- OCSP responder is DDoS target

Checking Certificate Revocation Status: OCSP Stapling
- No browsing history leaks
- Choose one:
  - Replay attack protection
  - TLS server side OCSP response caching:
    - Minimal impact on connection establishment time
    - Reduced load on OCSP responder
Why it's not OK?
- Stapled OCSP responses are optional and may be stripped by MITM
- OCSP responder is DDoS target (if replay attack protection is enabled)

Checking Certificate Revocation Status: Vendor Specific Solutions
- Software updates
- Revocation information pushes
Why it's not OK?
- Offline revocation check
- Not controlled by end users
- What about private CAs?

Man-in-the-Middle Attack Scenario
- Use revoked certificate and block revocation info

Default Revocation Checks: Mozilla Firefox
Fall-back positions:
- Check local OneCRL store
- Check stapled OCSP response
- Query OCSP responder explicitly
- Certificate is valid
Why it's not OK?
- Soft fail: MITM vulnerable
- OCSP replay attack protection is not supported
- OCSP stapling for CA certificates is not supported
- Online checks for DV CA certs are not performed

Default Revocation Checks: Google Chrome
Fall-back positions:
- Check stapled OCSP response
- Check local CRLSets store
- Query OCSP responder explicitly (for EV certificates only)
- Certificate is valid
Why it's not OK?
- Soft fail: MITM vulnerable
- OCSP replay attack protection is not supported
- OCSP stapling for CA certificates is not supported
- Online checks for DV CA and EE certificates are not performed

Default Revocation Checks: Microsoft Internet Explorer / Edge
Fall-back positions:
- Check untrusted certificate store
- Check stapled OCSP response
- Query OCSP responder explicitly
- Fetch CRL
- Certificate is valid
Why it's not OK?
- Soft fail: MITM vulnerable
- OCSP replay attack protection is not supported
- OCSP stapling for CA certificates is not supported

Why is hard fail not enforced?
Adam Langley explains: https://www.imperialviolet.org/2014/04/19/revchecking.html
- CA infrastructure becomes a single point of failure
- CA infrastructure becomes a DDoS target
- Increases CA maintenance costs (more network bandwidth and DDoS protection required)
- Increases number of connection failures in noisy networks
- Captive portals frequently deny access to OCSP responders

Hard Fail Enforcement: Mozilla Firefox
Why it's still not OK?
- Online checks for DV CA certificates are not performed
- Vulnerable to OCSP or CRL replay attacks
- Hard fail is enforced for all sites

Hard Fail Enforcement: Google Chrome
Why it's still not OK?
- Vulnerable to OCSP or CRL replay attacks
- Hard fail is enforced for all sites

Hard Fail Enforcement: Microsoft Internet Explorer
Edit registry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED\iexplore.exe = 1
Why it's still not OK?
- It doesn't prevent attack
- Vulnerable to OCSP or CRL replay attacks
- Hard fail is enforced for all sites

Hard Fail Enforcement: Squid Proxy
- TLS decryption (SslBump feature)
- Custom certificate verification procedures (SSL Server Certificate Validator feature)
- Optional transparent mode (TPROXY or WCCP features)
- Enforces hard fail for predefined set of sites
Why it's still not OK?
- Proxy decrypts TLS traffic

Future Revocation Strategies
Not all services require paranoid revocation checks.
- Strict revocation status checking mode
  - Online checks
  - Replay attack protection
  - Hard fail
- Lightweight revocation status checking mode
  - Offline checks
  - Short-lived certificates

Strict Checking
- Service indicates that strict checking is required via certificate extension field
- OCSP stapling with replay attack protection for entire certificate chain
- Hard fail
- RFC 7633 TLS Feature Extension as strict checking requirement indicator
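
Added example (not from the original slides): a small Python model of the revocation decision a TLS client makes, comparing soft fail, hard fail, hard fail with nonce-based replay protection, and the must-staple indicator against the interference cases the slides list. The OcspResponse class, the check() function and all sample values are constructed for illustration; real clients parse ASN.1 OCSP responses and verify their signatures.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class OcspResponse:
    """Simplified model of an OCSP answer (no ASN.1 parsing, no signature check)."""
    status: str                    # "good" or "revoked"
    this_update: int               # start of validity window, epoch seconds
    next_update: int               # end of validity window
    nonce: Optional[bytes] = None  # client nonce echoed by the responder, if any

def usable(resp, now, nonce):
    """Inside its validity window and, if replay protection is on, bound to our nonce."""
    if not resp.this_update <= now <= resp.next_update:
        return False
    return nonce is None or resp.nonce == nonce

def check(policy, local_hit, stapled, online, now, nonce=None, must_staple=False):
    """Return "accept" or "reject". policy is "soft" or "hard"; stapled/online are
    an OcspResponse, or None when the answer was stripped or blocked in transit."""
    if local_hit:                        # OneCRL / CRLSets / untrusted store lists the cert
        return "reject"
    if must_staple and stapled is None:  # RFC 7633: a missing staple is itself a failure
        return "reject"
    for resp in (stapled, online):       # fall-back positions, in order
        if resp is not None and usable(resp, now, nonce):
            return "accept" if resp.status == "good" else "reject"
    return "accept" if policy == "soft" else "reject"  # no usable answer arrived

NOW, DAY = 1_700_000_000, 86_400
# Constructed sample: "good" answer issued before revocation, window still open.
OLD_GOOD = OcspResponse("good", NOW - 3 * DAY, NOW + 4 * DAY)
NONCE = bytes(range(16))                 # constructed per-handshake nonce

def scenarios():
    """Certificate is revoked at the CA; only the path to the client is interfered with."""
    return {
        "soft fail, all info blocked": check("soft", False, None, None, NOW),
        "hard fail, all info blocked": check("hard", False, None, None, NOW),
        "hard fail, replayed answer": check("hard", False, OLD_GOOD, None, NOW),
        "hard fail + nonce, replayed answer": check("hard", False, OLD_GOOD, None, NOW, NONCE),
        "must-staple, staple stripped": check("soft", False, None, None, NOW, must_staple=True),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{verdict:7} {name}")
```

Only the combination the Strict Checking slide asks for (staple required, replay protection, hard fail) rejects in every interference case; each weaker setting accepts the revoked certificate in at least one of them.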

Strict Checking: OCSP Availability Enhancements
- Session resumption via session IDs or session tickets to reduce OCSP responder loads
- Load balancing between independent CAs:
  - Reduce loads
  - Mitigate DDoS
  - Protect against OCSP responder failures

Strict Checking: Browser Adoption
Browsers compared: Chrome (v.59), Edge (v.40), IE (v.11), Firefox (v.54), Opera (v.46)
Features compared:
- TLS Feature Extension
- OCSP replay attack protection
- OCSP stapling for CA certificates
- Session resumption (session ID, session ticket)

Lightweight Checking
- Online checks are not performed
- End entity certificates with short validity period
- Certificates are auto renewed
- Intermediate CA revocation information pushes (CRLSets or OneCRL like)
- Open standard for TLS client/revocation info pushing service integration is required

Takeaways
- Certificate revocation is broken
- Use secondary browser configuration with enforced hard fail revocation checking to enhance your personal security
- Use proxy with enforced hard fail revocation checking to enhance security of organization
- Wait for new revocation checking strategies to be implemented and adopted