More Tricks For Defeating SSL In Practice

More Tricks For Defeating SSL InPracticeMoxie Marlinspikemoxie@thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

In the past, I've talked aboutBasicConstraints...Moxie MarlinspikeInstitute For Disruptive Studies

Certificate ChainingVeriSignIntermediateCAIntermediateCApaypal.comMoxie MarlinspikeInstitute For Disruptive Studies

How do we verify these things?Moxie MarlinspikeInstitute For Disruptive Studies

What they say:●●●●Verify that the name of the leaf node is thesame as the site you're connecting to.Verify that the leaf certificate has not expired.Check the signature.If the signing CA is in our list of trusted rootCAs, stop. Otherwise, move one up the chainand repeat.Moxie MarlinspikeInstitute For Disruptive Studies

Here Be Dragons●●●Very tempting to use asimple recursivefunction.Everyone focuses on thesignature validation.The result of a naïveattempt at validation is achain that is complete,but nothing more.Moxie MarlinspikeInstitute For Disruptive Studies

VeriSignWhat if...IntermediateCAIntermediateCAthoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

VeriSignWhat if...IntermediateCAIntermediateCAthoughtcrime.orgpaypal.comMoxie MarlinspikeInstitute For Disruptive Studies

What they say:●●●●Verify that the name of the leaf node is thesame as the site you're connecting to.Verify that the leaf certificate has not expired.Check the signature.If the signing CA is in our list of trusted rootCAs, stop. Otherwise, move one up the chainand repeat.Moxie MarlinspikeInstitute For Disruptive Studies

Something must be wrong, but...●●●●All the signatures are valid.Nothing has expired.The chain is in tact.The root CA is embedded in the browser andtrusted.Moxie MarlinspikeInstitute For Disruptive Studies

But we just created a valid certificatefor PayPal, and we're not PayPal?Moxie MarlinspikeInstitute For Disruptive Studies

The missing piece...Moxie MarlinspikeInstitute For Disruptive Studies

...is a somewhat obscure field.Moxie MarlinspikeInstitute For Disruptive Studies

Back In The Day●●●●Most CAs didn't explicitly set basicConstraints:CA=FalseWhether the field was there or not, most SSLimplementations didn't bother to check it.Anyone with a valid leaf node certificate couldcreate and sign a leaf node certificate for anyother domain.When presented with a complete chain, IE,Outlook, Konqueror, OpenSSL, and othersconsidered it valid...Moxie MarlinspikeInstitute For Disruptive Studies

And then in 2002...●●●Microsoft did something particularly annoying,so I blew this up by publishing it.Microsoft claimed that it was impossible toexploit.So I also published the tool that exploits it.Moxie MarlinspikeInstitute For Disruptive Studies

sslsniffMoxie MarlinspikeInstitute For Disruptive Studies

sslsniffMoxie MarlinspikeInstitute For Disruptive Studies

sslsniffsslsniff●Intercept a connection fromthe client side.●Generate a certificate for thesite it is connecting to.●Sign it with any random validleaf node certificate.●Pass that certificate chain tothe client.●Make a normal SSLconnection to the server.●Pass data between client andserver, decrypting andencrypting on each end.Moxie MarlinspikeInstitute For Disruptive Studies

Lately, I've been talking aboutSSL Stripping...Moxie MarlinspikeInstitute For Disruptive Studies

iefMoxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

SSL can be useful, but how it's deployedmattersMoxie MarlinspikeInstitute For Disruptive Studies

In the context of web browsing●●SSL is almost never encountered directly.Nobody types:https://...Moxie MarlinspikeInstitute For Disruptive Studies

In the context of web browsing●It is either encountered as a result of:●●A 302 redirect from an HTTP URL to an HTTPSURL.An HTTPS link that a user clicks on from an HTTPpage.– (Think, “My Cart,” “Checkout,” “Login,” etc...)Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

