8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

1/156

Moxie Marlinspike

Institute For Disruptive Studies

More Tricks For Defeating SSL In

Practice

Moxie Marlinspike

moxie@thoughtcrime.org

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

2/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

3/156

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

4/156

Moxie Marlinspike

Institute For Disruptive Studies

In the past, I've talked about

BasicConstraints...

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

5/156

Moxie Marlinspike

Institute For Disruptive Studies

Certificate Chaining

VeriSign

paypal.com

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

6/156

Moxie Marlinspike

Institute For Disruptive Studies

Certificate Chaining

VeriSign

IntermediateCA

paypal.com

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

7/156

Moxie Marlinspike

Institute For Disruptive Studies

Certificate Chaining

VeriSign

IntermediateCA

paypal.com

IntermediateCA

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

8/156

Moxie Marlinspike

Institute For Disruptive Studies

How do we verify these things?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

9/156

Moxie Marlinspike

Institute For Disruptive Studies

What they say:

Verify that the name of the leaf node is thesame as the site you're connecting to.

Verify that the leaf certificate has not expired.

Check the signature.

If the signing CA is in our list of trusted rootCAs, stop. Otherwise, move one up the chain

and repeat.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

10/156

Moxie Marlinspike

Institute For Disruptive Studies

Here Be Dragons

Very tempting to use asimple recursivefunction.

Everyone focuses on thesignature validation.

The result of a naveattempt at validation is a

chain that is complete,but nothing more.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

11/156

Moxie Marlinspike

Institute For Disruptive Studies

What if...VeriSign

IntermediateCA

thoughtcrime.org

IntermediateCA

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

12/156

Moxie Marlinspike

Institute For Disruptive Studies

What if...VeriSign

IntermediateCA

thoughtcrime.org

IntermediateCA

paypal.com

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

13/156

Moxie Marlinspike

Institute For Disruptive Studies

What they say:

Verify that the name of the leaf node is thesame as the site you're connecting to.

Verify that the leaf certificate has not expired.

Check the signature.

If the signing CA is in our list of trusted rootCAs, stop. Otherwise, move one up the chain

and repeat.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

14/156

Moxie Marlinspike

Institute For Disruptive Studies

Something must be wrong, but...

All the signatures are valid.

Nothing has expired.

The chain is in tact.

The root CA is embedded in the browser andtrusted.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

15/156

Moxie Marlinspike

Institute For Disruptive Studies

But we just created a valid certificate

for PayPal, and we're not PayPal?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

16/156

Moxie Marlinspike

Institute For Disruptive Studies

The missing piece...

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

17/156

Moxie Marlinspike

Institute For Disruptive Studies

...is a somewhat obscure field.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

18/156

Moxie Marlinspike

Institute For Disruptive Studies

Back In The Day

Most CAs didn't explicitly set basicConstraints:CA=False

Whether the field was there or not, most SSL

implementations didn't bother to check it. Anyonewith a valid leaf node certificate could

create and sign a leaf node certificate for anyotherdomain.

When presented with a complete chain, IE,Outlook, Konqueror, OpenSSL, and othersconsidered it valid...

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

19/156

Moxie Marlinspike

Institute For Disruptive Studies

And then in 2002...

Microsoft did something particularly annoying,so I blew this up by publishing it.

Microsoft claimed that it was impossible to

exploit. So I also published the tool that exploits it.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

20/156

Moxie Marlinspike

Institute For Disruptive Studies

sslsniff

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

21/156

Moxie Marlinspike

Institute For Disruptive Studies

sslsniff

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

22/156

Moxie Marlinspike

Institute For Disruptive Studies

sslsniff

sslsniff

Intercept a connection fromthe client side.

Generate a certificate for thesite it is connecting to.

Sign it with any random validleaf node certificate.

Pass that certificate chain tothe client.

Make a normal SSLconnection to the server.

Pass data between client andserver, decrypting and

encrypting on each end.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

23/156

sslsniff post-disclosure

You'd be surprised who still doesn't check basicconstraints.

Even when people got warning dialogs in browsers

that had been fixed, most of the time they'd just clickthrough them.

Still useful as a general MITM tool for SSL.

The folks who did the MD5 hash collision stuff used

sslsniff to hijack connections once they'd gotten a CA cert. There are other uses yet, to be disclosed another day

(and today!).

