
All right, so like Ashley said, my talk is "What is HTTPS and why does it matter?" So before I get started, does anyone here know nothing about HTTPS? Also at least one person; hopefully you'll get the most out of this talk. Does anyone know a ton about HTTPS? Cool, you want to switch? Because you probably know more than me. Either way, hopefully everyone will learn something; if not, if you're waiting for the next speaker, hopefully you can at least be entertained.

Ashley actually gave a super long introduction. I'm Ray Doyle, @doylersec, local to the area; I've been here for years. You can find me on Twitter at @doylersec or on my blog; I've been posting weekly for four years now, there's a ton of posts. Senior staff adversarial engineer at Avalara in downtown Durham, great company, just started. Also part of Team EverSec and EverSec CTF; we're running the CTF upstairs, and we also just won DerbyCon this year, which wasn't in the bio on the last day. We're kind of awesome. Come talk to us about our CTF or competing. And yeah, I've got a ton of certs. Ashley asked if she could skip them; if you want to learn about certs or not, cool, let me know. That said, a better way to get to know me: whiskey. This is a picture of our third annual Bourbon Bonanza; we had fifty-four whiskeys this year. So buy me a drink, talk about anything computers, I'll probably listen.

Crowd involvement: I'm not gonna make it a drinking game. For those of you who saw my CarolinaCon talk, that went horribly. But I highly recommend you live tweet during this talk: when I get something wrong, use that hashtag; if you want me to learn something new, use that hashtag; if you take a picture of me looking ridiculous or good, use the hashtag. Have fun with it, it'll be a good time.

So before I begin, some caveats. As I joked about at the beginning, I'm not an expert. My job is to break stuff; I'm a penetration tester, formerly a developer. There's tons I don't know about, and in 40 minutes I can't cover the tip of the iceberg about HTTPS. That said, I'm hopefully gonna cover a lot of topics that will at least get you familiar with it and why you should be using it if you're not already.

So here's a big verbose slide full of definitions. You can read it, I'll post the slides later; it's not all going to be important right now. That said, HTTP is how your browser and the web server you're connected to communicate. It's the basis of what we know as the Internet: your computer tells the website you want a web page, it sends it back to you, you can view it. HTTPS is HTTP over SSL. It's how, when you go to, you know, PayPal or your bank's website, you get that cool little lock icon in the top left or something, so you're secure, or at least you no longer get those scary warnings. That's basically telling you that the connection is secure, to a point, and that's hopefully what you'll learn a little about during this talk. What SSL is, is what's actually performing the encryption for HTTPS; it's how the data, so your passwords, all of the information you're getting back from the website, your credit card when you're on Amazon, is being transmitted back and forth so that ideally only you and the server know that information. TLS stands for Transport Layer Security; this is just an updated, more secure version of SSL. Basically nowadays when most people say SSL or HTTPS they're actually referring to TLS. Hopefully most sites are using SSL; that's a talk for another time.

HSTS is a very important topic that I'm not going to cover at all, but I wanted to include it. The biggest benefit of HSTS is it prevents downgrade attacks. So back when SSL was first implemented, you could have your bank, it could be secure, but an attacker could basically tell your connection, no, you don't want to use SSL, it's fine, use the other one, so it wouldn't actually be encrypted anyway. That said, I'm not gonna have the time for that. If you're interested, look it up, talk to me, talk to the people who raised their hand when they said they knew more than me.

So what are the advantages of SSL? Why do I want it? Honestly there's a ton of advantages. You know, nowadays Google's gonna rank you higher, customers are gonna view you as more secure, there'll be privacy, there'll be data integrity. I'll cover a lot of these, but honestly the biggest issue is just security. You want to have a secure website, you care about security: implement HTTPS, implement SSL, TLS. So what are the disadvantages? I've seen plenty of arguments, I've seen plenty of websites, but it's 2019. The only real argument that's a disadvantage is it is more work. It's not necessarily a ton of work, but the difference between having an HTTP website and having an HTTPS website is a little more work. That's it.
So one of the first advantages I mentioned, or didn't mention but that was on that slide, is authentication. Authentication is just how you log into a website: when you go to yourbank.com, you type in your username, you type in your password, you hit enter; that's the act of authentication. Credentials are what you're actually passing to the website, your username and password. So when you authenticate to a website, ideally you don't want other people to know your username and password. This is the reason you either, you know, keep it on a post-it note that you don't show to anyone, or you use a password manager, or you just remember it. We know that our passwords are important and private, for the most part, so we try not to share them. Well, with websites not using HTTPS, you're sharing them with people, and you may not have realized.

So let's see if a video can work; we're not gonna do any live demos yet. To set this up, on the right window we have our evil attacker in a coffee shop, just hanging out, trying to, you know, do some bad stuff, and on the left we have a user who's just trying to log into their banking website. I apologize, the size is small. Okay, so the hacker's starting up some software in his right window; it's called Wireshark, it just listens to network traffic. So now on the left side we have our user, and they're just trying to log in to their website. It's a very beautifully designed banking website; I'm no longer a developer. So they're just logging in, and if you can see, there's no lock icon, it says "not secure," so that's one of the ways we know HTTPS is not being used. They type in their credentials and they're logged in. They get their account number, 867-5309, and they get their account balance, which is 1.3 million dollars, so you know, they're doing pretty good, they're feeling good about themselves, they're just checking their banking information at Starbucks. So they're happy.

