Web Security

Week 8 - Transport Layer Security

Old Dominion University

Department of Computer Science

CS 495/595 Spring 2022

Michael L. Nelson <mln@cs.odu.edu>

2022-03-14

ODU CS 495/595 Web Security Spring 2022 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

#irony

$ date
Thu Mar 18 12:44:28 EDT 2021
$ git push origin main
fatal: unable to access 'https://github.com/phonedude/cs595-s21.git/': SSL certificate problem: Invalid certificate chain
$ # temp fix
$ git -c http.sslVerify=false push origin main
Counting objects: 5, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 658 bytes | 0 bytes/s, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
To https://github.com/phonedude/cs595-s21.git
9c0cc91..3d95cfa main -> main
$

Ancient laptop = out-of-date CAs

more on this later…

“HTTP” is not secure

  • More and more, when we say “HTTP” we really mean “HTTPS”
  • HTTP semantics (GET, POST, etc.) do not change, but in HTTPS all HTTP traffic “rides on top of” a secure layer

The passive attacker can just squirrel away your login info for later use.

The active attacker is controlling what you see right now.

What is the threat model?

  • Network attackers control network infrastructure like routers or DNS servers
  • Network attackers may eavesdrop, inject, block, or modify packets
  • Potential network attackers occur anywhere there is an untrusted router or ISP
    • Wireless networks at cafes or hotels
    • Border gateways between countries

Goal: Secure communications

  • Secure communication requires three properties
    • Privacy: No eavesdropping
    • Integrity: No tampering
    • Authentication: No impersonation

Properties 1 & 2: Even if Eve is recording the requests & responses, they're encrypted so she can't read them. Requests & responses have not been tampered with.

Property 3: Bi-directional authentication between client & example.com

Transport Layer Security (TLS)

  • Hypertext Transfer Protocol Secure (HTTPS) keeps browsing safe by securely connecting the browser with the website server
  • HTTPS relies on Transport Layer Security (TLS) encryption to secure connections
  • TLS is used with web traffic, email, instant messaging, voice over IP (VoIP), and many other protocols
    • When TLS is used with HTTP, we call it HTTPS

TLS is the successor to SSL, but the terms are often used interchangeably

Protects against passive attackers, but not active attackers.

This example will use small numbers for g, a, b, etc., but in practice these numbers will be large enough to be computationally intimidating for factoring.

$g = 3$, $G = \{3^0, 3^1, 3^2, 3^3, 3^4, \ldots, 3^{q-1}\}$

a = 2

b = 5

$A = 3^2 = 9$

$B = 3^5 = 243$

$59049 = 3^{2 \cdot 5} = 3^{10}$

$59049 = 243^2$

$59049 = 3^{b \cdot 2}$

$59049 = 9^5$

$59049 = 3^{a \cdot 5}$

the client publicly sent the server "9",

the server publicly sent the client "243",

and now they've both agreed to use "59049"

anyone listening who heard "9" & "243" can't easily arrive at "59049"
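
The exchange above as an added example (not code from the slides): it reproduces the slide values g = 3, a = 2, b = 5, repeats the exchange inside a finite group, and shows why the numbers must be large by letting a listener try every exponent. The modulus p = 23, the subgroup order q = 11 and all function names are assumptions chosen for illustration.

```javascript
// Added example: toy Diffie-Hellman with the slide's g = 3, a = 2, b = 5.
// Assumed for illustration (not on the slides): p = 23, q = 11, function names.

// Square-and-multiply modular exponentiation on BigInt values.
function modPow(base, exp, mod) {
  let result = 1n % mod;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// The exchange exactly as the slides show it: plain integer powers, no modulus.
function slideExchange(g, a, b) {
  const A = g ** a; // client -> server, sent in the clear
  const B = g ** b; // server -> client, sent in the clear
  return { A, B, clientKey: B ** a, serverKey: A ** b };
}

// The same exchange inside a finite group: every value is reduced mod p.
function modularExchange(g, p, a, b) {
  const A = modPow(g, a, p);
  const B = modPow(g, b, p);
  return { A, B, clientKey: modPow(B, a, p), serverKey: modPow(A, b, p) };
}

// What a passive listener can do when the group is tiny: try every exponent.
// Returns x with g^x = target (mod p), or null if no x below q works.
function recoverExponent(g, p, target, q) {
  let value = 1n % p;
  for (let x = 0n; x < q; x++) {
    if (value === target) return x;
    value = (value * g) % p;
  }
  return null;
}

const plain = slideExchange(3n, 2n, 5n);       // A = 9, B = 243, key = 59049
const toy = modularExchange(3n, 23n, 2n, 5n);  // both sides derive the same key
const leaked = recoverExponent(3n, 23n, toy.B, 11n); // at most 11 tries with q = 11
console.log(plain, toy, leaked);
```

With q = 11 the search finishes immediately; the secrecy of the shared key rests entirely on the group being large enough that this loop cannot finish.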

Two more (simplified) explanations

Anonymous key exchange

  • Problem: Client doesn't know with which server it performed key exchange
    • It's possible that the client securely derived a key with the network attacker instead of the intended server!
  • While the communication is technically private (secure against eavesdropping), it lacks authentication
    • Key idea: Without authentication, you can't actually have privacy

How do we get authentication?

  • Goal: If the client could authenticate the server it is performing key exchange with, then it could securely derive a shared key with that (and only that) server
  • Solution: Use public-key cryptography for authentication
    • Remember signing from lecture 2 on cookies?
    • Let's review

Review: Signature schemes

  • Triple of algorithms (G, S, V)
    • G() → (pk, sk) - generator returns public key and secret key
    • S(sk, x) → t - signing returns a tag t for input x
    • V(pk, x, t) → accept|reject - checks validity of tag t for given input x
  • Algorithm properties
    • Correctness property: V(pk, x, S(sk, x)) = accept should always be true
    • Security property: V(pk, x, t) = accept should almost never be true when x and t are chosen by the attacker
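
The (G, S, V) triple applied to the key exchange, as an added example (not code from the slides): the server signs the public value it sends, and the client accepts it only if V accepts. Assumptions: Ed25519 from Node's built-in crypto module as the signature scheme, the message layout, every name other than G, S and V, and a client that already holds the server's genuine public key.

```javascript
// Added example: (G, S, V) realised with Ed25519 from Node's crypto module.
const nodeCrypto = require('node:crypto');

// G() -> (pk, sk): generator returns public key and secret key.
function G() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { pk: publicKey, sk: privateKey };
}

// S(sk, x) -> t: signing returns a tag t for input x.
function S(sk, x) {
  return nodeCrypto.sign(null, Buffer.from(x, 'utf8'), sk);
}

// V(pk, x, t) -> accept | reject: checks validity of tag t for input x.
function V(pk, x, t) {
  return nodeCrypto.verify(null, Buffer.from(x, 'utf8'), pk, t) ? 'accept' : 'reject';
}

// Hypothetical message layout: a label, the server name, the public DH value.
function keyShareMessage(serverName, dhPublic) {
  return `key-share|${serverName}|${dhPublic}`;
}

// Server side: send the DH public value together with a tag over it.
function serverSendKeyShare(sk, serverName, dhPublic) {
  return { serverName, dhPublic, tag: S(sk, keyShareMessage(serverName, dhPublic)) };
}

// Client side: use the value only if it is signed by the expected server.
function clientAcceptsKeyShare(pk, expectedName, share) {
  if (share.serverName !== expectedName) return false;
  return V(pk, keyShareMessage(share.serverName, share.dhPublic), share.tag) === 'accept';
}

function demo() {
  const server = G();
  const other = G(); // any key pair that is not the server's
  const genuine = serverSendKeyShare(server.sk, 'example.com', 243n);
  // Constructed cases: the value changed in transit with the old tag kept,
  // and a different value signed with a key the client does not trust.
  const altered = { ...genuine, dhPublic: 81n };
  const resigned = serverSendKeyShare(other.sk, 'example.com', 81n);
  return {
    genuine: clientAcceptsKeyShare(server.pk, 'example.com', genuine),
    altered: clientAcceptsKeyShare(server.pk, 'example.com', altered),
    resigned: clientAcceptsKeyShare(server.pk, 'example.com', resigned),
  };
}

console.log(demo());
```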

How does the client get the server’s public key?

  • Idea: Build every website's public key into the browser
    • Would be a huge list, constantly changing, cannot connect to server if list is out-of-date
  • Idea: Server can send the public key to the client during the key exchange
    • Back to the same problem as anonymous key exchange!
    • What's to stop an active network attacker from sending their own public key in the exchange?

Certificate authorities (CAs)

  • A certificate authority (CA) is an entity that issues digital certificates
  • A certificate certifies that a named subject is the owner of a specific public key
    • "I, CERTIFICATE_AUTHORITY, certify that SUBJECT_NAME is the owner of public key PUBLIC_KEY"

Who does your browser trust?

Common name rules

  • Subject's CommonName can be:
    • an explicit name, e.g. cs.odu.edu
    • a wildcard cert, e.g. *.odu.edu or cs*.odu.edu
  • Matching rules
    • The * must occur in the leftmost subdomain component
    • The * does not match . characters
    • Example: *.odu.edu matches cs.odu.edu but not memgator.cs.odu.edu
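
The matching rules above as an added example (not code from the slides or from any browser). Assumptions: the function names, rejecting a name with more than one *, and requiring * to stand for at least one character.

```javascript
// Added example: certificate name matching following the slide's rules.
// Assumed: '*' stands for one or more characters; at most one '*' per name.

function matchesCertName(pattern, hostname) {
  // Host names are case-insensitive; a trailing root dot is ignored.
  const pLabels = pattern.toLowerCase().replace(/\.$/, '').split('.');
  const hLabels = hostname.toLowerCase().replace(/\.$/, '').split('.');

  // '*' does not match '.', so both names need the same number of labels.
  if (pLabels.length !== hLabels.length) return false;

  // '*' may occur only in the leftmost label.
  if (pLabels.slice(1).some((label) => label.includes('*'))) return false;

  // Every label to the right of the first must match exactly.
  for (let i = 1; i < pLabels.length; i++) {
    if (pLabels[i] !== hLabels[i]) return false;
  }

  const left = pLabels[0];
  const host = hLabels[0];
  const star = left.indexOf('*');
  if (star === -1) return left === host;                // explicit name
  if (left.indexOf('*', star + 1) !== -1) return false; // more than one '*'

  // Wildcard label such as '*' or 'cs*': compare the fixed prefix and suffix.
  const prefix = left.slice(0, star);
  const suffix = left.slice(star + 1);
  return host.length > prefix.length + suffix.length &&
    host.startsWith(prefix) && host.endsWith(suffix);
}

// A certificate can carry several names; return the ones that cover the host.
function coveringNames(names, hostname) {
  return names.filter((name) => matchesCertName(name, hostname));
}

// Constructed sample names, using the slide's examples plus edge cases.
const sampleChecks = [
  ['*.odu.edu', 'cs.odu.edu'],
  ['*.odu.edu', 'memgator.cs.odu.edu'],
  ['cs*.odu.edu', 'cs495.odu.edu'],
  ['www.*.edu', 'www.odu.edu'],
  ['*.odu.edu', 'odu.edu'],
];
for (const [pattern, host] of sampleChecks) {
  console.log(`${pattern} vs ${host}: ${matchesCertName(pattern, host)}`);
}
```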

No "USERTrust RSA Certification Authority" in the list

Firefox has its own CA list; all other popular browsers use the system CA list

HTTPS requirements for lock icon

  • All elements on the page must be fetched using HTTPS
  • For all elements
    • HTTPS certificate must be issued by a CA trusted by browser
    • HTTPS certificate must not be expired
    • HTTPS certificate CommonName or SubjectAlternativeName must match the URL

Transitivity of trust:

“A friend of mine” vs. “A friend of ours”

TLS 1.3

  • TLS 1.3 is the latest version of TLS which replaces TLS 1.2, which replaced TLS 1.1, 1.0, SSL 3.0, 2.0, 1.0.
  • Goal: "provide privacy and reliability between two communicating applications"
  • Two phase protocol
    • Handshake protocol: Establish a shared secret key using public-key cryptography
    • Record protocol: Transmit data using the negotiated key

TLS 1.3 properties

  • Nonces: Prevent replay of an old session
  • Forward secrecy: server compromise does not expose old sessions
  • Some identity protection: certificates are sent encrypted
  • One-sided authentication: Client authenticates the server using the server's certificate
    • TLS has support for mutual authentication ("client certificates") but it is rarely used

HTTPS adoption

  • Survey of top 100 non-Google sites on the Internet, which account for 25% of website traffic worldwide
  • Sites that default to HTTPS
    • 96 / 100 (2019)
    • 97 / 100 (2022)
  • Sites that work on HTTPS
    • 90 / 100 (2019)
    • 100 / 100 (2022)

Percentage of pages loaded over HTTPS in Chrome by platform

Encrypted traffic across Google sites

Why not 100%

(it’s been stuck at ~95% since ~2018)

  • Old excuses (not true anymore)
    • Crypto is slow
    • Ad networks do not support HTTPS
  • "Mobile devices account for the vast majority of unencrypted end user traffic that originates from a given set of surveyed Google services. Some older devices cannot support modern encryption, standards, or protocols. Unfortunately, these devices may no longer support software updates and, as a result, may never support encryption"

“Secure” is now the assumed default, with “not secure” the alert message

TLS certificate chains

  • How many CAs are there?
    • Top-level CAs = ~60
    • Intermediate CAs = ~1200
  • If any single CA is compromised, security of all websites on the Internet could be compromised – yikes!

Comodo reseller hack

  • The attackers registered fraudulent certificates for gmail.com, google.com, login.yahoo.com, login.skype.com, addons.mozilla.com, and login.live.com
  • Quote from Comodo president and CEO
    • "So as a summary: its an SQL attack (fairly common) on a company in Brazil who sells some of our products." he wrote in an email. "Nothing to report really."

HTTP attack: TLS strip

  • This attack is commonly known as "ssl strip"
  • Most servers which support HTTPS implement an HTTP to HTTPS redirect
  • When user omits the scheme (i.e., protocol), the browser assumes “http://”
  • What if the attacker intercepts the first unencrypted HTTP request?
    • Then they can man-in-the-middle all the traffic to rewrite the HTML to keep the user on the HTTP version of the site

$ curl -ILs cnn.com | grep "^HTTP\|Location"
HTTP/1.1 301 Moved Permanently
Location: http://www.cnn.com/
HTTP/1.1 301 Moved Permanently
Location: https://www.cnn.com/
HTTP/1.1 200 OK

HTTP strict transport security (HSTS)

  • To defend against the TLS Strip attack, the server tells the browser "no matter what protocol the user specifies, always use HTTPS"
  • Strict-Transport-Security: max-age=31536000
    • Use HTTP header to force browser to use HTTPS for one year!
  • Downside: "Trust on first use model" means that first visit to a site is still not secure against man-in-the-middle!
  • Should clearing history also clear the HSTS list? Privacy vs. security

HSTS preload list

  • Browsers offer to hardcode sites which want to always be HTTPS only
  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • Must send includeSubDomains and preload options
  • Difficult/impossible to remove a domain once hardcoded into the browser itself
  • Certain TLDs added the whole TLD to the preload list (e.g., .dev)
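
A check a site operator can run on a Strict-Transport-Security value before asking for preloading, as an added example (not code from the slides or from any browser). Assumptions: the function names, the constructed sample values, and a default minimum max-age of 31536000 seconds taken from the one-year header on the HSTS slide.

```javascript
// Added example: parse a Strict-Transport-Security value and list what would
// keep it from meeting the preload requirements named on the slides.

function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    // Directive names are case-insensitive.
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let arg = eq === -1 ? null : part.slice(eq + 1).trim();
    if (arg !== null && /^".*"$/.test(arg)) arg = arg.slice(1, -1); // quoted value
    if (seen.has(name)) {
      out.errors.push(`duplicate directive: ${name}`);
      continue;
    }
    seen.add(name);
    if (name === 'max-age') {
      if (arg !== null && /^\d+$/.test(arg)) out.maxAge = Number(arg);
      else out.errors.push(`max-age is not a whole number of seconds: ${arg}`);
    } else if (name === 'includesubdomains') {
      out.includeSubDomains = true;
    } else if (name === 'preload') {
      out.preload = true;
    } // any other directive is ignored
  }
  if (!seen.has('max-age')) out.errors.push('max-age directive is missing');
  return out;
}

// minMaxAge is an assumed threshold (one year), not a value stated as a rule.
function preloadProblems(value, minMaxAge = 31536000) {
  const hsts = parseHsts(value);
  const problems = [...hsts.errors];
  if (hsts.maxAge !== null && hsts.maxAge < minMaxAge) {
    problems.push(`max-age ${hsts.maxAge} is below ${minMaxAge}`);
  }
  if (!hsts.includeSubDomains) problems.push('includeSubDomains is missing');
  if (!hsts.preload) problems.push('preload is missing');
  return problems;
}

// Constructed sample values; the third has a missing ';' after max-age, which
// turns includeSubDomains into part of the max-age value.
const samples = [
  'max-age=31536000',
  'max-age=63072000; includeSubDomains; preload',
  'max-age=63072000 includeSubDomains; preload',
  'max-age=600; includeSubDomains; preload',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', preloadProblems(s));
}
```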

Uncovered issues

  • Public Key Pinning (HPKP)
  • Certificate Transparency
  • DNS Certification Authority Authorization (DNS CAA)
