HTTPS and TLS Tales

[00:00:00] Hey, it's Ahmad here. I know what you're thinking that we know what is the difference between a city

[00:00:07] P.N.H.T.T.P.S. and we are not bringing something new to the table but today I was thinking

[00:00:13] that I wanted this episode to be a reminder of why we moved from a city P to a city P.S. and then

[00:00:21] what happened later where attackers and researchers found several weaknesses in TLS and we should

[00:00:28] not ignore the implementation of part of the protocol. I hope you find it interesting.

[00:00:41] You're listening to this cyber-rhythm where we decipher the offensive and defensive side of

[00:00:48] the cyber route.

[00:00:50] Ahmad Almorabea.

[00:01:03] Okay, so let's start with the basics.

[00:01:05] A city P or a hybrid transfer protocol is the foundation of data communication on the

[00:01:11] worldwide web but the internet evolved.

[00:01:15] The need for secure communication became crucial leading to the birth of H.C.T.B.S or H.T.T.P.

[00:01:22] Secure.

[00:01:23] The S here is what makes all the difference.

[00:01:27] Turning standard and secure communication into a secure channel but how that's what we are

[00:01:32] unpacking today.

[00:01:33] The heart of H.T.B.S lies in encryption.

[00:01:37] encryption is like a secret code that only the intended recipient can understand.

[00:01:42] In STTPS we use two types, symmetric and asymmetric.

[00:01:48] Symmetric encryption uses the same key to encrypt and decrypt data.

[00:01:52] I can to assure it's secret.

[00:01:54] Symmetric encryption on the other hand uses two keys.

[00:01:59] I'll probably key for encryption and private key for decryption.

[00:02:02] Here I'm talking in a generic way.

[00:02:04] I don't want to go in details of the encryption and protocols itself because I do

[00:02:09] want you to be bored but if you want, I can make an episode and maybe we talk about it

[00:02:16] in the future.

[00:02:17] Now H.T.T.P.S doesn't just use any encryption.

[00:02:21] It uses TLS, transport layer security.

[00:02:23] This protocol ensures that the data you send that receive is encrypted and secure.

[00:02:28] The TLS hand shake process you don't see but happens every time you visit an H.T.B.S website.

[00:02:34] Establishes a secure connection using these encryption methods.

[00:02:38] An integral part of H.T.B.S is the TLS certificates.

[00:02:41] These certificates are issued by certificate authorities and serve as the digital passport

[00:02:47] for websites, proving their authenticity there are different levels of validation for

[00:02:52] these certificates from domain validated one which the most basic to extended validation

[00:02:59] which is the most rigorous.

[00:03:01] This process ensures you are talking to the actual website you think you are talking

[00:03:05] to, not an imposter.

[00:03:07] Apart from encryption, H.T.P.S also ensures data integrity.

[00:03:11] This means the data sent and received remains an altered during transit.

[00:03:16] It makes like hashing a message authentication code, aka Max, play a vital role here.

[00:03:22] Acting as digital seals that alert if data has been tampered with.

[00:03:27] Additional security features of H.T.P.S.

[00:03:29] So H.T.P.S also include features like H.S.T.S which forces browsers to use secure connections

[00:03:37] and perfect forward secrecy.

[00:03:39] I want to talk more about perfect forward secrecy because I think it's an integral part

[00:03:44] in nowadays communication but maybe in a future episode.

[00:03:48] So in short, perfect forward secrecy will just ensure that even if one set of keys is compromised

[00:03:54] past sessions remain secure another feature is O.C.S.P. Stabling, away to effectively validate

[00:04:01] certificates.

[00:04:02] One of the most widely used tools for implementing H.T.P.S. is Opened to Cell.

[00:04:07] This open source software library provides robust SSL and TLS protocols for secure

[00:04:12] communication.

[00:04:13] However, its history hasn't been without hiccups.

[00:04:17] Let's talk about the Harplyed Bug.

[00:04:18] A name that sent chalk waves throughout the internet in 2014.

[00:04:23] This severe vulnerability in Opened to Cell allowed attackers to read the memory of systems

[00:04:28] protected by affected version of Opened to Cell software library.

[00:04:33] This breach exposed the crucial fact that no system is secure and continuous vigilance

[00:04:39] is key in cybersecurity.

[00:04:43] Let's look at some real world examples.

[00:04:45] One notable case was the DG Noter Bridge in 2011.

[00:04:49] DG Noter, a Dutch certificate authority was compromised leading to the issuance of fraud

[00:04:55] length certificates.

[00:04:56] This breach allowed attackers to impersonate legitimate websites, investigating the catastrophic

[00:05:02] consequences of compromising CA, or certificate authority.

[00:05:06] These examples highlight importance of proper H.T.P.S. implementation.

