
VIDEO Intypedia010en

LESSON 10: ATTACKS TO THE SSL PROTOCOL

AUTHORS: D. Luciano Bello and PhD. Alfonso Muñoz

R&D Security Researcher (Chalmers University) R&D Security Researcher. T>SIC Group – UPM

ALICE

Hello and welcome to Intypedia. In previous lessons we learned the basics of the SSL protocol. Today we will delve into this protocol and see some real attacks to it and how to mitigate them. Join us!

SCENE 1. IS SSL SECURE?

ALICE

Hello, Bob. In previous lessons we learned the basics of . We also learned how cryptography is implemented in algorithms and widely used protocols, like the SSL protocol we studied in lesson 9. However, sometimes there is news of attacks on such protocols and, since SSL is a protocol widely used on the Internet, it's particularly interesting to study it.

BOB

Alice, don't trust everything that is published, I think that SSL is very secure and reliable.

ALICE

I agree with you. SSL is inherently secure because the protocols it uses are based on strong and mature theories. But even so, there are still many things that might become a problem. First of all, there’s complexity which is usually detrimental to usability. In addition, there might be programming bugs in the implementations. Furthermore, new techniques of cryptanalysis can be developed, making some protocols less secure than expected. This, added to the fact that the computing power of attackers is increasing according to Moore's Law, makes older versions of SSL insecure, stressing the need to review the protocols.

BOB

Wait... So you're telling me that SSL isn’t that secure?

ALICE

Don't stress out, Bob. SSL is secure in its theoretical design. But this is a necessary, although insufficient condition. Nowadays, the use of this protocol is crucial in e-commerce between clients (users) and suppliers of products. Its use is common in many transactions, such as buying a book on a Web store or in online banking. Although SSL has other uses, as we saw in the previous lesson, it is widely known for its use on the Web. Using SSL adequately will minimize attacks: not only classic ones like the man-in-the-middle attack against exchanged information, but also spoofing attacks in the access to social networks.

Nonetheless, we must give an exact account of the "real security" of the SSL protocol. For example, its use on the Web goes far beyond the misconception that a page is secure if, and only if, it shows the famous "yellow padlock".

To get an idea of what we're talking about, we will analyse some of the attacks this protocol has suffered in recent years and finish with some practical advice for a proper use.

BOB

Sounds like a great idea. Please continue, Alice.

SCENE 2. PROGRAMMING ERRORS IN IMPLEMENTATIONS. CRYPTANALYSIS AND DOWNGRADE.

ALICE

Programming errors often cause really severe problems. One of the most famous attacks on SSL was the vulnerability announced in May 2008. The Argentinean researcher Luciano Bello discovered that random functions used in OpenSSL/Debian had been implemented incorrectly. This produced predictable "random" material that made it easier to reverse cryptographic processes. As a result, X.509 certificates, SSH keys and even encrypted material were exposed.

BOB

Yes... I remember vaguely. One implication was that private keys could be reconstructed from the distributed public keys. Without random cryptographic functions, cryptosystems were defenceless.

ALICE

Indeed, it was a specific problem that in the end got solved. However, to those implementation issues we must add the increasing computing capacity of attackers and the development of cryptanalysis. These factors could simplify the creation of false custom-made digital certificates.

An example of this can be found in the results published by the 25th edition of the Chaos Communication Congress held in Berlin in December 2008. Researchers created a "valid" SSL certificate taking advantage of the emission particularities of certain certification authorities, a collision attack to the MD5 cryptographic algorithm and the huge computing capacity of one hundred PlayStations. It is true that MD5 is no longer used by certification authorities to calculate the hash of a certificate signed with a private key, but the current standard SHA-1 is also starting to encounter similar problems to those of its counterpart.

This is a great example to justify why the cryptographic algorithms used in SSL are reviewed and updated by the scientific community. The use of older versions of the protocol should be avoided wherever possible, especially protocol downgrades forced by attackers.

BOB

Do you know of any other type of attack?

ALICE

Yes, another interesting attack was discovered by the researcher Moxie Marlinspike. When creating an SSL certificate and sending it to a certification authority to get it signed, the field that often gets more attention is CN (Common Name) which specifies the server name, like www.example.org. Moxie Marlinspike discovered that the standards for SSL and the X.509 certificate define the CN string as a PASCAL string (the length of the string is declared in position 0 and the chain is inserted in the other positions). Interestingly, most certificate processing software is written in C. Such software usually handles the string as a C string, inserting a NULL (\0) at the end of the string to indicate where it ends. The problem comes when someone obtains a certificate using www.realbank.com\0www.atacker.org. When processed by a browser, only the first part will be read (www.realbank.com), making it easy to falsify the bank. The easiest solution to this problem is for certification authorities to reject all certificates containing the NULL character.

When fraudulent certificates are detected, they are usually revoked by the serial number included and, for this, the OCSP (Online Certificate Status Protocol) is usually used. Again, an incorrect configuration of the OCSP would allow attacks to the SSL protocol.

BOB

Excuse me, Alice; I think it would be interesting to define how to attack the OCSP.

ALICE

You're right. The Online Certificate Status Protocol is used to check online if a particular digital certificate has been revoked or not. For this, the client sends the request to the address of the Certificate Revocation List (CRL), which is included in the digital certificate. If an attacker is performing the man-in-the-middle attack to use one of these digital certificates, then they can intercept the OCSP requests and use them to their advantage.

In a normal operation, a server using this protocol could send a Try Later response telling the client that it can't answer a request. The attacker could simulate this response, which has code 3 assigned, to tell the client that it is unable to attend its request at that moment. Given this situation, many Web clients will accept the digital certificate since they can't verify its validity. This is an obvious failure.