We Can Attack SSLBefore We Even Get ThereMoxie MarlinspikeInstitute For Disruptive Studies

sslsniffMoxie MarlinspikeInstitute For Disruptive Studies

sslstripMoxie MarlinspikeInstitute For Disruptive Studies

sslstrip●Watch HTTP traffic go by.●Switch to ●and keep a map of what you've changed.●Switch Location: https:// to Location: http://●and keep a map of what you've changed.sslstripMoxie MarlinspikeInstitute For Disruptive Studies

sslstrip●Watch HTTP traffic go by.●When we see an HTTP request for a URL that we'vestripped, proxy that out as HTTPS to the server.●Watch the HTTPS traffic go by, log everything that wewant, and keep a map of all relative, CSS, and JSlinks that go by.sslstripMoxie MarlinspikeInstitute For Disruptive Studies

How Does It Look?

How Does It Look?

How Does It Look?

How Does It Look?

the evolution of positive/negativefeedback helps make this successfulMoxie MarlinspikeInstitute For Disruptive Studies

The sites themselves confuse us.

Some sites provide no visible difference.

Some sites provide no visible difference.

Secure Or Stripped?

Other Little Tricks:

Where can we go from here?Moxie MarlinspikeInstitute For Disruptive Studies

Where do we need to go from here?Moxie MarlinspikeInstitute For Disruptive Studies

What's with certificates, anyways?X509CertificateVersionSerial NumberIssuerValidity (not before X or after Y)SubjectPublicKeySignatureAlgorithmSignatureMoxie MarlinspikeInstitute For Disruptive Studies

What's with certificates, anyways?X509CertificateVersionSerial NumberIssuerValidity (not before X or after Y)SubjectPublicKeySignatureAlgorithmSignatureMoxie MarlinspikeInstitute For Disruptive Studies

What's with certificates, anyways?X509CertificateVersionSerial NumberIssuerValidity (not before X or after Y)SubjectPublicKeySignatureAlgorithmSignatureMoxie MarlinspikeInstitute For Disruptive Studies

What's with certificates, anyways?X509CertificateVersionSerial NumberIssuerValidity (not before X or after Y)SubjectPublicKeySignatureAlgorithmSignatureMoxie MarlinspikeInstitute For Disruptive Studies

What's with certificates, anyways?X509CertificateVersionSerial NumberIssuerValidity (not before X or after Y)SubjectPublicKeySignatureAlgorithmSignatureMoxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

The Big Three● Secrecy● Authenticity● IntegrityMoxie MarlinspikeInstitute For Disruptive Studies

SSL/TLS Handshake BeginningsClientHelloServerHello, ServerCertificateMoxie MarlinspikeInstitute For Disruptive Studies

SSL Handshake BeginningsX509CertificateVersionSerial NumberIssuerValiditySubjectPublicKeySignatureAlgorithmSignatureMoxie MarlinspikeInstitute For Disruptive Studies

The Problems For Us BeginAttackerClientHelloServerHello,ServerCertificate?Moxie MarlinspikeInstitute For Disruptive Studies

Let's start by looking back once more.Moxie MarlinspikeInstitute For Disruptive Studies

In 2000, things were different.Moxie MarlinspikeInstitute For Disruptive Studies

Notaries!Moxie MarlinspikeInstitute For Disruptive Studies

Identification!Moxie MarlinspikeInstitute For Disruptive Studies

Phone Calls!Moxie MarlinspikeInstitute For Disruptive Studies

Actual people involved...Moxie MarlinspikeInstitute For Disruptive Studies

That is a bygone eraMoxie MarlinspikeInstitute For Disruptive Studies

These days it's all about:online domain validationMoxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributesMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributesMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributeswww.bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributeswww.bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributeswww.bankofamerica.comWHOIS LookupMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributeswww.bankofamerica.comWHOIS LookupEmail admin@bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributeswww.bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributeswww.bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributescertificate.authorities.are.a.total.ripoff.bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10CertificateRequestVersionSubjectPublicKeyAttributescertificate.authorities.are.a.total.ripoff.bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