[00:05:11] It's not just about using the protocol itself.

[00:05:13] It's about configuring it correctly, staying updated with the latest security batches

[00:05:18] and continuously monitoring for vulnerabilities.

[00:05:21] The evolution of cyber threats means that what security they may not be secure tomorrow.

[00:05:27] Regular audits, understanding the latest and cyber security and being proactive about

[00:05:31] security measures are crucial for any organization.

[00:05:34] While we've discussed about some general vulnerabilities in HTTPS and its components, let's

[00:05:39] focus now on specific attacks targeting TLS, version 1.1 and 1.2.

[00:05:45] These versions of TLS while more secure than their predecessor have not been immune to

[00:05:50] sophisticated cyber attacks.

[00:05:52] First, let's discuss about Beast Attack, which is BEST attack, which primarily targeted

[00:05:57] TLS 1.0 but also had implication of TLS 1.1.

[00:06:02] Beast or browser exploit against SSL and TLS and build in 2011.

[00:06:08] It's an encryption mode that TLS uses and even ASNDS use.

[00:06:16] It's a type of mode like you have several modes like you have CBC, you have ECB and you

[00:06:20] have a lot of them.

[00:06:21] You have CTR as well.

[00:06:23] So the problem was using this method in these TLS versions by using this exploits.

[00:06:29] Attackers could decrepate exchange between the users browser and web server while TLS 1.1

[00:06:35] was less susceptible due to its implementation of explicit IV or initialization vector.

[00:06:41] The attack highlighted the need for consistent vigilance in cryptographic protocols.

[00:06:47] Next, let's look at the crime and breach attacks.

[00:06:50] Both of these exploited abnormality in the compression mechanism of TLS, crime disclosed

[00:06:55] in 2012, leveraged a compression feature to unveil sensitive information like session cookie,

[00:07:01] breach revealed in 2003 targeted HTTP compression at different layers, but effectively exploited

[00:07:08] the same formability in TLS 1.1 and 1.2.

[00:07:12] These attacks showed the even non cryptographic components in the protocol could introduce significant

[00:07:18] vulnerabilities.

[00:07:19] Another significant vulnerabilities came to light with the Boudre, which is P-O-O-D-L-A attack,

[00:07:26] which previously mentioned primary target SSL 3.0.

[00:07:32] However, it also affected servers that fall back to SSL 3.0 from TLS 1.0 and above.

[00:07:39] This emphasized the risks of using outdated protocols and the importance of proper

[00:07:44] configuration to prevent protocol downgraded attacks.

[00:07:47] I know that most of these attacks are an advantage day, but I want you to know that there

[00:07:53] are attacks when a protocol that everyone uses every day without they know about.

[00:07:58] People think that using HTTP SWP sites is enough, but they don't know about

[00:08:03] other misconfigurations and problems in the protocol.

[00:08:07] Think about some providers uses algorithm with low key space.

[00:08:11] There is also an encrypted connection or a secure tunnel, but the usage of a secure version

[00:08:16] or small key size of the algorithm itself could lead to an attacker, capture your session,

[00:08:21] and try to decryptate offline.

[00:08:23] I'm not saying that it happens every day, and I'm not saying that there are someone who

[00:08:28] want to check your connection and just keep packable with it, but implementing this to your

[00:08:33] service could lead to people trying to find bugs in your product starting from these things,

[00:08:38] or entry point if you may.

[00:08:41] TORROW UP. TLS 1.1 and 1.2 while significant advancement in secure communication

[00:08:47] have not been without their challenges as we advance in the cyber security world.

[00:08:51] It's crucial to learn from these vulnerabilities and stay ahead of potential threats,

[00:08:56] whether you are web developer or a secure professional or just a concerned internet user.

[00:09:01] Understanding these issues is key to a safer online experience.

[00:09:06] Now, we are using TLS 1.3, most of these attacks will not be valid, but at least knowing about

[00:09:12] them will give you an idea of what's going on in the cyber world.

[00:09:16] And don't think that attackers wouldn't stop at TLS 1.3 because wait for it and you will see

[00:09:22] you attacks into wild. So, if you reach this point, it means that you are really interested about

[00:09:28] this topic, and I wanted to say one thing. You know, the cyber-riddler podcast is now one year old.

[00:09:36] I started the podcast in January 2023 and it was great seeing people reacting to the podcast.

[00:09:44] Thank you all for supporting the podcast and recommending it for everyone.

[00:09:48] I couldn't do this without you guys, and I hope this podcast was something new in your life,

[00:09:53] or something that changed your opinion a little about some topics in the cyber world.

[00:09:58] With that, I want to leave you with one word. Thank you for supporting me

[00:10:02] and the podcast. See you on the next episode.