SSL, HTTPS and the Lock Icon

Borrowed from Dan Boneh & others

Goals for this lecture

• Brief overview of HTTPS:•How the SSL/TLS protocol works (very briefly)

•How to use HTTPS

• Integrating HTTPS into the browser•Lots of user interface problems to watch for

2

Threat Model: Network Attacker

Network Attacker:• Controls network infrastructure: Routers, DNS

Passive attacker: only eavesdrops on net traffic

Active attacker: eavesdrops, injects, blocks, and modifies packets

Examples:• Wireless network at Internet Café

• Internet access at hotels (untrusted ISP)3

Reminder: Public-Key Encryption

Alice

Encm cBob

Decc m

PKBob SKBob

Bob generates (SKBob , PKBob )

Alice: using PKBob encrypts messages and only Bob can

decrypt

Public-key encryption:

4

Certificates

How does Alice (browser) obtain PKBob ?

CA

PK andproof “I am Bob”

BrowserAlice

SKCA

checkproof

issue Cert with SKCA :

Bob’s key is PKBob’s

key is PK

choose (SK,PK)

Server Bob

PKCA

verifyCert

Bob uses Cert for an extended period (e.g. one year)

PKCA

5

Certificates: example

Important fields:

6

Certificates on the web

Subject’s CommonName can be:

• An explicit name, e.g. cs.stanford.edu , or

• A wildcard cert, e.g.*.stanford.edu or cs*.stanford.edu

matching rules: “*” must occur in leftmost component, does not match “.”

example: *.a.com matches x.a.com but not y.x.a.com(as in RFC 2818: “HTTPS over TLS”)

7

Managing your certificates

Firefox: Tools > Options > Advanced > Certificates

Certificate Authorities

Browsers acceptcertificates from alarge number of CAs

Top level CAs ≈ 60Intermediate CAs ≈ 1200

9

SSL/TLS

SSL/TLS: the cryptographic protocol in HTTPS

Establish a session • Agree on algorithms• Share secrets• Perform authentication

Transfer application data• Ensure privacy and integrity

11

Handshake

• Negotiate Cipher-Suite Algorithms• Symmetric cipher to use• Key exchange method• Message digest function

• Establish and share master secret• Optionally authenticate server and/or client

12

Brief overview of SSL/TLS

browser server

SK

client-hello

server-hello + server-cert (PK)

key exchange (several options)

Finished

cert

client-key-exchange: E(PK, k)

rand. k

k

HTTP data encrypted, Symmetric cipher(k)

Most common: server authentication only13

ClientHello

C

ClientHello

S

Client announces (in plaintext):• Protocol version he is running• Cryptographic algorithms he

supports

struct { ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites; CompressionMethod

compression_methods;} ClientHello

ClientHello (RFC)Highest version of the

protocol supported by the client

Set of cryptographic algorithms supported by the

client (e.g., RSA or Diffie-Hellman)

Client Hello - Cipher Suites

INITIAL (NULL) CIPHER SUITE

PUBLIC-KEYALGORITHM

SYMMETRICALGORITHM

HASHALGORITHM

CIPHER SUITE CODES USEDIN SSL MESSAGES

SSL_NULL_WITH_NULL_NULL = { 0, 0 }

SSL_RSA_WITH_NULL_MD5 = { 0, 1 }

SSL_RSA_WITH_NULL_SHA = { 0, 2 }

SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 }

SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 }

SSL_RSA_WITH_RC4_128_SHA = { 0, 5 }

SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 }

SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 }

SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 }

SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 }

SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 }

16

ServerHello

C

Versionc, suitec, Nc

ServerHello

SServer responds (in plaintext) with:• Highest protocol version

supported by both client and server• Strongest cryptographic suite

selected from those offered by the client

Server selects the protocol version and the crypto algorithms

ServerKeyExchange

C

Versions, suites, Ns,ServerKeyExchange

SServer sends his public-key certificatecontaining either his RSA, orhis Diffie-Hellman public key (depending on chosen crypto suite)

Versionc, suitec, Nc

ClientKeyExchange

C

Versions, suites, Ns,sigca(S,Ks),“ServerHelloDone”

S

Versionc, suitec, Nc

ClientKeyExchange

Client generates some secret key materialand sends it to the server encrypted withthe server’s public key (if using RSA)

Client selects what will become the secret session key

What is Authenticated in SSL ? #1

• Server’s PK provided as a Cert signed by CA• Browser has CA’s public key

•Verified signature Trust the server’s PK• But does the server hold the matching SK ?

