SSL and the Future of Authenticity
SSL And The Future Of Authenticity
Moving beyond Certificate Authorities
Wednesday, September 28, 2011

Comodo

Web Firm Suspects Iran Hacked Into It
Internet-Security Company Says It Was Tricked Into Authenticating Fake Sites, Opening Access to Data, Not Money
Wall Street Journal, March 15th, 2011

The Damage
★ mail.google.com
★ www.google.com
★ login.yahoo.com
★ login.skype.com
★ addons.mozilla.org
★ login.live.com

“This [attack] was extremely sophisticated and critically executed...it was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate.”
-- Melih Abdulhayoglu, Comodo Founder

“All the IPs were from Iran...”
-- Melih Abdulhayoglu, Comodo Founder

cyber

“All of the above leads us to one conclusion only: that this was likely to be a state-driven attack.”
-- Melih Abdulhayoglu, Comodo Founder

picture

hack --> war

“What does this mean?”

“How would they use them?”

sslsniff

212.95.136.18 [16/Mar/2011:09:56:03 +0000] “GET http://www.thoughtcrime.org/software/sslsniff/index.html HTTP/1.1” 200 “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13 Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0E)”

referrer

vs.
“...it was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate.”
-- Melih Abdulhayoglu

And more embarrassing Google search referrers...
“SSL protocol mitm howto iptables prerouting”

He just wouldn’t shut up!

“If there were a Secure and Trusted DNS this issue would be a moot point! We need a Secure and Trusted DNS!”
-- Melih Abdulhayoglu, Comodo Founder

Comodo admits two more resellers pwned in SSL cert hack
How deep does the rabbit hole go?
The Register, March 30th, 2011

New hack on Comodo reseller exposes private data
And then there were four
The Register, May 24th, 2011

What happened to Comodo?

nothing

“Melih Abdulhayoglu named entrepreneur of the year at RSA 2011.”

problem

A Secure Protocol
• Secrecy
• Integrity
• Authenticity

early 90’s

! information

! e-commerce

! web applications

tiny

< 5 million

> 4 billion

< 10 “secure” sites

> 2 million

intense pressure

4am decisions == javascript

A Secure Protocol
✓ Secrecy
✓ Integrity
‣ Authenticity

A Secure Connection
Client <-> PayPal

A Secure Connection
Client <-> Attacker <-> PayPal

entirely theoretical

certificates and certificate authorities

“...a bit of a hand wave.”

cyber war

happening every day

login.live.com?
Mike Zussman just asked for it.

Eddy Nigg got mozilla.com
...with no validation

VeriSign issued “Microsoft Corporation”

SSL-In-A-Box.com

These are the people securing the internet.

State Sponsored?

good news

“total ripoff”
“total ripoff and mostly worthless”

problem?