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

24/156

Moxie Marlinspike

Institute For Disruptive Studies

Lately, I've been talking about

SSL Stripping...

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

25/156

Moxie Marlinspike

Institute For Disruptive Studies

brief

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

26/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

27/156

Moxie Marlinspike

Institute For Disruptive Studies

SSL can be useful, but how it's deployed

matters

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

28/156

Moxie Marlinspike

Institute For Disruptive Studies

In the context of web browsing

SSL is almost never encountered directly.

Nobody types:

https://...

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

29/156

Moxie Marlinspike

Institute For Disruptive Studies

In the context of web browsing

It is either encountered as a result of:

A 302 redirect from an HTTP URL to an HTTPSURL.

An HTTPS link that a user clicks on from an HTTPpage.

(Think, My Cart, Checkout, Login, etc...)

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

30/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

31/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

32/156

Moxie Marlinspike

Institute For Disruptive Studies

We Can Attack SSL

Before We Even Get There

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

33/156

Moxie Marlinspike

Institute For Disruptive Studies

sslsniff

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

34/156

Moxie Marlinspike

Institute For Disruptive Studies

sslstrip

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

35/156

Moxie MarlinspikeInstitute For Disruptive Studies

sslstrip

sslstrip

Watch HTTP traffic go by. Switch to and keep a map of what you've changed. Switch Location: https:// to Location: http:// and keep a map of what you've changed.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

36/156

H D I L ?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

37/156

How Does It Look?

H D I L ?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

38/156

How Does It Look?

H D I L ?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

39/156

How Does It Look?

H D It L ?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

40/156

How Does It Look?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

41/156

Moxie MarlinspikeInstitute For Disruptive Studies

the evolution of positive/negative

feedback helps make this successful

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

42/156

The sites themselves confuse us

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

43/156

The sites themselves confuse us.

S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

44/156

Some sites provide no visible difference.

S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

45/156

Some sites provide no visible difference.

Secure Or Stripped?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

46/156

Secure Or Stripped?

O L T

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

47/156

Other Little Tricks:

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

48/156

Moxie MarlinspikeInstitute For Disruptive Studies

Where can we go from here?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

49/156

Moxie MarlinspikeInstitute For Disruptive Studies

Where do we needto go from here?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

50/156

Moxie MarlinspikeInstitute For Disruptive Studies

What's with certificates, anyways?

X509Certificate

Version

Serial Number

Issuer

Validity (not before X or after Y)

Subject

PublicKeySignatureAlgorithm

Signature

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

51/156

Moxie MarlinspikeInstitute For Disruptive Studies

What's with certificates, anyways?

X509Certificate

Version

Serial Number

Issuer

Validity (not before X or after Y)

Subject

PublicKeySignatureAlgorithm

Signature

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

52/156

Moxie MarlinspikeInstitute For Disruptive Studies

What's with certificates, anyways?

X509Certificate

Version

Serial Number

Issuer

Validity (not before X or after Y)

Subject

PublicKeySignatureAlgorithm

Signature

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

53/156

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

54/156

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

55/156

Moxie MarlinspikeInstitute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

56/156

Moxie MarlinspikeInstitute For Disruptive Studies

The Big Three

Secrecy

Authenticity Integrity

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

57/156

Moxie MarlinspikeInstitute For Disruptive Studies

SSL/TLS Handshake Beginnings

ClientHello

ServerHello, ServerCertificate

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

58/156

Moxie MarlinspikeInstitute For Disruptive Studies

SSL Handshake Beginnings

X509Certificate

Version

Serial Number

IssuerValidity

Subject

PublicKey

SignatureAlgorithm

Signature

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

59/156

Moxie MarlinspikeInstitute For Disruptive Studies

The Problems For Us Begin

ClientHello

ServerHello,

ServerCertificate?

Attacker

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

60/156

Moxie MarlinspikeInstitute For Disruptive Studies

Let's start by looking back once more.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

61/156

Moxie MarlinspikeInstitute For Disruptive Studies

In 2000, things were different.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

62/156

Moxie MarlinspikeInstitute For Disruptive Studies

Notaries!

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

63/156

Moxie MarlinspikeInstitute For Disruptive Studies

Identification!

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

64/156

Moxie MarlinspikeInstitute For Disruptive Studies

Phone Calls!

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

65/156

Moxie MarlinspikeInstitute For Disruptive Studies

Actual people involved...

