April 28, 2019 at 17:07Potential attacks on HTTPS and how to defend against them
Half of the sites use HTTPS , and their number is steadily increasing. The protocol reduces the risk of traffic interception, but does not preclude attack attempts per se. About some of them - POODLE, BEAST, DROWN and others - and methods of protection, we will tell in our material. / Flickr / Sven Graeme / CC BY-SA
For the first time, the POODLE attack became known in 2014. A vulnerability in the SSL 3.0 protocol was discovered by security specialist Bodo Möller with colleagues from Google.
Its essence is as follows: a hacker forces the client to make an SSL 3.0 connection, emulating disconnected communications. Then it searches for special message tags in the traffic encrypted in CBC mode. Using a series of fake queries, an attacker can reconstruct the contents of data that interests him, such as cookies.
SSL 3.0 is an obsolete protocol. But the question of its security is still relevant. Clients use it to avoid server compatibility issues. According to some reports, almost 7% of the 100 thousand most popular sites still support SSL 3.0. There are also modifications of POODLE, the purpose of which is more modern TLS 1.0 and TLS 1.1. This year , new Zombie POODLE and GOLDENDOODLE attacks have appeared that bypass TLS 1.2 protection (they are still associated with CBC encryption).
How to protect yourself.In the case of the original POODLE, you need to disable SSL 3.0 support. However, in this case, there is a risk of compatibility issues. An alternative solution may be the TLS_FALLBACK_SCSV mechanism - it ensures that data exchange over SSL 3.0 will be carried out only with older systems. Attackers will no longer be able to initiate a downgrade of the protocol. A way to protect against Zombie POODLE and GOLDENDOODLE is to disable CBC support in applications based on TLS 1.2. The cardinal decision will be the transition to TLS 1.3 - the new version of the protocol does not use CBC encryption.
One of the very first attacks on SSL and TLS 1.0, discovered in 2011. Like POODLE, BEAST uses CBC encryption features. Attackers deploy a JavaScript agent or Java applet on the client machine that spoofs messages when transmitting data via TLS or SSL. Since attackers know the contents of “fake” packets, they can use them to decrypt the initialization vector and read other messages to the server, such as cookies for authentication.
To date, a number of network tools are still vulnerable to BEAST vulnerabilities : proxies and applications to protect local Internet gateways.
How to protect yourself. The attacker needs to send requests regularly to decrypt the data. In VMwarerecommend reducing the duration of SSLSessionCacheTimeout - from five minutes (default recommendation) to 30 seconds. This approach will complicate the implementation of plans for attackers, although it will have some negative effect on productivity. In addition, you need to understand that soon the BEAST vulnerability may become a thing of its own accord - since 2020, the largest browsers have stopped supporting TLS 1.0 and 1.1. In any case, less than 1.5% of all browser users work with these protocols.
This is a cross-protocol attack using errors in the implementation of SSLv2 with 40-bit RSA keys. An attacker listens to hundreds of TLS connections of a target and sends special packets to a server with SSLv2 using the same private key. Using the Bleichenbacher attack , a hacker can decrypt one of about a thousand TLS client sessions.
DROWN first became known in 2016 - then a third of the world's servers were exposed to it. To date, it has not lost relevance. Of the 150,000 most popular sites, 2% still support SSLv2 and vulnerable encryption mechanisms.
How to protect yourself.It is necessary to install patches proposed by cryptographic library developers that disable SSLv2 support. For example, two such patches were introduced for OpenSSL (in 2016 these were updates 1.0.1s and 1.0.2g). Also, updates and instructions for disabling the vulnerable protocol were published in Red Hat , Apache , Debian .
You can check if you need to update your system using a special utility - it was developed by information security experts who discovered DROWN. You can read more about recommendations related to protection against this type of attack in a post on the OpenSSL website .
One of the largest vulnerabilities in software is Heartbleed . It was discovered in 2014 in the OpenSSL library. At the time of the error announcement, the number of vulnerable websites was estimated at half a million - approximately 17% of the protected resources on the network.
The attack is implemented through the small Heartbeat TLS extension module. The TLS protocol requires that data be transmitted continuously. In the event of prolonged downtime, a break occurs and the connection must be re-established. To cope with the problem, servers and clients artificially “noise” the channel ( RFC 6520, p. 5), passing a packet of random length. If it turned out to be the largest package, then vulnerable versions of OpenSSL read memory outside the allocated buffer. Any data could be in this area, including private encryption keys and information about other connections.
