TLS Interception considered harmful (Chaos Communication Camp 2015)
- 2. ABOUT ME Hanno Böck, https://hboeck.de/ Freelance journalist (often Golem.de) Fuzzing free software (Core Infrastructure Initiative)
- 3. TLS VULNERABILITIES BEAST, CRIME, Lucky13, FREAK, SKIP, POODLE, Heartbleed, Logjam, MACE, ...
- 4. BEAST Exploits known issue in CBC mode of TLS 1.0 / SSL 3.0. Fix: Use TLS 1.1/1.2. Workaround: 1/n-1 record splitting.
- 5. CRIME Compression leaks information about encrypted data. Solution: Disable compression.
- 6. LUCKY THIRTEEN TLS does MAC-then-Pad-then-Encrypt. Timing sidechannel: separating MAC errors from padding errors. Workaround: Timing safe implementation (difficult). Solution: TLS 1.2 with Authenticated Encryption (only AES-GCM).
- 7. POODLE SSLv3 allows arbitrary content in padding. Solution for SSLv3: Don't use it. Solution for TLS: Check padding (must be zeros).
- 8. FORWARD SECRECY Create a temporary key for each connection. Protects from later key leakage. Hardly any reason not to use FS.
- 9. LESSONS LEARNED Security bugs in the protocol. Only TLS 1.2 using AES-GCM with Forward Secrecy considered safe. TLS 1.0 with mitigations required for legacy support, complicated.
- 10. CERTIFICATE AUTHORITIES Hundreds of CAs and sub-CAs. Each can issue certs for all domains. System is only as secure as the worst CA.
- 11. CERTIFICATE AUTHORITIES Misissuance of certificate happens often: Comodo, Türktrust, CNNIC, IndiaCCA, Diginotar, ANSSI, ...
- 12. SOLUTIONS Many proposals (Sovereign keys, TACK, Convergence, DANE, ...). Most of them never got deployed widely.
- 13. HTTP PUBLIC KEY PINNING (HPKP) First widely deployed mitigation for CA failures (Chrome and Firefox). Browsers also contain list of pre-pinned hosts.
- 14. CERTIFICATE TRANSPARENCY Public log of all certificates. Promising, but only partly deployed yet. Chrome has preliminary support.
- 15. CONCLUSION Mitigations for Certificate Authority problems are finally coming. Proper certificate verification requires knowledge about current developments.
- 16. HTTPS USE IS GROWING ... and that's a good thing. Certificates no longer expensive (StartSSL, Wosign, Let's encrypt). HTTPS guarantees secrecy and integrity (often forgotten).
- 20. WEB TRAFFIC INTERCEPTION Products want to manipulate web traffic. "Enterprise" security products, Antiviruses, Parental control, Adblockers, Ad injection, ...
- 21. HTTPS MAN-IN-THE-MIDDLE PROXIES HTTPS guarantees secrecy and integrity(!). "Solution": Let's install a certificate in the user's browser and do a Man-in-the-Middle- attack.
- 22. SUPERFISH Analyzes images on webpages and provides matching ads. Preinstalled on many Lenovo Laptops.
- 23. SHARED CERTIFICATE All installations of Superfish used the same root certificate. Problem: Private key can be extracted.
- 25. KOMODIA SAN BUG Komodia products had another bug with Subject Alternative Name. Allows generic TLS interception for all products using Komodia.
- 26. LAVASOFT / AD-ADWARE "Lavasoft’s most recent release of Ad-Aware Web Companion (released on February 18th 2015) does not include this capability, but we are not yet able to confirm with certainty that the compromised component of the Komodia SSL Digestor has been removed." (Lavasoft Facebook page)
- 27. LAVASOFT / AD-ADWARE Or in other words: We have a severe security vulnerability and we're not really sure if we fixed it.
- 28. PRIVDOG Privdog is a startup founded by Melih Abdulhayoğlu (CEO of Comodo). It replaces "dangerous" ads with its own ads.
- 29. NO VERIFICATION OF CERTIFICATES Privdog does not use a shared cert (we'll get back to that later). But it did not verify certificates at all. By the way: It also sent home all URLs visited in clear text.
- 30. ANTIVIRUS APPLICATIONS INTERCEPTING TLS Analysis of Avira, Kaspersky, ESET. None as bad as Superfish/Privdog, but all of them lowered TLS security in one way or another.
- 31. KASPERSKY / FREAK FREAK vulnerability: OpenSSL bug allowed downgrade to export ciphers with 512 bit. Shortly after FREAK Kaspersky user warned about it in support forum. 1.5 months later it was still not fixed.
- 32. BREAKING HPKP Shouldn't Key Pinning prevent TLS interception from happening? Browsers compromised: Didn't want to break all TLS interception products. Manually installed certs override key pinning. No TLS interception software I tested checked key pinning header.
- 33. RESPONSIBILITY SHIFT If products intercept TLS they are responsible for certificate validation and TLS implementation quality. Are they qualified?
- 34. ADGUARD Regenerates cert, but always with same key. Chooses one out of 10 keys depending on CPU.
- 35. NETFILTER SDK Adguard relied on Netfilter SDK (file ProtocolFilters.dll). Shared key can be trivially extracted.
- 36. MEET PRIVDOG AGAIN PrivDog also uses shared key. It was completely broken in two different ways.
- 37. PROTOCOLFILTERS.DLL Coupoon, CashReminder, SavingsDownloader, Scorpion Saver, SavingsbullFilter, BRApp, NCupons, Nurjax, Couponarific, delshark, rrsavings, triosir, screentk, ...
- 40. SYMANTEC DESKTOP EMAIL ENCRYPTION The software formerly known as PGP. Only does TLS 1.0 without Forward Secrecy.
- 41. ENTERPRISE APPLIANCES Open question: How bad are they? Contact me if you have access.
- 42. "ENTERPRISE" TLS F5 "we don't accept handshakes between 256 and 512 bytes" bug POODLE TLS (F5, A10, Cisco, Check Point, Juniper, IBM) MACE: Missing MAC and Finished message check (Cisco, Fortinet, F5, Juniper)
- 43. ALTERNATIVES For many of the products that use TLS interception the question is whether they should exist at all. If you want to modify traffic with user's consent do it after the encryption (e. g. browser extension).
- 44. TAKEAWAYS "Potentially unwanted applications" are a severe securiy threat. It should be considered malpractice.
- 45. TAKEAWAYS TLS interception is dangerous. Nobody gets it right. Even security products fail. Don't mess with our TLS connections.