Monday 5 January 2015

Defeating HSTS and other acronyms

Defeating HTTP Strict Transport Security

This tutorial covers attacks on HTTP Strict Transport Security, sometimes known as STS or HSTS. Yes that's right, we have so many acronyms we're now nesting them. Macronyms to the intellectual elite.

A history lesson

To understand what HSTS is you need to understand the history of MITM (Man In The Middle) attacks on digital communications. In the beginning there was HTTP, The browser (Alice) could communicate with the web server (Bob).

Alice <------> Bob

However an adversary Eve could perform a MITM attack on connection by telling Alice that she is Bob, and telling Bob she is Alice, both Bob and Alice send their communications to Eve who logs the information, potentially modifies it and then lets it pass on to the real destination, both Bob and Alice are non the wiser.

Alice <------> Eve <------> Bob

To secure communications HTTPS was invented, a secure version of HTTP which simply layered HTTP inside an SSL connection, this did 3 things, it provided Secrecy, Integrity and Authenticity.

SSL works using public key cryptography, Alice and Bob both have a public and private key, the public keys are shared first, messages from Alice are signed and encrypted with Bobs public key and only Bobs private key can decrypt them, and vice versa. Now Eve cannot read the communications, she can see the exchange of public keys across the wire however she cannot decrypt the message without somehow discovering the private keys first.

This worked well for some time, until Moxie Marlinspike did us all a favour, he educated us.

SSL Strip

SSL strip is an attack on HTTPS connections written by Moxie, his thesis is that most HTTPS connections on the internet are not initiated by the user typing "HTTPS" into the address bar, but rather encountered by a HTTPS link provided in an existing HTTP context or by the web server redirecting HTTP requests to HTTPS ones.

SSL Strip simply monitors the plain text HTTP connections, any responses from the web server back to the client that includes HTTPS hyper-links are re-written to be HTTP, and any redirect responses the server sends are also re-written from HTTPS to HTTP, internally SSL Strip keeps track of what it has modified. The client is forced to communicate with SSL Strip in HTTP but SSL Strip faithfully presents a HTTPS connection to the web server using its own public/private key pair.

This forces all communications to use regular HTTP connections between Alice and Eve where the data is sent in the clear and can be logged or modified. In practice SSL Strip is deadly, few people notice they're browsing a normally secure website with SSL disabled.

Alice <---HTTP---> Eve <---HTTPS---> Bob

HSTS

HSTS was created as a solution to attacks like SSL Strip. It introduces a new header inside HTTP communications called Strict-Transport-Security, the server includes this header which tells the browser to only use SSL connections on the specified domain in future and for how long, if the browser supports HSTS headers correctly it will create a new policy to always use SSL until the expiry date elapses.

This creates only 2 points of attack for adversaries. 

1) The host name and underlying DNS system to verify it, if secure DNS isn't used then domains can spoofed and pointed to attackers servers.
2) The expiry time of the policy, after the expiry time has been reached the browser reverts to normal behaviour which is to connect over regular HTTP unless specified otherwise.

Both of these vectors have been exploited recently.

SSL Strip 2

Leonardo Nve presented a talk at Blackhat Asia 2014 where he introduced an improved version of Moxies original tool SSL Strip. SSL Strip 2 performs MITM attacks on DNS requests forcing requests from the browser to be sent directly to the attacker.
 

NTP and time shifting with Delorean

Network Time Protocol (NTP) is a widely used protocol for synchronizing time across a network, most major Operating Systems implement some form of NTP to keep the system time as accurate as possible, there are several revisions of NTP including ones which implement secure time updates with cryptographically signed messages (v4 onwards) however no major operating systems currently support this out of the box making almost everyone vulnerable to MITM attacks on time updates.

Each operating system behaves differently with regards to when time updates occur and with what frequency, as well as a maximum delta change from the current time/date that is allowed in a single update. Step in Jose Selvi with new MITM tool called Delorean which focuses on MITM attacks on NTP, you can find his whitepaper here.

Using Delorean and time shifting the Operating Systems internal clock, any software that relies on the internal clock such as the browsers checking for expired policies can now be fooled by adversaries. Forcing the internal clock to the expiration date of the policy and then modifying all future HTTP request to remove the HSTS value from the header will prevent the browser from forcing SSL usage and all existing SSL downgrade attacks will work as normal.





3 comments:

  1. Hi Frosty,

    How you would implement an attack using Delorean to shift the victim's OS's internal clock with SSLStrip2 and dns2proxy? Could you show me how this could be implemented?

    By the way, are you belgian?

    Thanks

    ReplyDelete
    Replies
    1. I've not tried this attack myself yet, I've been too busy.

      It was shown off at Blackhat Europe last year, you can find the presentation notes here: https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security.pdf

      The tool is Delorean and it can be found here: https://github.com/PentesterES/Delorean and you can find the documentation if you run the python script with the -h parameter.

      I'd also keep an eye on youtube for his blackhat video with more information, it can take a while but normally the video presentations make it online.

      I'm not Belgian, I'm from the UK.

      Delete
  2. By the way, nice article. A good summary of SSL vulnerabilities.

    Cheers,

    Protoxyde

    ReplyDelete