Preventing HTTPS Stripping Attacks with SSL/TLS: Workshop Insights

Explore a workshop on SSL/TLS and HTTPS stripping attacks by Zhou Peng and Daoyuan Wu. Learn how sslstrip rewrites HTTPS links into plain HTTP so that a victim's credentials travel in the clear, follow hands-on exercises that show the rewriting in a real page, and see what a user or site can do to stop it.

  • HTTPS Security
  • SSL/TLS Workshop
  • Cybersecurity
  • Web Security
  • Attack Prevention




Presentation Transcript


  1. Workshop 6: SSL/TLS. The HTTPS stripping attacks. Zhou Peng and Daoyuan Wu, 25 April 2014

  2. SSLStrip Background
     The HTTPS stripping steps:
       • Transparently hijacking HTTP traffic
       • Discovering HTTPS links and redirects
       • Mapping HTTPS links into look-alike HTTP links
     References: http://www.thoughtcrime.org/software/sslstrip/index.html

  3. Objectives
       • Provide hands-on experience on attacking HTTPS connections using sslstrip
       • Understand how sslstrip can steal your credentials (e.g., your Facebook username and password)

  4. Overview of This Lab
     Preparation steps:
       • Step 1: Boot your system
       • Step 2: Configure your Firefox browser
     sslstrip attacking steps:
       • Step 3: Download and run sslstrip
       • Step 4: Browse HTTPS web sites
       • Step 5: Analyze how sslstrip intercepts your connections
       • Step 6: Use sslstrip to steal your credentials
     Lab Assignment

  5. Step 1 (Boot your system)
       • Reboot your computer to Mac OS.
       • Find Terminal in Launchpad.
       • Find Firefox in Launchpad.
       • Find the Python 2.7 environment. It should be accessible in Terminal by default (sslstrip 0.9 is Python 2 code, so check the version before continuing). An example:
           $ cd Documents
           Documents $ python sslstrip.py -h

  6. Step 2 (Configure your Firefox browser)
       • Start Firefox via Launchpad.
       • Click Edit > Preferences.
       • Click on Advanced and select the Network tab.
       • Click Settings and select Manual proxy configuration.
       • Configure HTTP Proxy as 127.0.0.1 and the Port as 8080.
       • Please do not enable "Use this proxy server for all protocols".
       • Leave the other entries (including SSL Proxy, FTP Proxy and SOCKS Host) empty.
       • Erase the "No Proxy for" entry.
       • Save your settings.
     Note: in this lab the browser is pointed at sslstrip explicitly, which stands in for the "transparent hijacking" step of a real attack (where the attacker redirects the victim's port 80 traffic to sslstrip, e.g. after ARP spoofing). Only plain HTTP goes through the proxy; because SSL Proxy is left empty, an https:// URL you type yourself goes straight to the server.

  7. Step 3 (Download and run sslstrip)
       • Click Terminal in Mac.
       • Download sslstrip:
           https://docs.google.com/file/d/0B80v2ixuaO4ObDVVUXBxVDJ1LTA/
         or
           http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
       • Decompress sslstrip (into the Documents directory). Use 7zip to unzip sslstrip-0.9.zip, or for the tarball:
           tar -zxf sslstrip-0.9.tar.gz && cd sslstrip-0.9
         (sslstrip needs the Twisted library; if `python sslstrip.py -h` fails with an import error, install Twisted for Python 2.7 first.)
       • Run sslstrip with help (see what options sslstrip supports):
           python sslstrip.py -h
       • Run sslstrip (-a logs all traffic, -w names the log file, -l sets the listening port that Firefox was pointed at):
           python sslstrip.py -a -w log.txt -l 8080

  8. Step 4 (Browse HTTPS web sites)
       1. Input www.google.com in the address bar of the Firefox browser.
       2. After www.google.com is loaded, go to the Terminal that runs sslstrip and press Ctrl+C to terminate sslstrip.
       3. Open the file log.txt and search for "Found secure reference".
       4. How many https links have been found by sslstrip?

  9. Step 5 (Analyze how sslstrip intercepts your connections)
       1. We use apis.google.com as a hint to see how sslstrip intercepts your connections.
       2. In the log file, we can find I.ms="https://apis.google.com"; in the HTML document as it came from the server.
       3. Back in your Firefox browser, right-click a blank area and select View page source.
       4. Search for apis.google.com in the page source: you find I.ms="http://apis.google.com", i.e. the https:// reference was rewritten to http:// before the page reached the browser.
       5. Now, do you know how sslstrip works?
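The rewriting seen in Steps 4 and 5, and the credential capture of Step 6, can be followed offline with the following added example. It is written for this page and is not sslstrip's own code: a Python 3 model of the link-stripping, link-tracking and POST-logging logic, loosely modelled on sslstrip's URLMonitor. The hostnames, the client address 10.0.0.5, the sample HTML and the POST body are constructed, and the log line prefixes ("Found secure reference", "SECURE POST Data") are only an approximation of what the real tool writes.

```python
# Offline model of HTTPS stripping as described in the slides (added example,
# not sslstrip's own code). Python 3, no network; all inputs are constructed.
import re
from urllib.parse import parse_qs, urlsplit

# Absolute https:// references in HTML or JavaScript, including string
# literals such as I.ms="https://apis.google.com" (the hint from Step 5).
SECURE_REF = re.compile(r'https://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>]*)?')


class StripState:
    """Per-client memory of the links the proxy has downgraded.

    Modelled on sslstrip's URLMonitor: a stripped link is remembered so that
    when the victim later requests it over plain HTTP, the proxy fetches the
    real resource over HTTPS itself and relays it back in the clear."""

    def __init__(self):
        self.stripped = set()   # (client, "host/path") pairs
        self.log = []           # what the real tool writes with -w / -p

    def strip_response(self, client, body):
        """Rewrite every https:// reference in a response body to http://.
        (The real tool also removes Accept-Encoding from the client request
        so the body arrives uncompressed and can be searched like this.)"""
        def swap(match):
            url = match.group(0)
            self.log.append("Found secure reference: " + url)
            parts = urlsplit(url)
            self.stripped.add((client, parts.netloc + (parts.path or "/")))
            return "http://" + url[len("https://"):]
        return SECURE_REF.sub(swap, body)

    def strip_redirect(self, client, headers):
        """A 'Location: https://...' redirect would put the victim back on
        TLS, so it gets the same rewrite as page content."""
        location = headers.get("Location", "")
        if location.startswith("https://"):
            headers = dict(headers)
            headers["Location"] = self.strip_response(client, location)
        return headers

    def upstream_scheme(self, client, host, path):
        """How the proxy itself contacts the origin for this client request."""
        if (client, host + path) in self.stripped:
            return "https"
        return "http"

    def handle_request(self, client, method, host, path, body=""):
        """Forwarding decision for one request; a POST to a stripped link is
        the moment the submitted credentials become readable to the proxy."""
        scheme = self.upstream_scheme(client, host, path)
        self.log.append(f"{client} {method} {scheme}://{host}{path}")
        if method == "POST" and scheme == "https" and body:
            self.log.append(f"SECURE POST Data ({host}):\n{body}")
        return scheme


def count_secure_references(log):
    """Step 4: how many https links did the proxy find?"""
    return sum(line.startswith("Found secure reference: ") for line in log)


def extract_credentials(log, fields=("email", "pass")):
    """Step 6: search the log for the form fields the exercise names."""
    found = []
    for line in log:
        if line.startswith("SECURE POST Data"):
            data = parse_qs(line.split("\n", 1)[1])
            found.append({k: data[k][0] for k in fields if k in data})
    return found


def demo():
    """Walk one victim through Steps 4 to 6 with constructed traffic."""
    state = StripState()
    victim = "10.0.0.5"
    # Constructed page: a JS string literal and a login link, both https.
    page = ('<script>I.ms="https://apis.google.com";</script>'
            '<a href="https://www.facebook.com/login.php">Log in</a>')
    rewritten = state.strip_response(victim, page)
    # The victim clicks the (now http://) login link and submits the form.
    state.handle_request(victim, "POST", "www.facebook.com", "/login.php",
                         body="email=alice%40example.com&pass=hunter2")
    return rewritten, count_secure_references(state.log), extract_credentials(state.log)


if __name__ == "__main__":
    html, n, creds = demo()
    print(html)
    print("secure references found:", n)
    print("credentials in log:", creds)
```

Note the two halves of the trick: the victim only ever sees http:// links, while the proxy keeps a per-client record of which of those were originally https so that it can complete the TLS connection on the victim's behalf. Nothing in the victim's browser changes; the padlock is simply never requested.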

  10. Step 6 (Use sslstrip to steal your credentials)
       1. Run python sslstrip.py -p -w logpw.txt -l 8080 in your Terminal (-p logs only the POST data sent to stripped links).
       2. Visit http://www.facebook.com/ using the Firefox browser.
       3. Input some username in the username entry and some password in the password entry. Use throwaway values, not a real account: whatever you type is written to the log file in clear text.
       4. Click Sign in.
       5. Terminate sslstrip with Ctrl+C and read the file logpw.txt.
       6. Search for "email" or "pass" in the log file. What do you find? [Or simply search for the email address you typed.]

  11. Questions
       1. Use sslstrip to intercept your traffic when you visit www.polyu.edu.hk and answer the question: how many HTTPS links have been found, and what are they? (5 marks)
       2. Given that sslstrip can access all your connections to the Internet, and that you will now log in to your Facebook account: how do you prevent sslstrip from stealing your password? (5 marks)
          Hint: sslstrip can only intercept HTTP connections.
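Question 2 turns on the hint: sslstrip never sees a request the browser sends over TLS, so the defense is to keep the browser from ever issuing the plain-HTTP request. Besides typing https:// yourself, the site-side answer is HTTP Strict Transport Security (RFC 6797), which tells the browser to upgrade http:// URLs for that host before they leave. The following added example (written for this page; not from the slides or from sslstrip) models a browser's HSTS store in Python 3, offline. The hostnames, header values, timestamps and the one-entry preload list are constructed. It also shows the edge case the hint points at: a policy delivered over plain HTTP must be ignored, so the very first visit to a site that has not been preloaded is still strippable. (facebook.com is on browsers' built-in preload list today, so a current Firefox will not send http://www.facebook.com at all; Step 6 reflects the situation in 2014.)

```python
# Browser-side model of HTTP Strict Transport Security (RFC 6797), the
# mechanism that denies sslstrip the plain-HTTP request it needs.
# Added example for this page, not browser or sslstrip code. Python 3, no
# network; preload list, hostnames, timestamps and header values are constructed.
import re
from urllib.parse import urlsplit, urlunsplit

MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)
INCLUDE_SUBDOMAINS = re.compile(r'\bincludeSubDomains\b', re.IGNORECASE)


class HstsStore:
    """Hosts the browser has promised to contact only over TLS."""

    def __init__(self, preload=()):
        # host -> (expiry time, include_subdomains); preloaded entries never expire
        self.entries = {h: (float("inf"), True) for h in preload}

    def process_header(self, host, value, now, over_tls):
        """Learn a Strict-Transport-Security header. Returns True if stored."""
        # RFC 6797 section 8.1: the header is ignored on a non-TLS connection,
        # so a stripped (plain HTTP) response can never create an entry.
        if not over_tls:
            return False
        m = MAX_AGE.search(value)
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:            # max-age=0 deletes the entry
            self.entries.pop(host, None)
            return True
        self.entries[host] = (now + max_age, bool(INCLUDE_SUBDOMAINS.search(value)))
        return True

    def is_known(self, host, now):
        """The host itself, or a parent with includeSubDomains, still unexpired."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """What actually leaves the browser: http:// becomes https:// for known hosts."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname, now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url


def strippable(store, url, now):
    """sslstrip can only act on requests that leave the browser as plain HTTP."""
    return urlsplit(store.rewrite(url, now)).scheme == "http"


def demo(now=1_000_000):
    """First visit, relayed header over HTTP, cached policy, and expiry."""
    store = HstsStore()                       # fresh profile, nothing preloaded
    first = strippable(store, "http://www.example.edu/login", now)
    # The attacker relays the origin's header to the victim over plain HTTP:
    # the browser must ignore it, so the victim stays strippable.
    store.process_header("www.example.edu", "max-age=31536000; includeSubDomains",
                         now, over_tls=False)
    still = strippable(store, "http://www.example.edu/login", now)
    # Once the user has reached the site over TLS (e.g. typed https://), the
    # policy is cached and later http:// requests are upgraded before sending.
    store.process_header("www.example.edu", "max-age=31536000; includeSubDomains",
                         now, over_tls=True)
    later = strippable(store, "http://mail.www.example.edu/", now + 3600)
    expired = strippable(store, "http://www.example.edu/login", now + 31536001)
    return first, still, later, expired       # (True, True, False, True)


if __name__ == "__main__":
    print(demo())
```

The last value shows why sites use long max-age values and why preloading exists: once the cached policy lapses, the next plain http:// navigation is exposed again until the browser sees the header over TLS once more.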

  12. Questions?