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

66/156

Moxie MarlinspikeInstitute For Disruptive Studies

That is a bygone era

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

67/156

Moxie MarlinspikeInstitute For Disruptive Studies

These days it's all about:

online domain validation

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

68/156

Moxie MarlinspikeInstitute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

69/156

Moxie MarlinspikeInstitute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

70/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

71/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

72/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

www.bankofamerica.com

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

73/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

www.bankofamerica.com

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

74/156

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

75/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

www.bankofamerica.com

WHOIS Lookup

Email admin@bankofamerica.com

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

76/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

www.bankofamerica.com

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

77/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

www.bankofamerica.com

CS

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

78/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

certificate.authorities.are.a.total.ripoff.bankofamerica.com

PKCS

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

79/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10

CertificateRequest

Version

Subject

PublicKey

Attributes

certificate.authorities.are.a.total.ripoff.bankofamerica.com

S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

80/156

Moxie Marlinspike

Institute For Disruptive Studies

Subjects

DistinguishedName

Country

State

Locale

Organization

Organizational Unit

Common Name

S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

81/156

Moxie Marlinspike

Institute For Disruptive Studies

Subjects

DistinguishedName

Country

State

Locale

Organization

Organizational Unit

Common Name

The X.509 standard isa total nightmare.

Three revisions,

twenty years. Parts of the standard

have literally beenlost and then laterfound again.

S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

82/156

Moxie Marlinspike

Institute For Disruptive Studies

Subjects

DistinguishedName

Country

State

Locale

Organization

Organizational Unit

Common Name

The original vision for theDN was that each DN wouldfit into some global DirectoryInformation Tree.

In practice, the standard isweak, everyone doeseverything differently, andthe global DIT nevermaterialized.

S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

83/156

Moxie Marlinspike

Institute For Disruptive Studies

Subjects

DistinguishedName

Country

State

Locale

Organization

Organizational Unit

Common Name

There is nothing in any of thesestandards that would prevent mefrom including a 1 gigabit MPEGmovie of me playing with my catas one of the RDN components ofthe DN in my certificate.

-- Bob Jueneman on IETF-PKIX

S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

84/156

Moxie Marlinspike

Institute For Disruptive Studies

Subjects

DistinguishedName

Country

State

Locale

Organization

Organizational Unit

Common Name www.bankofamerica.com

CN

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

85/156

Moxie Marlinspike

Institute For Disruptive Studies

CN

commonName ::=SEQUENCE { { 2 5 4 3 }, StringType( SIZE( 1...64 ) ) }

IA5String:

0x16 ID

0x05 Length (5 Chars)

0x76, 0x61, 0x6c, 0x75, 0x65 v, a, l, u, e

CN E

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

86/156

Moxie Marlinspike

Institute For Disruptive Studies

CN Encoding

Essentially, the CN field is represented as aPASCAL String.

This is different from how C strings arerepresented.

0xe w w w . p a y p a l . c o m

w w w . p a y p a l . c o m \0

PKCS # S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

87/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10 Subject

DistinguishedName

Country

State

Locale

Organization

Organizational Unit

Common Name www.paypal.com

thoughtcrime.org

PKCS # S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

88/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10 Subject

www.thoughtcrime.org

Common Name

PKCS # S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

89/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10 Subject

verisign.eats.children.thoughtcrime.org

Common Name

PKCS # S

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

90/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10 Subject

iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.thoughtcrime.org

Common Name

PKCS # S t

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

91/156

Moxie Marlinspike

Institute For Disruptive Studies

PKCS #10 Subject

www.paypal.com\0.thoughtcrime.org

Common Name

PKCS #10 Certificate Signing

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

92/156

Moxie Marlinspike

Institute For Disruptive Studies

Request

CertificateRequest

Version

SubjectPublicKey

Attributes

www.paypal.com\0.thoughtcrime.org

PKCS #10 Certificate Signing

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

93/156

Moxie Marlinspike

Institute For Disruptive Studies

Request

CertificateRequest

Version

SubjectPublicKey

Attributes

www.paypal.com\0.thoughtcrime.org

WHOIS Lookup

And contact... me!

