More Trick For Defeating SSL DEFCON 17 Moxie Marlinspike Outline 1. Introduction 2. Background Knowledge SSL/TLS protocol 3. sslstrip 4. sslsniff A. Basic Constraints vulnerability B. Null-Prefix Attack C. bypassing OCSP 5. Conclusion Introduction Demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Background Knowledge SSL/TLS Protocol SSL/TLS Introduction abbreviation for Transport Layer Security and it’s successor Secure Socket Layer Provide communication security over the Internet. Even when the network is being MITM attack. Network Stack Handshake Process Handshake Process SSLstrip SSLstrip Introduction[1] demonstration of the HTTPS stripping attacks It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homographsimilar HTTPS links How it work Bridge www.facebook.com bridge https://www.facebook.com? 302 redirect Hyper link 302 Redirect Detail – Normal Scenario User User type: example.com Browser http://example.com Server reply 302 redirect to https://abc.example.com https://abc.example.com SSL/TLS handshake Serve reply 200 ok Server Detail – Normal Scenario Detail – Attack Scenario http://example.com http://example.com Strip https to http Server reply 302 redirect to http://abc.example.com Record url http://abc.example.co m url match Server reply 302 redirect to https://abc.example.com https://abc.example.com http://abc.example.com SSL/TLS handshake Strip https to http Application Data Stripped Application Data User/browser Attacker Server Result(without strip) Result(with strip) What can’t sslstirp do the browser query https://abc.example.com directly. Bookmark User typing Other protocol smtps Ftps Sftp…. SSLsniff Basic Constraints vulnerability Certificate Chaining Certificate Chaining How we verify Verify that the name of the leaf node is the same as the site you're connecting to. Verify that the leaf certificate has not expired. Check the signature If the signing CA is in our list of trusted root CAs, stop. Otherwise, move one up the chain and repeat. What they say Verify that the name of the leaf node is the same as the site you're connecting to. Verify that the leaf certificate has not expired. Check the signature If the signing CA is in our list of trusted root CAs, stop. Otherwise, move one up the chain and repeat. Something must be wrong, but... All the signatures are valid. Nothing has expired. The chain is in tact. The root CA is embedded in the browser and trusted. The missing piece Back in the day Most CAs didn't explicitly set basicConstraints: CA=False Whether the field was there or not, most SSL implementations didn't bother to check it. Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain. When presented with a complete chain, IE, Outlook, Konqueror, OpenSSL, and others considered it valid... And then in 2002... Microsoft claimed that it was impossible to exploit. So The Author published the tool that exploits it. SSLsniff detail https://abc.example.com SSL/TLS handshake Application Data User/browser 1. Generate a certificate for the site it is connected to 2. Sign it with any random valid leaf node certificate. 3. Pass that certificate chain to the client. Get the Data from server Encrypt it with our private key 3. Send to user https://abc.example.com SSL/TLS handshake 1. 2. Attacker Application Data SSLsniff – Null Prefix Attack Author’s PPT What's with certificates, anyways? X509 Certificate Version Serial Number Issuer Validity Subject PublicKey Signature Algorithm Signature Issue by some Issuer Identify some subjects Get the public key Issuer Signature The Big Three Secrecy Authenticity Integrity - Encryption algorithm Digital Signature Checksum SSL Handshake Beginnings