PROXY2: HTTPS PINS AND NEEDLES

2015/05/09すみだセキュリティ勉強会 2015#1

@INAZ2

ABOUT ME

• @inaz2

• Security engineer & Python programmer

• Girl idol freak

• Blog: ももいろテクノロジー

• http://inaz2.hatenablog.com/

2

HTTPS EVERYWHERE [GOOGLE I/O 2014]

• http://lanyrd.com/2014/io14/sdcgyb/

3

HTTPS = HTTP OVER SSL/TLS [RFC 2818]

• http://lanyrd.com/2014/io14/sdcgyb/

4

SSL/TLS AUTHENTICATION

• Certificate Authority (CA) issues the signed certificate for subject’s public key

• Clients trust some root CAs beforehand

• Clients verify the chain of certificates until it reaches the trusted root CA

5

Client Server CA Root CA

Verify each signature by issuer’s public key

Private key

Public key

signature = ENCRYPT(HASH(certificate content), privkey)

sign

SSL/TLS ENCRYPTION

• A client generate a session key (e.g. AES key)

• The client and the server share the session key

• By the key exchange algorithm (e.g. RSA or ECDHE)

• After all, the payload is encrypted by the session key

6

Client Server

Payload

Session key(shared by each other)

WE CANNOT SEE HTTPS PAYLOADS AS IS

• In Wireshark 1.12.4

7

DECRYPTING HTTPS PAYLOADS IN WIRESHARK

• Register the destination server’s private key

• Need to own the server

• If I have Google’s private key, I will be in the jail

• Only works when RSA key exchange is used

• Ineffective against ECDHE key exchange (because of forward secrecy)

8

SSLKEYLOGFILE ENVIRONMENT VARIABLE

• Make the browsers write session keys in a file

• Configure Wireshark to use the file for decrypting

• Don’t have to own the server & works with any key exchange algorithms

9

ANOTHER WAY… HTTPS PROXY

• Intercept HTTPS connection by Man-in-the-Middle

• The proxy terminates HTTPS connection and reconnects to the opposite

• The proxy can decrypt the payload by its private key

10

Client Proxy w/ CA Internet sites

HTTPS HTTPS

I’ll trust the proxy!

Decrypt all traffic!

Hello, proxy.

FIDDLER, BURP PROXY, OWASP ZAP ETC.

• Useful proxies for web vulnerability testing

• All supports HTTPS

• Programmable to some extent

• But GUI• Basically they require user interactions

11

THERE’S A NEED FOR THE TOOL WITHOUT CLICKING

12

PROXY2

SONG 2 BY BLUR

• https://www.youtube.com/watch?v=SSbBvKaM6sk

• “I got my head checkedBy a jumbo jetIt wasn't easyBut nothing isNo”

14

PROXY2

• https://github.com/inaz2/proxy2

• HTTP/HTTPS proxy in a single python script

• A successor of SimpleHTTPProxy [sumidasec 2013/12]

• Built on top of Python standard libraries (BaseHTTPServer, httplib, ssl etc.)

• HTTPS features depend on OPENSSL(1)

• Fully programmable by implementing handler functions in Python

• Trace HTTPS payloads

• Modify HTTPS payloads

• Save HTTPS payloads or stats to the storage

15

NEED TO TRUST IT AS A PRIVATE CA

• Execute “setup_https_intercept.sh” and run proxy2

• Configure the browser’s proxy setting

• Then access to http://proxy2.test/

16

TRACE HTTPS PAYLOADS

• Implemented and enabled by default

• Print headers and POST data with color

• Pretty-output query parameters, Cookies and JSON data

• Show the title of a HTML document

• Decode the credential of basic auth

17

SERVER, X-POWERED-BY, VIA

• http://hhvm.com/blog/7205/wikipedia-on-hhvm

18

SERVER, X-POWERED-BY, VIA

• http://hhvm.com/blog/7205/wikipedia-on-hhvm

19

Nginx/1.6.2 with HHVM/3.3.13 reverse proxies (Varnish Cache)

?

20

X-REQUEST-ID, X-RUNTIME, X-SERVED-BY

21

X-REQUEST-ID, X-RUNTIME, X-SERVED-BY

22

The request 1f03c5 was responded by the server e68303

and it took 6.5 milliseconds

PRIVATE API ENDPOINT

• Content-Type seems wrong

23

GMAIL LOGIN

24

GMAIL LOGIN

25

YOUTUBE’S SPF (STRUCTURED PAGE FRAGMENTS)

• https://youtube.github.io/spfjs/

26

YOUTUBE’S SPF (STRUCTURED PAGE FRAGMENTS)

• https://youtube.github.io/spfjs/

27

MODIFY HTTPS PAYLOADS

• Change the User-Agent

28

29

30

SWAP A HTTPS CONTENT

• Rewrite a request path

31

32

THIS WEBSITE IS SECURED BY SSL?

• Yes, if you never trust any private CAs or compromised CAs

• Why was Superfish a big topic?

• A private CA was preinstalled in many Lenovo laptops

• All HTTPS payloads were decrypted without notice

• The same private key was embedded and its passphrase was weak

• Cracked in a moment

• As a result, anyone could be the CA and issue the certificate for any domains

• Malwares may install a private CA silently

• Certificate pinning doesn’t block it because it’s a PRIVATE CA

• http://inaz2.hatenablog.com/entry/2015/02/25/024431

33

END-TO-END ENCRYPTION

• Web Cryptography API

• Run crypto algorithms on web browsers

• http://www.w3.org/TR/2014/CR-WebCryptoAPI-20141211/

• Intel AES-NI and Intel Secure Key (RDRAND)

• CPU instructions for AES calculation and random number generation

• https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/

• https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide

34

RECAP

• Trusted HTTPS proxy can trace/modify all HTTPS payloads

• Useful for both web developers and security engineers

• Happy hacking

35

REFERENCES

• The HTTPS-Only Standard

• https://https.cio.gov/

• ImperialViolet - Decrypting SSL packet dumps

• https://www.imperialviolet.org/2012/06/25/wireshark.html

• Proxy War [OWASP DAY 2014/11]

• http://www.slideshare.net/zaki4649/proxy-war-42161988

• 自堕落な技術者の日記 : W3C Web Cryptography APIとの果てしなき戦い(第1回) - livedoor Blog（ブログ）

• http://blog.livedoor.jp/k_urushima/archives/1758899.html

36

THANK YOU!@INAZ2

CreditsClip arts: http://www.clker.com/English Reviewing: @domiryuu