
SSLstrip, Slowloris & Scary SSL Attacks
Sam Bowne

Contact

Sam Bowne
Computer Networking and Information Technology
City College San Francisco
Email: sbowne@ccsf.edu
Web: samsclass.info

Topics

sslstrip: Steals passwords from mixed-mode Web login pages

Slowloris: Denial of Service that stops Apache Web servers

Scary SSL Attacks: ways to completely fool browsers

sslstrip

The 15 Most Popular Web 2.0 Sites

Rank  Site          Login type
1.    YouTube       HTTPS
2.    Wikipedia     HTTP
3.    Craigslist    HTTPS
4.    Photobucket   HTTP
5.    Flickr        HTTPS
6.    WordPress     MIXED
7.    Twitter       MIXED
8.    IMDB          HTTPS
9.    Digg          HTTP
10.   eHow          HTTPS
11.   TypePad       HTTPS
12.   topix         HTTP
13.   LiveJournal   Obfuscated HTTP
14.   deviantART    MIXED
15.   Technorati    HTTPS

From http://www.ebizmba.com/articles/usergenerated-content

Password Stealing

Difficulty   Technique               Login type (count among the 15 sites above)
Easy         Wall of Sheep           HTTP, 5
Medium       sslstrip                MIXED, 3
Hard         Spoofing Certificates   HTTPS, 7

Mixed Mode

HTTP Page with an HTTPS Logon Button

sslstrip Proxy Changes HTTPS to HTTP

Diagram: Target using Facebook <-- HTTP --> Attacker (sslstrip proxy in the middle) <-- HTTPS --> To Internet

Ways to Get in the Middle

Physical Insertion in a Wired Network
Diagram: Target -- Attacker -- To Internet

Configuring Proxy Server in the Browser

ARP Poisoning

Redirects Traffic at Layer 2
Sends a lot of false ARP packets on the LAN
Can be easily detected: DecaffeinatID by IronGeek
http://k78.sl.pt

ARP Request and Reply

Client wants to find Gateway
ARP Request: Who has 192.168.2.1?
ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1

Diagram: Client -- (ARP Request / ARP Reply) -- Gateway -- Facebook.com

ARP Poisoning

Diagram: Attacker sends ARP Replies ("I am the Gateway") to the Client; the Client's traffic to Facebook goes to the Attacker, who forwards it (altered) to the Gateway and on to Facebook.com

Demonstration

slowloris

HTTP GET

Send Incomplete HTTP Requests
Apache has a queue of approx. 256 requests
Each one waits approx. 400 seconds by default for the request to complete
So less than one packet per second is enough to occupy them all
Low-bandwidth DoS--no collateral damage!

OSI Model

Layer             DoS Attack
7 Application     Slowloris: Incomplete HTTP Requests
6 Presentation
5 Session
4 Transport       SYN Flood: Incomplete TCP Handshakes
3 Network
2 Data Link
1 Physical        Cut a cable

Demonstration

iClicker Questions

Power failures brought down servers at 365 Main last year. What OSI Model layer was that attack in?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
E. Layer 5 or higher

Which type of website is the most dangerous?
A. HTTP
B. Mixed: HTTP with HTTPS elements
C. HTTPS

What precaution protects you best when using a public Wi-Fi hotspot?
A. Open Access
B. WEP
C. WPA
D. VPN
E. 802.1x

What precaution seems best against SlowLoris?
A. Do nothing and ignore it
B. Adjust Apache timeouts
C. Use a load-balancer
D. Add a module to Apache
E. Something else

What sort of logins do users of your Website use?
A. Plaintext
B. Mixed-mode
C. HTTPS with a CA
D. Self-signed SSL
E. Something else

What plans do you have to use IPv6?
A. I don't care about IPv6 at all
B. I'll implement IPv6, but not for years
C. Planning to implement it within a year
D. Planning to implement it sooner than a year
E. I am already using IPv6

Scary SSL Attacks

Man in the Middle

Diagram: Target using https://gmail.com <-- HTTPS --> Attacker (Cain: fake SSL certificate) <-- HTTPS --> To Internet

Warning Message

Certificate Errors

The message indicates that the Certificate Authority did not validate the certificate
BUT a lot of innocent problems cause those messages:
Incorrect date settings
Name changes as companies are acquired

Most Users Ignore Certificate Errors

Link SSL-1 on my CNIT 125 page

Fake SSL With No Warning

Impersonate a real Certificate Authority
Use a Certificate Authority in an untrustworthy nation
Trick browser maker into adding a fraudulent CA to the trusted list
Use a zero byte to change the effective domain name
Wildcard certificate

Impersonating Verisign

Researchers created a rogue Certificate Authority certificate by finding MD5 collisions, using more than 200 PlayStation 3 game consoles

Link SSL-2

Countermeasures

Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes) in certificates issued after January, 2009
Earlier, vulnerable certificates would be replaced only if the customer requested it

Link SSL-4

FIPS 140-1 (from 2001) did not recognize MD5 as suitable for government work

Links SSL-5, SSL-6, SSL-7

CA in an Untrustworthy Nation

Link SSL-8

Unknown Trusted CAs

An unknown entity was apparently trusted for more than a decade by Mozilla
Link SSL-9

Zero Byte Terminates Domain Name

Just buy a certificate for Paypal.com\0.evil.com

Browser will see that as matching paypal.com

Link SSL-10
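An added illustration, not from the slides: a Python hostname check that reproduces the NUL-truncating comparison the slide describes beside a length-aware version that refuses zero bytes and limits wildcards to a single leftmost label. The certificate subject names are constructed samples, not real certificates.

```python
"""Certificate hostname matching: the NUL-truncating comparison the slide
describes, beside a length-aware check that refuses embedded zero bytes.
All names below are constructed examples; nothing is fetched from the network."""


def _labels_match(pattern: str, hostname: str) -> bool:
    """Compare a certificate name against a hostname label by label.
    A '*' is honoured only as the whole leftmost label, matches exactly one
    label, and needs at least two fixed labels after it ('*.com' is refused)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2 or any(not lbl for lbl in p + h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def truncating_match(cert_name: bytes, hostname: str) -> bool:
    """The flawed check: the subject name is treated as a C string, so
    everything after the first NUL byte is silently ignored."""
    visible = cert_name.split(b"\x00", 1)[0]
    return _labels_match(visible.decode("ascii", "replace"), hostname)


def strict_match(cert_name: bytes, hostname: str) -> bool:
    """The corrected check: honour the encoded length of the name and
    refuse any name containing a NUL byte outright."""
    if b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    return _labels_match(name, hostname)


if __name__ == "__main__":
    # Constructed subject name of the kind the slide describes.
    rogue = b"paypal.com\x00.evil.com"
    print("truncating:", truncating_match(rogue, "paypal.com"))  # True (fooled)
    print("strict:    ", strict_match(rogue, "paypal.com"))      # False
```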
