Download
https and the lock icon n.
Skip this Video
Loading SlideShow in 5 Seconds..
HTTPS and the Lock Icon PowerPoint Presentation
Download Presentation
HTTPS and the Lock Icon

HTTPS and the Lock Icon

204 Vues Download Presentation
Télécharger la présentation

HTTPS and the Lock Icon

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. HTTPS and the Lock Icon Borrowed from Dan Boneh

  2. Goals for this lecture • Brief overview of HTTPS: • How the SSL/TLS protocol works (very briefly) • How to use HTTPS • Integrating HTTPS into the browser • Lots of user interface problems to watch for 2

  3. Threat Model: Network Attacker • Network Attacker: • Controls network infrastructure: Routers, DNS • Passive attacker: only eavesdrops on net traffic • Active attacker: eavesdrops, injects, blocks, and modifies packets • Examples: • Wireless network at Internet Café • Internet access at hotels (untrusted ISP) 3

  4. SSL/TLS overview Public-key encryption: • Bob generates (SKBob, PKBob ) • Alice: using PKBob encrypts messages and only Bob can decrypt Alice Bob m Enc m Dec c c SKBob PKBob 4

  5. Certificates • How does Alice (browser) obtain PKBob? BrowserAlice CA Server Bob choose (SK,PK) PK and proof “I am Bob” check proof SKCA PKCA PKCA issue Cert with SKCA : verify Cert Bob’s key is PK Bob’s key is PK Bob uses Cert for an extended period (e.g. one year) 5

  6. Certificates: example • Important fields: 6

  7. Certificates on the web • Subject’s CommonName can be: • An explicit name, e.g. cs.stanford.edu , or • A wildcard cert, e.g. • *.stanford.eduor cs*.stanford.edu • matching rules: • “*” must occur in leftmost component, does not match “.” • example: *.a.commatches x.a.com but not y.x.a.com • (as in RFC 2818: “HTTPS over TLS”) 7

  8. Certificate Authorities Browsers acceptcertificates from alarge number of CAs Top level CAs ≈ 60 Intermediate CAs ≈ 1200 8

  9. Brief overview of SSL/TLS server browser client-hello cert server-hello + server-cert (PK) SK key exchange (several options) rand. k client-key-exchange: E(PK, k) k Finished HTTP data encrypted with KDF(k) Most common: server authentication only 9

  10. HTTPS in the Browser

  11. The lock icon: SSL indicator • Intended goal: • Provide user with identity of page origin • Indicate to user that page contents were not viewed or modified by a network attacker • In reality: • Origin ID is not always helpful • example: Stanford HR is hosted at BenefitsCenter.com • Many other problems (next few slides) 11

  12. When is the (basic) lock icon displayed • All elements on the page fetched using HTTPS • (with some exceptions) • For all elements: • HTTPS cert issued by a CA trusted by browser • HTTPS cert is valid (e.g. not expired) • CommonName in cert matches domain in URL 12

  13. The lock UI: Extended Validation (EV) Certs • Harder to obtain than regular certs • requires human lawyer at CA to approve cert request • Designed for banks and large e-commerce sites • Helps block “semantic attacks”: www.bankofthevvest.com • note: HTTPS-EV and HTTPS are in the same origin

  14. HTTPS and login pages: how not to do it • Users often land on login page over HTTP: • Type site’s HTTP URL into address bar, or • Google links to the HTTP page View source: <form method="post" action="https://login.leumi.co.il/..." 14

  15. HTTPS and login pages: guidelines • General guideline: • Response to http://login.site.com should be Redirect: https://login.site.com

  16. Problems with HTTPS and the Lock Icon

  17. 1. HTTP  HTTPS upgrade • Common use pattern: • browse site over HTTP; move to HTTPS for checkout • connect to bank over HTTP; move to HTTPS for login • Easy attack: prevent the upgrade (ssl_strip) [Moxie’08] • <a href=https://…>  <a href=http://…> • Location: https://...  Location: http://... (redirect) • <form action=https://… >  <form action=http://…> HTTP SSL webserver attacker 17

  18. Tricks and Details • Tricks: drop-in a clever fav icon (older browsers) • Details: • Erase existing session and force user to login: • ssl_strip injects “Set-cookie” headers to delete existing session cookies in browser. • Number of users who detected HTTP downgrade: 0  18

