https and the lock icon n.
Skip this Video
Loading SlideShow in 5 Seconds..
HTTPS and the Lock Icon PowerPoint Presentation
Download Presentation
HTTPS and the Lock Icon

HTTPS and the Lock Icon

205 Views Download Presentation
Download Presentation

HTTPS and the Lock Icon

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. HTTPS and the Lock Icon Borrowed from Dan Boneh

  2. Goals for this lecture • Brief overview of HTTPS: • How the SSL/TLS protocol works (very briefly) • How to use HTTPS • Integrating HTTPS into the browser • Lots of user interface problems to watch for 2

  3. Threat Model: Network Attacker • Network Attacker: • Controls network infrastructure: Routers, DNS • Passive attacker: only eavesdrops on net traffic • Active attacker: eavesdrops, injects, blocks, and modifies packets • Examples: • Wireless network at Internet Café • Internet access at hotels (untrusted ISP) 3

  4. SSL/TLS overview Public-key encryption: • Bob generates (SKBob, PKBob ) • Alice: using PKBob encrypts messages and only Bob can decrypt Alice Bob m Enc m Dec c c SKBob PKBob 4

  5. Certificates • How does Alice (browser) obtain PKBob? BrowserAlice CA Server Bob choose (SK,PK) PK and proof “I am Bob” check proof SKCA PKCA PKCA issue Cert with SKCA : verify Cert Bob’s key is PK Bob’s key is PK Bob uses Cert for an extended period (e.g. one year) 5

  6. Certificates: example • Important fields: 6

  7. Certificates on the web • Subject’s CommonName can be: • An explicit name, e.g. , or • A wildcard cert, e.g. • *.stanford.eduor cs* • matching rules: • “*” must occur in leftmost component, does not match “.” • example: *.a.commatches but not • (as in RFC 2818: “HTTPS over TLS”) 7

  8. Certificate Authorities Browsers acceptcertificates from alarge number of CAs Top level CAs ≈ 60 Intermediate CAs ≈ 1200 8

  9. Brief overview of SSL/TLS server browser client-hello cert server-hello + server-cert (PK) SK key exchange (several options) rand. k client-key-exchange: E(PK, k) k Finished HTTP data encrypted with KDF(k) Most common: server authentication only 9

  10. HTTPS in the Browser

  11. The lock icon: SSL indicator • Intended goal: • Provide user with identity of page origin • Indicate to user that page contents were not viewed or modified by a network attacker • In reality: • Origin ID is not always helpful • example: Stanford HR is hosted at • Many other problems (next few slides) 11

  12. When is the (basic) lock icon displayed • All elements on the page fetched using HTTPS • (with some exceptions) • For all elements: • HTTPS cert issued by a CA trusted by browser • HTTPS cert is valid (e.g. not expired) • CommonName in cert matches domain in URL 12

  13. The lock UI: Extended Validation (EV) Certs • Harder to obtain than regular certs • requires human lawyer at CA to approve cert request • Designed for banks and large e-commerce sites • Helps block “semantic attacks”: • note: HTTPS-EV and HTTPS are in the same origin

  14. HTTPS and login pages: how not to do it • Users often land on login page over HTTP: • Type site’s HTTP URL into address bar, or • Google links to the HTTP page View source: <form method="post" action="" 14

  15. HTTPS and login pages: guidelines • General guideline: • Response to should be Redirect:

  16. Problems with HTTPS and the Lock Icon

  17. 1. HTTP  HTTPS upgrade • Common use pattern: • browse site over HTTP; move to HTTPS for checkout • connect to bank over HTTP; move to HTTPS for login • Easy attack: prevent the upgrade (ssl_strip) [Moxie’08] • <a href=https://…>  <a href=http://…> • Location: https://...  Location: http://... (redirect) • <form action=https://… >  <form action=http://…> HTTP SSL webserver attacker 17

  18. Tricks and Details • Tricks: drop-in a clever fav icon (older browsers) • Details: • Erase existing session and force user to login: • ssl_strip injects “Set-cookie” headers to delete existing session cookies in browser. • Number of users who detected HTTP downgrade: 0  18

