« Previous 1 2 3
Attacks on HTTPS Connections
Tapped in
Conclusions
The vulnerabilities presented in this article have led to a lack of confidence in encrypted connections, but they have effective countermeasures, as well, and the dangers can be controlled. The biggest problem is the existing certification system. Browsers and operating systems simply trust too many CAs on faith. If any one of them plays false, they are successfully attacked; if they don't work properly, valid but unauthorized certificates are created that make attacks much easier for a MitM.
Public key pinning and certificate pinning make it much more difficult for these attacks to be successful. Google, for example, has discovered wrongly issued certificates for its Google domains on many occasions using these methods, so the danger is absolutely real.
Infos
- Perfect forward secrecy: https://en.wikipedia.org/wiki/Forward_secrecy
- OWASP: "Certificate and Public Key Pinning": https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
- "EMET 4.0's Certificate Trust feature" by Elia Florio: https://blogs.technet.microsoft.com/srd/2013/05/08/emet-4-0s-certificate-trust-feature
- RFC 7469: Public Key Pinning extension for HTTP: https://tools.ietf.org/html/rfc7469
- OWASP: "HTTP Strict Transport Security": https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- Moxie Marlinspike: sslstrip: https://moxie.org/software/sslstrip/
- "PSA: In Firefox 44 Nightly" by Richard Barnes: https://twitter.com/rlbarnes/status/656554266744586240
- RFC 6797: HTTP Strict Transport Security (HSTS): https://tools.ietf.org/html/rfc6797
- "CookieMonster nabs user creds from secure sites" by Dan Goodin: http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
- "Firesheep: Baaaaad News for the Unwary" by Brian Krebs: http://krebsonsecurity.com/2010/10/firesheep-baaaaad-news-for-the-unwary/
- RFC 7465: Prohibiting RC4 cipher suites: https://tools.ietf.org/html/rfc7465
« Previous 1 2 3