1 / 39

SSLstrip , Slowloris & Scary SSL Attacks Sam Bowne

SSLstrip , Slowloris & Scary SSL Attacks Sam Bowne. Contact. Sam Bowne Computer Networking and Information Technology City College San Francisco Email: sbowne@ccsf.edu Web: samsclass.info. Topics. sslstrip – Steals passwords from mixed-mode Web login pages

mira-vang
Download Presentation

SSLstrip , Slowloris & Scary SSL Attacks Sam Bowne

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SSLstrip,Slowloris& Scary SSL AttacksSam Bowne

  2. Contact • Sam Bowne • Computer Networking and Information Technology • City College San Francisco • Email: sbowne@ccsf.edu • Web: samsclass.info

  3. Topics sslstrip – Steals passwords from mixed-mode Web login pages Slowloris – Denial of Service – Stops Apache Web servers Scary SSL Attacks--ways to completely fool browsers

  4. sslstrip

  5. The 15 Most Popular Web 2.0 Sites 1. YouTube HTTPS 2. Wikipedia HTTP 3. Craigslist HTTPS 4. Photobucket HTTP 5. Flickr HTTPS 6. WordPress MIXED 7. Twitter MIXED 8. IMDB HTTPS

  6. The 15 Most Popular Web 2.0 Sites • 9. Digg HTTP • 10. eHow HTTPS • 11. TypePad HTTPS • 12. topix HTTP • 13. LiveJournal Obfuscated HTTP • 14. deviantART MIXED • 15. Technorati HTTPS • From http://www.ebizmba.com/articles/user-generated-content

  7. Password Stealing Mediumssltrip EasyWall of Sheep Hard Spoofing Certificates

  8. Mixed Mode HTTP Page with an HTTPS Logon Button

  9. sslstrip Proxy Changes HTTPS to HTTP To Internet HTTPS Attacker: sslstrip Proxyin the Middle HTTP TargetUsingFacebook

  10. Ways to Get in the Middle

  11. Physical Insertion in a Wired Network To Internet Attacker Target

  12. Configuring Proxy Server in the Browser

  13. ARP Poisoning • Redirects Traffic at Layer 2 • Sends a lot of false ARP packets on the LAN • Can be easily detected • DeCaffienateID by IronGeek • http://k78.sl.pt

  14. ARP Request and Reply • Client wants to find Gateway • ARP Request: Who has 192.168.2.1? • ARP Reply: • MAC: 00-30-bd-02-ed-7b has 192.168.2.1 ARP Request ARP Reply Client Gateway Facebook.com

  15. ARP Poisoning Attacker ARP Replies: I am the Gateway Forwarded & Altered Traffic Traffic to Facebook Client Gateway Facebook.com

  16. Demonstration

  17. slowloris

  18. HTTP GET

  19. Send Incomplete HTTP Requests Apache has a queue of approx. 256 requests Each one waits approx. 400 seconds by default for the request to complete So less than one packet per second is enough to occupy them all Low-bandwidth DoS--no collateral damage!

  20. OSI Model

  21. Demonstration

  22. iClicker Questions

  23. Power failures brought down servers at 365 Main last year. What OSI Model was that attack in? • Layer 1 • Layer 2 • Layer 3 • Layer 4 • Layer 5 or higher

  24. Which type of website is the most dangerous? • HTTP • Mixed: HTTP with HTTPS elements • HTTPS

  25. What precaution protects you best when using a public Wi-Fi hotspot? • Open Access • WEP • WPA • VPN • 802.1x

  26. What precaution seems best against SlowLoris? • Do nothing and ignore it • Adjust Apache timeouts • Use a load-balancer • Add a module to Apache • Something else

  27. What sort of logins do users of your Website use? • Plaintext • Mixed-mode • HTTPS with a CA • Self-signed SSL • Something else

  28. What plans do you have to use IPv6? • I don't care about IPv6 at all • I'll implement IPv6, but not for years • Planning to implement it within a year • Planning to implement it sooner than a year • I am already using IPv6

  29. Scary SSL Attacks

  30. Man in the Middle To Internet HTTPS Attacker: Cain: Fake SSL Certificate HTTPS TargetUsinghttps://gmail.com

  31. Warning Message

  32. Certificate Errors • The message indicates that the Certificate Authority did not validate the certificate • BUT a lot of innocent problems cause those messages • Incorrect date settings • Name changes as companies are acquired

  33. Most Users Ignore Certificate Errors Link SSL-1 on my CNIT 125 page

  34. Fake SSL With No Warning Impersonate a real Certificate Authority Use a Certificate Authority in an untrustworthy nation Trick browser maker into adding a fraudulent CA to the trusted list Use a zero byte to change the effective domain name Wildcard certificate

  35. Impersonating Verisign • Researchers created a rogue Certificate Authority certificate, by finding MD5 collisions • Using more than 200 PlayStation 3 game consoles • Link SSL-2

  36. Countermeasures • Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes), in certificates issued after January, 2009 • Earlier, vulnerable certificates would be replaced only if the customer requested it • Link SSL-4 • FIPS 140-1 (from 2001) did not recognize MD5 as suitable for government work • Links SSL-5, SSL-6, SSL-7

  37. CA in an Untrustworthy Nation Link SSL-8

  38. Unknown Trusted CAs An unknown entity was apparently trusted for more than a decade by Mozilla Link SSL-9

  39. Zero Byte Terminates Domain Name • Just buy a certificate for Paypal.com\0.evil.com • Browser will see that as matching paypal.com • Link SSL-10

More Related