SubjectsDistinguishedNameCountryStateLocaleOrganizationOrganizational UnitCommon NameMoxie MarlinspikeInstitute For Disruptive Studies

SubjectsDistinguishedNameCountryStateLocaleOrganizationOrganizational UnitCommon Name●●●The X.509 standard isa total nightmare.Three revisions,twenty years.Parts of the standardhave literally been“lost” and then later“found” again.Moxie MarlinspikeInstitute For Disruptive Studies

SubjectsDistinguishedNameCountryStateLocaleOrganizationOrganizational UnitCommon Name●●The original vision for theDN was that each DN wouldfit into some global DirectoryInformation Tree.In practice, the standard isweak, everyone doeseverything differently, andthe global DIT nevermaterialized.Moxie MarlinspikeInstitute For Disruptive Studies

SubjectsDistinguishedNameCountryStateLocaleOrganizationOrganizational UnitCommon Name●“There is nothing in any of thesestandards that would prevent mefrom including a 1 gigabit MPEGmovie of me playing with my catas one of the RDN components ofthe DN in my certificate.”-- Bob Jueneman on IETF-PKIXMoxie MarlinspikeInstitute For Disruptive Studies

SubjectsDistinguishedNameCountryStateLocaleOrganizationOrganizational UnitCommon Namewww.bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

CNcommonName ::=SEQUENCE { { 2 5 4 3 }, StringType( SIZE( 1...64 ) ) }●IA5String:●●●0x16 – ID0x05 – Length (5 Chars)0x76, 0x61, 0x6c, 0x75, 0x65 – v, a, l, u, eMoxie MarlinspikeInstitute For Disruptive Studies

CN Encoding●Essentially, the CN field is represented as aPASCAL String.0xe w w w . p a y p a l . c o m●This is different from how C strings arerepresented.w w w . p a y p a l . c o m \0Moxie MarlinspikeInstitute For Disruptive Studies

PKCS #10 SubjectDistinguishedNameCountryStateLocaleOrganizationOrganizational Unit thoughtcrime.orgCommon Namewww.paypal.comMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10 SubjectCommon Namewww.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10 SubjectCommon Nameverisign.eats.children.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10 SubjectCommon Nameiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10 SubjectCommon Namewww.paypal.com\0.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10 Certificate SigningRequestCertificateRequestVersionSubjectPublicKeyAttributeswww.paypal.com\0.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

PKCS #10 Certificate SigningRequestCertificateRequestVersionSubjectPublicKeyAttributeswww.paypal.com\0.thoughtcrime.orgWHOIS LookupAnd contact... me!Moxie MarlinspikeInstitute For Disruptive Studies

Our Original ScenarioAttackerClientHelloServerHello,ServerCertificate[www.paypal.com\0.thoughtcrime.org]Moxie MarlinspikeInstitute For Disruptive Studies

Our Original ScenarioX509CertificateVersionSerial NumberIssuerValiditySubjectPublicKeySignatureAlgorithmSignatureMoxie MarlinspikeInstitute For Disruptive Studies

Our Original Scenariochar *destination = getDomainWeAreConnectingTo();char *commonName = getCommonNameFromCertificate();bool everythingIsOk = (strcmp(destination, commonName) == 0);Moxie MarlinspikeInstitute For Disruptive Studies

In memory, though...char *destinationw w w . p a y p a l . c o m \0w w w . p a y p a l . c o m \0 . t h o u.g h t c r i m e . o r g \0char *commonNameMoxie MarlinspikeInstitute For Disruptive Studies

In memory, though...char *destinationw w w . p a y p a l . c o m \0w w w . p a y p a l . c o m \0 . t h o u.g h t c r i m e . o r g \0char *commonNameMoxie MarlinspikeInstitute For Disruptive Studies

In the eyes of most SSLimplementations, this certificate iscompletely valid for www.paypal.comMoxie MarlinspikeInstitute For Disruptive Studies

