New Tricks For Defeating SSL In Practice
Moxie Marlinspike
moxie@thoughtcrime.org

The Back Story

SSL And Certificate Chaining

You probably know what they do...

More specifically...

CA Certificate: Embedded in browser. All powerful. Certifies that a site certificate is authentic.
Site Certificate: Identifies a particular URL. Is known to be authentic based on CA Certificate's signature.

CA Certificate: Embedded in browser. All powerful. Certifies that an intermediate CA is authentic.
Intermediate CA: Not embedded in browser. Still sort of all-powerful. Certifies that a site certificate is authentic.
Site Certificate: Identifies a particular URL. Is known to be authentic based on CA Certificate's signature.

Certificate Chains Can Be > 3
Root CA
Intermediate
Intermediate
Intermediate
Leaf

How do we validate these things?

Almost everyone tells you the same story.

What they say:
Verify that the leaf node has the name of the site you're connecting to.
Verify that the leaf node hasn't expired.
Check the signature.
If the signing certificate is in our list of root CA's, stop.
Otherwise, move one up the chain and repeat.

Here Be Dragons
Very tempting to use a simple recursive function.
Everyone focuses on the signature validation.
The result of a naïve attempt at validation is a chain that is complete, but nothing more.

What if...
Root CA
Intermediate
Intermediate
Leaf (blueanarchy.org)

What if...
Root CA
Intermediate
Intermediate
Leaf (blueanarchy.org)
Leaf (paypal.com)

Something must be wrong, but...
All the signatures are valid.
Nothing has expired.
The chain is intact.
The root CA is embedded in the browser and trusted.

But we just created a valid certificate for PayPal, and we're not PayPal?

The missing piece...

...is a somewhat obscure field.

Back In The Day
Most CA's didn't explicitly set basicConstraints: CA=FALSE
A lot of web browsers and other SSL implementations didn't bother to check it, whether the field was there or not.
Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain.
When presented with the complete chain, IE, Konqueror, OpenSSL, and others considered it valid.

And then in 2002...
Microsoft did something particularly annoying, and I blew this up by publishing it.
Microsoft claimed that it was impossible to exploit.
So I also published a tool that exploits it.
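
An added example (not from the talk, and not any real SSL library's code) that models the gap described above: a validator following the "What they say" recipe accepts a chain in which an ordinary leaf signs a certificate for another domain, while one that also requires CA:TRUE on every signing certificate rejects it. The Cert class, its fields and the sample chains are constructed for illustration; signature checks are reduced to a name comparison and hostname matching to string equality.

```python
from dataclasses import dataclass
from typing import Optional

TRUSTED_ROOTS = {"Root CA"}   # constructed trust store

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real crypto here)."""
    subject: str
    signed_by: str                 # subject of the cert whose key signed this one
    is_ca: Optional[bool] = None   # basicConstraints CA flag; None = field absent
    expired: bool = False

def naive_validate(chain, hostname):
    """The recipe from the slides. chain is leaf-first and excludes the root."""
    if chain[0].subject != hostname or chain[0].expired:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert.signed_by != issuer.subject:   # stands in for "check the signature"
            return False
    return chain[-1].signed_by in TRUSTED_ROOTS

def strict_validate(chain, hostname):
    """Same walk, plus: every certificate that signed another must be a CA."""
    if not naive_validate(chain, hostname):
        return False
    # An absent field (None) is rejected too: only an explicit CA:TRUE may sign.
    return all(issuer.is_ca is True for issuer in chain[1:])

# Constructed chains modelled on the "What if..." slides.
INTERMEDIATE = Cert("Intermediate", "Root CA", is_ca=True)
SITE = Cert("blueanarchy.org", "Intermediate", is_ca=False)
FORGED = Cert("paypal.com", "blueanarchy.org")      # signed with the leaf's key
HONEST_CHAIN = [SITE, INTERMEDIATE]
FORGED_CHAIN = [FORGED, SITE, INTERMEDIATE]
LEGACY_CHAIN = [FORGED, Cert("blueanarchy.org", "Intermediate"), INTERMEDIATE]

if __name__ == "__main__":
    for name, chain in [("honest", HONEST_CHAIN), ("forged", FORGED_CHAIN),
                        ("forged, field absent", LEGACY_CHAIN)]:
        host = chain[0].subject
        print(name, naive_validate(chain, host), strict_validate(chain, host))
```

LEGACY_CHAIN covers the case the slide calls out, where the signing leaf carries no basicConstraints field at all.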

sslsniff
Client Side: Intercepts HTTPS traffic. Generates a certificate for the site the client is connecting to. Signs that with whatever certificate you specify. Proxies data through.
Server Side: Makes normal HTTPS connection to the server. Sends and receives data as if it's a normal client.

sslsniff
Back before people started checking BasicConstraints:
All you had to do was pass sslsniff a valid leaf node certificate for any domain.
It would automatically generate a certificate for the domain the client was connecting to on the fly.
It would sign that certificate with the leaf node.
IE, Konqueror, etc... wouldn't notice the difference.

sslsniff post-disclosure
You'd be surprised who still doesn't check basic constraints.
Even when people got warning dialogs in browsers that had been fixed, most of the time they'd just click through them.
Still useful as a general MITM tool for SSL.
The folks who did the MD5 hash collision stuff used sslsniff to hijack connections once they'd gotten a CA cert.
There are other uses yet, to be disclosed another day.

Surely we can do better.

The things you learn in TV studios.
It's a button, so if you mouse-over it, the link isn't displayed in the browser bar at the bottom.
The best you could do would be to view the page source, but that's problematic in browsers like Firefox that issue a second request to the server for the source.
This button posts to an HTTPS link, but there's no way to know that.

Still prevalent today...

There are some generalizable attacks here.

Browsers Then And Now...

Then: A Positive Feedback System
A number of indicators deployed to designate that a page is secure.
A proliferation of little lock icons.
URL bars that turn gold.

Then: An example from Firefox 2

Now: A Negative Feedback System
Less emphasis on sites being secure.
The proliferation of little locks has been toned down.
Firefox's gold bar is gone.
More emphasis on alerting users to problems.
A maze of hoops that users have to jump through in order to access sites with certificates that aren't signed by a CA.

Now: An example from Firefox 3

Now: An example from IE

Conclusions
If we trigger the negative feedback, we're screwed.
If we fail to trigger the positive feedback, it's not so bad.

How is SSL used?

Nobody types https://
(or http:// for that matter)

People generally encounter SSL in only two ways:
Clicking on links.
Through 302's.

Which means that people only encounter SSL through HTTP...

First cut: A different kind of MITM
sslsniff: Normally we attack the SSL connection...

First cut: A different kind of MITM
sslstrip: What if we attacked the HTTP connection instead...

Remember:
SSL is normally encountered in one of two ways.
By clicking on links.
Through 302 redirects.
We can attack both of those points through a HTTP MITM.

A First Cut Recipe: sslstrip
Watch HTTP traffic go by.
Switch <a href="https://..."> to <a href="http://..."> and keep a map of what's changed.
Switch Location: https://... to Location: http://... and keep a map of what's changed.

A First Cut Recipe: sslstrip
Watch HTTP traffic go by.
When we see an HTTP request for a URL that we've stripped, proxy that out as HTTPS to the server.
Watch the HTTPS traffic go by, log everything if we want, and keep a map of the relative links, CSS links, and JavaScript links that go by.

A First Cut Recipe: sslstrip
The Result:
The server never knows the difference. Everything looks secure on their end.
The client doesn't display any of the disastrous warnings that we want to avoid.
We see all the traffic.

How does it look?

Secure Site

What else can we do?
We've managed to avoid the negative feedback, but some positive feedback would be good too.
People seem to like the little lock icon thing, so it'd be nice if we could get that in there too.

A 1.5 Cut: sslstrip
A new trick:
Let's do everything the same, but now watch out for favicon requests as well.
If we see a favicon request for a URL that we've stripped, we'll send back a favicon of our choosing instead.

What should our favicon be?
You guessed it:

Once again, a secure site:

We're doing pretty good.

We've avoided the negative feedback of death.

We can do a subtle MITM via HTTP.

And if we want we can throw in a little lock icon.

Some sites provide no visible difference.

The sites themselves confuse us.

A Few Gotchas
Content encodings that are difficult to parse (compress, gzip, etc...)
Secure cookies won't get sent over HTTP that's been stripped of SSL.
Cached pages that don't give us a chance to swap out their links.
A Simple Solution
Strip all that stuff too.
Kill the secure bit on Set-Cookie statements, strip the content encodings we don't like from client requests, and strip if-modified-since headers too.

Another problem: sessions
The most interesting stuff to log are POSTs that would have been sent via SSL.
Particularly, usernames/passwords.
Sessions often cause us to miss the login step, which is unfortunate.
Sure, we can get the session cookie, but that's small change.

So let's strip sessions too.
Request
302 for the same URL, but with Set-Cookie: headers that expire all the cookies we got from the request.
Request Again (sans-Cookies)

And a little less sketchy...
Sessions expire, and it's not always clear when or why, but they don't usually expire right in the middle of an active session. So what we do now:
When we start a MITM against a network, strip all the traffic immediately, but don't touch the cookies for 5 min (or some specified length of time).
As the cookies go by, make note of the active sessions.
After the time is up, start killing sessions, but only new sessions that we haven't seen before. These should be the “long running” sessions that won't be seen as suspicious should they disappear.
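
A defender-side check for the rewrites listed in the first cut recipe and in "A Simple Solution" above, as an added example that is not part of the talk or of sslstrip: it compares a response fetched over a path assumed to be trusted with the response a client received, and reports https links that arrived as http and cookies that lost their Secure attribute. The host login.example.test, both responses and all function names are constructed.

```python
import re

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+", re.I)

def parse_response(raw):
    """Split a raw HTTP response into ([(header name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:            # [0] is the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def secure_cookies(headers):
    """Names of cookies whose Set-Cookie header carries the Secure attribute."""
    names = set()
    for name, value in headers:
        parts = [p.strip() for p in value.split(";")]
        if name == "set-cookie" and "secure" in (p.lower() for p in parts[1:]):
            names.add(parts[0].split("=", 1)[0])
    return names

def stripping_indicators(baseline_raw, observed_raw):
    """Compare a response fetched over a trusted path with what a client saw."""
    b_headers, b_body = parse_response(baseline_raw)
    o_headers, o_body = parse_response(observed_raw)
    b_text = " ".join(v for _, v in b_headers) + " " + b_body
    o_text = " ".join(v for _, v in o_headers) + " " + o_body
    findings = []
    for url in sorted(set(HTTPS_URL.findall(b_text))):
        downgraded = "http://" + url[len("https://"):]
        if downgraded in o_text:
            findings.append("https link served as " + downgraded)
    for cookie in sorted(secure_cookies(b_headers) - secure_cookies(o_headers)):
        findings.append("Secure attribute missing on cookie " + cookie)
    return findings

# Constructed sample responses for the hypothetical host login.example.test.
BASELINE = ("HTTP/1.1 302 Found\r\n"
            "Location: https://login.example.test/session\r\n"
            "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
            '<a href="https://login.example.test/help">Help</a>')
OBSERVED = ("HTTP/1.1 302 Found\r\n"
            "Location: http://login.example.test/session\r\n"
            "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n\r\n"
            '<a href="http://login.example.test/help">Help</a>')
```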

Some Results Of This Trick?
login.yahoo.com 114
Gmail 50
ticketmaster.com 42
rapidshare.com 14
Hotmail 13
paypal.com 9
linkedin.com 9
facebook.com 3

In 24 Hours
117 email accounts.
16 credit card numbers.
7 paypal logins.
Over 300 other miscellaneous secure logins.

Number of people that balked.
0

Where can we go from here?

Combining this technique with homograph attacks.
Standard homograph attack:
Sometimes the glyphs of different characters look alike. PayPaI.com looks like paypal.com but is really paypai.com
Made more interesting by IDN. It became possible to register a domain with characters that appear identical to the glyphs of characters in the Latin character set.
In 2005, Eric Johanson registered p&#1072;ypal.com, which uses the Cyrillic 'a' look-alike character and displays as paypal.com

Combining this technique with homograph attacks.
What I don't like about the standard attack:
The attack vector has to be targeted. By registering p&#1072;ypal.com, all we can attack is paypal.com
Phishing is really just too much work. It'd be nicer if we could just MITM a network and get whatever people are doing.
The IDN stuff has been fixed. For TLDs like .com, Firefox renders the IDN characters as punycode both in the URL bar and the status bar.

p&#1072;ypal.com today

So how can we reinvent this to attack SSL?
We can't use .com or any TLD that Firefox will render into punycode.
We want something that we can generalize, not just a simple substitution for some particular character in a domain.
So, what's in most URLs? . / & ?

one trick
Register a domain like ijjk.cn
Get a domain-validated SSL wildcard cert for *.ijjk.cn
Use IDN-valid characters that look very similar to '/' and '?' to create false URLs.
MITM HTTP and swap out the HTTPS links as usual.
But this time, instead of just stripping the HTTPS links, we swap them out for our own look-alikes.

one trick
https://www.gmail.com/accounts/ServiceLogin
becomes
https://www.gmail.com/accounts/ServiceLogin?!f.ijjk.cn
The latter does not display as punycode in the status bar or the URL bar.
When resolved, it becomes www.google.xn--comaccountsservicelogin-5j9pia.f.ijjk.cn
When we MITM these connections, we do SSL on both ends, but are able to present our own valid *.ijjk.cn cert to the client.
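
One way to surface the look-alike hostnames described above, as an added example that is not from the talk: decode each xn-- label of a URL's hostname and report symbol characters and mixed scripts. U+2215 is used here as an assumed stand-in for a slash look-alike (the slides do not name the characters), and the function names and sample URLs are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

def decode_label(label):
    """Return the Unicode form of one DNS label (xn-- labels are punycode)."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_findings(text):
    """Reasons a decoded label could pass for URL punctuation or for ASCII."""
    findings, scripts = [], set()
    for ch in text:
        kind = unicodedata.category(ch)[0]
        if kind == "L":
            # For letters, the first word of the Unicode name is the script.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
        elif kind not in "NM" and ch != "-":
            findings.append(f"symbol U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}")
    if len(scripts) > 1:
        findings.append("mixed scripts: " + "+".join(sorted(scripts)))
    return findings

def audit_url(url):
    """Map each suspicious hostname label, as sent in DNS, to its findings."""
    report = {}
    for label in (urlsplit(url).hostname or "").split("."):
        try:
            found = label_findings(decode_label(label))
        except UnicodeError:
            found = ["undecodable punycode"]
        if found:
            report[label] = found
    return report

def to_ace(text):
    """Sample-building helper: Unicode label -> its xn-- form."""
    return "xn--" + text.encode("punycode").decode("ascii")

# Constructed samples. U+2215 is an illustrative stand-in for a slash
# look-alike (an assumption, not a character named in the talk); U+0430 is
# the Cyrillic 'a' from the paypal.com slide.
SLASH_LABEL = to_ace("com\u2215accounts\u2215servicelogin")
FAKE_PATH_URL = "https://www.gmail." + SLASH_LABEL + ".f.ijjk.cn/"
CYRILLIC_URL = "https://" + to_ace("p\u0430ypal") + ".com/"
PLAIN_URL = "https://www.gmail.com/accounts/ServiceLogin"

if __name__ == "__main__":
    for url in (PLAIN_URL, CYRILLIC_URL, FAKE_PATH_URL):
        print(url, audit_url(url))
```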

Here We Go
Request
302 for the same URL, but with Set-Cookie: headers that expire all the cookies we got from the request.
Request Again (sans-Cookies)
Proxy HTTP back, and swap out all the HTTPS links for our own look-alike HTTPS links.
SSL request for a look-alike domain that we control.
Proxy data back from the actual domain.

An Example

Nice thing about this...
Happens in real-time.
Generalized:
Targets whatever secure sites people are browsing to at any moment.
Doesn't require multiple certificates or restricting ourselves to popular sites.
Once we get a secure POST, we can switch them back to a normal traffic stream.

Lessons...
Lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure.
If we want to avoid the dialogs of death, start with HTTP not HTTPS.
Once we've got control of that, we can do all kinds of stuff to re-introduce the positive indicators people might miss.

Other tricks...

sslstrip
http://www.thoughtcrime.org
