Date posted: 12-Apr-2017
Category: Technology
Uploaded by: bsidesroc
The life and times of Hanz Ostmaster
By Hanz Ostmaster
Chaim Sanders, Trustwave
Security Researcher, member of SpiderLabs Research, Web Server Security Team. Offers support, development, and consulting for ModSecurity; supports the OWASP Core Rule Set; works with Trustwave WAF.
Rochester Institute of Technology professor (Cryptography and Web Security).
Prior: security consulting (pentesting, red-teaming, code review, etc.) and governmental consulting.
Background
Crypto and you
Generally speaking, the area of research concerned with secret writing, and with methods for attacking that secret writing, has long been of interest.
Cryptography: the development of enciphered writings.
Cryptanalysis: the attacking of enciphered writing schemes.
Why do I care? Since the mid 80's we've seen cryptographic systems evolve from tools of military interest to common usage within our daily lives. To counter this, many (governmental) organizations have come to rely on their ability to compromise crypto in some way.
Asymmetric Crypto
There are many different areas of Cryptography
Asymmetric Crypto and this talk
One of the biggest uses of asymmetric crypto in today's infrastructure is securing communication between web servers and their clients. Why might this be of interest? How do we ensure speed?
Asymmetric crypto has two very nice features. One is scale, as we previously discussed. The other is that such systems often support digital signatures.
What is a digital signature?
What is SSL
SSL stands for Secure Sockets Layer; it is a standard security technology for establishing an encrypted link between a server and a client.
The first SSL certificate was created in 1994 by Netscape Communications.
SSL certificate issuers are called Certificate Authorities (CAs).
SSL allows sensitive information such as credit card numbers and social security numbers to be transmitted securely.
The Payment Card Industry (PCI) requires an SSL certificate.
The main components of an SSL certificate are its keys: the public key and the private key.
Design requirements of an asymmetric system: the main design requirement is that all parties trust the Certificate Authority. Additionally, the certificate authority must only issue certificates to legitimate hosts. The question becomes: how does a CA like Symantec verify that the individuals requesting a certificate are responsible for the legitimate hosts? This is the interest of today's talk.
Host verification
There are a number of different methods that ICANN has specified for allowing CAs to verify users:
HTTP validation: can be performed by uploading a special text/html file into the root directory of the domain name.
DNS-based validation: for this validation method you need to create a certain CNAME record in the DNS settings of your domain.
Email validation: users are validated by an email address that belongs to the domain.
Email based authentication
Until late 2015, which email addresses were allowed for validation was specified by each CA. This might be an interesting problem.
CERT Vulnerability Note VU#591120 (March 27th 2015): multiple SSL certificate authorities use predefined email addresses as proof of domain ownership. 16 certificate authorities were listed as affected (others unknown).
What is the problem? If an admin is not aware that certain email addresses are sensitive and assigns them to ordinary users, this can lead to a certificate being issued for their domain.
Problem Children
[email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
The Fix
Most policy documents, including the Mozilla CA Certificate Inclusion Policy and the CA/Browser Forum Baseline Requirements, now state that the addresses that can be used should be limited to those specified in RFC 2142 (Mailbox Names for Common Services, Roles and Functions).
The only exception is the contact address listed in the domain's WHOIS record.
This largely solved the underlying problem, but every CA in existence needs to update its policies; otherwise the issue isn't fixed.
This is mostly a problem where people can choose their own email registration names, or where names are handed out based on a known theme. Hence the title.
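To make the policy change concrete, here is an added example (my own code, not the speaker's and not any CA's implementation) of the CA-side decision: a legacy-style check that accepts whatever administrative names the CA chose, beside the corrected check that accepts only the five role mailboxes the Baseline Requirements took from RFC 2142 (admin, administrator, webmaster, hostmaster, postmaster) at the validated domain, or the WHOIS contact address. The legacy extra names, the domain and the WHOIS record are constructed for the example.

```python
"""Domain-control-validation mailbox policy: legacy CA-chosen list vs the
RFC 2142 allowlist with a WHOIS-contact exception. Added example; the
legacy list, domain and WHOIS contacts below are constructed."""

from dataclasses import dataclass
from typing import Optional, Set, Tuple

# The five role mailboxes the post-2015 policy permits for validation.
RFC2142_VALIDATION_LOCALPARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Constructed stand-in for the kind of extra names a CA used to accept.
LEGACY_EXTRA_LOCALPARTS = frozenset({"ssladmin", "info", "root", "it"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def split_address(address: str) -> Optional[Tuple[str, str]]:
    """Return (localpart, host) lower-cased, or None if the address is malformed.
    Whitespace and control characters anywhere in the address are rejected
    rather than silently dropped."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, _, host = address.partition("@")
    if not local or not host:
        return None
    if any(c.isspace() or ord(c) < 32 for c in address):
        return None
    return local.lower(), host.lower().rstrip(".")


def legacy_decision(address: str, domain: str) -> Decision:
    """Pre-2015 style: any name on the CA's own administrative list passes."""
    parts = split_address(address)
    if parts is None:
        return Decision(False, "malformed address")
    local, host = parts
    if host != domain.lower():
        return Decision(False, "mailbox is not at the validated domain")
    if local in RFC2142_VALIDATION_LOCALPARTS | LEGACY_EXTRA_LOCALPARTS:
        return Decision(True, f"{local} is on the CA's legacy list")
    return Decision(False, f"{local} is not on the CA's legacy list")


def baseline_decision(address: str, domain: str, whois_contacts: Set[str]) -> Decision:
    """Post-2015 policy: an RFC 2142 role mailbox at the validated domain,
    or exactly the contact address published in the domain's WHOIS record."""
    parts = split_address(address)
    if parts is None:
        return Decision(False, "malformed address")
    local, host = parts
    if f"{local}@{host}" in {c.strip().lower() for c in whois_contacts}:
        return Decision(True, "address is the domain's WHOIS contact")
    if host != domain.lower():
        return Decision(False, "mailbox is not at the validated domain")
    if local in RFC2142_VALIDATION_LOCALPARTS:
        return Decision(True, f"{local} is an RFC 2142 role mailbox")
    return Decision(False, f"{local} is neither an RFC 2142 role mailbox nor a WHOIS contact")


# Constructed sample data for a stand-alone run.
DOMAIN = "example.com"
WHOIS_CONTACTS = {"dns-admin@registrar.example"}

if __name__ == "__main__":
    for candidate in ("hostmaster@example.com", "ssladmin@example.com",
                      "DNS-Admin@Registrar.example", "admin@example.com.other.example"):
        old = legacy_decision(candidate, DOMAIN)
        new = baseline_decision(candidate, DOMAIN, WHOIS_CONTACTS)
        print(f"{candidate:40} legacy={old.allowed!s:5} baseline={new.allowed!s:5} ({new.reason})")
```

The useful contrast is the second candidate: a CA that kept its own extra names still issues on a mailbox the domain owner may never have reserved, while the corrected policy refuses it. The WHOIS exception is matched on the full address, so a contact at a different domain is accepted only when it is exactly the published contact.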
The problem shown.
An exercise best left to the reader
Now all you would have to do is find a CA that still allows registering that email address and, poof, a mail.rit.edu SSL cert.
With the update
What are these addresses? (Role mailboxes from RFC 2142; the domain part is whatever domain is being validated.)
postmaster@<domain>: reserved for SMTP
hostmaster@<domain>: reserved for DNS
webmaster@<domain>: reserved for Web
The new problem
Not everyone realizes that these addresses must be registered when setting up a web server that will use SSL, or email that will use SSL, etc.
These email addresses are not well known. For instance, hostmaster is not a widely recognized email address.
A New Twist on a New Problem
If these addresses are registered, then we are fine. But is there a situation where we might still be able to access other people's email? Where individuals might forget about this concept?
Enter Bill Stackpole
Anonymous email access
Breaking the bank
Mailinator is actually the only one I haven't broken yet. Well, this isn't strictly speaking true…
However, often these are so simple that I can just search for [email protected].
Other issues
Often these are slightly more secure and require that I be clever.
However… often these systems will try to be intelligent about their email address understanding, but not about security. For instance: spaces, dots, null characters, etc.
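The two remaining failure modes on these slides both sit with whoever runs a domain's mail or account system: forgetting to provision the role mailboxes at all, and letting a user register a name that only differs from a reserved one by the characters the provider later ignores. The added example below (my own code, not the speaker's, and not the logic of any named provider) handles both: it canonicalizes a requested local-part the way a lenient provider would (Unicode NFKC folding, dropping whitespace and control characters such as NUL, case folding, removing a "+tag" suffix and, optionally, dots) and refuses it if the result is a reserved name, and it reports which reserved mailboxes a domain has not yet provisioned. The reserved names are the RFC 2142 role mailboxes plus admin and administrator; the normalization rules and the sample mailbox list are constructed assumptions.

```python
"""Reserved-mailbox checks for a domain's registration and provisioning.
Added example; the normalization rules below are an assumption about what a
lenient provider ignores, and the sample mailbox list is constructed."""

import unicodedata
from typing import Iterable, List, Optional, Set

# Names a domain should own before anyone else can register them.
RESERVED_LOCALPARTS: Set[str] = {
    "postmaster",               # SMTP role mailbox, RFC 2142
    "hostmaster",               # DNS role mailbox, RFC 2142
    "webmaster",                # HTTP role mailbox, RFC 2142
    "abuse", "noc", "security", # other RFC 2142 role names
    "admin", "administrator",   # accepted by CA validation policies
}


def canonical_localpart(local: str, ignore_dots: bool, strip_plus_tag: bool) -> str:
    """Reduce a local-part to the form a lenient mail system would treat as
    the same mailbox. Assumed rules: NFKC folding, removal of whitespace and
    control characters, case folding, optional '+tag' and dot removal."""
    s = unicodedata.normalize("NFKC", local)
    # Drop whitespace and every Unicode 'C*' category (controls, format chars,
    # unassigned), which is where NUL and zero-width characters live.
    s = "".join(c for c in s if not (c.isspace() or unicodedata.category(c)[0] == "C"))
    s = s.lower()
    if strip_plus_tag:
        s = s.split("+", 1)[0]
    if ignore_dots:
        s = s.replace(".", "")
    return s


def registration_conflict(requested_local: str, *, ignore_dots: bool = True,
                          strip_plus_tag: bool = True) -> Optional[str]:
    """Return the reserved name a sign-up request collides with after
    canonicalization, or None if the name is free to hand out."""
    canon = canonical_localpart(requested_local, ignore_dots, strip_plus_tag)
    return canon if canon in RESERVED_LOCALPARTS else None


def missing_reserved_mailboxes(existing: Iterable[str]) -> List[str]:
    """Reserved names the domain has not provisioned yet, compared on the
    canonical form so 'Post.Master' counts as postmaster."""
    have = {canonical_localpart(m, True, True) for m in existing}
    return sorted(RESERVED_LOCALPARTS - have)


if __name__ == "__main__":
    # Constructed requests a sign-up form might receive.
    for req in ("H.Ostmaster", "hostmaster+billing", "web\x00master", "post master", "hanz.ostmaster"):
        hit = registration_conflict(req)
        print(f"{req!r:24} -> {'REJECT, collides with ' + hit if hit else 'ok'}")
    # Constructed list of mailboxes a domain already has.
    print("not yet provisioned:", missing_reserved_mailboxes(
        ["postmaster", "Abuse", "security", "noc", "webmaster", "admin"]))
```

Run it once with `ignore_dots=False` for a provider that treats dots as significant and "H.Ostmaster" becomes a legitimate name again; the point is that the sign-up check has to apply exactly the same leniency the mailbox routing does, or the two disagree and the reserved name leaks.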
Just a few off my hit list
Recently in the news
General Fixes
Don't allow email verification.
Communication among CAs would prevent this; it will also help security as a whole.
Pinning certificates.