The vulnerability was present in all versions of the library between 1.0.1 and 1.0.1f inclusive, as well as in a number of operating systems - Ubuntu until 12.04.4, CentOS older than 6.5, OpenBSD 5.3 and others. A complete list is on the Heartbleed website . Although patches against this vulnerability were released almost immediately after its discovery, the problem remains relevant until now. Back in 2017, nearly 200 thousand sites were affected by Heartbleed.
How to protect yourself. Need to update OpenSSLto version 1.0.1g or higher. You can also disable Heartbeat requests manually using the DOPENSSL_NO_HEARTBEATS option. After the upgrade, information security experts recommend re-issuing SSL certificates. Replacement is needed in case the data on the encryption keys still got to the hackers.
A managed node is installed between the user and the server with a legitimate SSL certificate that actively intercepts traffic. This node pretends to be a legitimate server, presenting a valid certificate, and it becomes possible to conduct a MITM attack.
According to a study by teams from Mozilla, Google and several universities, approximately 11% of secure connections on the network are “tapped”. This is the result of installing suspicious root certificates on users' computers.
How to protect yourself. Use the services of reliable SSL providers . You can check the "quality" of certificates using the Certificate Transparency service(CT). Cloud providers can also help with detecting wiretaps - already today some large companies offer specialized tools for monitoring TLS connections.
Another protection method will be the new ACME standard , which automates the receipt of SSL certificates. At the same time, he will add additional mechanisms for checking the site owner. We wrote more about him in one of our previous materials .
/ Flickr / Yuri Samoilov / CC BY
Despite a number of vulnerabilities, IT giants and information security experts are confident in the future of the protocol. The creator of WWW Tim Berners-Lee stands for the active implementation of HTTPS . According to him, over time, TLS will become more secure, which will significantly increase the security of connections. Berners-Lee even suggested that in the future there will be client certificates for authentication. They will help improve server protection from intruders.
It is also planned to develop SSL / TLS technology with the help of machine learning - smart algorithms will be responsible for filtering malicious traffic. In HTTPS connections, administrators have no way to find out the contents of encrypted messages, including detecting requests from malware. Already, neural networks are capable of filtering potentially dangerous packets with an accuracy of 90%. ( slide 23 presentations ).
Attacks on HTTPS are for the most part not related to problems in the protocol itself, but to support outdated encryption mechanisms. The IT industry is beginning to phase out previous generation protocols and is offering new tools for finding vulnerabilities. In the future, these tools will become more intelligent.
POODLE
For the first time, the POODLE attack became known in 2014. A vulnerability in the SSL 3.0 protocol was discovered by security specialist Bodo Möller with colleagues from Google.
Its essence is as follows: a hacker forces the client to make an SSL 3.0 connection, emulating disconnected communications. Then it searches for special message tags in the traffic encrypted in CBC mode. Using a series of fake queries, an attacker can reconstruct the contents of data that interests him, such as cookies.
SSL 3.0 is an obsolete protocol. But the question of its security is still relevant. Clients use it to avoid server compatibility issues. According to some reports, almost 7% of the 100 thousand most popular sites still support SSL 3.0. There are also modifications of POODLE, the purpose of which is more modern TLS 1.0 and TLS 1.1. This year , new Zombie POODLE and GOLDENDOODLE attacks have appeared that bypass TLS 1.2 protection (they are still associated with CBC encryption).
How to protect yourself.In the case of the original POODLE, you need to disable SSL 3.0 support. However, in this case, there is a risk of compatibility issues. An alternative solution may be the TLS_FALLBACK_SCSV mechanism - it ensures that data exchange over SSL 3.0 will be carried out only with older systems. Attackers will no longer be able to initiate a downgrade of the protocol. A way to protect against Zombie POODLE and GOLDENDOODLE is to disable CBC support in applications based on TLS 1.2. The cardinal decision will be the transition to TLS 1.3 - the new version of the protocol does not use CBC encryption.
BEAST
One of the very first attacks on SSL and TLS 1.0, discovered in 2011. Like POODLE, BEAST uses CBC encryption features. Attackers deploy a JavaScript agent or Java applet on the client machine that spoofs messages when transmitting data via TLS or SSL. Since attackers know the contents of “fake” packets, they can use them to decrypt the initialization vector and read other messages to the server, such as cookies for authentication.
To date, a number of network tools are still vulnerable to BEAST vulnerabilities : proxies and applications to protect local Internet gateways.
How to protect yourself. The attacker needs to send requests regularly to decrypt the data. In VMwarerecommend reducing the duration of SSLSessionCacheTimeout - from five minutes (default recommendation) to 30 seconds. This approach will complicate the implementation of plans for attackers, although it will have some negative effect on productivity. In addition, you need to understand that soon the BEAST vulnerability may become a thing of its own accord - since 2020, the largest browsers have stopped supporting TLS 1.0 and 1.1. In any case, less than 1.5% of all browser users work with these protocols.