  19. 2. Semantic attacks on certs • International domains: • Rendered using international character set • Observation: chinese character set contains charsthat look like “/” and “?” and “.” and “=” • Attack: buy domain cert for * • setup domain called: • • note: single cert *.badguy.cnworks for all sites • Extended validation (EV) certs may help defeat this 19

  20. [Moxie’08]

  21. 3. Certificate Issuance Woes • Wrong issuance: 2011: Comodoand DigiNotar RAs hacked, issue certs for Gmail, Yahoo! Mail, … • Rogue CA: • 2009: Etisalat CA in UAE Signs software patch on behalf of RIM • PacketForensics: HTTPS MiTMfor law enforcement (see also ) ⇒ enables eavesdropping w/o a warning in user’s browser 21

  22. Man in the middle attack using rogue certs GET BadguyCert BankCert • Attacker proxies data between user and bank. Sees all traffic and can modify data at will. attacker bank ClientHello ClientHello ServerCert (Bank) ServerCert (rogue) (cert for Bank by a valid CA) SSL key exchange SSL key exchange k2 k1 k1 k2 HTTP data enc with k1 HTTP data enc with k2 22

  23. What to do? (many good ideas) • HTTP public-key pinning, TACK • Let a site declare CAs that can sign its cert (similar to HSTS) • on subsequent HTTPS, browser rejects certs for site issued by other CAs • TOFU: Trust on First Use • Certificate Transparency: [LL’12] • idea: CA’s must advertise a log of all certs. they issued • Browser will only use a cert if it is on the CA’s log • Efficient implementation using Merkle hash trees • Companies can scan logs to look for invalid issuance 23

  24. 4. Mixed Content: HTTP and HTTPS • Page loads over HTTPS, but contains content over HTTP • (e.g. <script src=“http://.../script.js> ) • Active network attacker can hijack session • Modifies script en-route to browser • Another way to embed content: • <script src=“//.../script.js> • served over the same protocol as embedding page • Can use for content served over HTTP or HTTPS 24

  25. Mixed Content: HTTP and HTTPS IE7: Chrome: No SSL lock in address bar: 25

  26. 5. Peeking through SSL • Network traffic reveals length of HTTPS packets • TLS supports up to 256 bytes of padding • AJAX-rich pages have lots and lots of interactions with the server • These interactions expose specific internal state of the page BAM! Chen, Wang, Wang, Zhang, 2010

  27. Peeking through SSL: an example Vulnerabilities in an online tax application No easy fix. Can also be used to ID Tor traffic 27

  28. 6. Origin Contamination: an example Solution: remove lock from top page after loading bottom page 28

  29. THE END

  30. Integrating SSL/TLS with HTTP  HTTPS webproxy webserver • Two complications • Web proxies • solution: browser sends • CONNECT domain-name • before client-hello (dropped by proxy) • Virtual hosting: • two sites hosted at same IP address. • solution in TLS 1.1: SNI(RFC 4366) • client_hello_extension: • implemented since FF2 and IE7 (vista) corporate network webserver client-hello server-cert ??? certCNN certFOX

  31. Why is HTTPS not used for all web traffic? • Slows down web servers • Breaks Internet caching • ISPs cannot cache HTTPS traffic • Results in increased traffic at web site • Incompatible with virtual hosting (older browsers) • May. 2013: IE6 ≈ 7% (

  32. The lock UI: helps users authenticate site uninformative

  33. A general UI attack: picture-in-picture Trained users are more likely to fall victim to this [JSTB’07] 33

  34. Problems with HTTPS and the Lock Icon • Upgrade from HTTP to HTTPS • Semantic attacks on certs • Forged certs • Mixed content • HTTP and HTTPS on the same page • Origin contamination • Weak HTTPS page contaminates stronger HTTPS page • Does HTTPS hide web traffic? 34

  35. Defense: Strict Transport Security (HSTS) webserver Strict-Transport-Security max-age=31⋅106; • Header tells browser to always connect over HTTPS • After first visit, subsequent visits are over HTTPS • self signed cert results in an error • STS flag deleted when user “clears private data” (chrome) • Compromise: security vs. privacy 35