Believe It Or Not SSL Attacks
•Transferir como PPTX, PDF•
0 gostou•829 visualizações
A talk about attacks against SSL that have been uncovered in the last 3-4 years. This talk delves into about what exactly was attacked and how it was attacked and how SSL is still a pretty useful piece of technology. This was given at null Bangalore April Meeting.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Believe It Or Not SSL Attacks
Semelhante a Believe It Or Not SSL Attacks (20)
Mais de Akash Mahajan
Mais de Akash Mahajan (17)
Último
Último (20)
Believe It Or Not SSL Attacks
- 1. Believe it or not SSL attacks Akash Mahajan That Web Application Security Guy
- 2. HTTP + SSL/TLS = HTTPS
- 4. SSL/TLS O Encrypted Communication – Eavesdropping and Tampering O Secure Identification of a Network – Are you talking to the right server?
- 5. Attacking The Encryption Algorithm O Attack like the BEAST (Browser Exploit Against SSL/TLS ) target the underlying encryption. O Usually the encryption has held against attacks. Even BEAST requires injecting client side JavaScript to work O http://threatpost.com/en_us/blogs/new- attack-breaks-confidentiality-model-ssl- allows-theft-encrypted-cookies-091611
- 6. Attacking The Authenticity O The low hanging fruit. Most of the times when that sslstrip guy talks about SSL issues he talks about attacking the authenticity. O Why is the authenticity important? O How do you bypass it?
- 7. How is the authenticity maintained? O A implicitly trusted certificate will tell you that a server’s particular certificate is trust worthy or not. O When a server got a certificate trusted by a root CA they get added to a list. O If a server is removed from the trusted listed they get added to a revocation list.
- 8. Is your browser checking the revocation list? O Chrome relies on frequent updates for this. O Firefox ? O IE - Online Certificate List O Online Certificate Status Protocol
- 9. Bad Things can Happen O Comodo an affiliate of a root CA was hacked. O DigiNotar was hacked. O Hundreds of certificates for google, yahoo, mozilla, MS windows update were released. O SSL assumes that both end points aren’t evil
- 10. I hacked the internet and all I have is a t-shirt O Attack against the PKI because of MD5 O The attack was against Intermediate CAs O There were theoretical attacks against MD5 since 2004 O They found out that RapidSSL had issued 97% certificates with MD5 hash.
- 11. I hacked the internet and all I have is a t-shirt O Also the certificate serial number was sequential and time could be predicted O Used 200 PS3s to generate a certificate which had most parts from a legitimate cert but something different. O http://www.trailofbits.com/resources/creati ng_a_rogue_ca_cert_paper.pdf
- 13. SSLStrip attacks HTTP O Attacked correct attributes not being setup in Certificates O Now looks at HTTP traffic going by. O Has a valid certificate for a weird looking domain name whose puny code looks like /?
- 14. Akash Mahajan | That Web Application Security Guy O akashmahajan@gmail.com O @makash | akashm.com O http://slideshare.net/akashm O OWASP Bangalore Chapter Lead O Null Co-Founder and Community Manager
- 15. References O SSL Lock image from http://elie.im/blog/security/evolution-of-the-https-lock-icon- infographic/ O http://arstechnica.com/business/news/2011/09/new-javascript-hacking-tool-can- intercept-paypal-other-secure-sessions.ars O http://technet.microsoft.com/en-us/library/cc962078.aspx O https://freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate- authority-trust-model O http://arstechnica.com/security/news/2011/08/earlier-this-year-an-iranian.ars O http://arstechnica.com/security/news/2011/03/independent-iranian-hacker-claims- responsibility-for-comodo-hack.ars O http://en.wikipedia.org/wiki/Certificate_authority#cite_note-3 O http://vnhacker.blogspot.in/2011/09/beast.html O http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows- theft-encrypted-cookies-091611