Taxonomy of man-in-the-middle attacks on HTTPS

With the increase in Man-in-the-Middle (MITM) attacks capable of breaking Hypertext Transfer Protocol Secure (HTTPS) over the past five years, researchers tasked with the improvement of HTTPS must understand each attacks characteristics. However with the large amount of attacks it is difficult to discern attack differences, with out any existing classification system capable of classifying these attacks. In this paper we provide a framework for classifying and mitigating MITM attacks on HTTPS communications. The identification and classification of these attacks can be used to provide useful insight into what can be done to improve the security of HTTPS communications. The classification framework was used to create a taxonomy of MITM attacks providing a visual representation of attack relationships, and was designed to flexibly allow other areas of attack analysis to be added. The classification framework was tested against a testbed of MITM attacks, then further validated and evaluated at the INTERPOL Global Complex for Innovation (IGCI) with a forensic taxonomy extension, and forensic analysis tool

Estudo do mecanismo de descoberta de vizinhança do IPv6 para realização do ataque man in the middle

We did this presentation in the Undergraduate Workshop at the XVII Brazilian Symposium on Information and Computer Systems Security (SBSeg). The information about the symposium is available at https://sbseg2017.redes.unb.br. Presentation abstract: Due to the increasing demand for a more connected world, the need to transition from IPv4 to IPv6 protocols has become a problem. With IPv6 traffic on the networks, the security of this version of the protocol becomes a target of study, since its predecessor carries with it security flaws. One of the flaws is in its neighborhood discovery mechanism, which allows a “man in the middle” sort of attack. This kind of attack provides improper access to the information that flows on the network. This research analyzed this mechanism of IPv6 to verify if the protocol also brings with it failures that allow this type of attack. For this, we perform experiments that showed that this security flaw persists in IPv6

Attack on WiFi-based Location Services and SSL using Proxy Servers

Wireless LANs are very common in any household or business today. It allows access to their home or business network and the Internet without using wires. Their wireless nature allows mobility and convenience for the user and that opens up a lot of new possibilities in mobile devices such as smartphones and tablets. One application that makes use of wireless LANs is positioning, which can be used in areas where Global Positioning Systems may have trouble functioning or not at all. However, a drawback of using wireless communication is that it is susceptible to eavesdropping and jamming. Once the wireless signal is jammed, an attacker can set up fake access points on different channels or frequencies to impersonate a legitimate access point. In this thesis, this attack is performed specifically to trick WiFi-based location services. The attack is shown to work on Skyhook, Google, Apple and Microsoft location services, four of the major location service providers, and on dual-band hardware. Some countermeasures to such an attack are also presented. The web is an important part of many people’s lives nowadays. People expect that their privacy and confidentiality is preserved when they use the web. Previously, web traffic uses HTTP which meant traffic is all unencrypted and can be intercepted and read by attackers. This is clearly a security problem so many websites now default to using a more secure protocol, namely HTTPS which uses HTTP with SSL, and forces the user to HTTPS if they connect to the no SSL protocol. SSL works by exchanging keys between the client and server and the actual data is protected using the key and the cipher suite that is negotiated between the two. However, if a network uses a proxy server, it works slightly different. The SSL connection is broken up into two separate ones and that creates the potential for man-in-the-middle attacks that allow an attacker to intercept the data being transmitted. This thesis analyzes several scenarios in which an adversary can conduct such a man-in-the-middle attack, and potential detection and mitigation methods

An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS

Transport Layer Security (TLS) is a mature cryptographic protocol, but has flexibility during implementation which can introduce exploitable flaws. New vulnerabilities are routinely discovered that affect the security of TLS implementations. We discovered that discrete logarithm implementations have poor parameter validation, and we mathematically constructed a deniable backdoor to exploit this flaw in the finite field Diffie-Hellman key exchange. We described attack vectors an attacker could use to position this backdoor, and outlined a man-in-the-middle attack that exploits the backdoor to force Diffie-Hellman use during the TLS connection. We conducted an Internet-wide survey of ephemeral finite field Diffie-Hellman (DHE) across TLS and STARTTLS, finding hundreds of potentially backdoored DHE parameters and partially recovering the private DHE key in some cases. Disclosures were made to companies using these parameters, resulting in a public security advisory and discussions with the CTO of a billion-dollar company. We conducted a second Internet-wide survey investigating X.509 certificate name mismatch errors, finding approximately 70 million websites invalidated by these errors and additionally discovering over 1000 websites made inaccessible due to a combination of forced HTTPS and mismatch errors. We determined that name mismatch errors occur largely due to certificate mismanagement by web hosting and content delivery network companies. Further research into TLS implementations is necessary to encourage the use of more secure parameters

The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

In the world's largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales, Australia. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community