Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Forged SSL Certificates in the Wild

Published byConstance Barrette Modified over 6 years ago

Similar presentations

Presentation on theme: "Analyzing Forged SSL Certificates in the Wild"— Presentation transcript:

1 Analyzing Forged SSL Certificates in the Wild
Lin-Shung Huang, Collin Jackson: Carnegie Mellon University Alex Rice, Erling Ellingsen: Facebook Mohammad Ali Javidian

2 OVERVIEW SSL man-in-the-middle attack SSL Tamper Detection Method
Introduction: SSL/TLS SSL man-in-the-middle attack SSL Tamper Detection Method Analysis of Forged SSL Certificates Survey of Mitigations: some possible defenses Conclusion

3 Introduction: SSL/TLS

4 Secure Socket Layer (SSL)
SSL is an encryption protocol designed to provide secure communication and data transfers over the Internet SSL handshake

5 SSL man-in-the-middle attack

6 SSL man-in-the-middle attack
Forged certificates are used to mount man-in-the-middle attacks The attacker can read and modify all the encrypted messages between server and client

7 Tamper Detection Techniques for Websites

8 Web Tripwires Websites deploy JavaScript to the client’s browser that detects modifications on webpages during transmission. Limitations: Can detect modifications to only unencrypted web traffic Does not detect either passive eavesdropping or man-in-the-middle attacks

9 Content Security Policy (CSC)
It enables websites to restrict browsers to load page content only from a server-specified list of trusted sources Limitation: CSP does not detect eavesdropping on SSL connections

10 Browser Plugins Browser plugins like Java and Flash Player are used to diagnose the client's network Limitation: Are not effective in detecting man-in-the-middle attacks

11 Proposed SSL Tamper Detection Method

12 A. Threat Model Proposed SSL Tamper Detection Method Assumption:
consider an active network attacker who has control over the victim’s network connection. However, the attacker does not have control over the website. The goal of the adversary: read encrypted messages between the victim client and the HTTPS website The attacker may impersonate the legitimate web site with either: a trusted certificate issued by a trusted CA, an untrusted certificate (e.g. a self-signed certificate) Proposed SSL Tamper Detection Method

13 B. Design Proposed SSL Tamper Detection Method
The design of the proposed system contain two main components : 1) Client-Side Applet 2) Lenient Certificate Extraction Proposed SSL Tamper Detection Method

14 Client-Side Applet Proposed SSL Tamper Detection Method B. Design
Our approach is to use a client-side applet that observes the server’s SSL certificate from the client’s perspective, directly during the SSL handshake. We implemented a Shockwave Flash (SWF) applet that can: open a raw socket connection to its own HTTPS server (typically on port 443), and perform an SSL handshake over the connection in the Flash Player. Proposed SSL Tamper Detection Method B. Design

15 Client-Side Applet … Proposed SSL Tamper Detection Method B. Design
Flash Player plugin does not allow any applets to access socket connections, unless the remote host runs a Flash socket policy server. Proposed SSL Tamper Detection Method B. Design

16 Client-Side Applet … Proposed SSL Tamper Detection Method B. Design
A valid socket policy file format (XML) :

17 Client-Side Applet … Proposed SSL Tamper Detection Method B. Design
the client-side applet may be implemented using other browser plugins, for example, the Java plugin Java applets are allowed to create socket connections from the client to any port on the same host that the applet was served from. Limitations of Java applet: 1) the Java plugin is currently blocked by default on several client platforms, and may require additional user interaction to activate the Java plugin. 2) visible icon would be displayed in the system traywhich might annoy or confuse some of the website’s users. Proposed SSL Tamper Detection Method B. Design

18 Lenient Certificate Extraction
The raw bytes of the ServerHello and ServerCertificate messages are parsed to extract the server certificates, since it enabled us to preserve the SSL handshake bytes for further investigation, even if early versions of our extraction code failed while parsing certificates. Proposed SSL Tamper Detection Method B. Design

19 Implementation Proposed SSL Tamper Detection Method
The client-side applet was deployed on Facebook’s servers to run experiments. a logging endpoint was setup on the HTTPS servers, in PHP, that parses the reports, and aggregates data into the back-end databases. SSL certificates were processed and read using the OpenSSL library. They built an internal web interface for querying the log reports. Proposed SSL Tamper Detection Method

20 Experimentation Proposed SSL Tamper Detection Method
The client-side applet was served randomly to sampled clients on Facebook's website. The data was collected and analyzed from Nov 20, 2012 to Mar 31,2013. Proposed SSL Tamper Detection Method

21 Experimentation … Proposed SSL Tamper Detection Method
CATEGORIZATI ON OF REPORTS: Only 6845 (0.2%) of the observed certificates were not legitimate, nor were they in any way approved by Facebook (forged certificates). Proposed SSL Tamper Detection Method

22 Limitations Proposed SSL Tamper Detection Method
Possible ways in which the attacker can evade the detection: Attack1 Attackers may corrupt all SWF files in transmission, to prevent the client-side applet from loading. Defence websites may consider randomizing the locations of their SWF files. Attack2 Attackers may restrict Flash-based sockets by blocking Flash socket policy traffic on port 843. Defence1 websites could possibly serve socket policy files over firewall-friendly ports (80 or 443). Defence2 websites can try falling back to Java applets on supporting clients if Flash-based sockets are blocked Proposed SSL Tamper Detection Method

