Date post: 30-May-2020
Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem (Kerwin Sun)
Transcript
Page 1: Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

Kerwin Sun

Page 2:

“Our results are disquieting: 898 websites are fully compromisable, allowing for script injection, while 977 websites present low integrity pages that the attacker can tamper with.”

Page 3:

Presentation Breakdown

Introduction
- Problem
- Research Goals and Contributions
- Background

Solution
- Methodology
- Results
- Discussion

Criticisms
- Structure
- Ecological validity
- Sampling validity
- Other limitations

Page 4:

1. Introduction

Page 5:

Problem!!!

Modern web ecosystem becoming very complex
- Increase in number of dependencies
- Increase in number of subdomains

Complexity amplifies vulnerabilities of all websites in the system
- Vulnerabilities propagate through the tree
- Dependencies and subdomains may be vulnerable
- Communication channels may be vulnerable

Literature in this space is limited and outdated
- Does not explore true feasibility and viability of attacks
- Does not consider client-side mitigation

Page 6:

Research Goals and Contributions

Review existing attacks on TLS
- Investigate which attacks are still possible against modern clients
- Characterize and define attacks as attack trees (condition analysis)

Build and run analysis platform
- Implement checks/conditions defined by attack tree
- Scan top 10,000 websites
- Scan additional 90,816 incoming dependencies/subdomains

Identify capacity of damage
- Run checks for attacks enabled by TLS vulnerability
- Identify implications of security vulnerability

Page 7:

Background

Handshake protocol
- Client Hello -> Server Hello -> Key exchange -> Cipher exchange finish
- Shared key material = Pre-Master Secret (PMS)

Key exchange
- RSA key exchange
- Static Diffie-Hellman key exchange: (EC)DH
- Ephemeral Diffie-Hellman key exchange: (EC)DHE

Confidentiality and integrity
- Provided at the transport layer using the Record protocol
- Use keys generated during the handshake protocol

Page 8:

2. Solution

Page 9:

Methodology - Known Attacks

- Protocol version downgrade: force client side to downgrade TLS version and expose vulnerability
- RSA decryption oracles: vulnerability in the padding scheme of the PKCS #1 v1.5 algorithm used in PMS exchange
- RSA signature oracles: fast decryption oracles can compute RSA signatures and impersonate servers
- Heartbleed: long-term decryption of server private key, uses side channels

Page 10:

Methodology - Insecure Channels

Categorize attacks by which security property they break. Three different channel states, in order of severity:

Partially leaky
- Channel exposing a side channel
- Attacker able to gain information over time

Leaky
- Vulnerable to MITM attack
- Vulnerable to confidentiality attacks
- Attacker able to decrypt all dataflow

Tainted
- Attacker able to decrypt all dataflow
- Also arbitrarily modify data packets

Attack tree = condition tree that enables specific attacks to take place

Page 11:

Methodology - Analysis Platform

Tool designed for dynamic security analysis

(1) Access website
(2) Collect DOM (subresources/cookies)
(3) Enumerate subdomains
(4) Run tools to identify cryptographic vulnerabilities
(5) Map results to attack tree conditions
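
The channel states of the previous slide and step (5) above, as an added worked example (not the paper's platform and not the presenter's code): a small attack-tree evaluator that maps per-host scan findings to a channel state and propagates the states through a page's dependency tree. The finding names, host names and page-assessment rules are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Channel states in increasing order of severity, as on the slide.
SEVERITY = {"secure": 0, "partially_leaky": 1, "leaky": 2, "tainted": 3}

# Attack tree: a state is reached if any AND-group of findings holds (names are constructed here).
ATTACK_TREE = {
    "tainted": [{"client_accepts_downgrade", "server_offers_broken_version"},
                {"rsa_key_exchange", "fast_rsa_decryption_oracle"}],
    "leaky": [{"rsa_key_exchange", "rsa_decryption_oracle"}, {"heartbleed"}],
    "partially_leaky": [{"rsa_key_exchange", "slow_side_channel"}],
}

def channel_state(findings: set[str]) -> str:
    """Most severe channel state whose attack-tree conditions are all satisfied."""
    for state in sorted(ATTACK_TREE, key=SEVERITY.get, reverse=True):
        if any(conds <= findings for conds in ATTACK_TREE[state]):
            return state
    return "secure"

@dataclass
class Page:
    host: str
    scripts: set[str] = field(default_factory=set)  # hosts serving <script> subresources
    other: set[str] = field(default_factory=set)    # hosts serving CSS, images, etc.

def assess_page(page: Page, scan: dict[str, set[str]]) -> str:
    """Propagate host channel states through the page's dependency tree (assumed rules):
    tainted channel to the page or a script host -> script injection; tainted channel to
    other content -> tampering only; any leaky channel -> confidentiality exposed."""
    def state(host: str) -> str:
        return channel_state(scan.get(host, set()))
    if any(state(h) == "tainted" for h in {page.host} | page.scripts):
        return "fully_compromisable"
    if any(state(h) == "tainted" for h in page.other):
        return "low_integrity"
    worst = max((state(h) for h in {page.host} | page.scripts | page.other), key=SEVERITY.get)
    return "confidentiality_at_risk" if worst != "secure" else "ok"

def demo() -> dict[str, str]:
    # Constructed scan output for three hosts; the shared CDN is the weak link.
    scan = {"shop.example.test": {"rsa_key_exchange", "rsa_decryption_oracle"},
            "cdn.example.test": {"rsa_key_exchange", "fast_rsa_decryption_oracle"},
            "img.example.test": set()}
    pages = [Page("shop.example.test", scripts={"cdn.example.test"}),
             Page("news.example.test", other={"cdn.example.test"}),
             Page("blog.example.test", scripts={"img.example.test"}, other={"shop.example.test"})]
    return {p.host: assess_page(p, scan) for p in pages}
```

One tainted dependency host is enough to make every page that loads a script from it fully compromisable, which is the amplification effect the slides describe.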

Page 12:

Results

What did they find???

Page 13:

Results

Of the 10,000 domains and 90,816 subresources scanned:
- TLS vulnerability present in 5,574 (5.5%) domains
- 4,818 allow for establishing tainted channels
- 733 allow for establishing leaky channels
- 912 allow for establishing partially leaky channels

Page 14:

5,574 vulnerabilities present

Page 15:

Security Risks

Page integrity:
- Inclusion of malicious scripts
- Stealing of user information
- Session hijacking

Authentication credentials:
- Interception and decryption of web traffic
- Stealing access credentials
- Attacker gains access to web database

Web tracking:
- Tracking user information
- Tracking user activity/location
- Building a profile of the target user

Page 16:

3. Criticisms

Page 17:

Praise

- Looks only at attacks which are practical (with modern browsers)
- Implementation is comprehensive; attack trees documented and reusable
- Detailed exploration of security risks
- Methodology well documented
- Good cross-referenced sources
- Recommends possible security fixes

Page 18:

Page 19:

Ethical Limitations

- Exclusively public tools
- Unintrusive scans used
- Published vulnerabilities
- No attack narrative performed

Page 20:

Result weaknesses

- Results don't clearly show scale of affected ecosystem
- Results not comprehensively presented
- Results measurement assumes all websites are of the same size

Page 21:

Structure/Presentation issues

- Structure is unclear and inconsistent
- Title names are repeated but change meaning
- Separation of sections unclear
- Tables not referred to, or referred to retroactively
- Some grammatical errors

Page 22:

Other weaknesses

- Focus on HTTPS/TLS implementation
- No investigation on how web ecosystem affects other vulnerabilities
- No investigation into dynamic interaction with other vulnerabilities
- Threat model is static and assumptions are made
- Computation resource feasibility not explored

Page 23:

THANK YOU FOR LISTENING

“The most disquieting aspect here is that just a single vulnerable tracker may significantly harm user privacy at scale, as long as it is popular enough to be included on many different websites”