Our Original Scenario

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

94/156

Moxie Marlinspike

Institute For Disruptive Studies

Our Original Scenario

ClientHello

ServerHello,

ServerCertificate[www.paypal.com\0.thoughtcrime.org]

Attacker

Our Original Scenario

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

95/156

Moxie Marlinspike

Institute For Disruptive Studies

Our Original Scenario

X509Certificate

VersionSerial Number

Issuer

Validity

Subject

PublicKeySignatureAlgorithm

Signature

Our Original Scenario

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

96/156

Moxie Marlinspike

Institute For Disruptive Studies

Our Original Scenario

char *destination = getDomainWeAreConnectingTo();

char *commonName = getCommonNameFromCertificate();

bool everythingIsOk = (strcmp(destination, commonName) == 0);

In memory though

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

97/156

Moxie Marlinspike

Institute For Disruptive Studies

In memory, though...

w w w . p a y p a l . c o m \0

char *destination

w w w . p a y p a l . c o m \0 . t h o u g h t c r i m e . o r g \0.

char *commonName

In memory though

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

98/156

Moxie Marlinspike

Institute For Disruptive Studies

In memory, though...

w w w . p a y p a l . c o m \0

char *destination

w w w . p a y p a l . c o m \0 . t h o u g h t c r i m e . o r g \0.

char *commonName

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

99/156

Moxie Marlinspike

Institute For Disruptive Studies

In the eyes of most SSL

implementations, this certificate iscompletely validfor www.paypal.com

What are most SSL implementations?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

100/156

Moxie Marlinspike

Institute For Disruptive Studies

What are most SSL implementations?

Web Browsers Firefox, IE, Chrome, Lynx, Curl,

Mail Clients

Thunderbird, Outlook, Evolution Chat Clients

Pidgin, AIM, irssi, centericq

SSL VPNs AEP, Citrix, etc...

A First Cut: updated sslsniff

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

101/156

Moxie Marlinspike

Institute For Disruptive Studies

A First Cut: updated sslsniff

sslsniff

Iff null prefix attack certificateis available

How does it look?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

102/156

Moxie Marlinspike

Institute For Disruptive Studies

How does it look?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

103/156

Moxie Marlinspike

Institute For Disruptive Studies

How does it look?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

104/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

105/156

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

106/156

Moxie Marlinspike

Institute For Disruptive Studies

Disadvantages

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

107/156

Moxie Marlinspike

Institute For Disruptive Studies

1) Targeted attacks are kind of lame.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

108/156

Moxie Marlinspike

Institute For Disruptive Studies

Maybe there's another trick in here

somewhere...

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

109/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

110/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

111/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

112/156

Moxie Marlinspike

Institute For Disruptive Studies

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

113/156

Moxie Marlinspike

Institute For Disruptive Studies

Universal Wildcard

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

114/156

Moxie Marlinspike

Institute For Disruptive Studies

Universal Wildcard

*\0.thoughtcrime.org

Universal Wildcard

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

115/156

Moxie Marlinspike

Institute For Disruptive Studies

Universal Wildcard

*~.thoughtcrime.org

Other Weird Stuff

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

116/156

Moxie Marlinspike

Institute For Disruptive Studies

Other Weird Stuff

(www.paypal.com|mail.google.com|www.etrade.com|www.bankofamerica.com|www.wachovia.com|www.pnc.com|www.wellsfargo.com)\0.thoughtcrime.org

And... your remote exploit. 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));

145 register int t p2 p1 1

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

117/156

Moxie Marlinspike

Institute For Disruptive Studies

145 register int t,p2,p1 = 1;

146 int cp;

147

148 while(1) {

149 for(cp=1;exp[cp] != ')';cp++)

150 if(exp[cp] == '\\')

151 ++cp;

152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {

153 if(exp[p1] == '\\') 154 e2[p2++] = exp[p1++];

155 e2[p2] = exp[p1];

156 }

157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}

158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {

159 PORT_Free(e2);

160 return MATCH;

161 }

162 ...

And... your remote exploit. 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));

145 register int t p2 p1 1;

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

118/156

Moxie Marlinspike

Institute For Disruptive Studies

145 register int t,p2,p1 = 1;

146 int cp;

147

148 while(1) {

149 for(cp=1;exp[cp] != ')';cp++)

150 if(exp[cp] == '\\')

151 ++cp;

152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {

153 if(exp[p1] == '\\') 154 e2[p2++] = exp[p1++];

155 e2[p2] = exp[p1];

156 }

157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}

158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {

159 PORT_Free(e2);

160 return MATCH;

161 }

162 ...

