16-https
TRANSCRIPT
-
7/29/2019 16-https
1/35
HTTPS and the Lock Icon
Dan Boneh
-
7/29/2019 16-https
2/35
Goals for this lecture
Brief overview of HTTPS:
How the SSL/TLS protocol works (very briefly)
How to use HTTPS
Integrating HTTPS into the browser
Lots of user interface problems to watch for
-
7/29/2019 16-https
3/35
Threat Model: Network Attacker
Network Attacker:
Controls network infrastructure: Routers, DNS
Passive attacker: only eavesdrops on net traffic
Active attacker: eavesdrops, injects, blocks, and
modifies packets
Examples:
Wireless network at Internet Caf
Internet access at hotels (untrusted ISP)
-
7/29/2019 16-https
4/35
SSL/TLS overview
Alice
Enc
m c
Bob
Dec
c m
PKBob SKBob
Bob generates (SKBob , PKBob )
Alice: using PKBob encrypts messages
and only Bob can decrypt
Public-key encryption:
-
7/29/2019 16-https
5/35
Certificates
How does Alice (browser) obtain PKBob ?
CA
PK andproof I am Bob
Browser
Alice
SKCA
check
proof
issue Cert with SKCA :
Bobskey is PKBobs
key is PK
choose
(SK,PK)
Server Bob
PKCA
verify
Cert
Bob uses Cert for an extended period (e.g. one year)
PKCA
-
7/29/2019 16-https
6/35
Certificates: example
Important fields:
-
7/29/2019 16-https
7/35
Certificates on the web
Subjects CommonName can be:
An explicit name, e.g. cs.stanford.edu , or
A wildcard cert, e.g.*.stanford.edu or cs*.stanford.edu
matching rules:
* must occur in leftmost component, does not match .
example: *.a.com matches x.a.com but not y.x.a.com
(as in RFC 2818: HTTPS over TLS)
-
7/29/2019 16-https
8/35
Certificate Authorities
Browsers accept
certificates from alarge number of CAs
Top level CAs 60Intermediate CAs 1200
-
7/29/2019 16-https
9/35
Brief overview of SSL/TLS
browser server
SK
client-hello
server-hello + server-cert (PK)
key exchange (several options)
Finished
cert
client-key-exchange: E(PK, k)
rand. k
k
HTTP data encrypted with KDF(k)
Most common: server authentication only
-
7/29/2019 16-https
10/35
Integrating SSL/TLS with HTTP HTTPS
Two complications
Web proxies
solution: browser sends
CONNECT domain-name
before client-hello (dropped by proxy)
Virtual hosting:
two sites hosted at same IP address.
solution in TLS 1.1: SNI (RFC 4366)
client_hello_extension: server_name=cnn.com
implemented since FF2 and IE7 (vista)
webproxy web
server
corporate network
webserver
certCNN
certFOX
client-hello
server-cert ???
-
7/29/2019 16-https
11/35
Why is HTTPS not used for all web traffic?
Slows down web servers
Breaks Internet caching ISPs cannot cache HTTPS traffic
Results in increased traffic at web site
Incompatible with virtual hosting (older browsers)May. 2013: IE6 7% (ie6countdown.com)
-
7/29/2019 16-https
12/35
HTTPS in the Browser
-
7/29/2019 16-https
13/35
The lock icon: SSL indicator
Intended goal:
Provide user with identity of page origin Indicate to user that page contents were not
viewed or modified by a network attacker
In reality: Origin ID is not always helpful
example: Stanford HR is hosted at BenefitsCenter.com
Many other problems (next few slides)
-
7/29/2019 16-https
14/35
When is the (basic) lock icon displayed
All elements on the page fetched using HTTPS(with some exceptions)
For all elements:
HTTPS cert issued by a CA trusted by browser
HTTPS cert is valid (e.g. not expired)
CommonName in cert matches domain in URL
-
7/29/2019 16-https
15/35
The lock UI: helps users authenticate site
uninformative
-
7/29/2019 16-https
16/35
The lock UI: Extended Validation (EV) Certs
Harder to obtain than regular certs requires human lawyer at CA to approve cert request
Designed for banks and large e-commerce sites
Helps block semantic attacks: www.bankofthevvest.com
note: HTTPS-EV and HTTPS are in the same origin
-
7/29/2019 16-https
17/35
A general UI attack: picture-in-picture
Trained users are more likely to fall victim to this [JSTB07]
-
7/29/2019 16-https
18/35
HTTPS and login pages: incorrect version
Users often land on
login page over HTTP:
Type sites HTTP URLinto address bar, or
Google links to the
HTTP page
-
7/29/2019 16-https
19/35
HTTPS and login pages: guidelines
General guideline:
Response to http://login.site.com
should be Redirect: https://login.site.com
-
7/29/2019 16-https
20/35
Problems with HTTPS and the Lock Icon
-
7/29/2019 16-https
21/35
Problems with HTTPS and the Lock Icon
1. Upgrade from HTTP to HTTPS
2. Semantic attacks on certs
3. Forged certs
4. Mixed content
HTTP and HTTPS on the same page
5. Origin contamination
Weak HTTPS page contaminates stronger HTTPS page
6. Does HTTPS hide web traffic?
-
7/29/2019 16-https
22/35
1. HTTP HTTPS upgrade
Common use pattern:
browse site over HTTP; move to HTTPS for checkout
connect to bank over HTTP; move to HTTPS for login
Easy attack: prevent the upgrade (ssl_strip) [Moxie08]
Location: https://... Location: http://... (redirect)
webserverattacker
SSLHTTP
-
7/29/2019 16-https
23/35
Tricks and Details
Tricks: drop-in a clever fav icon (older browsers)
Details:
Erase existing session and force user to login:ssl_strip injects Set-cookie headers to delete
existing session cookies in browser.
Number of users who detected HTTP downgrade: 0
-
7/29/2019 16-https
24/35
Defense: Strict Transport Security (HSTS)
Header tells browser to always connect over HTTPS
After first visit, subsequent visits are over HTTPS
self signed cert results in an error
STS flag deleted when user clears private data (chrome)
Compromise: security vs. privacy
webserver
Strict-Transport-Security max-age=31106;
-
7/29/2019 16-https
25/35
2. Semantic attacks on certs
International domains: xyz.cn
Rendered using international character set
Observation: chinese character set contains chars
that look like / and ? and . and =
Attack: buy domain cert for *.badguy.cn
setup domain called:
www.bank.com/accounts/login.php?q=me .baguy.cn
note: single cert *.badguy.cn works for all sites
Extended validation (EV) certs may help defeat this
-
7/29/2019 16-https
26/35
[Moxie08]
-
7/29/2019 16-https
27/35
3. Certificate Issuance Woes
Wrong issuance:
2011: Comodo and DigiNotar RAs hacked, issue certs for
Gmail, Yahoo! Mail,
Rogue CA:
2009: Etisalat CA in UAE
Signs software patch on behalf of RIM
PacketForensics: HTTPS MiTM for law enforcement
(see also crypto.stanford.edu/ssl-mitm )
enables eavesdropping w/o a warning in users browser
-
7/29/2019 16-https
28/35
Man in the middle attack using rogue certs
Attacker proxies data between user and bank.
Sees all traffic and can modify data at will.
bankattackerClientHello ClientHello
BankCertBadguyCert
ServerCert (Bank)ServerCert (rogue)
GET https://bank.com
SSL key exchange SSL key exchange
k1 k1 k2 k2HTTP data enc with k1 HTTP data enc with k2
(cert for Bank by a valid CA)
-
7/29/2019 16-https
29/35
What to do? (many good ideas)
1. HTTP public-key pinning, TACK
Let a site declare CAs that can sign its cert (similar to HSTS)
on subsequent HTTPS, browser rejects certs for site
issued by other CAs
TOFU: Trust on First Use
2. Certificate Transparency: [LL12]
idea: CAs must advertise a log ofall certs. they issued
Browser will only use a cert if it is on the CAs log
Efficient implementation using Merkle hash trees
Companies can scan logs to look for invalid issuance
-
7/29/2019 16-https
30/35
4. Mixed Content: HTTP and HTTPS
Page loads over HTTPS, but contains content over HTTP
(e.g. )
Active network attacker can hijack session
Modifies script en-route to browser
Another way to embed content:
served over the same protocol as embedding page
Can use for content served over HTTP or HTTPS
-
7/29/2019 16-https
31/35
Mixed Content: HTTP and HTTPS
IE7:
No SSL lock in address bar:
Chrome:
-
7/29/2019 16-https
32/35
5. Peeking through SSL
Network traffic reveals length of HTTPS packets
TLS supports up to 256 bytes of padding
AJAX-rich pages have lots and lots of
interactions with the server
These interactions expose specificinternal state of the page BAM!
Chen, Wang, Wang, Zhang, 2010
-
7/29/2019 16-https
33/35
Peeking through SSL: an example
Vulnerabilities in an online tax application
No easy fix. Can also be used to ID Tor traffic
-
7/29/2019 16-https
34/35
6. Origin Contamination: an example
Solution: remove lock from top page after loading bottom page
-
7/29/2019 16-https
35/35
THE END