
HTTPS protocol security

Abstract

Users trust the HTTPS protocol to transfer their passwords and personal data securely. Advanced users such as software engineers, although more knowledgeable about HTTPS, do not consider its security risks when developing a web application.

The aim of this paper is to cover how HTTPS extends the HTTP protocol and to show the flaws of the HTTPS protocol. Understanding these flaws can help users protect their data, web developers build secure web servers, and computer forensic experts analyze the protocol. This paper mostly covers exploits of TLS/SSL.

Keywords: cryptography, HTTP, HTTPS, SSL, TLS, IP, WWW, security, cryptographic attacks, MITM, BEAST, POODLE, Heartbleed

Introduction

Every user of the World Wide Web today uses the HTTPS protocol. HyperText Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). As of December 2019, 45% of websites use HTTPS by default [1], and it accounts for 80% of all websites loaded, as measured by Firefox Telemetry [2].

With that popularity comes a responsibility placed on HTTPS by its users. Users trust HTTPS to transfer their passwords and personal data securely. Advanced users such as software engineers, although more knowledgeable about HTTPS, do not consider its security risks when developing a web application. They usually rely on the framework they are using to keep them safe.

Even though a lot of time has been spent on developing a more secure HTTP protocol, there are still flaws in the HTTPS protocol. Abuse of these flaws can give an attacker access to a user's sensitive data, and it can also damage web applications.

The aim of this paper is to cover how HTTPS extends the HTTP protocol and to show the flaws of the HTTPS protocol. Understanding these flaws can help users protect their data, web developers build secure web servers, and computer forensic experts analyze the protocol. This paper mostly covers exploits of TLS/SSL, as other attacks are covered in previous papers in the computer forensics course.

Overview of HTTP protocol

The Hypertext Transfer Protocol (HTTP) is an application layer protocol and the foundation of data communication for the World Wide Web. It defines how messages are formatted and transmitted, and which actions Web servers and clients should take in response to various commands.

HTTP functions as a request-response protocol in the client-server computing model. For example, when a user enters a URL (e.g. http://info.cern.ch) in a browser, the browser sends an HTTP command to a Web server directing it to return the requested Web page. Communication begins with the client’s request for a resource on a Web server. If the request is valid, the server returns the requested resource.

Client’s request consists of:

The request begins with the HTTP method, which indicates the desired action to be performed on the identified resource. The methods are GET, POST, PUT, OPTIONS, DELETE, TRACE and CONNECT. The most used method is GET, which requests a representation of the specified resource. It is only used to retrieve data and should never have any other effect. For the list of all methods and their use, see sources [6] and [5].

An empty line is the delimiter between the header and the body. The optional body is used to send user data to the server (e.g. user data for logging in to a Web site).

Example of an HTTP request to http://info.cern.ch:

In this example the user issued a GET request on / (the root) of the host, using the HTTP/1.1 protocol. Under the request line are the request headers, which in HTTP/1.1 are all optional. This example request has no body; if there were one, it would follow the empty line. It should be noted that the empty line after the header is always included, signaling the end of the header.

The Web server’s response consists of:

The status consists of a numeric status code (e.g. 404) and a textual reason (e.g. “Not found”). The status code and header fields enable the user agent to handle the response of the Web server. The standard also allows the Web developer to change the textual reason to describe the status better. For that reason it is not advisable for a user agent to parse the textual reason and make decisions based on it. The standard differentiates five groups of status codes:

Example of HTTP response from the Web server:

In the example response the numeric status code 200 can be seen, which represents a successful transmission. The response headers further describe the session. After the empty line comes the body, which is HTML (Hypertext Markup Language) code used to display the Web page.
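The message layout described above, as an added Python example that is not part of the original paper: it splits constructed request and response messages at the empty line and classifies a response by its numeric status code rather than by the reason text. The sample messages, header values and function names are assumptions made for illustration.

```python
# Constructed sample messages (not captured traffic). Header lines end in CRLF.
REQUEST = (b"GET / HTTP/1.1\r\n"
           b"Host: info.cern.ch\r\n"
           b"User-Agent: example-client/1.0\r\n"
           b"\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: 28\r\n"
            b"\r\n"
            b"<html><body>Hi</body></html>")
CUSTOM_REASON = b"HTTP/1.1 404 Nothing here\r\n\r\n"   # reason text changed

# The five status code groups, keyed by the first digit of the code.
STATUS_GROUPS = {1: "informational", 2: "success", 3: "redirection",
                 4: "client error", 5: "server error"}


def split_message(raw):
    """Split a raw HTTP/1.x message into (start line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing empty line after the header section")
    start_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        # Reject malformed names (for example a space before the colon)
        # instead of guessing what the sender meant.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    return start_line, headers, body


def parse_request(raw):
    start_line, headers, body = split_message(raw)
    method, target, version = start_line.split(" ")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_response(raw):
    start_line, headers, body = split_message(raw)
    version, code, reason = (start_line.split(" ", 2) + [""])[:3]
    status = int(code)
    # Decide on the numeric code only; the reason phrase is free text.
    return {"version": version, "status": status, "reason": reason,
            "group": STATUS_GROUPS[status // 100],
            "headers": headers, "body": body}
```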

The definition of HTTP presumes an underlying, reliable transport layer protocol, which is why TCP (Transmission Control Protocol) is often used. On the other hand, HTTP can be adapted to work over unreliable protocols such as UDP (User Datagram Protocol). For the network layer HTTP usually uses the Internet Protocol. The most used HTTP version is 1.1, but HTTP/2.0 has now also been developed; it is more efficient, more secure and faster.

Overview of HTTPS protocol

In HTTPS, the communication protocol is still HTTP, but it is encrypted using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). HTTPS is therefore often referred to as HTTP over TLS or HTTP over SSL.

TLS and its deprecated predecessor SSL are cryptographic protocols designed to provide security over a computer network. They are widely used in web browsing, email and other applications. SSL/TLS works by binding the identities of websites and companies to cryptographic key pairs via digital documents known as X.509 certificates. Each key pair consists of a private key and a public key. The private key is kept secure, and the public key can be widely distributed via a certificate.

The relationship between the public and private key is based on symmetric and asymmetric cryptography, and it allows data encrypted with the public key to be easily decrypted with the private key. That way only systems that know the private key can understand the sent data.

It should be noted that HTTPS URLs begin with https: and use port 443 by default, while HTTP URLs begin with http: and use port 80 by default.

A certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party - trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. Since April 2016 Let’s Encrypt, a non-profit CA, has provided a free and automated service that delivers basic SSL/TLS certificates to websites. A free and automated certificate service made the transition to HTTPS as easy as clicking one button.

Figure 1 Example of a valid certificate taken from Google Chrome


Establishing an HTTPS connection differs from HTTP in that there is a handshake with the SSL/TLS layer, which HTTP does not have; the figure below illustrates the handshake.

Figure 2 HTTPS handshake [21]

SSL/TLS encrypts:

SSL/TLS does not encrypt:

Certification of a server is very simple. A server that wants to be authenticated creates a Certificate Signing Request with its key pair and sends it to the certificate authority. The certificate authority encrypts the request with its private key and sends it back.

This way anyone who has the public key of the certificate authority used can verify the authenticity of the server’s key pair.

Figure 3 Authentication of a server [22]

Security issues

The HTTPS protocol has established itself as a secure and robust protocol for use on the World Wide Web. Researchers are continuously working on making the HTTPS protocol and its underlying OSI layers more secure. New cryptographic exploits are patched with every new release. This section covers several known types of attack on HTTPS, focusing mostly on security issues of the TLS/SSL layer.

A man in the middle (MITM) attack is a collection of cryptographic attacks where a perpetrator secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. Protocols that are stateless, like HTTP and HTTPS, are especially susceptible to this attack. Figure 4 illustrates the attack.

Figure 4 MITM attack [23]

A downgrade attack is a collection of cryptographic attacks on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation (e.g. cleartext) that is typically provided for backward compatibility with older systems. These types of attacks are often implemented as a part of a man in the middle attack.

Downgrade attacks have been a consistent problem with the SSL/TLS family of protocols. In 2014, an example of such a flaw was discovered in OpenSSL, a popular library for SSL/TLS, where the attacker could negotiate the use of a lower version of TLS between the client and a server.

SSL stripping is one of the man in the middle attacks on an HTTPS connection. The most common method used for SSL stripping is creating a hotspot on the attacking device. Many attackers set up fake hotspots with names similar to legitimate hotspot names, for example “McDonald’s WiFi” instead of “McDonald’s”. Unaware, the user connects to the malicious hotspot. Once the user connects to the server, the attacker uses his control over the hotspot to attack the user. The attacker intercepts the HTTP requests from the user and converts them to HTTPS for the server, basically acting as a bridge between them. After a successful attack the victim’s information is transferred in plain text and can be easily intercepted by anyone, including the attacker.

Figure 5 SSL stripping attack [24]

This results in a breach of the integrity and confidentiality of personal information such as login credentials, bank accounts, sensitive business data, etc. Users can combat this attack by using HTTP Strict Transport Security (HSTS) and by always checking that they are using HTTPS in their browsers.
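An added example, not from the original paper, of checking whether a response actually carries a usable HSTS policy. The directive names follow RFC 6797; the one-year threshold, the sample responses and the function names are assumptions.

```python
import re

ONE_YEAR = 31536000  # assumed review threshold in seconds, not from the paper


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def audit_hsts(scheme, headers):
    """Return findings for one response; an empty list means the policy holds."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no HSTS header: a stripped connection stays on plain HTTP"]
    if scheme != "https":
        return ["HSTS sent over plain HTTP is ignored by browsers"]
    directives = parse_hsts(value)
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        return ["max-age missing or not a number: header is invalid"]
    findings = []
    if int(max_age) == 0:
        findings.append("max-age=0 removes the stored policy")
    elif int(max_age) < ONE_YEAR:
        findings.append("max-age below one year: policy expires quickly")
    if "includesubdomains" not in directives:
        findings.append("subdomains not covered")
    return findings


# Constructed sample responses (scheme, headers), not captured traffic.
SAMPLES = {
    "strong": ("https", {"Strict-Transport-Security":
                         "max-age=63072000; includeSubDomains"}),
    "short": ("https", {"strict-transport-security": "max-age=300"}),
    "over_http": ("http", {"Strict-Transport-Security": "max-age=63072000"}),
    "absent": ("https", {"Content-Type": "text/html"}),
}


def audit_samples():
    return {name: audit_hsts(*sample) for name, sample in SAMPLES.items()}
```

A browser only enforces the policy after it has seen the header once over HTTPS, so the very first plain HTTP visit to a site remains exposed to stripping.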

The cryptographic attack FREAK (Factoring RSA Export Keys), discovered in 2014, is a type of downgrade attack that relies on weak RSA encryption keys shorter than 512 bits. These weak RSA encryption keys are a product of espionage by the U.S. government. During the 1990s, the U.S. government set up rules for the export of encryption systems. These rules limited the strength of RSA encryption keys to a maximum of 512 bits in all Secure Socket Layer (SSL) implementations targeted for export. The maximum key length of 512 bits made the protocol easily breakable by the NSA (National Security Agency), but not by agencies with less computing power. In 2014, when FREAK was discovered, it affected 37% of HTTPS websites [19]. Shortly after the discovery the shortcomings were patched in most browsers.

Another type of attack is the BEAST attack. BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of an HTTPS connection in a negligible amount of time. That is, it provides a way to extract the unencrypted plaintext from an encrypted session. This type of attack was remedied in TLSv1.1.

This attack relies on the cipher block chaining (CBC) mode of block ciphers. With this method the attacker can get the initialization vector for the next messages by guessing just one byte, which takes on average only 128 retries. [18]

Figure 6 CBC mode encryption [25]

The POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”) is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages similar to the BEAST attack. To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above. Thus, the authors of the paper on POODLE attacks also encourage browser and server implementation of TLS_FALLBACK_SCSV, which will make downgrade attacks impossible.
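The two mitigations named above, modelled in Python as an added example that is not code from the paper or from any TLS library: a server that refuses SSL 3.0 and honours TLS_FALLBACK_SCSV, beside a legacy server that does neither. The version numbers and the SCSV value are the wire values from RFC 7507; the function names and the cipher suite list are constructed.

```python
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303  # wire versions
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value (RFC 7507)
SAMPLE_SUITES = [0xC02F, 0x009C]  # constructed ClientHello cipher suite list

class HandshakeAlert(Exception):
    """Fatal alert a server sends instead of completing the handshake."""

def legacy_server(client_version, cipher_suites):
    """Weak setting: SSL 3.0 still enabled, SCSV not understood."""
    return min(client_version, TLS12)

def hardened_server(client_version, cipher_suites,
                    server_min=TLS10, server_max=TLS12):
    """Corrected setting: SSL 3.0 disabled and TLS_FALLBACK_SCSV honoured."""
    if client_version < server_min:
        raise HandshakeAlert("protocol_version")
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        # A retry at a lower version although the server supports a higher
        # one: the earlier handshake failure was not a real incompatibility.
        raise HandshakeAlert("inappropriate_fallback")
    return min(client_version, server_max)

def client_connect(server, path_drops, versions=(TLS12, TLS11, TLS10, SSL3)):
    """Model a client that retries at lower versions after a failure.

    path_drops(version) is True when the handshake at that version never
    completes, the condition a forced fallback depends on.
    """
    for attempt, version in enumerate(versions):
        suites = list(SAMPLE_SUITES)
        if attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # mark every fallback retry
        if path_drops(version):
            continue
        try:
            return ("ok", server(version, suites))
        except HandshakeAlert as alert:
            return ("alert", str(alert))
    return ("alert", "no handshake completed")

def scenarios():
    forced = lambda version: version > SSL3   # only SSL 3.0 gets through
    clean = lambda version: False
    scsv_only = lambda v, s: hardened_server(v, s, server_min=SSL3)
    return {
        "legacy, forced fallback": client_connect(legacy_server, forced),
        "SCSV only, forced fallback": client_connect(scsv_only, forced),
        "hardened, forced fallback": client_connect(hardened_server, forced),
        "hardened, clean path": client_connect(hardened_server, clean),
        "old client": client_connect(hardened_server, clean, (TLS10,)),
    }
```

The last scenario shows why the signalling value does not lock out old clients: a client whose first and only offer is TLS 1.0 never sends it, so the server accepts the handshake.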

The Heartbleed bug is a serious vulnerability specific to the implementation of SSL/TLS in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to steal private keys from servers that should normally be protected. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the public certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. The vulnerability is caused by a buffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.
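The over-read described above, as an added Python model rather than OpenSSL's C code: a heartbeat request (RFC 6520) carries its own payload length, and the unchecked handler echoes that many bytes even when the received record is shorter. The heap layout, the neighbouring data and all function names are constructed for illustration.

```python
import struct

PADDING = 16    # minimum padding length in RFC 6520
HEADER = 3      # type (1 byte) + payload_length (2 bytes)


def heartbeat_request(payload, claimed_len=None):
    """Build a heartbeat request; claimed_len lets the length field lie."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", 1, length) + payload + bytes(PADDING)


def echo_unchecked(memory, offset, record_len):
    """Pre-fix behaviour: trust payload_length and copy that many bytes."""
    _type, claimed = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER
    return bytes(memory[start:start + claimed])     # may run past the record


def echo_checked(memory, offset, record_len):
    """Fixed behaviour: discard messages whose claimed length does not fit."""
    if record_len < HEADER + PADDING:
        return None
    _type, claimed = struct.unpack_from("!BH", memory, offset)
    if HEADER + claimed + PADDING > record_len:
        return None                                 # silently dropped
    start = offset + HEADER
    return bytes(memory[start:start + claimed])


def simulate(record):
    """Place the record in a model heap next to unrelated data and echo it."""
    neighbour = b"CONSTRUCTED-PRIVATE-KEY-BYTES"    # stand-in, not real key data
    memory = bytearray(record + neighbour + bytes(64))
    return (echo_unchecked(memory, 0, len(record)),
            echo_checked(memory, 0, len(record)))
```

For detection and patch verification the useful property is the comparison in `echo_checked`: a request whose claimed payload plus header and padding exceeds the record length is never answered.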

In February 2019 academics successfully used a downgrade attack from TLSv1.3 to TLSv1.2 together with Bleichenbacher’s attack to decrypt RSA in TLSv1.2. The researchers recommend moving away from RSA asymmetric encryption and using the OAEP and ECIES encryption systems. [17]

As of 03 December 2019, SSL Pulse, a global dashboard for monitoring the quality of SSL/TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexa’s list of the most popular sites in the world, gave the following ratios of affected websites. [26]

Only 17% of the sites support the latest TLSv1.3, while 96% support TLSv1.2. 63% of the sites still support TLSv1.0, which has been deprecated since June 2018. The BEAST attack is no longer considered a valid threat for users of modern browsers. 41% of sites use the HTTPS/2 protocol. 56 sites, or 0% of the sites, are vulnerable to the Heartbleed attack. 338 sites, or 0.3% of the sites surveyed, are vulnerable to the POODLE attack against TLS. 11% of the sites don’t have protocol downgrade defense. The majority of sites, 72%, support secure 2048 bits for key exchange, while 1.1% of sites still support insecure 512 bits for key exchange.

Security issues in the future can also come from the certificate authorities. Because there are so many certificate authorities, they’re all around the world, and any certificate authority can issue a certificate for any website, governments could compel certificate authorities to issue them an SSL certificate for a site they want to impersonate.

This probably happened recently in France, where Google discovered a rogue certificate for google.com had been issued by French certificate authority ANSSI. The authority would have allowed the French government or whoever else had it to impersonate Google’s website, easily performing man-in-the-middle attacks. ANSSI claimed the certificate was only used on a private network to snoop on the network’s own users, not by the French government. Even if this were true, it would be a violation of ANSSI’s own policies when issuing certificates.

Conclusion

HyperText Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). HTTP is one of the most used protocols in the world and is a backbone of the web. HTTPS uses TLS or SSL to encrypt data transferred over a computer network. Using encryption over the communication channel ensures a private connection, meaning that no one else with access to this communication channel can understand the data transferred between server and client. A lot of the flaws of HTTP are not fixed by HTTPS, and they cannot be fixed by improving the protocol further. Rather, protection from exploits is a responsibility of the host (web server) in the correct implementation of the protocol. For the implementation of web server security it is important to know the flaws of the HTTPS protocol and keep them in mind while developing.

The HTTPS protocol and its underlying security protocol TLS are continually being improved as more and more attacks are discovered. A lot of the mentioned flaws of HTTPS are patched in newer versions, but they must still be considered, as older systems still run on flawed protocols. Furthermore, even newer systems in the hands of an uneducated user can be exploited with the right tools.

The HTTPS protocol is a perfect example that software developers can never say they have developed bug-free code, only code without any discovered bugs. They should always strive to write manageable code rather than bug-free code.

Sources