What are “most” SSL implementations?●●●●Web Browsers●Firefox, IE, Chrome, Lynx, Curl,Mail Clients●Thunderbird, Outlook, EvolutionChat Clients●Pidgin, AIM, irssi, centericqSSL VPNs●AEP, Citrix, etc...Moxie MarlinspikeInstitute For Disruptive Studies

A First Cut: updated sslsniffsslsniffIff “null prefix attack” certificateis availableMoxie MarlinspikeInstitute For Disruptive Studies

How does it look?Moxie MarlinspikeInstitute For Disruptive Studies

How does it look?Moxie MarlinspikeInstitute For Disruptive Studies

How does it look?Moxie MarlinspikeInstitute For Disruptive Studies

How does it look?Moxie MarlinspikeInstitute For Disruptive Studies

DisadvantagesMoxie MarlinspikeInstitute For Disruptive Studies

1) Targeted attacks are kind of lame.Moxie MarlinspikeInstitute For Disruptive Studies

Maybe there's another trick in heresomewhere...Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

Universal Wildcard*\0.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

Universal Wildcard*~.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

Other Weird Stuff●(www.paypal.com|mail.google.com|www.etrade.com|www.bankofamerica.com|www.wachovia.com|www.pnc.com|www.wellsfargo.com)\0.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

And... your remote exploit.● 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));● 145 register int t,p2,p1 = 1;● 146 int cp;● 147● 148 while(1) {● 149 for(cp=1;exp[cp] != ')';cp++)● 150 if(exp[cp] == '\\')● 151 ++cp;● 152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {● 153 if(exp[p1] == '\\')● 154 e2[p2++] = exp[p1++];● 155 e2[p2] = exp[p1];● 156 }● 157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}● 158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {● 159 PORT_Free(e2);● 160 return MATCH;● 161 }● 162 ...Moxie MarlinspikeInstitute For Disruptive Studies

And... your remote exploit.● 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));● 145 register int t,p2,p1 = 1;● 146 int cp;● 147● 148 while(1) {● 149 for(cp=1;exp[cp] != ')';cp++)● 150 if(exp[cp] == '\\')● 151 ++cp;● 152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {● 153 if(exp[p1] == '\\')● 154 e2[p2++] = exp[p1++];● 155 e2[p2] = exp[p1];● 156 }● 157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}● 158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {● 159 PORT_Free(e2);● 160 return MATCH;● 161 }● 162 ...Moxie MarlinspikeInstitute For Disruptive Studies

And... your remote exploit.● 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));● 145 register int t,p2,p1 = 1;● 146 int cp;● 147● 148 while(1) {● 149 for(cp=1;exp[cp] != ')';cp++)● 150 if(exp[cp] == '\\')● 151 ++cp;● 152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {● 153 if(exp[p1] == '\\')● 154 e2[p2++] = exp[p1++];● 155 e2[p2] = exp[p1];● 156 }● 157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}● 158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {● 159 PORT_Free(e2);● 160 return MATCH;● 161 }● 162 ...Moxie MarlinspikeInstitute For Disruptive Studies

And... your remote exploit.● 144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));● 145 register int t,p2,p1 = 1;● 146 int cp;● 147● 148 while(1) {● 149 for(cp=1;exp[cp] != ')';cp++)● 150 if(exp[cp] == '\\')● 151 ++cp;● 152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {● 153 if(exp[p1] == '\\')● 154 e2[p2++] = exp[p1++];● 155 e2[p2] = exp[p1];● 156 }● 157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}● 158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {● 159 PORT_Free(e2);● 160 return MATCH;● 161 }● 162 ...Moxie MarlinspikeInstitute For Disruptive Studies

And... your remote exploit.(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.comMoxie MarlinspikeInstitute For Disruptive Studies

And... your remote exploit.(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.comMoxie MarlinspikeInstitute For Disruptive Studies

And... your remote exploit.(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.comMoxie MarlinspikeInstitute For Disruptive Studies

And... your remote exploit.(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com✔No signed signature required!✔Possible to sneak non-ASCII characters past the NSS filters.✔This yields something exploitable in Firefox, Thunderbird, Evolution, Pidgin, and AIM.Moxie MarlinspikeInstitute For Disruptive Studies

