More Trick For Defeating SSL
DEFCON 17
Moxie Marlinspike
Outline
 1. Introduction
 2. Background Knowledge
 SSL/TLS protocol
 3. sslstrip
 4. sslsniff
 A. Basic Constraints vulnerability
 B. Null-Prefix Attack
 C. bypassing OCSP
 5. Conclusion
Introduction
 Demonstrate some new tricks for defeating SSL/TLS
in places where sslstrip does not reach.
Background Knowledge
SSL/TLS Protocol
SSL/TLS Introduction
 abbreviation for Transport Layer Security and it’s
successor Secure Socket Layer
 Provide communication security over the Internet.
 Even when the network is being MITM attack.
Network Stack
Handshake Process
Handshake Process
SSLstrip
SSLstrip Introduction[1]
 demonstration of the HTTPS stripping attacks
 It will transparently hijack HTTP traffic on a network,
watch for HTTPS links and redirects, then map those
links into either look-alike HTTP links or homographsimilar HTTPS links
How it work
 Bridge
 www.facebook.com bridge https://www.facebook.com?
 302 redirect
 Hyper link
302 Redirect
Detail – Normal Scenario
User
User type:
example.com
Browser
http://example.com
Server reply
302 redirect to
https://abc.example.com
https://abc.example.com
SSL/TLS handshake
Serve reply
200 ok
Server
Detail – Normal Scenario
Detail – Attack Scenario
http://example.com
http://example.com
Strip https to http
Server reply
302 redirect to
http://abc.example.com
Record url
http://abc.example.co
m
url match
Server reply
302 redirect to
https://abc.example.com
https://abc.example.com
http://abc.example.com
SSL/TLS handshake
Strip https to http
Application Data
Stripped
Application Data
User/browser
Attacker
Server
Result(without strip)
Result(with strip)
What can’t sslstirp do
 the browser query https://abc.example.com directly.
 Bookmark
 User typing
 Other protocol
 smtps
 Ftps
 Sftp….
SSLsniff Basic Constraints vulnerability
Certificate Chaining
Certificate Chaining
How we verify
 Verify that the name of the leaf node is the same as
the site you're connecting to.
 Verify that the leaf certificate has not expired.
 Check the signature
 If the signing CA is in our list of trusted root CAs, stop.
Otherwise, move one up the chain and repeat.
What they say
 Verify that the name of the leaf node is the same as
the site you're connecting to.
 Verify that the leaf certificate has not expired.
 Check the signature
 If the signing CA is in our list of trusted root CAs, stop.
Otherwise, move one up the chain and repeat.
Something must be wrong, but...




All the signatures are valid.
Nothing has expired.
The chain is in tact.
The root CA is embedded in the browser and trusted.
The missing piece
Back in the day
 Most CAs didn't explicitly set
 basicConstraints: CA=False
 Whether the field was there or not, most SSL implementations
didn't bother to check it.
 Anyone with a valid leaf node certificate could create and sign a
leaf node certificate for any other domain.
 When presented with a complete chain, IE, Outlook, Konqueror,
OpenSSL, and others considered it valid...
And then in 2002...
 Microsoft claimed that it was impossible to exploit.
 So The Author published the tool that exploits it.
SSLsniff detail
https://abc.example.com
SSL/TLS
handshake
Application Data
User/browser
1. Generate a certificate
for the site it is connected to
2. Sign it with any random valid
leaf node certificate.
3. Pass that certificate chain to
the client.
Get the Data from server
Encrypt it with our
private key
3. Send to user
https://abc.example.com
SSL/TLS handshake
1.
2.
Attacker
Application Data
SSLsniff –
Null Prefix Attack
Author’s PPT
What's with certificates, anyways?
 X509 Certificate






Version
Serial Number
Issuer
Validity
Subject
PublicKey
 Signature Algorithm
 Signature
Issue by some Issuer
Identify some subjects
Get the public key
Issuer Signature
The Big Three
 Secrecy
 Authenticity
 Integrity
-
Encryption algorithm
Digital Signature
Checksum
SSL Handshake Beginnings