SSL/TLS And MITM Attacks

SSL/TLS and MITM attacksA case study in Network SecurityBy Lars Nybom & Alexander Wall

SSL/TLS – Background SSL/TLS – Secure Socket Layer/Transport LayerSecurity (rfc 2246)

SSL/TLS – Background SSL/TLS – Secure Socket Layer/Transport LayerSecurity (rfc 2246)Originally developed by Netscape.

SSL/TLS – Background SSL/TLS – Secure Socket Layer/Transport LayerSecurity (rfc 2246)Originally developed by Netscape.Used to deploy confidentiality, authenticity andintegrity between web client and web server.

SSL/TLS – How does it work?Based on public keycryptography andcertificate authority.

SSL/TLS - Components Tree structure where Certificate Authorities (CA)is nodes and Servers leafs.

SSL/TLS - Components Tree structure where Certificate Authorities (CA)is nodes and Servers leafs.Server certificate issued by CA one level above –meaning that it's signed by CA one level above.

SSL/TLS - Components Tree structure where Certificate Authorities (CA)is nodes and Servers leafs.Server certificate issued by CA one level above –meaning that it's signed by CA one level above.If Client doesn't trust Server identity he/she usesthe CA's public key to verify that the Servercertificate is legit.

SSL/TLS - Components Tree structure where Certificate Authorities (CA)is nodes and Servers leafs.Server certificate issued by CA one level above –meaning that it's signed by CA one level above.If Client doesn't trust Server identity he/she usesthe CA's public key to verify that the Servercertificate is legit.Root CA in top of tree – trusted by everyone.

SSL/TLS - Problem If there's a lot of intermediate CA's between theServer and Root CA, authenticity is weak.Server CA 1 CA 2 Root CA This allowed for older form of attack SSLSniff,where a MITM generates a bogus self-signedcertificate sent to Client while connectingnormally to Server.New attack SSLStrip.

MITM Man-In-The-Middle attack is virtuallytransparent to the victim.

ARP Spoofing In order to become ”in the middle” attacker needsto redirect the victims network traffic throughhis/hers computer – acting like a gateway.

ARP Spoofing In order to become ”in the middle” attacker needsto redirect the victims network traffic throughhis/hers computer – acting like a gateway.Every network interface has a MAC addressassociated with its IP.

ARP Spoofing In order to become ”in the middle” attacker needsto redirect the victims network traffic throughhis/hers computer – acting like a gateway.Every network interface has a MAC addressassociated with its IP.When a computer wants to communicate withanother computer within it's subnet it needs toknow that computers MAC address so it sends anARP query.

ARP Spoofing In a MITM attack the attacker sends out a falseARP reply telling the victim his/hers computer isthe computer the victim is looking for.

SSLStrip Client normally connects via HTTPS (SSL/TLS)to a Server because an user tries to GET/POSTinformation on a webpage by a link/button thatbegins with ”https://.” (i.e. Facebook, Gmail andHotmail)

SSLStrip Client normally connects via HTTPS (SSL/TLS)to a Server because an user tries to GET/POSTinformation on a webpage by a link/button thatbegins with ”https://.” (i.e. Facebook, Gmail andHotmail)SSLStrip rewrites all HTTPS addresses as HTTPaddresses and then saves traffic content.

SSLStrip – How does it look?

SSLStrip – How does it look?

Countermeasures Before logging on webpage make sure that addressin address bar begins with ”https://.”. If it doesn't,retype it so it does. (This only helps againstSSLStrip, not SSLSniff.)

Countermeasures Before logging on webpage make sure that addressin address bar begins with ”https://.”. If it doesn't,retype it so it does. (This only helps againstSSLStrip, not SSLSniff.)If the address begins with ”https://.” make surethat the certificate doesn't look fishy.

Countermeasures

SSL/TLS and MITM attacksThe End

SSL/TLS – Background SSL/TLS – Secure Socket Layer/Transport La