Slide 1
IEEE Symposium on Security and Privacy, May 2009
Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang
Microsoft Research, Purdue University
May 20th, 2009
Slide 2
HTTPS: end-to-end secure protocol for web traffic.
Adversary assumption: MITM (man-in-the-middle).
Figure: browser, proxy, Internet, HTTPS server; the SSL tunnel runs from the browser through the proxy to the server.
Are today's browser implementations consistent with this assumption?
Slide 3
Key finding
- A class of browser vulnerabilities (demo): a proxy can defeat the end-to-end security promised by HTTPS.
- Vulnerabilities exist in all major browsers.
Industry outreach
- Technical work finished in summer 2007.
- Paper withheld until this conference.
- Worked with all vendors to address the issues.
Slide 4
Figure: Browser (TCP/IP, HTTP/HTTPS, rendering modules), PBP, HTTPS server. Browser-to-proxy leg: HTTP/HTTPS, unencrypted; SSL tunnel to the server: encrypted.
Slide 5
Key issue: browsers load unencrypted content from the proxy in the HTTPS context of the victim server.
- Attack 1: Proxy's error response
- Attack 2: Proxy's redirection
- Attack 3: HTTP-intended pages that are HTTPS loadable
- Attack 4: Visual context (GUI behavior, no script)
Slide 6
<iframe src=https://bank.com>
Proxy's error page: e.g., 502 server not found, or another 4xx/5xx response. Script in the error page runs in https://bank.com.
Figure: browser, PBP, bank server. The browser requests https://bank.com; the PBP answers "502: Server not found", and the browser renders it as https://bank.com.
Slide 7
Figure: browser, PBP, bank.com server, evil.com server. The browser requests https://js.bank.com for the https://bank.com page; the PBP answers HTTP 302: redirection to https://evil.com, and the browser loads https://evil.com.
Script will run in the context of https://bank.com.
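Attacks 1 and 2 both hinge on the browser treating the proxy's reply to CONNECT as if it came from the HTTPS server. The following is an added example (not code from the paper or from any browser) of the fix on the client side: a non-2xx CONNECT reply is a proxy failure, so its body is never rendered under the requested origin and its Location header is never followed. The sample replies are constructed; `handle_connect_reply` and the field names are assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Status line of the proxy's reply to "CONNECT bank.com:443 HTTP/1.1".
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})\b")

# Constructed sample replies (not captured traffic).  ERROR_REPLY and
# REDIRECT_REPLY have the shapes a PBP would send in attacks 1 and 2.
OK_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"
ERROR_REPLY = (b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n\r\n"
               b"<html><script>document.title = 'x'</script></html>")
REDIRECT_REPLY = b"HTTP/1.1 302 Found\r\nLocation: https://evil.example/\r\n\r\n"


def parse_connect_reply(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a CONNECT reply into (status, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT reply")
    m = STATUS_RE.match(head)
    if not m:
        raise ValueError("malformed status line")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers, body


def handle_connect_reply(raw: bytes, origin: str) -> dict:
    """Decide what the browser may do with the proxy's CONNECT reply.

    Only a 2xx status means the tunnel is up and TLS to `origin` may start.
    Anything else came from the proxy, not from the server behind the tunnel,
    so the body must not be rendered as `origin` (attack 1) and a Location
    header must not be followed inside that origin (attack 2).
    """
    status, headers, body = parse_connect_reply(raw)
    if 200 <= status < 300:
        return {"action": "start_tls", "origin": origin, "status": status}
    # Proxy-generated reply: show the browser's own error UI with no origin.
    return {"action": "browser_error_page", "origin": None, "status": status,
            "ignored_location": headers.get("location"),
            "discarded_body_bytes": len(body)}
```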
Slide 8
Many websites provide both HTTP and HTTPS services:
- Sensitive pages, e.g. checkout: HTTPS only.
- Non-sensitive pages, e.g. merchandise: intended for HTTP access.
However, non-sensitive pages are often accessible through HTTPS as well!
What's wrong with HPIHSL pages (HTTP-intended pages that are HTTPS loadable)? They often import scripts through HTTP, and those non-sensitive HTTP scripts will run in the HTTPS context.
Slide 9
Browsers warn about HTTP resources in HTTPS contexts, don't they?
The detection logic only determines the address bar's appearance, and the address bar only concerns the top-level page, so …
Slide 10
Using an HTTPS iframe in an HTTP top-level page.
- Top level: HTTP.
- Hidden iframe: HTTPS for an HPIHSL page, which imports http://resources.jcpenny.com/foo.js; the attack script runs in the HTTPS context.
Slide 11
Very easy to find HPIHSL pages that import scripts. The paper shows 12 websites having this problem; these HTTPS domains are not trustworthy. They cover a wide range:
- Online shopping sites
- Banks, credit card companies
- Open source project management site
- Top computer science departments
- Even the home domain of a leading certificate authority
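The HPIHSL problem from slides 8 to 11 is something a site owner can audit for directly. Below is an added example (not the paper's survey tooling) of such a check: it parses a page that is reachable over HTTPS and reports the script, stylesheet and frame sources that resolve to plain http:// URLs, which is exactly the content a network attacker could substitute into the HTTPS origin. The page markup and host names are constructed for the example; `find_http_active_content` is a name assumed here.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed sample: a non-sensitive page that is HTTPS-loadable but pulls
# active content over plain HTTP (the HPIHSL pattern).  Not a real site.
SAMPLE_PAGE_URL = "https://shop.example/catalog"
SAMPLE_HTML = """<html><head>
<script src="http://resources.example/foo.js"></script>
<script src="//cdn.example/bar.js"></script>
<script src="/static/ok.js"></script>
<link rel="stylesheet" href="http://resources.example/site.css">
</head><body>
<iframe src="http://ads.example/frame"></iframe>
<img src="http://img.example/pic.jpg">
</body></html>"""

# Elements whose HTTP-sourced content runs (or can run) script in the page.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "embed": "src"}


class ActiveHttpFinder(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        url = a.get(attr)
        if not url:
            return
        # Resolve against the page URL: "//cdn" inherits https, "/static" stays
        # on the page's own origin, so only true http:// sources are flagged.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_http_active_content(page_url: str, html: str) -> List[Tuple[str, str]]:
    """Return (tag, url) pairs for active content the page loads over HTTP."""
    finder = ActiveHttpFinder(page_url)
    finder.feed(html)
    return finder.findings
```

A non-empty result for a page served via HTTPS means that whoever can tamper with those plain-HTTP fetches gets script running in the HTTPS origin.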
Slide 12
In attack 1, script in the proxy's error page runs in the HTTPS context (all browsers).
This attack: no script, only static HTML; it is due to GUI behavior.
IE, Opera and Chrome display a certificate on the GUI as long as it is in the certificate cache.
Slide 13
Figure: a response page schedules a one-second timer for refreshing the page; before the timer expires, a PayPal certificate is cached by getting a.jpg from the real server; the refresh then brings the phishing page (5xx).
A perfect GUI spoofing attack: fresh browser, single tab, address bar input.
Slide 14
(no text extracted)
Slide 15
Proxies are used in many environments:
- Corporate and university networks
- Hospitals, hotels
- Third-party free proxies
Due to PBP issues, the security of HTTPS communication depends on the proxy's integrity. Is the proxy infected by viruses, hijacked by attackers, or configured by malicious insiders?
Slide 16
All these attacks work as long as:
(1) The attacker can sniff your machine at the link layer. For HTTPS, you need to assume this.
(2) The browser has its proxy capability ON: WPAD (Web Proxy Auto Discovery), PAC script (Proxy Auto Config script), or manual configuration.
Slide 17
Our test bed
- Proxy required for web traffic to the Internet
- WPAD (default), PAC-script config or manual config
- Tested on Ethernet
- Tested on open wireless network
Figure: GET /wpad.dat is answered with PBP_cfg by the attacker; GET /wpad.dat is answered with goodProxy_cfg by the legitimate server.
Slide 18
Vendor status table. Columns: IE 8 (since beta 2), Firefox 3.0.10, Safari 3.2.2 (or before), Opera since Dec. 2007, Chrome 1.0.154.53 (cell-to-column alignment was lost in extraction; cells are listed in the order extracted).
- Error-response issue: Fixed
- Redirection issue: N/A; Fixed; N/A
- HPIHSL issue: fix suggested for next version; Fix proposed; Acknowledged
- Cached certificate issue: Fixed; N/A; Fixed
Besides point fixes, how can we systematically prevent (or find) these bugs? Future PBP issues.
Slide 19
Not a fundamental solution: HTTPS security should not depend on the network. However, it is worthwhile to have mitigations, because some issues are not patched and new issues will be found in the future.
Mitigations
- Wireless router: use WPA (WiFi Protected Access)
- Corporate network: deploy IPSec on many types of servers, not only web servers but also DNS, DHCP and PAC servers
- Travelling employees: secure VPN to your corporate network
Slide 20
The PBP adversary: targets the rendering modules; encrypted and unencrypted contents get confused.
Figure: TCP/IP, HTTP/HTTPS, rendering modules.
Developers of rendering modules need to deal with MITM; the HTTPS layer does not mask MITM for the rendering modules.
Beyond HTTPS: other end-to-end protocols (Kerberos, IPSec, etc.), e.g., HTTP over IPSec using Kerberos authentication. What do you want to achieve if a proxy is in between?
Slide 21
HTTPS is flawed. We argue that many proxies are not secure enough to tunnel HTTPS. We advocate link layer security.
In addition to browser issues, we also show issues in WPAD, etc.
Slide 22
A free web service for timestamping research ideas.
- Why: some research contributions cannot be published immediately, e.g., due to responsible disclosure policy.
- What: OCCUR gives your idea a timestamp from VeriSign.
- Details: search for "Microsoft OCCUR" or ask me offline. http://research.microsoft.com/en-us/projects/occur/