SSL and HTTPS
=============

Administrivia
    Lab 4 is posted.
    Get started on lab 4 early if you haven't worked with Javascript before.

Overall problem: security in the presence of a network adversary.
    Web browser communicates with web servers via network.
    Unlike last lecture, consider adversaries that intercept, modify packets.
    Turns out this is a good model for many situations:
	Nearby adversaries can intercept packets on wired, wireless networks.
	Adversaries can often spoof packets from arbitrary sources.
    How to build secure systems in the presence of such adversaries?

Recall: two kinds of encryption schemes.
    Let c denote the ciphertext, p is plaintext, E is encrypt, D is decrypt
    Symmetric key cryptography means same key is used to encrypt & decrypt
	c = E_k(p)
	p = D_k(c)
    Asymmetric key (public-key) cryptography: encrypt & decrypt keys differ
	c = E_PK(p)
	p = D_SK(c)
	PK and SK are called public and secret (private) key, respectively
    Public-key cryptography is orders of magnitude slower than symmetric
    We will look at the internals of these algorithms in a later lecture.

    Encryption provides data secrecy, often also want integrity.
    Message authentication code (MAC) with symmetric keys can provide integrity.
	Look up HMAC if you're interested in more details.
    Can use public-key crypto to sign and verify, almost the opposite:
	Use secret key to generate signature (compute D_SK)
	Use public key to check signature (compute E_PK)

How to secure network communication with cryptography?  (Simple sketch.)
    Suppose two computers already have a shared secret key.
	Use symmetric encryption and MAC to encrypt, authenticate messages.
	Adversary cannot decrypt or tamper with messages.
    What can we do if two computers don't have a shared secret?
    One possibility: two computers know each other's public keys.
	Use public-key encryption (expensive) to exchange symmetric keys.
	Strawman: A picks symmetric key, encrypts with PK_B, sends to B.
	Now fall back to symmetric encryption/MAC case.
    What can go wrong with strawman?
	Adversary can impersonate A, by sending another symmetric key to B.
	Possible solution (one of many; if B cares who A is):
	    B also chooses and send a symmetric key to A, encrypted with PK_A.
	    Then both A and B use a hash of the two keys combined.
	Adversary can later obtain SK_B, decrypt symmetric key and all messages.
	Solution: use a key exchange protocol like Diffie-Hellman,
		  which provides forward secrecy.
    What if neither computer knows each other's public key?
	Common approach: use a trusted third party to generate certificates.
	Certificate is tuple (name, pubkey), signed by certificate authority.
	Meaning: certificate authority claims that name's public key is pubkey.
	If both parties trust certificate authority, can obtain public keys.

Plan for securing web browsers: HTTPS
    New protocol: https instead of http (e.g., https://www.paypal.com/).
    1. How to ensure data is not sniffed or tampered with on the network?
	Use SSL (a cryptographic protocol that uses certificates).
	SSL encrypts and authenticates network traffic.
    2. How to ensure that we are talking with the right server?
	SSL certificate name must match hostname in the URL
	In our example, certificate name must be www.paypal.com.
	What happens if adversary tampers with DNS records?
	    Good news: security doesn't depend on DNS.
	    We already assumed adversary can tamper with network packets.
	    Wrong server will not know correct private key matching certificate.
    3. How to ensure client-side Javascript cannot be used to subvert security?
	Origin (from last lecture's same-origin policy) includes the protocol.
	http://www.paypal.com/ is different from https://www.paypal.com/
	Here, we care about integrity of data (e.g., Javascript code).
	Non-HTTPS pages cannot tamper with HTTPS pages.
	Rationale: non-HTTPS pages could have been modified by adversary.
    4. How to ensure user credentials are not sent to wrong server?
	Certificates play a big role in differentiating between servers.
	Cookies (common form of user credentials) have a "Secure" flag.
	Secure cookies can only be sent with HTTPS requests.
	Non-Secure cookies can be sent with HTTP and HTTPS requests.
    5. Finally, users can enter credentials directly.  How to secure that?
	Lock icon in the browser tells user they're interacting with HTTPS site.
	Browser should indicate to the user the name in the site's certificate.
	User should verify site name they intend to give credentials to.
	Often, this fails, for technical & social reasons, leading to phishing.

How can this plan go wrong?
    As you might expect, every step above can go wrong.
    Not an exhaustive list, but gets at problems that ForceHTTPS wants to solve.

1. Cryptography.
    There have been some attacks on the cryptographic parts of SSL.
    But, cryptography is rarely the weakest part of a system.

