Summary
Transport Layer Security (TLS) is the standard protocol that is responsible for providing secure communication over the internet, including securing the unencrypted HTTP protocol to form HTTPS. As such it is used to secure a wide variety of services and applications. Therefore, vulnerabilities and misconfigurations in TLS can have catastrophic consequences. This module covers basics about the inner workings of TLS, as well as famous TLS attacks and common misconfigurations.
In more detail, this module covers the following:
- Introduction to HTTPS/TLS
  - What is TLS and how does it relate to HTTPS?
  - Theoretical background knowledge about public key infrastructure (PKI)
  - Overview of the TLS 1.2 handshake and how TLS sessions are established
  - Overview of the TLS 1.3 handshake
- Padding Oracle Attacks
  - What are padding oracles?
  - How to identify padding oracles
  - How to exploit padding oracles
  - What is a Bleichenbacher attack?
- TLS Compression
  - Introduction to TLS compression
  - Attacks on TLS compression
- Heartbleed Bug
  - What is the Heartbleed bug?
  - How to identify & exploit the Heartbleed bug
- Misc Attacks
  - What is SSL Stripping?
  - How can we prevent SSL Stripping?
  - Overview of cryptographic attacks against TLS
  - What are Downgrade attacks?
- TLS Best Practices
  - What are best practices for TLS servers?
  - How can we test the TLS configuration of TLS servers?
CREST CPSA/CRT-related Sections:
- All sections
CREST CCT APP-related Sections:
- All sections
CREST CCT INF-related Sections:
- All sections
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading", but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.
A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:
- Web Requests
- Introduction to Web Applications
Introduction to HTTPS/TLS
The Hypertext Transfer Protocol (HTTP) is an application layer protocol used to access resources on the internet. Since HTTP transmits data in plaintext, it cannot provide confidentiality, integrity, or authenticity of the transmitted data. To overcome these shortcomings of HTTP, the Hypertext Transfer Protocol Secure (HTTPS), also called HTTP over TLS, was created. The Transport Layer Security (TLS) protocol and its predecessor, the Secure Sockets Layer (SSL) protocol, are cryptographic protocols that provide secure communication over the internet by encrypting traffic.
Encryption can generally be applied at different levels. These include encryption-at-rest, encryption-in-transit, and end-to-end encryption. Encryption-at-rest means that data is stored in an encrypted form to prevent unauthorized access. An example would be hard drive encryption. When encryption-in-transit is applied, data that is transmitted is encrypted before transmission and decrypted after reception to prevent unauthorized access during the transmission. This module focuses on encryption-in-transit since TLS applies encryption-in-transit. Lastly, end-to-end encryption encrypts data from the true sender to the final recipient such that no other party can access the data.
To illustrate the difference from encryption-in-transit, consider Alice, who wants to send an e-mail to Bob. If they use end-to-end encryption, Alice encrypts the e-mail and sends it to Bob, who decrypts it to access the e-mail. No intermediary servers that the encrypted e-mail is routed over can access it. When TLS and thus encryption-in-transit is used, Alice encrypts the e-mail and sends it to her mail server, which decrypts it and re-encrypts it to forward it to the next server, and so on until the final server sends it to Bob. This protects the e-mail from any unauthorized access during transit, but all intermediary servers can access the e-mail in plaintext, while only Alice and Bob can access the e-mail if end-to-end encryption is used.
The main purpose of this module is to provide insights into web cryptography protocols, how they work, and what vulnerabilities can arise when using them. Generally speaking, finding vulnerabilities in protocols is more challenging compared to finding vulnerabilities in individual web applications. That is because protocols such as HTTPS and TLS have been designed with security in mind and revised multiple times to tackle potential security issues. However, if there are security issues in protocols, the impact is generally much higher as well since a huge number of services are affected. Oftentimes, security issues on HTTPS or TLS are not specification flaws but implementation flaws. That means that specific implementations of the protocol do not implement the protocol correctly or deviate slightly which can create security issues.
TLS Overview and Version History
What is TLS?
TLS and before it SSL are widely used to secure communication on the internet, including email, file transfer, and web browsing. TLS was developed to address the weaknesses in SSL and has undergone several revisions over the years, each of which has introduced new features and improvements to the protocol. Today, TLS is the standard protocol for secure communication on the internet.
In the network protocol stack, TLS sits between TCP and the application layer, which can be any application layer protocol such as HTTP, SMTP, or FTP. TLS is transparent for the application layer protocol, meaning the application layer protocol does not need to know if TLS is implemented or not. In particular, TLS takes care of all cryptographic operations, so the application layer protocol can operate the same regardless of whether TLS is used or not.
Version History
SSL was first developed by Netscape in the mid-1990s as a way to secure communication over the internet. It quickly became the standard protocol for secure communication and was widely adopted by web browsers and servers. There are three major versions of SSL:
- SSL 1.0: This was the initial version of SSL. It was never released to the public due to serious security flaws.
- SSL 2.0: This was the first SSL version that became widely used. It was released in 1995. However, it suffered from multiple serious specification flaws that made it impractical to use in some cases and susceptible to cryptographic attacks.
- SSL 3.0: This was the last version of SSL. It is a full redesign of the 2.0 version that fixed the specification flaws. However, from today's perspective, it relies on deprecated cryptographic algorithms and is vulnerable to a variety of attacks.
In response to weaknesses in SSL, the TLS protocol was developed to replace it. TLS was designed to address the vulnerabilities in SSL and to provide stronger encryption and authentication for secure communication. Like SSL, TLS has undergone several revisions, each of which has introduced new features and improvements to the protocol. Some of the key versions of TLS include:
- TLS 1.0: This was the first version of TLS and was released in 1999. It was based on SSL 3.0 and included many of the same features as SSL, but with additional security enhancements.
- TLS 1.1: This version of TLS was released in 2006 and introduced several important improvements to the protocol, including support for new cryptographic algorithms and protection against attacks such as man-in-the-middle attacks (aka On-Path Attacks).
- TLS 1.2: This version of TLS was released in 2008 and introduced further security enhancements, including support for stronger cryptographic algorithms and better protection against attacks. It also introduced new features such as the ability to negotiate the use of compression during the handshake process.
- TLS 1.3: This is the latest version of TLS, released in 2018. It includes significant improvements to the protocol, including faster performance, stronger encryption, and better protection against attacks. It also includes a simplified handshake process and the ability to negotiate the use of encryption during the handshake process.
In this module, we will discuss attacks that broke certain SSL/TLS protocol versions completely, including SSL 2.0 and SSL 3.0.
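On the wire, each of the versions listed above is a two-byte code in the client's first handshake message. The following added example (not part of the original module) goes one step beyond the text and parses a ClientHello record to list the versions a client offers, flagging legacy ones. The function names, the TLS 1.2 policy floor, and the sample bytes built by `build_client_hello` are assumptions made for illustration.

```python
import struct

# Wire codes of the versions in the history above (from the SSL/TLS specifications).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}  # assumption: policy floor is TLS 1.2
EXT_SUPPORTED_VERSIONS = 43  # body: 1-byte list length, then 2-byte version codes

def offered_versions(record):
    """Versions a ClientHello offers (supported_versions replaces the legacy field)."""
    ctype, _rec_version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    pos = 4                                   # message type + 3-byte length
    (legacy_version,) = struct.unpack_from("!H", body, pos)
    pos += 2 + 32                             # version field + client random
    pos += 1 + body[pos]                      # session id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher suites
    pos += 1 + body[pos]                      # compression methods
    versions = [legacy_version]
    if pos < len(body):                       # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SUPPORTED_VERSIONS:
                versions = [v for (v,) in struct.iter_unpack("!H", data[1:1 + data[0]])]
            pos += 4 + ext_len
    return [VERSIONS.get(v, f"unknown 0x{v:04x}") for v in versions]

def legacy_offers(record):
    """Versions in the offer that fall below the assumed policy floor."""
    return [v for v in offered_versions(record) if v in LEGACY]

def build_client_hello(legacy, supported=()):
    """Constructed sample input for the parser, not captured traffic."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(lst) + 1, len(lst)) + lst
        ext = struct.pack("!H", len(ext)) + ext
    hello = (struct.pack("!H", legacy) + bytes(32) + b"\x00"      # version, random, no session id
             + b"\x00\x02\x13\x01" + b"\x01\x00" + ext)           # one cipher suite, null compression
    msg = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(msg)) + msg
```

A TLS 1.3 client still writes the TLS 1.2 code into the legacy version field, which is why the parser reads the `supported_versions` extension when it is present.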
What is HTTPS?
Now that we have a basic understanding of what TLS is, let's discuss how TLS relates to HTTPS. HTTPS works the same as HTTP; however, in HTTPS, TLS is contained in the protocol stack. That means HTTPS traffic is encrypted and integrity protected, thus preventing attackers from eavesdropping on or manipulating data. While HTTP uses the protocol scheme http:// and targets port 80 by default, HTTPS uses https:// and targets port 443. Although there are different HTTP versions, HTTPS only means that the HTTP traffic is encapsulated in TLS. Thus, there are no dedicated HTTPS versions.
Introduction to TLS Attacks
The Transport Layer Security (TLS) protocol and its predecessor, the Secure Sockets Layer (SSL) protocol, are cryptographic protocols that provide secure communication over the internet. TLS protects the confidentiality, integrity, and authenticity of transmitted data. To provide these security services, TLS utilizes a combination of cryptographic algorithms such as symmetric encryption, asymmetric encryption, and Message Authentication Codes (MACs).
In this module, we will take a closer look at TLS to gain a broad understanding of how TLS works and what things to look out for when testing TLS configurations. We will discuss common TLS security vulnerabilities to understand what misconfiguration or bugs caused them. Finally, we will discuss how to detect, exploit, and prevent each of these attacks as well as common misconfigurations regarding TLS servers.
Padding Oracle Attacks
The first type of TLS attacks discussed in this module are Padding Oracle attacks. Padding oracle attacks exploit vulnerable servers that leak information about the correctness of the padding after decrypting a received ciphertext. These attacks can enable an attacker to fully decrypt a ciphertext without knowledge of the encryption key. Examples of Padding Oracle attacks on TLS are the POODLE, DROWN, and Bleichenbacher attacks.
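The leak described above usually comes from a server that reports a padding failure differently from an integrity failure. The following added example (not part of the original module) shows such a check beside a version with a single failure response. It assumes PKCS#7-style padding and an HMAC-SHA256 tag appended before padding; the CBC decryption step is omitted, so the input stands for the already decrypted buffer, and all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK, MAC_LEN = 16, 32

def seal(data, key):
    """Constructed sample input: data || HMAC || PKCS#7 padding (encryption omitted)."""
    body = data + hmac.new(key, data, hashlib.sha256).digest()
    n = BLOCK - len(body) % BLOCK
    return body + bytes([n]) * n

def check_padding(buf):
    """Strip padding: last byte n must be 1..BLOCK and the last n bytes all equal n."""
    n = buf[-1] if buf else 0
    if not 1 <= n <= BLOCK or len(buf) < n or buf[-n:] != bytes([n]) * n:
        raise ValueError("padding")
    return buf[:-n]

def open_leaky(decrypted, key):
    """Distinct responses for padding and MAC failures: this difference is the oracle."""
    try:
        body = check_padding(decrypted)
    except ValueError:
        return b"ERR bad padding"
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        return b"ERR bad mac"
    return b"OK " + data

def open_uniform(decrypted, key):
    """Same checks, but every failure produces one indistinguishable response."""
    ok = True
    try:
        body = check_padding(decrypted)
    except ValueError:
        ok, body = False, decrypted   # still compute the MAC so both paths do similar work
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    ok &= hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest())
    return b"OK " + data if ok else b"ERR decrypt failed"
```

A uniform response removes only the error-message signal; timing differences are a separate channel, which is one reason AEAD cipher suites are preferred over CBC-mode suites.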
Compression Attacks
The second type of TLS attacks discussed in this module are compression attacks. Compression can be applied at the HTTP level or TLS level to increase the performance of data transmission. However, incorrectly configured servers can be exploited, resulting in the leakage of encrypted information such as session cookies or CSRF tokens. Examples of compression-based attacks on TLS are the CRIME and BREACH attacks.
Misc Attacks & Misconfigurations
The last type of TLS attacks discussed in this module are various other attacks that exploit misconfigurations or bugs. A famous example is the Heartbleed bug that exploits a missing length validation in the OpenSSL library, which can lead to a complete server takeover via private key leakage. We will also discuss different TLS misconfigurations that can weaken TLS security by using insecure cryptographic primitives.