  19. 2. Semantic attacks on certs • International domains: xyz.cn • Rendered using international character set • Observation: chinese character set contains charsthat look like “/” and “?” and “.” and “=” • Attack: buy domain cert for *.badguy.cn • setup domain called: • www.bank.com/accounts/login.php?q=me.baguy.cn • note: single cert *.badguy.cnworks for all sites • Extended validation (EV) certs may help defeat this 19

  20. [Moxie’08]

  21. 3. Certificate Issuance Woes • Wrong issuance: 2011: Comodoand DigiNotar RAs hacked, issue certs for Gmail, Yahoo! Mail, … • Rogue CA: • 2009: Etisalat CA in UAE Signs software patch on behalf of RIM • PacketForensics: HTTPS MiTMfor law enforcement (see also crypto.stanford.edu/ssl-mitm ) ⇒ enables eavesdropping w/o a warning in user’s browser 21

  22. Man in the middle attack using rogue certs GET https://bank.com BadguyCert BankCert • Attacker proxies data between user and bank. Sees all traffic and can modify data at will. attacker bank ClientHello ClientHello ServerCert (Bank) ServerCert (rogue) (cert for Bank by a valid CA) SSL key exchange SSL key exchange k2 k1 k1 k2 HTTP data enc with k1 HTTP data enc with k2 22

  23. What to do? (many good ideas) • HTTP public-key pinning, TACK • Let a site declare CAs that can sign its cert (similar to HSTS) • on subsequent HTTPS, browser rejects certs for site issued by other CAs • TOFU: Trust on First Use • Certificate Transparency: [LL’12] • idea: CA’s must advertise a log of all certs. they issued • Browser will only use a cert if it is on the CA’s log • Efficient implementation using Merkle hash trees • Companies can scan logs to look for invalid issuance 23

  24. 4. Mixed Content: HTTP and HTTPS • Page loads over HTTPS, but contains content over HTTP • (e.g. <script src=“http://.../script.js> ) • Active network attacker can hijack session • Modifies script en-route to browser • Another way to embed content: • <script src=“//.../script.js> • served over the same protocol as embedding page • Can use for content served over HTTP or HTTPS 24

  25. Mixed Content: HTTP and HTTPS IE7: Chrome: No SSL lock in address bar: 25

  26. 5. Peeking through SSL • Network traffic reveals length of HTTPS packets • TLS supports up to 256 bytes of padding • AJAX-rich pages have lots and lots of interactions with the server • These interactions expose specific internal state of the page BAM! Chen, Wang, Wang, Zhang, 2010

  27. Peeking through SSL: an example Vulnerabilities in an online tax application No easy fix. Can also be used to ID Tor traffic 27

  28. 6. Origin Contamination: an example Solution: remove lock from top page after loading bottom page 28

  29. THE END

  30. Integrating SSL/TLS with HTTP  HTTPS webproxy webserver • Two complications • Web proxies • solution: browser sends • CONNECT domain-name • before client-hello (dropped by proxy) • Virtual hosting: • two sites hosted at same IP address. • solution in TLS 1.1: SNI(RFC 4366) • client_hello_extension: server_name=cnn.com • implemented since FF2 and IE7 (vista) corporate network webserver client-hello server-cert ??? certCNN certFOX

  31. Why is HTTPS not used for all web traffic? • Slows down web servers • Breaks Internet caching • ISPs cannot cache HTTPS traffic • Results in increased traffic at web site • Incompatible with virtual hosting (older browsers) • May. 2013: IE6 ≈ 7% (ie6countdown.com)

  32. The lock UI: helps users authenticate site uninformative

  33. A general UI attack: picture-in-picture Trained users are more likely to fall victim to this [JSTB’07] 33

  34. Problems with HTTPS and the Lock Icon • Upgrade from HTTP to HTTPS • Semantic attacks on certs • Forged certs • Mixed content • HTTP and HTTPS on the same page • Origin contamination • Weak HTTPS page contaminates stronger HTTPS page • Does HTTPS hide web traffic? 34

  35. Defense: Strict Transport Security (HSTS) webserver Strict-Transport-Security max-age=31⋅106; • Header tells browser to always connect over HTTPS • After first visit, subsequent visits are over HTTPS • self signed cert results in an error • STS flag deleted when user “clears private data” (chrome) • Compromise: security vs. privacy 35