Differences

The differences between the two revisions of the page follow.

racfor_wiki:mrezna_forenzika:sigurnost_https_protokola [2020/01/05 13:17]
dsaric [Security issues]
racfor_wiki:mrezna_forenzika:sigurnost_https_protokola [2024/12/05 12:24] (current)
Redak 1: Redak 1:
-====== Security of HTTPS protocol ======+====== HTTPS protocol security ======
  
 ===== Abstract ===== ===== Abstract =====
Redak 60: Redak 60:
 Example of HTTP response from the Web server: Example of HTTP response from the Web server:
  
-{{:racfor_wiki:mrezna_forenzika:http_resp.png?direct&600  }}+{{:racfor_wiki:mrezna_forenzika:http_resp.png?direct&600}}
  
 <font 10pt/Arial,sans-serif;;inherit;;inherit>In the example response numerical status code value 200 can be seen which represent successful transmission. Response headers further describe the session. After the empty line the body can be seen, it is HTML (Hypertext Markup Language) code used to display the Web page.</font> <font 10pt/Arial,sans-serif;;inherit;;inherit>In the example response numerical status code value 200 can be seen which represent successful transmission. Response headers further describe the session. After the empty line the body can be seen, it is HTML (Hypertext Markup Language) code used to display the Web page.</font>
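Review bot: the context sentence directly under the edited image macro, 'numerical status code value 200 can be seen which represent successful transmission', has a subject-verb error ('represents') and mislabels the code: 200 (OK) means the request succeeded, not that the transmission succeeded. The macro edit itself only strips the trailing spaces inside the braces, which is fine.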
Redak 72: Redak 72:
 <font 10pt/Arial,sans-serif;;inherit;;inherit>TLS and its depreciated predecessor SSL are cryptographic protocols designed to provide security over a computer network. They are widespread for use in web browsing, email and others. SSL/TLS works by binding the identities of websites and companies to cryptographic key pairs via digital documents known as X.509 certificates. Each key pair consists of a private key and a public key. The private key is kept secure, and the public key can be widely distributed via a certificate.</font> <font 10pt/Arial,sans-serif;;inherit;;inherit>TLS and its depreciated predecessor SSL are cryptographic protocols designed to provide security over a computer network. They are widespread for use in web browsing, email and others. SSL/TLS works by binding the identities of websites and companies to cryptographic key pairs via digital documents known as X.509 certificates. Each key pair consists of a private key and a public key. The private key is kept secure, and the public key can be widely distributed via a certificate.</font>
  
-<font 10pt/Arial,sans-serif;;inherit;;inherit>Relationship between public and private key is based on symmetric cryptography and it allows that encrypted data with a public key are easily decrypted with private key. That way only systems who know the private key can understand the sent data.</font>+<font 10pt/Arial,sans-serif;;inherit;;inherit>Relationship between public and private key is based on symmetric and asymmetric cryptography and it allows that encrypted data with a public key are easily decrypted with private key. That way only systems who know the private key can understand the sent data.</font>
  
 <font 10pt/Arial,sans-serif;;inherit;;inherit>It should be noted that HTTPS URLs begin with https:// and use port 433 by default, HTTP URLs begin with http:// and the default port is 80.</font> <font 10pt/Arial,sans-serif;;inherit;;inherit>It should be noted that HTTPS URLs begin with https:// and use port 433 by default, HTTP URLs begin with http:// and the default port is 80.</font>
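Review bot: the reworded sentence 'Relationship between public and private key is based on symmetric and asymmetric cryptography' is still incorrect; a key pair is purely asymmetric (public-key) cryptography, and symmetric cryptography enters TLS only for the session keys derived during the handshake, so suggest 'is based on asymmetric cryptography'. The same sentence should state the property precisely: data encrypted with the public key can be decrypted only with the private key, which is why only the holder of the private key can read it; 'easily' is not the point. Two context lines in this hunk need fixes as well: 'use port 433 by default' should read 443, and 'depreciated predecessor SSL' should read 'deprecated'.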
Redak 82: Redak 82:
 <font 10.0pt/inherit;;inherit;;inherit>Figure</font><font 10.0pt/inherit;;inherit;;inherit>1</font><font 10.0pt/inherit;;inherit;;inherit>Example of a valid certificate taken from Google Chrome</font> <font 10.0pt/inherit;;inherit;;inherit>Figure</font><font 10.0pt/inherit;;inherit;;inherit>1</font><font 10.0pt/inherit;;inherit;;inherit>Example of a valid certificate taken from Google Chrome</font>
  
-<font 10.0pt/inherit;;inherit;;inherit>**Establishing HTTPS connection** is different than with HTTP as there is a handshake with the SSL/TSL layer that HTTP doesn’t have, figure below showcases the handshake the best. The HTTP protocol doesn’t have TLS handshake.</font>+<font 10.0pt/inherit;;inherit;;inherit>**Establishing HTTPS connection** is different than with HTTP as there is a handshake with the SSL/TSL layer that HTTP doesn’t have, figure below showcases the handshake the best.</font>
  
 {{:racfor_wiki:mrezna_forenzika:slika2_tls_handshake.png?direct&600}} {{:racfor_wiki:mrezna_forenzika:slika2_tls_handshake.png?direct&600}}
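Review bot: 'SSL/TSL layer' in the edited sentence is a typo for 'SSL/TLS'. Dropping the redundant final sentence is good, but the remaining 'figure below showcases the handshake the best' should become 'the figure below shows the handshake', consistent with how the other figures are introduced.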
Redak 108: Redak 108:
 <font 10pt/Arial,sans-serif;;inherit;;inherit>This way anyone who has the public key of used certificate authority can verify authenticity of server’s key pair.</font> <font 10pt/Arial,sans-serif;;inherit;;inherit>This way anyone who has the public key of used certificate authority can verify authenticity of server’s key pair.</font>
  
-<font 10pt/Arial,sans-serif;;inherit;;inherit>Figure 3 Authentification of a server [22]</font>+{{:racfor_wiki:mrezna_forenzika:slika3_authentific.png?direct&600}}
  
 +<font 10pt/Arial,sans-serif;;inherit;;inherit>Figure 3 Authentification of a server [22]</font>
  
 ===== Security issues ===== ===== Security issues =====
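Review bot: the caption now placed under the added figure 3 image still reads 'Authentification'; it should be 'Authentication'. Putting the image above its caption matches the layout used for figure 2, so the reordering itself is fine.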
Redak 115: Redak 116:
 HTTPS protocol has established itself as a secure and robust protocol for use on the World Wide Web. Researches are continuously working on making HTTPS protocol and its underlying OSI layers more secure. New cryptographic exploits are patched with every new release. This section covers several known types of attack on HTTPS. Mostly focusing on security issues of TLS/SSL layer. HTTPS protocol has established itself as a secure and robust protocol for use on the World Wide Web. Researches are continuously working on making HTTPS protocol and its underlying OSI layers more secure. New cryptographic exploits are patched with every new release. This section covers several known types of attack on HTTPS. Mostly focusing on security issues of TLS/SSL layer.
  
-A **man in the middle (MITM) attack** is a collection of cryptographic attacks where a perpetrator secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. Protocol that are stateless, like HTTP and HTTPS, are especially susceptible to this attack.Figure 4 explains the attack the best.+A **man in the middle (MITM) attack**  is a collection of cryptographic attacks where a perpetrator secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. Protocol that are stateless, like HTTP and HTTPS, are especially susceptible to this attack.Figure 4 explains the attack the best.
  
 {{:racfor_wiki:mrezna_forenzika:slika4_mitm.png?direct&600}} {{:racfor_wiki:mrezna_forenzika:slika4_mitm.png?direct&600}}
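Review bot: the edit to the MITM sentence only inserts a double space after the bold term, while the line keeps a wrong claim: 'Protocol that are stateless, like HTTP and HTTPS, are especially susceptible to this attack'. Statelessness is not what exposes a protocol to a man in the middle; lack of peer authentication is. Plain HTTP is susceptible because it authenticates nothing, and HTTPS resists MITM exactly when the client validates the server certificate, which is what figure 3 above describes. Suggest replacing the sentence with: 'Protocols without peer authentication, such as plain HTTP, are susceptible to this attack; HTTPS counters it by authenticating the server through its certificate.' Also, MITM is a network-position attack rather than a 'collection of cryptographic attacks', 'this attack.Figure 4' is missing a space, and 'Researches are continuously working' in the section intro should be 'Researchers'.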
Redak 121: Redak 122:
 Figure 4 MITM attack [23] Figure 4 MITM attack [23]
  
-A **downgrade attack** is a collection of cryptographic attacks on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation (e.g. cleartext) that is typically provided for backward compatibility with older systems. These types of attacks are often implemented as a part of a man in the middle attack.+A **downgrade attack**  is a collection of cryptographic attacks on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation (e.g. cleartext) that is typically provided for backward compatibility with older systems. These types of attacks are often implemented as a part of a man in the middle attack.
  
 Downgrade attack have been a consistent problem with SSL/TLS family of protocols. In 2014, an example of such flaw was discovered in a popular library for SSL/TLS called OpenSSL where the attacker could negotiate the use of lower version of TLS between the client and a server. Downgrade attack have been a consistent problem with SSL/TLS family of protocols. In 2014, an example of such flaw was discovered in a popular library for SSL/TLS called OpenSSL where the attacker could negotiate the use of lower version of TLS between the client and a server.
  
-**SSL stripping** is a one of man in the middle **attacks** on a HTTPS connection. Most common method used for SSL stripping is creating a hotspot on attacking device. Many attackers establish fake hotspots with names like legitimate hotspot names, for example “McDonald’s WiFi” instead of “McDonald’s”. Unaware, the user connects to the malicious hotspot. Once the user connects to the server, the attacker uses his control over the hotspot and attacks the user. Attacker intercepts the HTTP requests from the user and convers them to HTTP S for the server, he is basically acting as a bridge between them. After a successful attack victim’s information is transferred in plain text format and can be easily intercepted by anyone, including the attacker.+**SSL stripping**  is a one of man in the middle **attacks**  on a HTTPS connection. Most common method used for SSL stripping is creating a hotspot on attacking device. Many attackers establish fake hotspots with names like legitimate hotspot names, for example “McDonald’s WiFi” instead of “McDonald’s”. Unaware, the user connects to the malicious hotspot. Once the user connects to the server, the attacker uses his control over the hotspot and attacks the user. Attacker intercepts the HTTP requests from the user and convers them to HTTP S for the server, he is basically acting as a bridge between them. After a successful attack victim’s information is transferred in plain text format and can be easily intercepted by anyone, including the attacker.
  
 {{:racfor_wiki:mrezna_forenzika:slika5_sslstrip.png?direct&600}} {{:racfor_wiki:mrezna_forenzika:slika5_sslstrip.png?direct&600}}
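Review bot: the SSL stripping paragraph still carries 'convers them to HTTP S' (should be 'converts them to HTTPS') and 'is a one of man in the middle attacks' (drop 'a'), and its sequence is muddled: 'Once the user connects to the server' should say once the user is on the malicious hotspot, because the attacker keeps plain HTTP on the victim side and speaks HTTPS to the real server, which is what makes the following 'acting as a bridge between them' true. In the downgrade paragraph, 'Downgrade attack have been' should be 'Downgrade attacks have been', and the 2014 OpenSSL downgrade example is stated without a citation; point it at an entry in the source list so the claim is checkable.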
Redak 133: Redak 134:
 This results in a breach in the integrity and confidentiality of personal information such as login credentials, bank accounts, sensitive business data, etc. Users can combat this attack by using Strict Transport Security (HSTS) and by always checking that they are using HTTPS in their browsers. This results in a breach in the integrity and confidentiality of personal information such as login credentials, bank accounts, sensitive business data, etc. Users can combat this attack by using Strict Transport Security (HSTS) and by always checking that they are using HTTPS in their browsers.
  
-Cryptographic **attack ****FREAK** (Factoring RSA Export Keys), discovered in 2014, is a type of downgrade attack which relied on using weak RSA encryption keys shorter than 512 bits. These weak RSA encryption keys are a product of espionage from U.S. government. During the 1990s, U.S. government set up rules for the export of encryption systems. These rules limited the strength of the RSA encryption keys to a maximum of 512 bits in any Secure Socket Layer (SSL) implementations targeted for export. The key length of maximum 512 bits made the protocol easily hackable by NSA (National Security Agency), but not by the agencies with lesser computing power. In 2014, when FREAK was discovered, affected 37 % of HTTPS websites [19]. Shortly after discovery shortcoming were patched in most browsers.+Cryptographic **attack ****FREAK**  (Factoring RSA Export Keys), discovered in 2014, is a type of downgrade attack which relied on using weak RSA encryption keys shorter than 512 bits. These weak RSA encryption keys are a product of espionage from U.S. government. During the 1990s, U.S. government set up rules for the export of encryption systems. These rules limited the strength of the RSA encryption keys to a maximum of 512 bits in all Secure Socket Layer (SSL) implementations targeted for export. The key length of maximum 512 bits made the protocol easily hackable by NSA (National Security Agency), but not by the agencies with lesser computing power. In 2014, when FREAK was discovered, affected 37 % of HTTPS websites [19]. Shortly after discovery shortcoming were patched in most browsers.
  
 Another type of attack is a **BEAST ****attack**. BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of a HTTPS connection in a negligible amount of time. That is, it provides a way to extract the unencrypted plaintext from an encrypted session. This type of attack was remedied in TLSv1.1. Another type of attack is a **BEAST ****attack**. BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of a HTTPS connection in a negligible amount of time. That is, it provides a way to extract the unencrypted plaintext from an encrypted session. This type of attack was remedied in TLSv1.1.
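Review bot: the edit 'in all Secure Socket Layer (SSL) implementations' leaves the FREAK paragraph contradicting itself: the attack is said to rely on 'RSA encryption keys shorter than 512 bits' while the export rules capped keys 'to a maximum of 512 bits'; export-grade RSA keys were 512-bit, so the first phrase should read 'weak 512-bit export-grade RSA keys'. 'A product of espionage from U.S. government' describes export regulation, not espionage; suggest 'a legacy of 1990s U.S. export restrictions on cryptography'. 'Easily hackable by NSA' reads as speculation and should be tied to [19] or dropped, and 'when FREAK was discovered, affected 37 %' needs a subject ('it affected'). The year should be verified against [19]: FREAK was disclosed in March 2015, not 2014. In the BEAST paragraph, 'in a negligible amount of time' is unsupported and should be dropped, and it would help to say that BEAST targets CBC cipher suites in TLS 1.0, which is why the next figure shows CBC mode and why TLS 1.1 remedied it.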
Redak 143: Redak 144:
 Figure 6 CBC mode encryption [25] Figure 6 CBC mode encryption [25]
  
-The **POODLE ****attack** (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages similar to the BEAST attack. To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above. Thus, the authors of the paper on POODLE attacks also encourage browser and server implementation of TLS_FALLBACK_SCSV, which will make downgrade attacks impossible.+The **POODLE ****attack**  (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages similar to the BEAST attack. To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above. Thus, the authors of the paper on POODLE attacks also encourage browser and server implementation of TLS_FALLBACK_SCSV, which will make downgrade attacks impossible.
  
-The **Heartbleed** bug is a serious **vulnerability** specific to the implementation of SSL/TLS in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to steal private keys from servers that should normally be protected. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the public certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. The vulnerability is caused by a buffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.+The **Heartbleed**  bug is a serious **vulnerability**  specific to the implementation of SSL/TLS in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to steal private keys from servers that should normally be protected. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the public certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. The vulnerability is caused by a buffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.
  
-In February 2019 academics successfully used downgrade attack from TLSv1.3 to TLSv1.2 and using **Bleichenbacher’s ****attack** to decrypt RSA in TLSv1.2. The researches recommend moving away from RSA asymmetric encryption and using OAEP and ECEIS encryption systems.[17]+In February 2019 academics successfully used downgrade attack from TLSv1.3 to TLSv1.2 and using **Bleichenbacher’s ****attack**  to decrypt RSA in TLSv1.2. The researches recommend moving away from RSA asymmetric encryption and using OAEP and ECEIS encryption systems.[17]
  
-As of 03 December 2019, **SSL Pulse**, a **global dashboard** for monitoring the quality of SSL/TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexa’s list of the most popular sites in the world gave the ratio of affected websites. [26]+As of 03 December 2019, **SSL Pulse**, a **global dashboard**  for monitoring the quality of SSL/TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexa’s list of the most popular sites in the world gave the ratio of affected websites. [26]
  
 Only 17% of the sites support the latest TLSv1.3, 96% support the TLSv1.2. 63% of the sites still support TLSv1.0 which is being depreciated since June 2018. The BEAST Attack is no longer considered a valid threat for users of modern browsers. 41 % of sites use HTTPS/2 protocol. 56 sites or 0% of the sites are vulnerable to Heartbleed attack. 338 or 0.3% of the site surveyed are vulnerable to POODLE attack against TLS. 11% of the sites don’t have protocol downgrade defense. Majority of sites, 72% of the sites support secure 2048 bits for key exchange. while 1.1% of sites still support unsecure 512 bits for key exchange. Only 17% of the sites support the latest TLSv1.3, 96% support the TLSv1.2. 63% of the sites still support TLSv1.0 which is being depreciated since June 2018. The BEAST Attack is no longer considered a valid threat for users of modern browsers. 41 % of sites use HTTPS/2 protocol. 56 sites or 0% of the sites are vulnerable to Heartbleed attack. 338 or 0.3% of the site surveyed are vulnerable to POODLE attack against TLS. 11% of the sites don’t have protocol downgrade defense. Majority of sites, 72% of the sites support secure 2048 bits for key exchange. while 1.1% of sites still support unsecure 512 bits for key exchange.
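Review bot: the POODLE paragraph's closing claim that TLS_FALLBACK_SCSV 'will make downgrade attacks impossible' overstates it: the signaling cipher suite only blocks the client-driven fallback retry that POODLE abuses, and only when both client and server implement it, so write 'prevents this fallback-based downgrade when both sides support it'. The Bleichenbacher paragraph's recommendation is garbled: 'ECEIS' should be 'ECIES', and because OAEP is itself an RSA padding scheme (RSA-OAEP), the sentence should say the researchers recommend moving away from RSA PKCS#1 v1.5 encryption, the padding the attack exploits, to RSA-OAEP or ECIES, not away from RSA as such; 'The researches' should be 'The researchers'. In the SSL Pulse paragraph, 'HTTPS/2' should be 'HTTP/2', 'depreciated' should be 'deprecated', '56 sites or 0% of the sites' should be given to one decimal like the POODLE figure, and the fragment '. while 1.1% of sites' should be joined to the preceding sentence.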
Redak 156: Redak 157:
  
 This probably happened recently in France, where Google discovered a rogue certificate for google.com had been issued by French certificate authority ANSSI. The authority would have allowed the French government or whoever else had it to impersonate Google’s website, easily performing man-in-the-middle attacks. ANSSI claimed the certificate was only used on a private network to snoop on the network’s own users, not by the French government. Even if this were true, it would be a violation of ANSSI’s own policies when issuing certificates. This probably happened recently in France, where Google discovered a rogue certificate for google.com had been issued by French certificate authority ANSSI. The authority would have allowed the French government or whoever else had it to impersonate Google’s website, easily performing man-in-the-middle attacks. ANSSI claimed the certificate was only used on a private network to snoop on the network’s own users, not by the French government. Even if this were true, it would be a violation of ANSSI’s own policies when issuing certificates.
 +
 +===== Conclusion =====
 +
 +HyperText Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). HTTP is one of the most used protocol in the world and is a backbone of the web. HTTPS uses TLS or SSL to encrypt transferred data over computer network. Using encryption over communication channel ensures a private connection. Meaning that no one else with access to this communication channel can't understand data transferred between server and client. A lot of flaws of HTTP are not fixed with HTTPS and they cannot be fixed with improving the protocol further. Rather the protection from exploits is a responsibility the host (web server) in the correct implementation of the protocol. For the implementation of a web server security it is important to know the flaws of HTTPS protocol and keep them in mind while developing.
 +
 +HTTPS protocol and its underlying security protocol TLS are continually being improved as more and more attacks are being discovered. A lot of mentioned flaws of HTTPS are patched in newer versions, but they must be considered as the older systems still run on flawed protocols. Furthermore, even newer systems under an uneducated user can be exploited with the right tools.
 +
 +HTTPS protocol is a perfect example that software developers can never say they developed a bug free code, rather a code without any bugs discovered. They should always strive to write a manageable code rather than a bug free one.
 +
 +
 +===== Sources =====
 +
 +  - [[https://letsencrypt.org/stats/|https://letsencrypt.org/stats/]]
 +  - [[https://statoperator.com/research/https-usage-statistics-on-top-websites/|https://statoperator.com/research/https-usage-statistics-on-top-websites/]]
 +  - [[http://nevena.lss.hr/recordings/fer/predmeti/racfor/2018/seminari/msimovic/seminar.pdf|http://nevena.lss.hr/recordings/fer/predmeti/racfor/2018/seminari/msimovic/seminar.pdf]]
 +  - [[http://nevena.lss.hr/recordings/fer/predmeti/racfor/2018/seminari/msimovic/video.mp4|http://nevena.lss.hr/recordings/fer/predmeti/racfor/2018/seminari/msimovic/video.mp4]]
 +  - [[https://tools.ietf.org/html/rfc2616|https://tools.ietf.org/html/rfc2616]]
 +  - [[https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods|https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods]]
 +  - [[https://en.wikipedia.org/wiki/List_of_HTTP_status_codes|https://en.wikipedia.org/wiki/List_of_HTTP_status_codes]]
 +  - [[https://www.upwork.com/hiring/development/the-http2-protocol-its-pros-cons-and-how-to-start-using-it/|https://www.upwork.com/hiring/development/the-http2-protocol-its-pros-cons-and-how-to-start-using-it/]]
 +  - [[https://en.wikipedia.org/wiki/Certificate_authority|https://en.wikipedia.org/wiki/Certificate_authority]]
 +  - [[https://www.ssl.com/faqs/what-is-https/|https://www.ssl.com/faqs/what-is-https/]]
 +  - [[https://www.youtube.com/watch?v=T4Df5_cojAs|https://www.youtube.com/watch?v=T4Df5_cojAs]]
 +  - [[https://en.wikipedia.org/wiki/Certificate_authority|https://en.wikipedia.org/wiki/Certificate_authority]]
 +  - [[https://en.wikipedia.org/wiki/Certificate_authority#/media/File:PublicKeyCertificateDiagram_It.svg|https://en.wikipedia.org/wiki/Certificate_authority#/media/File:PublicKeyCertificateDiagram_It.svg]]
 +  - [[https://www.cloudinsidr.com/content/known-attack-vectors-against-tls-implementation-vulnerabilities/|https://www.cloudinsidr.com/content/known-attack-vectors-against-tls-implementation-vulnerabilities/]]
 +  - [[https://tools.ietf.org/html/rfc7457|https://tools.ietf.org/html/rfc7457]]
 +  - [[https://www.venafi.com/blog/what-are-ssl-stripping-attacks|https://www.venafi.com/blog/what-are-ssl-stripping-attacks]]
 +  - [[https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/|https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/]]
 +  - [[https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art027|https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art027]]
 +  - [[https://threatpost.com/new-freak-attack-threatens-many-ssl-clients/111390/|https://threatpost.com/new-freak-attack-threatens-many-ssl-clients/111390/]]
 +  - [[https://www.youtube.com/watch?v=BbwC8f_aBMQ|https://www.youtube.com/watch?v=BbwC8f_aBMQ]]
 +  - [[https://www.researchgate.net/profile/Kanchana_Thilakarathna/publication/306187575/figure/fig1/AS:395752913293314@1471366255623/HTTPS-message-sequence-diagram-with-detailed-TLS-handshaking-steps.png|https://www.researchgate.net/profile/Kanchana_Thilakarathna/publication/306187575/figure/fig1/AS:395752913293314@1471366255623/HTTPS-message-sequence-diagram-with-detailed-TLS-handshaking-steps.png]]
 +  - [[https://en.wikipedia.org/wiki/Public_key_certificate#/media/File:PublicKeyCertificateDiagram_It.svg|https://en.wikipedia.org/wiki/Public_key_certificate#/media/File:PublicKeyCertificateDiagram_It.svg]]
 +  - [[https://www.imperva.com/learn/wp-content/uploads/sites/13/2017/09/man-in-the-middle-mitm-attack.png|https://www.imperva.com/learn/wp-content/uploads/sites/13/2017/09/man-in-the-middle-mitm-attack.png]]
 +  - [[https://www.venafi.com/sites/default/files/content/body/ssl-strip-2.png|https://www.venafi.com/sites/default/files/content/body/ssl-strip-2.png]]
 +  - [[https://upload.wikimedia.org/wikipedia/commons/thumb/8/80/CBC_encryption.svg/601px-CBC_encryption.svg.png|https://upload.wikimedia.org/wikipedia/commons/thumb/8/80/CBC_encryption.svg/601px-CBC_encryption.svg.png]]
 +  - [[https://www.ssllabs.com/ssl-pulse/|https://www.ssllabs.com/ssl-pulse/]]
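Review bot: the new Conclusion's 'no one else with access to this communication channel can't understand data' is a double negative that says the opposite of what is meant; it should read 'can understand'. The claim 'A lot of flaws of HTTP are not fixed with HTTPS and they cannot be fixed with improving the protocol further' is too vague and clashes with the next paragraph, which says many flaws 'are patched in newer versions'; say which flaws are meant, for example that implementation bugs such as Heartbleed are the web server operator's responsibility while protocol-level weaknesses such as those behind BEAST and POODLE were addressed by newer TLS versions. 'HTTP is one of the most used protocol' needs 'protocols', and 'a code without any bugs discovered' should be 'code in which no bugs have been discovered'. The closing advice to prefer 'manageable code rather than a bug free one' is a false dichotomy nothing above supports; suggest 'maintainable code that can be patched quickly when the next flaw is found'. In the new Sources list, entry 12 repeats entry 9 (the same Certificate_authority URL) and entries 13 and 22 point at the same PublicKeyCertificateDiagram_It.svg file; if they are deduplicated, keep the existing numbering because the body cites [17], [19], [22], [23], [25] and [26]. In the unchanged ANSSI context line, 'This probably happened recently in France' should give the date of the incident instead of 'recently', and 'probably' should go if the source is certain.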
  
  
racfor_wiki/mrezna_forenzika/sigurnost_https_protokola.1578230230.txt.gz · Last modified: 2024/12/05 12:23 (external edit)