20

What is Authenticated in SSL? #2

• Browser’s secret random k encrypted by PK• Server decrypts k• Browser & server derive shared secret key• All subsequent messages are encrypted

•With symmetric cipher, e.g. RC4• If browser decrypts successfully

Server got the correct kServer had the SK matching the CertServer is authenticated

• Client is NOT authenticated: usually has to login (through the encrypted channel)

21

Version Rollback Attack

C

Versions=2.0, suites, Ns,sigca(S,Ks),“ServerHelloDone”

S

Versionc=2.0, suitec, Nc

{Secretc}Ks

C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that

does not include “Finished” messages)

Server is fooled into thinking he is communicating with a client who supports only SSL 2.0

Fixed in SSL v3.0

“Chosen-Protocol” Attacks

• Why do people release new versions of security protocols? Because the old version got broken!

• New version must be backward-compatibleNot everybody upgrades right away

• Attacker can fool someone into using the old, broken version and exploit known vulnerability

Similar: fool victim into using weak crypto algorithms

• Defense is hard: must authenticate version early• Many protocols had “version rollback” attacks

SSL, SSH, GSM (cell phones)

HTTPS in the Browser

The lock icon: SSL indicator

Intended goal:• Provide user with identity of page origin• Indicate to user that page contents were not

viewed or modified by a network attacker

In reality:• Origin ID is not always helpful

example: Stanford HR is hosted at BenefitsCenter.com• Many other problems (next few slides)

25

When is the (basic) lock icon displayed

• All elements on the page fetched using HTTPS(with some exceptions)

• For all elements:•HTTPS cert issued by a CA trusted by browser•HTTPS cert is valid (e.g. not expired)•CommonName in cert matches domain in URL

26

The lock UI: Extended Validation (EV) Certs

• Green background or text in browser URL• Harder to obtain than regular certs

• requires human lawyer at CA to approve cert request

• Designed for banks and large e-commerce sites

27

A general UI attack: picture-in-picture

Trained users are more likely to fall victim to this [JSTB’07]28

HTTPS and login pages: the bad way

Users often land on login page over HTTP:

•Type site’s HTTP URL

into address bar, or

• Google links to the HTTP page

<form method="post" action="https://onlineservices.wachovia.com/..."

View source:

HTTPS and login pages: guidelines

General guideline: never show a login screen via http

•Response to http://login.site.comshould be Redirect: https://login.site.com

Problems with HTTPS and the Lock Icon

1. HTTP HTTPS upgrade

Common use pattern:•browse site over HTTP; move to HTTPS for checkout•connect to bank over HTTP; move to HTTPS for login

Easy attack: prevent the upgrade (ssl_strip) [Moxie’08]

<a href=https://…> <a href=http://…>

Location: https://... Location: http://... (redirect)

<form action=https://… > <form action=http://…>

webserverattacker

SSLHTTP

32

Tricks and Details

Tricks: drop-in a clever fav icon (older browsers)

Details:• Erase existing session and force user to login:

ssl_strip injects “Set-cookie” headers to delete existing session cookies in browser.

