on Mon Aug 17 2020
In 1994, Netscape invents and implements SSL, and HTTPS on top of it.
In 1999, the IETF adopts SSL 3.1, known as TLS 1.0.
In 2008, TLS 1.2 (SSL 3.3).
Cryptography involves two types of encryption: symmetric encryption (for example, locking a file with a password, where the same password is used to lock and unlock it) and public key encryption.
Randomness is an important concept. If an encryption key is generated on a per-connection basis, how do we safely share the key? The solution is public key cryptography.
For the key exchange, the server sends its public key and certificate to the client.
Client and server compare the ‘cipher suites’.
The session key is generated by the client and encrypted with the server’s public key, so only the server can read it.
The session key is what is used for the encrypted data exchange.
One of the most used libraries is OpenSSL. To generate a self-signed certificate:
1. Generate a private key
2. Generate a public key from the private key
3. Make a new certificate signing request (.csr)
4. Sign the certificate with your private key
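The four steps above as openssl commands, followed by two checks on the result. This is an added example, not part of the original notes; the file names, the 2048-bit RSA key, the 365-day validity and the subject example.test are assumptions.

```shell
#!/bin/sh
# Added example: file names and the subject CN are placeholders (assumptions).

make_self_signed() {
    dir=$1; cn=$2
    # 1. Generate a private key (2048-bit RSA) and keep it owner-readable only
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    # 2. Generate the public key from the private key
    openssl rsa -in "$dir/server.key" -pubout -out "$dir/server.pub" 2>/dev/null || return 1
    # 3. Make a new certificate signing request (.csr)
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # 4. Sign the request with the same private key (this makes it self-signed)
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 365 -out "$dir/server.crt" 2>/dev/null || return 1
}

# Succeeds only if the certificate ($1) carries the public key of the private key ($2)
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Succeeds only if issuer and subject of the certificate ($1) are identical
is_self_issued() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

workdir=$(mktemp -d)
make_self_signed "$workdir" example.test &&
    cert_matches_key "$workdir/server.crt" "$workdir/server.key" &&
    is_self_issued "$workdir/server.crt" &&
    echo "self-signed certificate written to $workdir/server.crt"
```

Because issuer and subject are the same, no CA vouches for this certificate; clients trust it only if it is installed explicitly.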
In HTTPS downgrading (where the browser initiates HTTP and the server redirects to HTTPS), the attacker takes the client's initial HTTP connection request and initiates the HTTPS connection itself, so the session key is generated by the attacker.
To defend against downgrading:
Bookmarks and browser autocomplete keep the https URL
Search engines favor HTTPS
Browser plugins attempt a ‘secure upgrade’ whenever possible
Downgrading can happen with a bad certificate as well, by taking advantage of the Server Name Indication (SNI) extension to TLS, which allows attackers to see the hostname a client wants to talk to.
An HTTP response header can be added to forbid browsers from making plain HTTP requests to your domain:
Strict-Transport-Security: max-age=3152627; includeSubDomains
But for this to work, the initial response has to happen. To cover the initial request, add the domain to the public HSTS preload list (hstspreload.org). Browser vendors include the list of all preloaded domains in their source code when new updates are released. This forbids the user from making plain HTTP requests to the domain.
If a certificate authority (CA) is compromised, an attacker can get a certificate issued for a domain and use it.
The defense against such an attack is HTTP Public Key Pinning (HPKP):
Public-Key-Pins: pin-sha256="
For the specified amount of time, browsers will continue to assert that the certificate for your domain matches pin-sha256. The pin value is known as a public key fingerprint.