BOB

Alice, are you saying that it's easy to fool a system when the user accesses via ?

ALICE

Not only that. While many problems can be mitigated by updating our software, there is an element of the system that is very difficult to upgrade: the user.

SCENE 3. TRICKING THE USER. SSL VULNERABILITY ON THE WEB.

ALICE

In practice, the easiest way to breach the security provided by SSL/TLS is to trick users into thinking they are using it when they actually aren't.

BOB

I would say that isn't possible, Alice. When I connect to my bank safely, I can see the yellow padlock in my browser, which tells me that the access to the site is secure and that the digital certificate that authenticates my bank has been properly validated.

ALICE

Unfortunately, Bob, that was a bad way to educate non-technical personnel on how to corroborate if an SSL protocol was being used. The truth is that many other conditions, which I will let you know shortly, must be considered.

BOB

Wait a minute. I know that if my computer has been compromised by a Trojan, for instance, it could be hoaxed to show a yellow padlock in the web browser implying that SSL encryption is being used when in fact it isn’t.

ALICE

Well, Bob, if you really have a Trojan in your computer, it could have total control and be able, not only to trick you, but to capture your passwords, redirect your data or authentication traffic and so on. But, possibly, the most interesting attacks are those that don't have internal access to your computer, like man-in-the-middle attacks whose main objective is to intercept a communication between client and server and view or alter the information in transit.

BOB

What if I connect to a page via https, is that possible?

ALICE

It depends on the complexity of the attack. Some may be solved with minimal training of the user; while other much more sophisticated attacks would be hardly detectable.

The simplest example of a man-in-the-middle attack is to create a false digital certificate. That is, when a user connects via https to their online bank, the attacker connects between the two of them and sends their certificate to the client posing as the bank. The web browser detects that the digital certificate isn’t recognized and prompts the user whether they want to accept the connection. Most users with no security training will accept, so the attacker will be in the middle and will be able to do as they please with the data in transit, as well as the captured keys. Once the user accepts the certificate, the SSL protocol will operate as usual and they will see the typical yellow padlock. On the contrary, if the user with a minimum of security knowledge were to reject the connection, the attack wouldn’t take place.

BOB

Wow, I hadn't thought of that. Are there other similar attacks to SSL?

ALICE

Another peculiar attack is the use of the SSLStrip tool. Moxie Marlinspike presented at the BlackHat conference in 2009 a tool that automates a man-in-the-middle attack to the SSL protocol. The idea is simple: when a website is called, all the links with https are replaced by http, so the communication between the client and the attacker is done through http and the communication between attacker and server through https. To mislead the user even more, certain tricks are used, such as simulating the "yellow padlock" by loading this image in the .

Other more sophisticated attacks are related to stealing certificates or impersonating certification authorities, as we saw earlier.

It’s obvious that, in a hypothetical scenario, valid certificates of specific business entities for government forces could be created, for example, by court order. This would make a man-in-the-middle hardly detectable, as long as the certificate is valid and signed by a trusted authority. This could be done, for example, for a digital certificate with a specific serial number.

BOB

I see that the attackers are very clever.

ALICE

Wait, there's more. In other cases, stolen certificates signed by a trusted authority can pose many problems. A famous example took place in March 2011 with the SSL Certificates business line of the security company Comodo.

One of their partners (who sold SSL certificates) was compromised, so they launched petitions for signing SSL certificates without proper verification. This resulted in the issuance of several false SSL digital certificates, that is, certificates valid for certain sites like mail..com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, login.live.com, etc. These certificates were fully valid for any Web browser.

The impact of this attack meant that any person or organization able to implement a man-in-the-middle attack would be able to convey a false https web for Yahoo, Google and others without the browser noticing. Fortunately, these certificates were revoked by their serial number. However, this event highlights the current problem that Internet has to obtain digital certificates without proper validation by the suppliers.

As you can see, Bob, in practice, the violation of the SSL protocol is attempted directly or indirectly, attacking the protocol, the software or, ultimately, the users.

SCENE 4. SECURE USE OF SSL. PRACTICAL ADVICE.

BOB

Alice, what you're telling me is very interesting... So what can I do to use the SSL protocol safely?

ALICE

First I would recommend the use of the latest version of the SSL protocol, properly configured and making sure that the implementations of this protocol are free from known bugs. This is not always possible and depends on the need to maintain compatibility between systems. For its use on the Web, here are five tips that will help mitigate known problems:

1. Keep the Web browser updated so the SSL protocol implementation is free from known vulnerabilities.

2. Add the direct https address to the URL (where possible) of the site you want to connect to. The "HTTPS Everywhere" add-on for Firefox can help automate this.

3. Deny access to a website when the certificate is invalid. This is especially critical for access to bank accounts, personal data and so on. Otherwise, the user will grade the risk-access ratio to this website.

4. Configure Web browsers so that they make OCSP checks by default and that if the OCSP connection fails, the default certificate is not accepted as valid. This will prevent attacks based on denial of service to OCSP and the use of revoked certificates.

5. Certain software complements can help in the detection of plagiarism. For Firefox there's the Certificate Patrol add-on that monitors changes to https servers. This way, if one day the Gmail SSL certificate is different from the registered one, it will notify you of this change.

BOB

Well, Alice, I have a much better idea of security in SSL now. I think this is enough for today. On the Intypedia website you will find additional information on this subject. See you soon!

ALICE

Goodbye!

Madrid, Spain. October 2011 http://www.intypedia.com http://twitter.com/intypedia

Script Intypedia010en 7