2. Authenticating the server.
    Certificates can be relatively easy to obtain.
	Many years ago, used to require a faxed request on company letterhead.
	Now often requires receiving secret token at root@domain.com or similar.
	Security depends on the policy of least secure certificate authority.
	There are ~100 trusted certificate authorities in most browsers.
    SSL implementations have bugs in verifying certificate names.
	Certificate contains length (in bytes) followed by that many name bytes.
	Many C implementations store names as standard C strings.
	Some CAs would provide certificates for www.paypal.com\0.attacker.com.
	To non-C code (e.g., Java), looks like a valid attacker.com subdomain.
    Users ignore certificate mismatch errors.
	Despite certificates being easy to obtain, many sites misconfigure them.
	Some don't want to deal with (non-zero) cost of getting certificates.
	Others forget to renew them (certificates have expiration dates).
	End result: browsers allow users to override mismatched certificates.

3. Mixing HTTP and HTTPS content.
    Web page origin is determined by the URL of the page itself.
    Page can have many embedded elements:
	Javascript via <SCRIPT> tags
	CSS style sheets via <STYLE> tags
	Flash code via <EMBED> tags
	Images via <IMG> tags
    Each element has its own URL, which can have different origin from page.
    If adversary can tamper with these elements, could control the page.
	In particular, Javascript, CSS, and Flash code give control over page.
    Probably the developer wouldn't include Javascript from attacker's site.
    But, if the URL is non-HTTPS, adversary can tamper with HTTP response.

4. Protecting cookies.
    Web application developer could make a mistake, forgets the Secure flag.
    User visits http://bank.com/ instead of https://bank.com/, leaks cookie.

    Suppose the user only visits https://bank.com/.  Why is this a problem?
    Adversary can cause another HTTP site to redirect to http://bank.com/.
    Even if user never visits any HTTP site, application logic might be buggy.
	E.g., gmail uses XMLHttpRequest to talk to Google's servers.
	Initially tried HTTPS, but if that failed, fell back to HTTP.
	Adversary can easily make the HTTPS request fail..
	(This particular bug is no longer there, I believe.)

5. Users directly entering credentials.
    Phishing attacks.
    Users don't check for lock icon.
    Users don't carefully check domain name, don't know what to look for.
	E.g., typo domains (paypa1.com)
    Web developers put login forms on HTTP pages (target login script is HTTPS).
	Adversary can modify login form to point to another URL.
	Login form not protected from tampering, user has no way to tell.

How can we address some of these problems?
    ForceHTTPS (this paper):
	A flag that a server can set for itself.
	- Makes SSL certificate misconfigurations into a fatal error.
	- Redirects HTTP requests to HTTPS.
	- Prohibits non-HTTPS embedding (+ performs ForceHTTPS for them).
	What problems does this solve?  Mostly 2, 3, and to some extent 4.
	Is this really necessary?  Yes for 2, maybe not strictly so for 3, 4.
    Better tools / better developers to avoid programming mistakes.
	Mark all sensitive cookies as Secure (#4).
	Avoid any insecure embedding (#3).
	Unfortunately, seems error-prone..
	Does not help end-users (requires developer involvement).
	Just marking a cookie as "Secure" in browser is often insufficient.
	    E.g., Google's login service creates new cookies on request.
	    Login service has its own (Secure) cookie.
	    Can request login to a Google site by loading login's HTTPS URL.
	    Login page may redirect to a HTTP URL with non-Secure cookie.
	    ForceHTTPS solves problem by redirecting HTTP URLs to HTTPS.
	    http://blog.icir.org/2008/02/sidejacking-forced-sidejacking-and.html
    EV certificates.
	Trying to address problem 5: users don't know what to look for in cert.
	In addition to URL, embed the company name (e.g., "PayPal, Inc.")
	Typically shows up as a green box next to the URL bar.
	Why would this be more secure?
	When would it actually improve security?
	Might indirectly help solve #2, if users come to expect EV certificates.

Implementing ForceHTTPS
    The ForceHTTPS bit is stored in a cookie.
    Interesting issues:
	State exhaustion (the ForceHTTPS cookie getting evicted).
	Denial of service (force entire domain; force via JS; force via HTTP).
	Bootstrapping (how to get ForceHTTPS bit; how to avoid privacy leaks).
	    Possible solution 1: DNSSEC.
	    Possible solution 2: embed ForceHTTPS bit in URL name (if possible).

Current status of ForceHTTPS:
    Some ideas from ForceHTTPS are being adopted into standards.
    HTTP Strict-Transport-Security header is similar to a ForceHTTPS cookie.
	Turns HTTP links into HTTPS links.
	Prohibits user from overriding SSL errors (e.g., bad certificate).
	Optionally prohibits insecure embedding.
	Optionally provides an interface for users to manually enable it.