And... your remote exploit. 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));

145 register int t p2 p1 1;

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

119/156

Moxie Marlinspike

Institute For Disruptive Studies

145 register int t,p2,p1 = 1;

146 int cp;

147

148 while(1) {

149 for(cp=1;exp[cp] != ')';cp++)

150 if(exp[cp] == '\\')

151 ++cp;

152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {

153 if(exp[p1] == '\\') 154 e2[p2++] = exp[p1++];

155 e2[p2] = exp[p1];

156 }

157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}

158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {

159 PORT_Free(e2);

160 return MATCH;

161 }

162 ...

And... your remote exploit. 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));

145 register int t p2 p1 1;

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

120/156

Moxie Marlinspike

Institute For Disruptive Studies

145 register int t,p2,p1 = 1;

146 int cp;

147

148 while(1) {

149 for(cp=1;exp[cp] != ')';cp++)

150 if(exp[cp] == '\\')

151 ++cp;

152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {

153 if(exp[p1] == '\\') 154 e2[p2++] = exp[p1++];

155 e2[p2] = exp[p1];

156 }

157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}

158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {

159 PORT_Free(e2);

160 return MATCH;

161 }

162 ...

And... your remote exploit.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

121/156

Moxie Marlinspike

Institute For Disruptive Studies

(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

122/156

And... your remote exploit.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

123/156

Moxie Marlinspike

Institute For Disruptive Studies

(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com

And... your remote exploit.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

124/156

Moxie Marlinspike

Institute For Disruptive Studies

(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com

No signed signature required! Possible to sneak non-ASCII characters past the NSS filters. This yields something exploitable in Firefox, Thunderbird, Evolution, Pidgin, and AIM.

A Second Cut: sslsniff with

wildcard support

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

125/156

Moxie Marlinspike

Institute For Disruptive Studies

wildcard support

sslsniff

Perform MITM if null termination attack cert is available. Or perform MITM with universal wildcard cert if client is NSS.

A Second Cut: updated sslsniff

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

126/156

Moxie Marlinspike

Institute For Disruptive Studies

sslsniff

Watches network and fingerprints clients forlevel of vulnerability.

Every NSS client's communication isintercepted either with a specific nulltermination certificate, or with the universalwildcard certificate.

Every non-NSS client that is vulnerable isintercepted with a null termination certificate ifavailable for the destination host.

Non-vulnerable clients are left alone to avoiddetection.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

127/156

Moxie Marlinspike

Institute For Disruptive Studies

What do we have to worry about?

What do we have to worry about?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

128/156

Moxie Marlinspike

Institute For Disruptive Studies

1) Certificate Revocation

t would be unfortunate if some bitter CertificateAuthority decided to revoke my universalwildcard certificates or any of my null-

termination certificates.2) Updates

It would be unfortunate if some bitter SSL

implementation decided to start paying attentionto how ASN.1 is formatted.

What do we have to worry about?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

129/156

Moxie Marlinspike

Institute For Disruptive Studies

1) Certificate Revocation

It would be unfortunate if some bitter CertificateAuthority decided to revoke our universalwildcard certificates or any of our null-

termination certificates.2) Updates

It would be unfortunate if some bitter SSL

implementation decided to start paying attentionto how ASN.1 is formatted.

What do we have to worry about?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

130/156

Moxie Marlinspike

Institute For Disruptive Studies

1) Certificate Revocation These days, it's all about Online Certificate Status

Protocol (OCSP).

Whenever a SSL stack sees a new certificate, it makes

a quick request to the OCSP URL that the signing CAembedded in it.

The SSL stack receives a signed response from theOCSP provider indicating whether the certificate has

