PBP-oakland-public

Transcript PBP-oakland-public

Slide 1
Shuo Chen†, Ziqing Mao†‡, Yi-Min Wang†, Ming Zhang†
†Microsoft Research
‡Purdue University
May 20th, 2009
IEEE Symposium on Security and Privacy, May 2009
Slide 2
HTTPS: end-to-end secure protocol for web traffic.
Adversary assumption: MITM (man-in-the-middle).
(Figure: browser, proxy, Internet, HTTPS server; the SSL tunnel runs from the browser, past the proxy, to the HTTPS server.)
Are today's browser implementations consistent with this assumption?
Slide 3: Key finding
- A class of browser vulnerabilities (demo) lets a proxy defeat the end-to-end security promised by HTTPS
- Vulnerabilities exist in all major browsers
Industry outreach
- Technical work finished in summer 2007
- Paper withheld until this conference
- Worked with all vendors to address the issues
Slide 4
(Figure: browser (rendering modules above HTTP/HTTPS above TCP/IP), PBP, HTTPS server (HTTP/HTTPS above TCP/IP). The hop between browser and PBP is unencrypted; the SSL tunnel between browser and HTTPS server is encrypted.)
Slide 5
Key issue: browsers load unencrypted content from the proxy in the HTTPS context of the victim server
- Attack 1: Proxy's error response
- Attack 2: Proxy's redirection
- Attack 3: HTTP-intended pages that are HTTPS loadable (HPIHSL)
- Attack 4: Visual context (GUI behavior, no script)
Slide 6
Proxy's error page: e.g., 502 server not found, or another 4xx/5xx response; script in the error page runs in https://bank.com.
(Figure: browser, PBP, bank server. A page containing <iframe src="https://bank.com"> makes the browser request https://bank.com through the PBP; the PBP answers "502: Server not found", and the browser renders that error page as https://bank.com.)
Slide 7
(Figure: bank.com server, browser, PBP, evil.com server. The page https://bank.com contains <script src="https://js.bank.com/foo.js">; when the browser requests https://js.bank.com through the PBP, the proxy answers HTTP 302, redirecting to https://evil.com. The script served by evil.com will run in the context of https://bank.com.)
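Attacks 1 and 2 both depend on the browser treating the proxy's unencrypted reply to CONNECT as if it belonged to the HTTPS origin. The following is an added example, not the paper's code or any browser's: the check a browser's proxy layer should apply, run on constructed sample replies (the bank.com and evil.com names follow the slides).

```python
# Added example (not the paper's or any browser's code): classify a proxy's
# reply to CONNECT. Only a 2xx reply establishes the SSL tunnel; any other
# reply (error page, 3xx redirect) came unencrypted from the proxy and must
# neither be rendered in nor redirect the https:// origin.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnectOutcome:
    tunnel_established: bool
    status: int
    # Text for the browser's own neutral error UI, never for the origin's page
    error_note: Optional[str] = None


def handle_connect_reply(raw: bytes, target_origin: str) -> ConnectOutcome:
    """Decide what to do with the bytes the proxy sent back to CONNECT.

    The body and any Location header are deliberately discarded for non-2xx
    replies: in the PBP model they are attacker-controlled.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return ConnectOutcome(False, 0, "malformed reply from proxy")
    status = int(parts[1])
    if 200 <= status < 300:
        # Tunnel is up: the caller now runs the TLS handshake with target_origin.
        return ConnectOutcome(True, status)
    # Attack 1 (error page) and attack 2 (302 redirection) both end here: report
    # a proxy failure for target_origin without rendering or following anything.
    return ConnectOutcome(False, status,
                          f"proxy refused CONNECT to {target_origin} (HTTP {status})")


# Constructed sample replies (not captured traffic)
OK_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"
ERROR_REPLY = (b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n\r\n"
               b"<html><body>Server not found</body></html>")
REDIRECT_REPLY = b"HTTP/1.1 302 Found\r\nLocation: https://evil.com/foo.js\r\n\r\n"

if __name__ == "__main__":
    for name, reply in [("ok", OK_REPLY), ("error", ERROR_REPLY), ("redirect", REDIRECT_REPLY)]:
        print(name, handle_connect_reply(reply, "https://bank.com"))
```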
Slide 8
Many websites provide both HTTP and HTTPS services
- Sensitive pages, e.g. checkout: HTTPS only
- Non-sensitive pages, e.g. merchandise: intended for HTTP access
What's wrong with HPIHSL pages?
- However, non-sensitive pages are often accessible through HTTPS as well!
- They often import scripts through HTTP
- The scripts will run in the HTTPS context.
(Figure: sensitive pages, non-sensitive (HPIHSL) pages, and the HTTP scripts they import.)
Slide 9
Browsers warn about HTTP resources in HTTPS contexts, don't they?
- The detection logic only determines the address bar's appearance
- The address bar only concerns the top-level page, so …
Slide 10
Using an HTTPS iframe in an HTTP top-level page.
(Figure: top level: HTTP; hidden iframe: HTTPS for an HPIHSL page.)
Slide 11
Very easy to find HPIHSL pages that import scripts
- The paper shows 12 websites having this problem.
- These HTTPS domains are not trustworthy.
They cover a wide range
- Online shopping sites
- Banks, credit card companies
- Open source project management site
- Top computer science departments
- Even the home domain of a leading certificate authority
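As an added example (not from the paper), this script checks a page for the HPIHSL condition described on slides 8 to 11: active content that the page, when loaded over HTTPS, would fetch over plain HTTP and run in the HTTPS context. The sample page and its host names are constructed.

```python
# Added example (not the paper's code): find active resources an HTTPS-loaded
# page would fetch over plain HTTP. Standard library only, constructed input.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ActiveContentFinder(HTMLParser):
    """Collects absolute URLs of script and other active resources on a page."""
    ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # (tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attr = self.ACTIVE.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, urljoin(self.page_url, value.strip())))


def insecure_active_refs(page_url, html):
    """Return (tag, url) pairs an HTTPS page would fetch over HTTP.

    A browser rendering page_url over HTTPS runs these in the HTTPS origin, so
    a PBP on the path can replace them. Protocol-relative (//host) and
    site-relative URLs resolve to https and are therefore not reported.
    """
    if urlsplit(page_url).scheme != "https":
        raise ValueError("scan the page under the https:// URL it is loadable from")
    finder = ActiveContentFinder(page_url)
    finder.feed(html)
    return [(tag, url) for tag, url in finder.refs if urlsplit(url).scheme == "http"]


# Constructed sample: a merchandise page that is HTTPS-loadable but imports
# scripts the way an HTTP-intended page does.
SAMPLE_PAGE = """<html><head>
<script src="http://static.shop.example/js/menu.js"></script>
<script src="//cdn.shop.example/jquery.js"></script>
<script src="/js/local.js"></script>
</head><body>
<iframe src="http://ads.example/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in insecure_active_refs("https://shop.example/catalog", SAMPLE_PAGE):
        print(f"{tag}: {url} would be loaded over HTTP into the HTTPS context")
```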
Slide 12
In attack 1, script in the proxy's error page runs in the HTTPS context (all browsers).
This attack (attack 4):
- No script, only static HTML
- Due to GUI behavior
- IE, Opera and Chrome display a certificate on the GUI as long as it is in the certificate cache.
Slide 13
Schedule a one-second timer for refreshing the page (the phishing page, returned as a 5xx response):
<head>
<meta HTTP-EQUIV="Refresh" CONTENT="1; URL=https://www.paypal.com">
</head>
Before the timer expires, cache a PayPal certificate:
<img src="https://www.paypal.com/a.jpg" style="display:none">
A perfect GUI spoofing attack
- Fresh browser, single tab, address bar input
Slide 15
Proxies are used in many environments
- Corporate and university networks
- Hospitals, hotels
- Third-party free proxies
Due to PBP issues, the security of HTTPS communication depends on the proxy's integrity
- Is the proxy infected by viruses, hijacked by attackers or configured by malicious insiders?
Slide 16
All these attacks work as long as
(1) The attacker can sniff your machine at the link layer
- For HTTPS, you need to assume this.
(2) The browser has its proxy capability ON
- WPAD: Web Proxy Auto Discovery
- PAC script: Proxy Auto Config script
- Manual configuration
Slide 17: Our test bed
- Proxy required for web traffic to the Internet
- WPAD (default), PAC-script config or manual config
- Tested on Ethernet
- Tested on an open wireless network
(Figure: the browser's GET /wpad.dat is answered with goodProxy_cfg in the normal case and with PBP_cfg by the attacker.)
Slide 18: Vendor status

Issue                      IE 8 (since beta 2)   Firefox 3.0.10                  Safari 3.2.2 (or before)   Opera (since Dec. 2007)   Chrome 1.0.154.53
Error-response issue       Fixed                 Fixed                           Fixed                      Fixed                     Fixed
Redirection issue          N/A                   Fixed                           Fixed                      Fixed                     N/A
HPIHSL issue               Fix suggested         Fix proposed for next version   Acknowledged               Acknowledged              Acknowledged
Cached certificate issue   Fixed                 N/A                             N/A                        Fixed                     Fixed
Future PBP issues          (no entries in the transcript)

Besides point fixes, how can we systematically prevent (or find) these bugs?
Slide 19
Not a fundamental "solution"
- HTTPS security should not depend on the network.
However, it is worthwhile to have mitigations
- Some issues not patched
- New issues found in the future
Mitigations
- Wireless router: use WPA (WiFi Protected Access)
- Corporate network: deploy IPSec on many types of servers, not only web servers but DNS, DHCP and PAC servers
- Travelling employees: secure VPN to your corporate network
Slide 20: The PBP adversary
- Targeting the rendering modules
- Encrypted/unencrypted contents confused
(Figure: rendering modules above HTTP/HTTPS above TCP/IP.)
Developers of rendering modules need to deal with MITM
- The HTTPS layer does not mask the MITM from the rendering modules.
Beyond HTTPS
- Other end-to-end protocols: Kerberos, IPSec, etc.
- E.g., HTTP over IPSec, using Kerberos authentication
- What do you want to achieve if a proxy is in between?
Slide 21
- HTTPS is flawed.
- We argue that many proxies are not secure enough to tunnel HTTPS.
- We advocate link layer security.
- In addition to browser issues, we also show issues in WPAD, etc.
Slide 22: OCCUR
http://research.microsoft.com/en-us/projects/occur/
A free web service for timestamping research ideas
- Why: some research contributions cannot be published immediately, e.g., due to responsible disclosure policy.
- What: OCCUR gives your idea a timestamp from VeriSign
- Details: search for "Microsoft OCCUR" or ask me offline