
More Tricks For Defeating SSL


Presentation on theme: "More Tricks For Defeating SSL"— Presentation transcript:

1 More Tricks For Defeating SSL
DEFCON 17 Moxie Marlinspike

2 Outline
1. Introduction
2. Background Knowledge: SSL/TLS protocol
3. sslstrip
4. sslsniff
   A. Basic Constraints vulnerability
   B. Null-Prefix Attack
   C. Bypassing OCSP
5. Conclusion

3 Introduction Demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach.

4 Background Knowledge SSL/TLS Protocol

5 SSL/TLS Introduction Abbreviation for Secure Sockets Layer and its successor, Transport Layer Security. Provides communication security over the Internet, even when the network is under a MITM attack.

6 Network Stack

7 Handshake Process

8 Handshake Process

9 SSLstrip

10 SSLstrip Introduction[1]
A demonstration of HTTPS stripping attacks. It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links.

11 How it works
- Bridge
- 302 redirect
- Hyperlink

12 302 Redirect

13 Detail – Normal Scenario (User / Browser / Server)
1. User types: example.com
2. Server replies with a 302 redirect to the HTTPS URL
3. SSL/TLS handshake
4. Server replies 200 OK

14 Detail – Normal Scenario

15 Detail – Attack Scenario (User/browser, Attacker, Server)
1. Server replies with a 302 redirect; the attacker strips https to http and records the URL before passing the redirect on to the user
2. Attacker completes the SSL/TLS handshake with the server
3. Application data from the server: if the URL matches a recorded one, strip https to http
4. Stripped application data is forwarded to the user/browser

16 Result (without strip)

17 Result (with strip)

18 What can't sslstrip do: cases where the browser queries HTTPS directly.
- Bookmarks
- User typing the URL
- Other protocols: SMTPS, FTPS, SFTP, ...

19 SSLsniff - Basic Constraints vulnerability

20 Certificate Chaining

21 Certificate Chaining

22 How we verify
1. Verify that the name of the leaf node is the same as the site you're connecting to.
2. Verify that the leaf certificate has not expired.
3. Check the signature.
4. If the signing CA is in our list of trusted root CAs, stop.
5. Otherwise, move one up the chain and repeat.

23

24

25 What they say
1. Verify that the name of the leaf node is the same as the site you're connecting to.
2. Verify that the leaf certificate has not expired.
3. Check the signature.
4. If the signing CA is in our list of trusted root CAs, stop.
5. Otherwise, move one up the chain and repeat.

26 Something must be wrong, but...
- All the signatures are valid.
- Nothing has expired.
- The chain is intact.
- The root CA is embedded in the browser and trusted.
- But we just created a valid certificate for PayPal, and we're not PayPal?

27 The missing piece

28 Back in the day
- Most CAs didn't explicitly set basicConstraints: CA=False.
- Whether the field was there or not, most SSL implementations didn't bother to check it.
- Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain.
- When presented with a complete chain, IE, Outlook, Konqueror, OpenSSL, and others considered it valid...

29 And then in Microsoft claimed that it was impossible to exploit. So the author published the tool that exploits it.

30 SSLsniff detail (User/browser, Attacker, Server; user connects to https://abc.example.com)
1. Generate a certificate for the site the user is connected to.
2. Sign it with any random valid leaf node certificate.
3. Pass that certificate chain to the client.
SSL/TLS handshake with the user on one side, SSL/TLS handshake with the server on the other: get the data from the server, encrypt it with our private key, send it to the user. Application data flows User/browser <-> Attacker <-> Server.
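As an added illustration that is not part of the slides, here is the slide-22 chain walk modelled in Python, once as the implementations of slide 28 did it and once with the basicConstraints check they skipped. Certificates are plain records rather than real X.509 objects, all names are constructed, and `sig_valid` stands in for a real signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER)."""
    subject: str
    issuer: str
    is_ca: bool             # basicConstraints: CA flag
    expired: bool = False
    sig_valid: bool = True  # assumed result of checking the issuer's signature

TRUSTED_ROOTS = {"Trusted Root CA"}  # constructed trust store

def verify_chain(chain, hostname, check_basic_constraints):
    """Walk leaf-first, as slide 22 describes. Returns (ok, reason)."""
    if chain[0].subject != hostname:
        return False, "leaf name does not match the site"
    for i, cert in enumerate(chain):
        if cert.expired:
            return False, f"{cert.subject} has expired"
        if not cert.sig_valid:
            return False, f"bad signature on {cert.subject}"
        if cert.issuer in TRUSTED_ROOTS:
            return True, "anchored at trusted root"
        # Otherwise the issuer must be the next certificate in the chain.
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return False, "chain is not intact"
        # The step slide 28 says most implementations omitted: an issuer
        # that is itself only a leaf must not be allowed to sign anything.
        if check_basic_constraints and not chain[i + 1].is_ca:
            return False, f"issuer {cert.issuer} is not a CA (basicConstraints)"
    return False, "no trust anchor reached"

# Legitimate chain: leaf <- intermediate CA <- trusted root.
LEGIT = [
    Cert("www.example.com", "Intermediate CA", is_ca=False),
    Cert("Intermediate CA", "Trusted Root CA", is_ca=True),
]

# Slide-30 chain: a certificate for www.example.com signed by an unrelated,
# perfectly valid leaf certificate, which itself chains to the trusted root.
FORGED = [
    Cert("www.example.com", "shop.unrelated-site.test", is_ca=False),
    Cert("shop.unrelated-site.test", "Intermediate CA", is_ca=False),
    Cert("Intermediate CA", "Trusted Root CA", is_ca=True),
]

if __name__ == "__main__":
    for label, chain in (("legit", LEGIT), ("forged", FORGED)):
        print(label, "naive:", verify_chain(chain, "www.example.com", False))
        print(label, "strict:", verify_chain(chain, "www.example.com", True))
```

Every signature in FORGED is valid, nothing has expired and the chain reaches the trusted root, so the naive walk accepts it exactly as slide 26 describes; only the basicConstraints check on the issuer rejects it.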

31 SSLsniff – Null Prefix Attack (from the author's PPT)

32 What's with certificates, anyways?
X509 Certificate fields: Version, Serial Number, Issuer, Validity, Subject, PublicKey, Signature Algorithm, Signature.
- Issued by some Issuer
- Identifies some Subject
- Carries the Subject's public key
- Signed by the Issuer

33

34 The Big Three
- Secrecy - Encryption algorithm
- Authenticity - Digital Signature
- Integrity - Checksum

35 SSL Handshake Beginnings