Drown
This is a cross-protocol attack using errors in the implementation of SSLv2 with 40-bit RSA keys. An attacker listens to hundreds of TLS connections of a target and sends special packets to a server with SSLv2 using the same private key. Using the Bleichenbacher attack , a hacker can decrypt one of about a thousand TLS client sessions.
DROWN first became known in 2016 - then a third of the world's servers were exposed to it. To date, it has not lost relevance. Of the 150,000 most popular sites, 2% still support SSLv2 and vulnerable encryption mechanisms.
How to protect yourself.It is necessary to install patches proposed by cryptographic library developers that disable SSLv2 support. For example, two such patches were introduced for OpenSSL (in 2016 these were updates 1.0.1s and 1.0.2g). Also, updates and instructions for disabling the vulnerable protocol were published in Red Hat , Apache , Debian .
“A resource can be vulnerable to DROWN if its keys are used by a third-party server with SSLv2, for example, a mail server,” said Sergey Belkin , head of development department of IaaS provider 1cloud.ru . - This situation occurs if several servers use a common SSL certificate. In this case, disable SSLv2 support on all machines. "
You can check if you need to update your system using a special utility - it was developed by information security experts who discovered DROWN. You can read more about recommendations related to protection against this type of attack in a post on the OpenSSL website .
Heartbleed
One of the largest vulnerabilities in software is Heartbleed . It was discovered in 2014 in the OpenSSL library. At the time of the error announcement, the number of vulnerable websites was estimated at half a million - approximately 17% of the protected resources on the network.
The attack is implemented through the small Heartbeat TLS extension module. The TLS protocol requires that data be transmitted continuously. In the event of prolonged downtime, a break occurs and the connection must be re-established. To cope with the problem, servers and clients artificially “noise” the channel ( RFC 6520, p. 5), passing a packet of random length. If it turned out to be the largest package, then vulnerable versions of OpenSSL read memory outside the allocated buffer. Any data could be in this area, including private encryption keys and information about other connections.
The vulnerability was present in all versions of the library between 1.0.1 and 1.0.1f inclusive, as well as in a number of operating systems - Ubuntu until 12.04.4, CentOS older than 6.5, OpenBSD 5.3 and others. A complete list is on the Heartbleed website . Although patches against this vulnerability were released almost immediately after its discovery, the problem remains relevant until now. Back in 2017, nearly 200 thousand sites were affected by Heartbleed.
How to protect yourself. Need to update OpenSSLto version 1.0.1g or higher. You can also disable Heartbeat requests manually using the DOPENSSL_NO_HEARTBEATS option. After the upgrade, information security experts recommend re-issuing SSL certificates. Replacement is needed in case the data on the encryption keys still got to the hackers.
Certificate spoofing
A managed node is installed between the user and the server with a legitimate SSL certificate that actively intercepts traffic. This node pretends to be a legitimate server, presenting a valid certificate, and it becomes possible to conduct a MITM attack.
According to a study by teams from Mozilla, Google and several universities, approximately 11% of secure connections on the network are “tapped”. This is the result of installing suspicious root certificates on users' computers.
How to protect yourself. Use the services of reliable SSL providers . You can check the "quality" of certificates using the Certificate Transparency service(CT). Cloud providers can also help with detecting wiretaps - already today some large companies offer specialized tools for monitoring TLS connections.
Another protection method will be the new ACME standard , which automates the receipt of SSL certificates. At the same time, he will add additional mechanisms for checking the site owner. We wrote more about him in one of our previous materials .
/ Flickr / Yuri Samoilov / CC BY
HTTPS Prospects
Despite a number of vulnerabilities, IT giants and information security experts are confident in the future of the protocol. The creator of WWW Tim Berners-Lee stands for the active implementation of HTTPS . According to him, over time, TLS will become more secure, which will significantly increase the security of connections. Berners-Lee even suggested that in the future there will be client certificates for authentication. They will help improve server protection from intruders.
It is also planned to develop SSL / TLS technology with the help of machine learning - smart algorithms will be responsible for filtering malicious traffic. In HTTPS connections, administrators have no way to find out the contents of encrypted messages, including detecting requests from malware. Already, neural networks are capable of filtering potentially dangerous packets with an accuracy of 90%. ( slide 23 presentations ).
conclusions
Attacks on HTTPS are for the most part not related to problems in the protocol itself, but to support outdated encryption mechanisms. The IT industry is beginning to phase out previous generation protocols and is offering new tools for finding vulnerabilities. In the future, these tools will become more intelligent.