A Second Cut: sslsniff withwildcard supportsslsniff●Perform MITM if “null termination attack” cert is available.●Or perform MITM with “universal wildcard” cert if client is NSS.Moxie MarlinspikeInstitute For Disruptive Studies

A Second Cut: updated sslsniffsslsniff●●●●Watches network and fingerprints clients forlevel of vulnerability.Every NSS client's communication isintercepted – either with a specific “nulltermination” certificate, or with the “universalwildcard” certificate.Every non-NSS client that is vulnerable isintercepted with a “null termination” certificate ifavailable for the destination host.Non-vulnerable clients are left alone to avoiddetection.Moxie MarlinspikeInstitute For Disruptive Studies

What do we have to worry about?Moxie MarlinspikeInstitute For Disruptive Studies

What do we have to worry about?1) Certificate Revocationt would be unfortunate if some bitter CertificateAuthority decided to revoke my universalwildcard certificates or any of my nullterminationcertificates.2) UpdatesIt would be unfortunate if some bitter SSLimplementation decided to start paying attentionto how ASN.1 is formatted.Moxie MarlinspikeInstitute For Disruptive Studies

What do we have to worry about?1) Certificate Revocation● It would be unfortunate if some bitter CertificateAuthority decided to revoke our universalwildcard certificates or any of our nullterminationcertificates.2) Updates● It would be unfortunate if some bitter SSLimplementation decided to start paying attentionto how ASN.1 is formatted.Moxie MarlinspikeInstitute For Disruptive Studies

What do we have to worry about?1) Certificate Revocation●●●These days, it's all about Online Certificate StatusProtocol (OCSP).Whenever a SSL stack sees a new certificate, it makesa quick request to the OCSP URL that the signing CAembedded in it.The SSL stack receives a signed response from theOCSP provider indicating whether the certificate hasbeen revoked or not.Moxie MarlinspikeInstitute For Disruptive Studies

Moxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatusresponseBytesOCSPResponseStatus,[0] EXPLICIT ResponseBytes OPTIONALMoxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatusresponseBytesOCSPResponseStatus,[0] EXPLICIT ResponseBytes OPTIONALResponseBytes ::= SEQUENCE {}responseType OBJECT IDENTIFIER,responseOCTET STRINGBasicOCSPResponse ::= SEQUENCE {tbsResponseDataResponseData,signatureAlgorithm AlgorithmIdentifier,signatureBIT STRING,certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }Moxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatusresponseBytesOCSPResponseStatus,[0] EXPLICIT ResponseBytes OPTIONALResponseBytes ::= SEQUENCE {}responseType OBJECT IDENTIFIER,responseOCTET STRINGBasicOCSPResponse ::= SEQUENCE {tbsResponseDataResponseData,signatureAlgorithm AlgorithmIdentifier,signatureBIT STRING,certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }Moxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatusresponseBytesOCSPResponseStatus,[0] EXPLICIT ResponseBytes OPTIONALResponseBytes ::= SEQUENCE {}responseType OBJECT IDENTIFIER,responseOCTET STRINGBasicOCSPResponse ::= SEQUENCE {tbsResponseDataResponseData,signatureAlgorithm AlgorithmIdentifier,signatureBIT STRING,certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }Moxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatusresponseBytesOCSPResponseStatus,[0] EXPLICIT ResponseBytes OPTIONALResponseBytes ::= SEQUENCE {}responseType OBJECT IDENTIFIER,responseOCTET STRINGBasicOCSPResponse ::= SEQUENCE {tbsResponseDataResponseData,signatureAlgorithm AlgorithmIdentifier,signatureBIT STRING,certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }Moxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatusresponseBytesOCSPResponseStatus,[0] EXPLICIT ResponseBytes OPTIONALResponseBytes ::= SEQUENCE {}responseType OBJECT IDENTIFIER,responseOCTET STRINGBasicOCSPResponse ::= SEQUENCE {tbsResponseDataResponseData,signatureAlgorithm AlgorithmIdentifier,signatureBIT STRING,certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }Moxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatusresponseBytesOCSPResponseStatus,[0] EXPLICIT ResponseBytes OPTIONALOCSPResponseStatus ::= ENUMERATED {successful (0), --Response has valid confirmationsmalformedRequest (1), --Illegal confirmation requestinternalError (2), --Internal error in issuertryLater (3), --Try again later--(4) is not used}sigRequiredunauthorized(5), --Must sign the request(6) --Request unauthorizedMoxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatusresponseBytesOCSPResponseStatus,[0] EXPLICIT ResponseBytes OPTIONALOCSPResponseStatus ::= ENUMERATED {successful (0), --Response has valid confirmationsmalformedRequest (1), --Illegal confirmation requestinternalError (2), --Internal error in issuertryLater (3), --Try again later--(4) is not used}sigRequiredunauthorized(5), --Must sign the request(6) --Request unauthorizedMoxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatus OCSPResponseStatus = 3,responseBytes[0] EXPLICIT ResponseBytes OPTIONALMoxie MarlinspikeInstitute For Disruptive Studies

