All right, hello everyone. My name is Harikus, and I brought a talk with me today for something I built for myself, because I felt that was missing for a long time. And so I titled this talk "Where trust ends: certificate pinning for the rest of us".

Okay, so what's this gonna be about? I'll talk a little bit about what HTTPS is and why we trust it today for our communication over the internet; why some people don't trust it for some things; what potential attack vectors there are today; off-the-shelf remedies, how the industry tries to fix this; and, at the end, how to take back control for yourself if you want to be sure that you are really talking to your own servers at home: certificate pinning for everyone. All right. So if you have questions, just ask right away or at the end of the talk, as you prefer.

So, a quick primer on what HTTPS is today. When you use a web browser and you do online banking, or you talk to some servers, to Wikipedia or to any other site, today it's usually HTTPS, which means it's encrypted, and you also assume that the service you connect to is also authenticated, which means you are actually talking to the server you think you're talking to. So that's two very different things. The one is authentication, which means HTTPS makes sure that the server you think you talk to, you are actually talking to. And then there is encryption and privacy: once it's been established that you're really talking to your bank and not to a fraudster, then encryption is switched on so that nobody can eavesdrop on you and see what you are actually doing over the connection. But it's two different things.

All right. So how does it work in practice?
So at the beginning you type in a domain name. Then the domain name gets resolved into an IP address, and then a TCP connection is established to port 443. And then what happens first is the web server sends a certificate to the web browser, and the certificate contains a so-called certificate chain, public/private key pairs, and the browser checks this certificate chain and makes sure at the end there is a root certificate that it has in its root certificate store. And if all the certificates in that chain say "okay, I validate, I vouch for the next certificate", then you can be sure that you are actually connected to your bank.

So if something goes wrong, for example a certificate has expired, or there is no root certificate for this website in the browser store, then you usually get an error message saying there is something wrong, have a closer look, or in some cases the browser even completely refuses to actually load the web page. But if everything checks out, you get this green logo at the left side, and then encryption starts and the web page is loaded.

So what could possibly go wrong? Well, actually quite a number of things can go wrong. Under certain circumstances you are prone to man-in-the-middle attacks with forged certificates or with previously self-signed root certificates.

Well, how can that happen? Anyone remember DigiNotar? Yeah, that was a couple of years ago: a Dutch registry for root certificates, who signs certificates for banks, for you, for me, for everyone. So they were broken into, and the attacker just created certificates and signed them with a key of DigiNotar, and made those certs for Google and for other organizations, and so he could impersonate Google by breaking into DigiNotar. Well, they don't exist anymore today for that very reason. And so it's not a theoretical thing, it's also a practical thing.
It has happened, and not only with DigiNotar, but also with other certificate authorities.

Then another thing is you have state actors who have potential control over certificate authorities. So if they want to, under very special circumstances, if you are a prime target, then they can just create a certificate for themselves, for a bank or for whatever they're interested in in your communication, and use that.

An attacker could just send an invalid certificate and do a man-in-the-middle attack, so terminate your tunnel and then establish a new one. You get an error, but now he can just hope that people ignore it. And, well, in some companies they do that for different purposes, and they actually teach people to ignore the warnings, and I think that's a very dangerous thing.

Right, and then there are root certs of companies to secure internet traffic. So in some companies, when you work there, they have imported their own root certificate in the browser or in the operating system, and so any HTTPS connection gets intercepted between the internet and the intranet of the company. You still get the green logo, but actually what happens is, at the border, they decrypt all the communication and look inside for whatever purposes. So I guess German companies only have very good intentions: they want to make sure there are no viruses and stuff in there. But you can also use it for malicious purposes, and you don't see anything, because the root certificate they use, they imported that in the browser because it's their PC, and it's totally unclear whether that happens or not until you take a closer look.

Well, those are the attack vectors today, and for most things, well, you can forget about it, because if you just go to Wikipedia, for example, at least in our country, well, it's not a problem. Should that get intercepted, no problem. But in other countries, or for banking websites, you really want to be sure that that is not happening. And how can you make sure of that, actually?
Before I come to what is actually done to make things a little bit more trustworthy, let's talk a little bit about why a lot of people don't have a lot of trust in this system. So I was talking about root certificates earlier, which means that's the certificates in the browser's certificate store which vouch for the validity of the chain of a certificate you get from a website. And a typical browser today trusts more than 100 root certificates. So more than 100 organizations in the world you trust implicitly, because the browser trusts them.

And there is always this running gag: you have to trust the Hong Kong post office. They can make a certificate for everything and you trust it implicitly; your browser trusts the Hong Kong post office. But it's actually true. I looked it up in the Firefox browser: there is the Hong Kong post office. So it's not a joke, it's real.

All right, so basically what you have to do is you have to trust a hundred and more root certificate authorities that they are not, well, that they are not doing strange things and, well, undermining your trust. And that's an awful lot of authorities I have to trust, and I don't trust all these organizations for some of the things I really want to have secured.

And then two words of caution on this very widely spread operating system, starts with a W. There are a couple of nasty things going on there. So if you have an antivirus program installed on that operating system, what that usually does is it installs its own root certificate into Firefox and into other browsers, and what they do is they also intercept any incoming communication and re-encrypt it and send it to the browser again, for checking for viruses and other things. But obviously that program can read everything you do.
So, well, some people don't like that a lot.

And then the second bullet point is: Firefox also can fall back to system certificates on that operating system. And that has been done to allow companies to insert their own root certificates to secure their network, which means that they will intercept all incoming encrypted web traffic and have a look inside before they forward that. And so usually Firefox has its own certificate store, but it can also be made to fall back to the system certificates. So you have to be aware of that.

So in effect those two things completely undermine the chain of trust in the browser. So other external programs, they spy on the website's content that you load. So you have to be aware of that as well in order to judge how secure your connection is and how private it actually is.

A lot of text here. So there are approaches to increase the trust, because 100-plus certificate authorities, I don't have a lot of trust in that.

So the first thing that was done is to have so-called certificate revocation lists. So if a certificate was stolen, it could be put on a revocation list, and in theory the browser could actually check it, and if it's on such a list then it could refuse the certificate. But it's actually pretty worthless these days, because the browsers assume, if they can't reach the server for the certificate revocation list, then everything is okay, and they let this thing through.
So it doesn't improve trust a lot.

Then there was a great idea called HTTP Public Key Pinning. What that basically did, or still does today, is that the web server can say in the headers "only accept this certificate or this certificate", and even if you send another valid certificate, the browser will block it, because once it has seen the HPKP header once, it will only trust those which it has previously seen. Which basically means certificate pinning.

Unfortunately Google wants to abandon that in the browser. Perhaps they already have, I haven't really followed that anymore, but they have said they don't want that anymore. It's too complicated, it's too error-prone, because if you make a little mistake, with the wrong information inside, then you throw yourself out of the system and you can't get back in until the timeout that you have set is actually over. So you can actually throw yourself out. So that's not the thing.

Firefox still supports the feature. But with Let's Encrypt that we have today, which is a great thing, I use Let's Encrypt myself, what they do is they renew a certificate every three months. And so that's a bit of a problem for HPKP, because here you really want to have the same certificate all the time and just want it revalidated. You can change Let's Encrypt in a way to work with HPKP, but yeah, it's a lot of work.

And then we come to the next point: it's actually difficult to check if HPKP works, because you need to have several valid certificates and then try out for yourself whether those that are not in the header are actually rejected or not. Yeah, so I liked HPKP even though it was difficult, but since it's slowly abandoned, it's not the future.

And then there is Certificate Transparency. That's what the industry is doing these days. What that means is that every certificate from those 100 trusted certificate authorities gets put in a public ledger.
So for example, if I make a certificate for myself with Let's Encrypt, it gets in this public ledger, and if some other authority later on would also generate a certificate for my domain, which I didn't do myself, it is also put into the ledger, and I could in theory find out that that actually happened by looking into the ledger. But who's doing that, actually? So you can only find out that things have gone wrong after the fact, if you suspect something, or you set something up to watch the ledger all the time for your domains, whether somebody else has actually generated a certificate maliciously for your domain. So it's nice, but there is no warning if somebody forges a certificate for you unless you really look very closely, and nobody does that. At least not me.

Okay, so on trust, the story so far: when using TLS certificates, you trust all root certificates and you trust the system behind it, that it prevents everybody from forging certificates. And if your trust does not stretch that far, what is called certificate pinning is your friend. Pinning means, on your side, on your end of the communication, you say: okay, forget about all these root certificates, I only trust certain certificates for certain domains. And so I pin them, and even if I get a valid certificate that is not pinned for a domain,
I will reject it.

So some people actually do that, and there have been approaches in the past to actually do the certificate pinning in Firefox. There has been a great extension called Certificate Patrol that did exactly that: once it saw a certificate for a domain, it locked it, it pinned it, and if there was a different certificate later on, there was a window saying: okay, there is a new certificate, could be a good one, could be a bad one, have a look and acknowledge that this change of the certificate is actually valid. But then unfortunately Mozilla removed its own web browser API for old add-ons, and the new API did not support the interruption of a TLS connection, and also no inspection of the certificates that were used. So unfortunately that add-on was dead.

All right. But at least other programs did certificate pinning, or do certificate pinning today. Web-based, for example, the DAVx5 app, which you can have on Android for your calendar and your contacts: in the settings you can pin the certificate. It's HTTP/HTTPS-based. So there you can pin the certificates if you have an ownCloud at home and use it for calendar and address book, for example, and here you can make sure that this thing does not connect, or aborts the communication to your server at home, if a new certificate comes along, even if it is valid.

So Conversations, the XMPP client on Android: you can also pin the certificate there. So if Conversations establishes a connection to the server and the server sends a new certificate, it can also block it, and you have to manually acknowledge that first. ChatSecure on iOS does it as well, and Nextcloud Notes on Android has an option as well. I'm not sure if it's working, though.

All right. So the cool thing is, in September 2018 Mozilla added a new API that allows to check the certificates again.
It's called webRequest.getSecurityInfo, and what that does is, together with a couple of other APIs, for every connection that Firefox establishes you can have a look at the security info, the certificate, and you can abort loading or let the web page be downloaded depending on what the certificate is inside. So what I did then, when I saw that they introduced this getSecurityInfo API, is I thought: okay, now it's time for an add-on for Firefox again, so I can do my own certificate pinning again.

Okay, a bit of a demo, just to see how that works in practice. I'll show you in a real Firefox in a moment. Well, let's do it straight away, actually.

So this is how it looks today, right? So you go to a web page, it loads, and you can see the lock here, everything is great. But if the certificate actually changes, you wouldn't really see it.

Okay, so let's install the add-on for that. So it's in the Mozilla store. You add it to Firefox. All right, and then you get a little logo up here. It doesn't really do anything as long as you don't touch it, but for example when you go to a web page and you want it pinned, you can just go there now and say "Pin certificate", and then you get a little green logo above the icon, and then you can see that that page is now pinned.

Let's do that for, let's say, yeah, let's do that also for Postbank. So for mobile banking, I like to use that for mobile banking, so that nobody can give me a malicious banking website. You also get a little P up here. And so here you can now see that I have pinned two websites, the blog, wirelessmoves.com, and the money postbank.de.

And so just for testing if this thing actually works, I can invalidate the pin that the add-on has stored. So for example, I click here.
Oops. "Invalidate for testing". And so now you can see the hash has changed, and if you go back and reload the page, it will now alert you to the fact that the fingerprint has changed. And then you can have a look actually inside at the certificate chain, see if it's actually valid, if you have actually done that, if you own the website, or, in case of the banking service, if you think that that sounds legitimate. Like, you know, you can compare for example the validity dates, and you can see the certificate chains, and, well, if Postbank suddenly gets their certificate from the Hong Kong post office, then perhaps it's not quite what you had in mind.

So you are immediately alerted of the fact that something is wrong, and you can either accept the fingerprint or have a closer look, and if you don't like it, then, well, you have to do something else. But in that case I accept it, and then the page is reloaded. But until I accept it the page is not loaded, it's aborted. And so all your secrets that you have inside the TLS connection, like your cookies, your username and your password, even if it's stored in Firefox, it's not sent to the other side.

All right, so really simple to use, and a nice indication up here that you have pinned the certificate. And basically what that means is you're back in control now. So you don't have to trust a hundred certificate authorities anymore for the very precious sites you have, like online banking or your own services at home. Because once the certificate is pinned, and nobody steals the keys from your server, you're actually safe.

All right, summary. Web security today relies on a chain of trust, and this chain of trust has a couple of very weak links. And so if you don't like that, you can now again, at least in Firefox, take back control over that with certificate pinning. And it only works in Firefox, because that API is only there, and Google, for example, does not have it.
So at the moment, even if you wanted to, you can't do that in Chrome or in another browser.

All right. That's it. Thanks very much.

Questions? Yes, please hold for the microphone, I guess.

Thanks. Nice approach. I also think about pinning my bank site, but one question beforehand: is the list, the pinning list, synchronized via Firefox Sync?

No, so you have to do it on each device. So there is a possibility to do that, but I have not implemented it yet.

Yes, thank you for the presentation. Two questions, actually. Number one: when you were showing your site, the pin, when you invalidated the pin, the warning looked like a regular rotation of Let's Encrypt certificates. Actually, there is no way to tell whether this is a legitimate rotation or somebody is just doing another Let's Encrypt certificate. There is no way for me as a user to tell. I know that.

Yeah, okay. That's a very good point. So again, the problem is always, when you get a certificate which is different from the one you have pinned, you need to decide for yourself whether that change is legitimate or not. So if it's your own site, it's very simple: you know if you have changed your certificate or not. If it's the banking website, you don't, so then you have to make your own decision whether that is actually good or not. And one of the indicators that you can then use is: when was the old certificate to expire? You know, if it still had a lifetime of two years, that's a little bit long, but if it's only like one month remaining, then it was probably a legitimate change, and the alert screen actually shows you that. If you have a website which uses Let's Encrypt and which is not yours, it's exchanged every three months, and there again, you have to decide: yeah, okay, it's Let's Encrypt, it's this website, do I trust it or not?
So, and you can't really see that, but most banking websites don't use Let's Encrypt yet.

And question number two: does this cover in any way, shape or form DNS over HTTPS?

It's completely independent from that, because what happens is the web browser requests the web page, so I don't really care where the IP address comes from. What happens is, once the TLS connection is established and the certificate has been sent by the server, then the loading process is interrupted, the add-on is called, I inspect the certificate, and then the add-on either... or it interrupts the session. And so it doesn't really matter where the IP address comes from.

Yeah. No, no, because I only look at the certificate, not at the domain resolution. So yeah, that's a different security problem.

One question about pinning not the end (leaf) certificate, but the CA certificate. So one approach to not get notified each time at the rollover of the certificate is to just say: I will trust any certificate that comes from Let's Encrypt, but not a certificate that comes from the Hong Kong post office. Is that a possibility, or is that a bad idea, or are you planning to implement this feature?

I thought about whether I wanted to implement this or not, and I decided, at least for me, not to implement it, because it's a bit of a dangerous thing, because then your chain of trust, you go to the very low level. But I've done something a little bit different. There are some services out there, like if you pin Google, like just for a Google search, what you will find out very quickly is that every couple of days, or depending on where you are, Google exchanges its certificates, even though the validity period is very long. And what I decided here is that you can not only pin one certificate, for Google in this case, or for some other server that changes the certificates very quickly, but actually trust more than one certificate, and for me that fixed the problem. Because they seem to rotate, they don't seem to change very often. So after two or three certificates at the top level, everything is okay. But your approach is just as valid. I just didn't want to do that because trusting... Yeah. But I wouldn't rule it out for the future. So if there is a lot of people who say "I really want to have this", yeah, send me a pull request. Why not?

Anyone else? All right, then thanks very much.
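
The pinning decision described in the talk (several pins per host, block on a mismatch, and show how long the pinned certificate still had to run) can be sketched as follows. This is an added example, not part of the talk and not the add-on's own code; `PinStore`, `checkPin`, `demo` and every sample certificate value are assumptions made up for illustration, and only `browser.webRequest.onHeadersReceived` and `browser.webRequest.getSecurityInfo` are Firefox's own API.

```javascript
// Added example, not the add-on's code. PinStore, checkPin, demo and all
// sample certificate values are constructed for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;

class PinStore {
  constructor() {
    this.pins = new Map(); // host -> Map(sha256 fingerprint -> expiry in ms)
  }
  // More than one pin per host is allowed, for servers that rotate
  // between a small set of certificates.
  pin(host, cert) {
    if (!this.pins.has(host)) this.pins.set(host, new Map());
    this.pins.get(host).set(cert.fingerprint.sha256, cert.validity.end);
  }
  get(host) { return this.pins.get(host); }
}

// securityInfo has the shape returned by browser.webRequest.getSecurityInfo():
// state plus certificates[] (server certificate first), each with
// fingerprint.sha256, issuer and validity.{start,end} in milliseconds.
function checkPin(store, host, securityInfo, now = Date.now()) {
  const pinned = store.get(host);
  if (!pinned) return { action: "allow", reason: "not-pinned" };
  const leaf = (securityInfo.certificates || [])[0];
  if (securityInfo.state !== "secure" || !leaf) {
    return { action: "block", reason: "no-valid-certificate" };
  }
  if (pinned.has(leaf.fingerprint.sha256)) {
    return { action: "allow", reason: "pin-match" };
  }
  // Mismatch: block and report what the user needs to judge the change.
  const latestEnd = Math.max(...pinned.values());
  return {
    action: "block",
    reason: "pin-mismatch",
    newIssuer: leaf.issuer,
    pinnedDaysRemaining: Math.floor((latestEnd - now) / DAY_MS),
  };
}

const store = new PinStore();

// Browser wiring; skipped when run outside a Firefox extension.
if (typeof browser !== "undefined") {
  browser.webRequest.onHeadersReceived.addListener(async (details) => {
    const info = await browser.webRequest.getSecurityInfo(
      details.requestId, { certificateChain: true });
    const verdict = checkPin(store, new URL(details.url).hostname, info);
    return { cancel: verdict.action === "block" };
  }, { urls: ["https://*/*"] }, ["blocking"]);
}

// Constructed sample certificates (fingerprints, issuers and dates made up).
const NOW = Date.UTC(2019, 0, 1);
const oldCert = { fingerprint: { sha256: "AA:11" }, issuer: "CN=Example CA A",
  validity: { start: NOW - 60 * DAY_MS, end: NOW + 30 * DAY_MS } };
const newCert = { fingerprint: { sha256: "BB:22" }, issuer: "CN=Example CA B",
  validity: { start: NOW, end: NOW + 90 * DAY_MS } };

// Pin the old certificate, then present the new one for the same host.
function demo() {
  const s = new PinStore();
  s.pin("bank.example", oldCert);
  const info = { state: "secure", certificates: [newCert] };
  return checkPin(s, "bank.example", info, NOW);
}
```

`getSecurityInfo` can only be called from an `onHeadersReceived` listener, so `cancel` stops the response from being processed; the request for that resource has already gone out by then.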