been revoked or not.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

131/156

Moxie Marlinspike

Institute For Disruptive Studies

Defeating OCSP

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

132/156

Moxie Marlinspike

Institute For Disruptive Studies

OCSPResponse ::= SEQUENCE {

responseStatus OCSPResponseStatus,

responseBytes [0] EXPLICIT ResponseBytes OPTIONAL

}

Defeating OCSP

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

133/156

Moxie Marlinspike

Institute For Disruptive Studies

OCSPResponse ::= SEQUENCE {

responseStatus OCSPResponseStatus,

responseBytes [0] EXPLICIT ResponseBytes OPTIONAL

}

ResponseBytes ::= SEQUENCE {

responseType OBJECT IDENTIFIER,

response OCTET STRING

}

BasicOCSPResponse ::= SEQUENCE {

tbsResponseData ResponseData,

signatureAlgorithm AlgorithmIdentifier,

signature BIT STRING,

certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

Defeating OCSP

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

134/156

Moxie Marlinspike

Institute For Disruptive Studies

OCSPResponse ::= SEQUENCE {

responseStatus OCSPResponseStatus,

responseBytes [0] EXPLICIT ResponseBytes OPTIONAL

}

ResponseBytes ::= SEQUENCE {

responseType OBJECT IDENTIFIER,

response OCTET STRING

}

BasicOCSPResponse ::= SEQUENCE {

tbsResponseData ResponseData,

signatureAlgorithm AlgorithmIdentifier,

signature BIT STRING,

certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

Defeating OCSP

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

135/156

Moxie Marlinspike

Institute For Disruptive Studies

OCSPResponse ::= SEQUENCE {

responseStatus OCSPResponseStatus,

responseBytes [0] EXPLICIT ResponseBytes OPTIONAL

}

ResponseBytes ::= SEQUENCE {

responseType OBJECT IDENTIFIER,

response OCTET STRING

}

BasicOCSPResponse ::= SEQUENCE {

tbsResponseData ResponseData,

signatureAlgorithm AlgorithmIdentifier,

signature BIT STRING,

certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

Defeating OCSP

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

136/156

Moxie Marlinspike

Institute For Disruptive Studies

OCSPResponse ::= SEQUENCE {

responseStatus OCSPResponseStatus,

responseBytes [0] EXPLICIT ResponseBytes OPTIONAL

}

ResponseBytes ::= SEQUENCE {

responseType OBJECT IDENTIFIER,

response OCTET STRING

}

BasicOCSPResponse ::= SEQUENCE {

tbsResponseData ResponseData,

signatureAlgorithm AlgorithmIdentifier,

signature BIT STRING,

certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

137/156

Defeating OCSP

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

138/156

Moxie Marlinspike

Institute For Disruptive Studies

OCSPResponse ::= SEQUENCE {

responseStatus OCSPResponseStatus,

responseBytes [0] EXPLICIT ResponseBytes OPTIONAL

}

OCSPResponseStatus ::= ENUMERATED {

successful (0), --Response has valid confirmations

malformedRequest (1), --Illegal confirmation request

internalError (2), --Internal error in issuer

tryLater (3), --Try again later

--(4) is not used

sigRequired (5), --Must sign the request

unauthorized (6) --Request unauthorized

}

Defeating OCSP

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

139/156

Moxie Marlinspike

Institute For Disruptive Studies

OCSPResponse ::= SEQUENCE {

responseStatus OCSPResponseStatus,

responseBytes [0] EXPLICIT ResponseBytes OPTIONAL

}

OCSPResponseStatus ::= ENUMERATED {

successful (0), --Response has valid confirmations

malformedRequest (1), --Illegal confirmation request

internalError (2), --Internal error in issuer

tryLater (3), --Try again later

--(4) is not used

sigRequired (5), --Must sign the request

unauthorized (6) --Request unauthorized

}

Defeating OCSP

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

140/156

Moxie Marlinspike

Institute For Disruptive Studies

OCSPResponse ::= SEQUENCE {

responseStatus OCSPResponseStatus = 3,

responseBytes [0] EXPLICIT ResponseBytes OPTIONAL

}

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

141/156

PROPOSED STANDARD

Network Working Group M. MyersRequest for Comments: 2560 VeriSignCategory: Standards Track R. Ankney

CertCo

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

142/156

Moxie Marlinspike

Institute For Disruptive Studies

A. MalpaniValiCert

S. Galperin

My CFOC. Adams

Entrust TechnologiesJune 1999

X.509 Internet Public Key Infrastructure

Online Certificate Status Protocol - OCSP

Status of this Memo

This document specifies an Internet standards track protocol for theInternet community, and requests discussion and suggestions for

improvements. Please refer to the current edition of the "InternetOfficial Protocol Standards" (STD 1) for the standardization stateand status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

3

A Third Cut: ocsp-aware sslsniff

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

143/156

Moxie Marlinspike

Institute For Disruptive Studies

sslsniff

Watch network and fingerprints clients for level ofvulnerability.

Every NSS client's communication is intercepted either with a specific null termination certificate, orwith the universal wildcard certificate.

Every non-NSS client that is vulnerable is interceptedwith a null termination certificate if available for thedestination host.