Defeating OCSPOCSPResponse ::= SEQUENCE {}responseStatus OCSPResponseStatus = 3,responseBytes[0] EXPLICIT ResponseBytes OPTIONALMoxie MarlinspikeInstitute For Disruptive Studies

PROPOSED STANDARDNetwork Working GroupM. MyersRequest for Comments: 2560VeriSignCategory: Standards TrackR. AnkneyCertCo3A. MalpaniValiCertS. GalperinMy CFOC. AdamsEntrust TechnologiesJune 1999X.509 Internet Public Key InfrastructureOnline Certificate Status Protocol - OCSPStatus of this MemoThis document specifies an Internet standards track protocol for theInternet community, and requests discussion and suggestions forimprovements. Please refer to the current edition of the "InternetOfficial Protocol Standards" (STD 1) for the standardization stateand status of this protocol. Distribution of this memo is unlimited.Copyright NoticeCopyright (C) The Internet Society (1999). All Rights Reserved.Moxie MarlinspikeInstitute For Disruptive Studies

A Third Cut: ocsp-aware sslsniffsslsniff●Watch network and fingerprints clients for level ofvulnerability.● Every NSS client's communication is intercepted –either with a specific “null termination” certificate, orwith the “universal wildcard” certificate.●●●Every non-NSS client that is vulnerable is interceptedwith a “null termination” certificate if available for thedestination host.Non-vulnerable clients are left alone to avoiddetection.Optionally watch for OCSP requests corresponding tocertificates we're using, and “tryLater” them to defeatOCSP.Moxie MarlinspikeInstitute For Disruptive Studies

What do we have to worry about?2) Updates●●●It used to be that people, you know, downloaded andinstalled updates.As software gets more complicated, it is inevitablyshipped with more bugs, and attackers are situated toexploit them on a larger scale.So some have felt the need to deploy self-updatingsoftware in order to fix problems rapidly.Moxie MarlinspikeInstitute For Disruptive Studies

What do we have to worry about?2) Updates●●●This is bad news for us, because by standing here andtalking to you about this stuff, it probably means thatSSL implementations are going to fix these problems.But their update mechanisms in themselves seem likekind of a dangerous idea, right?Maybe there's something we can do about our problem.Moxie MarlinspikeInstitute For Disruptive Studies

Firefox/Thunderbird: A Case Study●●When you install Firefox, it comes with a feature called“automatic update service,” which happens to be enabledby default.Here be dragons.Moxie MarlinspikeInstitute For Disruptive Studies

Firefox/Thunderbird: A Case StudyUpdate Server In The SkyTLS Connection to:aus2.mozilla.orgHello, do you have any updatesfor me? Here's my product, version,build ID, OS, locale, and channel.TLS Connection to:aus2.mozilla.orgAs a matter of fact, I do. Here'san unsigned blob of data – you'ddo well to install it.Moxie MarlinspikeInstitute For Disruptive Studies