23 Limitations … Proposed SSL Tamper Detection Method
Attack3 Attackers may try to avoid intercepting SSL connections made by the Flash Player. Defence website may tailor its client-side applet to act similarly to a standard browser. Attack4 Attackers could possibly tamper the reports and trick our log servers to believe that the website’s legitimate certificate was observed. Defence The website may need additional mechanisms to verify the integrity of their reports. Proposed SSL Tamper Detection Method

24 Analysis of Forged SSL Certificates

25 Analysis of Forged SSL Certificates
Size Characteristics Certificate chain sizes: Most of the forged certificates are less than 1 KB, they only include self-signed certificate. Certificate chain depths: chain depth is the number of certificates Analysis of Forged SSL Certificates

26 Size Characteristics …
Public key sizes: Most of the forged certificates had either 1024-bit or 2048-bit public keys, which are not characteristically different from legitimate SSL certificates. Analysis of Forged SSL Certificates

27 Analysis of Forged SSL Certificates
Certificate Subjects Analysis of Forged SSL Certificates

28 Analysis of Forged SSL Certificates
Certificate Issuers Analysis of Forged SSL Certificates

29 Survey of Mitigations

30 Strict Transport Security
HTTP Strict Transport Security (HSTS) is a HTTP response header that allows websites to instruct browsers to make SSL connections mandatory on their site. It prevents users from accepting untrusted certificates Limitations: HSTS is not designed to protect against malware or professional attackers that use forged certificates that would be accepted by the browser Survey of Mitigations

31 Public Key Pinning Survey of Mitigations
The Public Key Pinning Extension for HTTP (HPKP) instruct browsers to reject any certificates with unknown public keys. Both HSTS and HPKP defenses require that clients must first visit the legitimate website securely before connecting from untrusted networks. Limitations: It would be difficult to accurately distinguish real attacks from legitimate certificate changes, or alternative certificates. Survey of Mitigations

32 Origin-Bound Certificates
The TLS Origin-Bound Certificates (TLS-OBC) enables browsers to generate self-signed client certificates on demand. It blocks most of the existing man-in-the-middle attack toolkits, since attackers cannot impersonate the client. Limitations: It requires code changes to the network stack on servers. It also induces extra computational costs for client certificate generation. Survey of Mitigations

33 Certificate Validation with Notaries
Compares server certificates against multiple notaries to reveal inconsistencies. Limitations: Notary approaches might produce false positives when servers switch between alternative certificates. It may also affect the SSL connection times due to querying multiple notaries during certificate validation Survey of Mitigations

34 Certificate Audit Logs
All the legitimately issued certificates are recorded such that mis-issued certificates can be easily discovered, while off-the-record certificates are simply rejected. Limitations: browsers need to be modified to support the mechanism, and changes are needed on the CAs or servers to deliver the audit proof Survey of Mitigations

35 DNS-based Authentication
DNS-based Authentication of Named Entities (DANE) allows the domain operator to sign SSL certificates for websites on its domain. It prevents any CAs (gone rogue) from issuing trusted certificates for any domain on the Internet. Limitations: These methods fundamentally rely on DNSSEC to prevent forgery and modification of the DNS records. Survey of Mitigations

36 Discussion: Script kiddie
A script kiddie is a relatively unskilled individual who simply downloads attack toolkits that have been created by others. These attackers generally only attempt to perform attacks with less sophisticated methods (with self-signed forged certificates) and on a smaller scale, such as a local public WiFi hotspot. All of the defenses are immune to script kiddies. Even HSTS can block these attacks, because any invalid certificates will hard-fail in supporting browsers. Survey of Mitigations

37 Discussion: Corporate-level surveillance
The corporate IT technicians may access the client’s machine to establish trust with their self-signed root certificates. HSTS and HPKP can not protect against Corporate- level surveillance. Other defences including audit logs and notary-based approaches can detect these attacks. Survey of Mitigations

38 Discussion: Professional attacker and Malware
Professional attacker : An entity that has managed to obtained a forged certificate from a trusted CA. HSTS can not protect against these attacks. Malware: It may have access to the victim client’s machine, and simply tamper with the client’s root CA store. None of the possible defences are designed to prevent malware attackers. Survey of Mitigations

39 Conclusion Authors: designed a novel method for websites to collect direct evidence of man-in-the-middle attacks against their SSL connections implemented this detection method on Facebook’s website. conducted the first analysis on forged SSL certificates by measuring over 3 million SSL connections. Results show that 0.2% SSL connections are in fact tampered with forged certificates. Based real-world data, they categorized the root causes of forged SSL certificates, and showed that most of the SSL interceptions are due to antivirus software and organization-scale content filters. provided evidence of SSL interceptions by malware, which have infected users across at least 45 countries.

40

Download ppt "Analyzing Forged SSL Certificates in the Wild"

Similar presentations

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.

Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.
Robust Defenses for Cross-Site Request Forgery CS6V81 - 005 Presented by Saravana M Subramanian.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.
CHAPTER 11 Spoofing Attack. INTRODUCTION Definition Spoofing is the act of using one machine in the network communication to impersonate another. The.

CHAPTER 11 Spoofing Attack. INTRODUCTION Definition Spoofing is the act of using one machine in the network communication to impersonate another. The.
CSC8320. Outline Content from the book Recent Work Future Work.

CSC8320. Outline Content from the book Recent Work Future Work.
CSCE 201 Web Browser Security Fall 2015. CSCE 201 - Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.

CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.

1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Module 7: Advanced Application and Web Filtering.

Module 7: Advanced Application and Web Filtering.
Sid Stamm, Zulfikar Ramzan and Markus Jokobsson Erkang Xu.

Sid Stamm, Zulfikar Ramzan and Markus Jokobsson Erkang Xu.

Similar presentations

Ads by Google