Non-vulnerable clients are left alone to avoiddetection.

Optionally watch for OCSP requests corresponding tocertificates we're using, and tryLater them to defeatOCSP.

What do we have to worry about?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

144/156

Moxie Marlinspike

Institute For Disruptive Studies

2) Updates It used to be that people, you know, downloaded and

installed updates.

As software gets more complicated, it is inevitably

shipped with more bugs, and attackers are situated toexploit them on a larger scale.

So some have felt the need to deploy self-updatingsoftware in order to fix problems rapidly.

What do we have to worry about?

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

145/156

Moxie Marlinspike

Institute For Disruptive Studies

2) Updates This is bad news for us, because by standing here and

talking to you about this stuff, it probably means thatSSL implementations are going to fix these problems.

But their update mechanisms in themselves seem likekind of a dangerous idea, right?

Maybe there's something we can do about our problem.

Firefox/Thunderbird: A Case Study

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

146/156

Moxie Marlinspike

Institute For Disruptive Studies

When you install Firefox, it comes with a feature called

automatic update service, which happens to be enabledby default.

Here be dragons.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

147/156

Firefox/Thunderbird: A Case Study

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

148/156

Moxie Marlinspike

Institute For Disruptive Studies

Firefox and Thunderbird depend on their TLS connection to the

update server to defend them against all possible attacks. Code is returned from the update server either as a binary diff

against the distribution binary the client is running, or as acomplete image of the binary.

By default, minor updates are downloaded and installedsilently only prompting the user to restart their browser onceeverything is done.

The update server is the one who reports the version numberof the update, so it is effectively up to the server whether theimage it provides is installed silently or not.

Firefox/Thunderbird: A Case Study

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

149/156

Moxie Marlinspike

Institute For Disruptive Studies

As vendors start to release patches for this vulnerability, the update

mechanisms themselves will be vulnerable. All we need is a universal wildcard cert, or alternately a null-termination

prefix cert for aus2.mozilla.org, and we can take control of the updatemechanism to deliver payloads of our choice.

This could be anything:

A rootkit that logs keystrokes.

Something that sends all traffic/email through a server of ourchoosing.

A completely legitimate image that just happens to include our

own CA certs. Or, just to be confusing, a totally different web browser (Thank

you for updating to Galeon 0.0.3!) or even a completely differenttype of application notepad.exe comes to mind.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

150/156

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

151/156

Postscript:

Stripping NULL is no solution

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

152/156

Moxie Marlinspike

Institute For Disruptive Studies

Some SSL/TLS implementations (Safari,Opera) appear to strip '\0' from commonNamestrings before comparing.

Thus:

www.paypal.com\0.thoughtcrime.org

Becomes:

www.paypal.com.thoughtcrime.org

Postscript:

Stripping NULL is no solution

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

153/156

Moxie Marlinspike

Institute For Disruptive Studies

These implementations are vulnerable to avariation of our attack.

The key is that some Certificate Authorities arevulnerable to this attack internally.

When presented withwww.paypal.com\0.thoughtcrime.org, some CAsinternally validate it as www.paypal.com

But the whole string(www.paypal.com\0.thoughtcrime.org) is what endsup in the subject of the cert they later issue.

Postscript:

Stripping NULL is no solution

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

154/156

Moxie Marlinspike

Institute For Disruptive Studies

So if we register a domain like sitekey.ba We can get a certificate for

sitekey.ba\0nkofamerica.com

The CAs that are internally vulnerable to thisattack will validate that certificate againstsitekey.ba, which we own.

When the cert is later presented to a SSL

implementation that strips \0, the certificate'scommon name becomes:sitekey.bankofamerica.com

Conclusion

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

155/156

Moxie Marlinspike

Institute For Disruptive Studies

We have a MITM attack that will intercept communication foralmost all SSL/TLS implementations.

In the case of NSS (Firefox, Thunderbird, Evolution, AIM,Pidgin) we only need a single certificate.

We've defeated the OCSP protocol as implemented.

We've hijacked the Mozilla auto-updates for both applicationsand extensions.

We've got an exploitable overflow.

In short, we've got your passwords, your communication, andcontrol over the software that runs on your computer.

8/9/2019 Moxie-marlinspike-some Tricks for Defeating Ssl in Practice

156/156

sslsniff and sslstrip:

http://www.thoughtcrime.org

moxie@thoughtcrime.org