Firefox/Thunderbird: A Case Study●●●Firefox and Thunderbird depend on their TLS connection to theupdate server to defend them against all possible attacks.Code is returned from the update server either as a binary diffagainst the distribution binary the client is running, or as acomplete image of the binary.By default, “minor” updates are downloaded and installedsilently – only prompting the user to restart their browser onceeverything is done.●The update server is the one who reports the version numberof the update, so it is effectively up to the server whether theimage it provides is installed silently or not.Moxie MarlinspikeInstitute For Disruptive Studies

Firefox/Thunderbird: A Case Study●●As vendors start to release patches for this vulnerability, the updatemechanisms themselves will be vulnerable.All we need is a universal wildcard cert, or alternately a null-terminationprefix cert for aus2.mozilla.org, and we can take control of the updatemechanism to deliver payloads of our choice.●This could be anything:– A rootkit that logs keystrokes.– Something that sends all traffic/email through a server of ourchoosing.– A completely legitimate image that just happens to include ourown CA certs.– Or, just to be confusing, a totally different web browser (“Thankyou for updating to Galeon 0.0.3!”) or even a completely differenttype of application – notepad.exe comes to mind.Moxie MarlinspikeInstitute For Disruptive Studies

Firefox/Thunderbird: A Case Study●●In order to patch your system effectively, you will not beable to trust anything that comes through automaticupdates.Or at this point, anything that has ever come throughautomatic updates (including addons).Moxie MarlinspikeInstitute For Disruptive Studies

A Fourth Cut: update-aware sslsniffsslsniff●●●●●●Watch network and fingerprints clients for level ofvulnerability.Every NSS client's communication is intercepted – eitherwith a specific “null prefix” certificate, or with the “universalwildcard” certificate.Every non-NSS client that is vulnerable is intercepted with a“null prefix” certificate if available for the destination host.Non-vulnerable clients are left alone to avoid detection.Optionally watch for OCSP requests corresponding tocertificates we're using, and “tryLater” them to defeat OCSP.Optionally watch for Firefox/Thunderbird update polls, andrespond with a “custom” build.Moxie MarlinspikeInstitute For Disruptive Studies

Postscript:Stripping NULL is no solution●●●Some SSL/TLS implementations (Safari,Opera) appear to strip '\0' from commonNamestrings before comparing.Thus:www.paypal.com\0.thoughtcrime.orgBecomes:www.paypal.com.thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies

Postscript:Stripping NULL is no solution●●These implementations are vulnerable to avariation of our attack.The key is that some Certificate Authorities arevulnerable to this attack internally.●●When presented withwww.paypal.com\0.thoughtcrime.org, some CAsinternally validate it as www.paypal.comBut the whole string(www.paypal.com\0.thoughtcrime.org) is what endsup in the subject of the cert they later issue.Moxie MarlinspikeInstitute For Disruptive Studies

Postscript:Stripping NULL is no solution●●●●So if we register a domain like sitekey.baWe can get a certificate forsitekey.ba\0nkofamerica.comThe CAs that are internally vulnerable to thisattack will validate that certificate againstsitekey.ba, which we own.When the cert is later presented to a SSLimplementation that strips \0, the certificate'scommon name becomes:sitekey.bankofamerica.comMoxie MarlinspikeInstitute For Disruptive Studies

Conclusion●●●●●●We have a MITM attack that will intercept communication foralmost all SSL/TLS implementations.In the case of NSS (Firefox, Thunderbird, Evolution, AIM,Pidgin) we only need a single certificate.We've defeated the OCSP protocol as implemented.We've hijacked the Mozilla auto-updates for both applicationsand extensions.We've got an exploitable overflow.In short, we've got your passwords, your communication, andcontrol over the software that runs on your computer.Moxie MarlinspikeInstitute For Disruptive Studies

sslsniff and sslstrip:http://www.thoughtcrime.orgmoxie@thoughtcrime.orgMoxie MarlinspikeInstitute For Disruptive Studies