Campus Berlin-Buch; Westsaechsische Hochschule Zwickau; FIZ CHEMIE Berlin GmbH; DFN-CERT Services GmbH; Forschungsverbund Berlin e.V.; Humboldt-Universitaet zu Berlin; Universitaet Flensburg; T-Systems SfR; Deutsche Nationalbibliothek; Hochschule Furtwangen; Universitaet Erlangen-Nuernberg; T-Systems SfR GmbH; Hochschule Bremerhaven; Fachhochschule Flensburg; GeoForschungsZentrum Potsdam; Jacobs University Bremen gGmbH; Universitaet Erfurt; IFW Dresden e.V.; Universitaet Marburg; Universitaet Augsburg; Leibniz-Rechenzentrum; Universitaet Muenster; IFM-GEOMAR; Fachhochschule Landshut; Universitaet Leipzig; Fachhochschule Ansbach; HAWK Fachhochschule Hildesheim/Holzminden/Goettingen; Hochschule Kempten; Rheinische Fachhochschule Koeln gGmbH; Uni-Konstanz; Universitaet Stuttgart; Fachhochschule Luebeck; Fachhochschule Bielefeld; Universitaet Potsdam; Hochschule Anhalt (FH); Friedrich-Loeffler-Institut; Hochschule Fulda; Beuth Hochschule fuer Technik Berlin; Universitaet Ulm; Fachhochschule Rosenheim; Fachhochschule Ingolstadt; Technische Universitaet Berlin; Universitaet Jena; Hochschule Biberach; IPK Gatersleben; Max-Planck-Institut fuer Zuechtungsforschung; Universitaet Mannheim; NEC Europe Ltd.; Bundesanstalt fuer Wasserbau; Fachhochschule Stralsund; Universitaet Dortmund; Hochschule Bremen; Deutsches Elektronen-Synchrotron DESY; Stiftung Tieraerztliche Hochschule Hannover; Technische Fachhochschule Georg Agricola zu Bochum; Universitaet Bielefeld; Fachhochschule Aachen; Otto-Friedrich-Universitaet Bamberg; Fachhochschule Osnabrueck; Universitaet Bremen; Paedagogische Hochschule Heidelberg; Technische Universitaet Braunschweig; Institut fuer Photonische Technologien e.V.; Universitaet Bayreuth; Universitaet Wuerzburg; Universitaet zu Koeln; Technische Universitaet Chemnitz; Hochschule fuer Technik und Wirtschaft Berlin; Hochschule fuer Technik Stuttgart; Universitaet Passau; Hochschule fuer Musik und Theater Hannover; Helmholtz-Zentrum fuer Infektionsforschung GmbH; Ruhr-Universitaet Bochum; Mitteldeutscher Rundfunk; Fritz-Haber-Institut der Max-Planck-Gesellschaft; Berlin-Brandenburgische Akademie der Wissenschaften; Berufsakademie Sachsen Staatliche Studienakademie Bautzen; Max-Planck-Gesellschaft; Fachhochschule Giessen-Friedberg; Staatliche Hochschule f. Musik u. Darstellende Kunst Stuttgart; Johann Wolfgang Goethe-Universitaet; Forschungszentrum Dresden-Rossendorf e.V.; Max-Planck-Institut fuer Biophysik; Universitaet zu Luebeck; Hochschule fuer Musik und Theater Leipzig; Technische Universitaet Darmstadt; Technische Universitaet Hamburg-Harburg; Universitaet Kiel; Hochschule Darmstadt; Heinrich-Heine-Universitaet Duesseldorf; Medizinische Hochschule Hannover; Universitaet Osnabrueck; Hochschul-Informations-System GmbH; Mathematisches Forschungsinstitut Oberwolfach gGmbH; Leibniz-Institut fuer Polymerforschung Dresden e.V.; Fachhochschule Augsburg; Leuphana Universitaet Lueneburg; Paedagogische Hochschule Schwaebisch Gmuend; Regionales Hochschulrechenzentrum Kaiserslautern; Deutsches Klimarechenzentrum GmbH; Universitaet der Bundeswehr Muenchen; Fachhochschule Braunschweig/Wolfenbuettel; Zentrum fuer Informationsverarbeitung und Informationstechnik; AC CAMERFIRMA S.A.; Deutsches Zentrum fuer Luft- und Raumfahrt e.V. (DLR); Hochschule fuer Technik, Wirtschaft und Kultur Leipzig; Deutsches Institut fuer Ernaehrungsforschung (DIfE); Max-Planck-Institut zur Erforschung von Gemeinschaftsguetern; AC Camerfirma SA CIF A82743287; Helmholtz-Zentrum Berlin fuer Materialien und Energie GmbH; Bayerische Staatsbibliothek; ESO - European Organisation for Astronomical Research; Swisscom; AC Camerfirma SA state-institutions; Hochschule Mittweida (FH) - University of Applied Sciences; Georg-August-Universitaet Goettingen; Technische Fachhochschule Berlin; Universitaet Hamburg; Hochschule Karlsruhe - Technik und Wirtschaft; ComSign Ltd.; Bank Leumi Le-Israel LTD; Konrad-Zuse-Zentrum fuer Informationstechnik Berlin (ZIB); Technische Universitaet Dresden; Bibliotheksservice-Zentrum Baden-Wuerttemberg; Ludwig-Maximilians-Universitaet Muenchen; AC Camerfirma S.A.; ComSign; Hochschule fuer Wirtschaft und Umwelt Nuertingen-Geislingen