Number of users who detected HTTP downgrade: 0

33

2. Semantic attacks on certs

International domains: xyz.cn• Rendered using international character set• Observation: Chinese character set contains chars

that look like “/” and “?” and “.” and “=”

Attack: buy domain cert for *.badguy.cnsetup domain called:

www.bank.com/accounts/login.php?q=me.baguy.cn

note: single cert *.badguy.cn works for all sites

Extended validation (EV) certs may help defeat this34

[Moxie’08] 35

3. Certificate Issuance Woes

Wrong issuance:2011: Comodo and DigiNotar RAs hacked, issue certs for Gmail, Yahoo! Mail, …

Rogue CA: 2009: Etisalat CA in UAE

Signs software patch on behalf of RIM

PacketForensics: HTTPS MiTM for law enforcement(see also crypto.stanford.edu/ssl-mitm )

⇒ enables eavesdropping w/o a warning in user’s browser36

Man in the middle attack using rogue certs

Attacker proxies data between user and bank. Sees all traffic and can modify data at will.

bankattackerClientHello ClientHello

BankCertBadguyCert

ServerCert (Bank)ServerCert (rogue)

GET https://bank.com

SSL key exchange SSL key exchange

k1 k1 k2 k2

HTTP data enc with k1 HTTP data enc with k2

(cert for Bank by a valid CA)

37

What to do? (many good ideas)

1. HTTP public-key pinning, TACK

• Let a site declare CAs that can sign its cert• on subsequent HTTPS, browser rejects certs for site

issued by other CAs• TOFU: Trust on First Use

2. Certificate Transparency: [LL’12]

• idea: CA’s must advertise a log of all certs. they issued• Browser will only use a cert if it is on the CA’s log

•Efficient implementation using Merkle hash trees

• Companies can scan logs to look for invalid issuance 38

4. Mixed Content: HTTP and HTTPS

Page loads over HTTPS, but contains content over HTTP(e.g. <script src=“http://.../script.js> )

Active network attacker can hijack session• Modifies script en-route to browser

Another way to embed content:

<script src=“//.../script.js>

served over the same protocol as embedding page• Can use for content served over HTTP or HTTPS

39

Mixed Content: HTTP and HTTPS

IE7:

No SSL lock in address bar:

Chrome:

40

5. Peeking through SSL

Network traffic reveals length of HTTPS packets• TLS supports up to 256 bytes of padding

AJAX-rich pages have lots and lots of interactions with the server

These interactions expose specific internal state of the page BAM!

Chen, Wang, Wang, Zhang, 2010

Peeking through SSL: an example

Vulnerabilities in an online tax application

No easy fix. Can also be used to ID Tor traffic

42

THE END

6. Origin Contamination: an example

Solution: remove lock from top page after loading bottom page44

Integrating SSL/TLS with HTTP HTTPS

Two complications

• Web proxiessolution: browser sends

CONNECT domain-name

before client-hello (dropped by proxy)

• Virtual hosting:two sites hosted at same IP address.

solution in TLS 1.1: SNI (RFC 4366)

client_hello_extension: server_name=cnn.com

implemented since FF2 and IE7 (vista)

webproxy web

server

corporate network

webserver

certCNN

certFOX

client-hello

server-cert ???

Why is HTTPS not used for all web traffic?

• Slows down web servers

• Breaks Internet caching•ISPs cannot cache HTTPS traffic•Results in increased traffic at web site

• Incompatible with virtual hosting (older browsers)May. 2013: IE6 ≈ 7% (ie6countdown.com)

The lock UI: helps users authenticate site

uninformative

Problems with HTTPS and the Lock Icon

1. Upgrade from HTTP to HTTPS

2. Semantic attacks on certs

3. Forged certs

4. Mixed content• HTTP and HTTPS on the same page

5. Origin contamination• Weak HTTPS page contaminates stronger HTTPS page

6. Does HTTPS hide web traffic? 48

Defense: Strict Transport Security (HSTS)

Header tells browser to always connect over HTTPS

• After first visit, subsequent visits are over HTTPS

•self signed cert results in an error

• STS flag deleted when user “clears private data” (chrome)

•Compromise: security vs. privacy

webserver

Strict-Transport-Security max-age=31 10⋅ 6;

49