But now the attacker, who's, you know, sitting a few rows away drinking his latte, he's seen some network traffic, so he's scrolling through it just to see what he's captured on this network, and he sees an HTTP request, which like we said before is how browsers and web servers communicate. And the video restarted. So he sees an HTTP request, so once he remembers how to use this program, he takes a look at it, and this is just a request from the browser to the server saying hey, give me my banking website. There's nothing interesting there, it's just code for the website, no big deal. He scrolls a little further, keeps looking to see if he's got anything interesting, and sees another request. Now in this request, if we can see, they're actually going to login.php, so the login page, and we've got their username and password right now for their banking website; not something you want to give to a random person at Starbucks. Additionally, from the response from the server, we've now got their account number as well as their account balance. So this is a clear example of why you want to use HTTPS, why you don't want to be logging into websites that don't use HTTPS.
So another example of an advantage of HTTPS is privacy. I'm sure most people know what privacy is by now; you've heard the term once or twice in your lifetime. There are things, I'm sure, that you do or post on the internet that may not be considered sensitive information: they're not a username, they're not a password, they're not your credit card, but there are things you wouldn't just shout out loud, things you wouldn't just post on a wall somewhere. They could be, you know, a private conversation between you and someone else, they could be a quiz online that is, you know, more sensitive information. It doesn't matter; there are things that we do on the internet that we have some sort of expectation of privacy about. That said, without HTTPS, same as the banking information, people could sniff it, they could capture it, they could view what you're sending or receiving on the Internet.

There is another point to this that I'm not gonna cover; it's an entire other presentation. So when you go to, say, yourbank.com, your computer sends a request called DNS, saying hey, what's the address of yourbank.com, and it gives you back that address. None of that is encrypted, so people will still know what websites you're going to even if you do use HTTPS. Any website you go to, if someone's listening, they will know it. There is a way to do DNS over HTTPS; it's fairly new, it's very complicated, but that part of the privacy won't be covered by standard HTTPS.

So an example of privacy. I just went to Google and was looking for domestic abuse examples. Unfortunately, or rather thankfully, I couldn't find a form that was using HTTP, but I did find the Wake County Network of Care, which lists all the domestic violence shelters on an HTTP website. Now that said, if you can imagine, instead of a search bar, if there was a form here that you would enter information about, you know, a potentially abusive spouse or person you know, that's something that's not sensitive information, it's not a credit card, but if you were inputting form data about, you know, hey, this person is abusing me, I would like to find a shelter or schedule an appointment, anything like that, someone on your network could sniff it. Instead of a bad guy at Starbucks it could be the abuser, it could be someone who's trying to find out information about you. So HTTPS isn't just about, you know, buying stuff on Amazon, checking out on PayPal; privacy is a huge issue if you don't want people to listen to your, you know, your connections. So we know that we should log in over HTTPS; that's great. Let's see a video of that.
So we go back. Now we're at our home page for our bank, which is an even prettier website that, you know, has a button at the top left that says login. Again, I am NOT the best web developer. And it's a little harder to see, but this page is not secure. That's unfortunate, but if you look, there's no login, there's no sensitive information, we're okay for now. And on the right side we still have our evil hacker listening to the network, or he will be in a second. So when we click the login link, we're taken back to our login page, and now if you see, that little lock icon is back, or it's not back, the little lock icon is there; we're, you know, using HTTPS now, it's in the URL bar, everything is happy. So let's see what happens when we log in. Same as before, we type in our username, we type in our password, we're logged back into our bank. We still have the same amount of money. Awesome.

So if we go back to the evil hacker's window, he's seeing, you know, what he captured. He's not good at Wireshark filters, so he's scrolling up and down. He sees a connection, so if we take a look at that, we see the original page, which was not using HTTPS. Okay, that's okay, we knew there was just a button there. So he clears that, and he's still looking for the login as well as the bank account information. So he scrolls up and down, and if we see right there, there's some new protocol that says TLS. Let's look at that. Well, I don't know what that is; I can't read any of that, that doesn't seem helpful at all. But it was TLS v1.2, which I mentioned earlier, so he can't read that; that doesn't help at all. So he scrolls a bit more, he's just seeing if he captured anything, and there's no other HTTP like there was before. The reason for that was, once we clicked on that login page, the browser and the server made a secure connection and everything we sent back and forth was encrypted. So I honestly don't know if that was the correct packet, but the packet we opened that had all that gibberish and nonsense, that was actually the same as before, with the username and password and credit or banking information, but the attacker wasn't able to read it this time. Awesome. Almost awesome.

So another huge advantage of HTTPS is data integrity. Now data integrity, in short, means that if you go to, you know, yourbank.com and it has HTTPS, it's got the little lock icon, it's in the URL bar, no errors, everything is happy, then in theory no one can change anything on that page. If it was HTTP, people can change the stuff on that page: while they're able to intercept the traffic and see what's on it, they can also change it before it gets back to you, and your browser would have no way of knowing that what the server sent is what you received. HTTPS does this in a form of, you know, it's called message digests. Basically they take what the server sends, do some math, get a number, give that number to your browser and say hey, these two things need to match up. This allows you to know that no one tampered with your information as well.
Well, why does that matter? I mean, if someone's gonna tell me I have less money in my bank account, that's fine. Well, the reason this matters is the video I just showed before. So we're back on the HTTP website that has just a login button, no big deal; we know we're not sending any information to that. We click the same login button, and this is a different web page. We're at a page that looks slightly different, because my web development skills still aren't great, and it says "this is a malicious site." Ideally hackers won't be doing this, but for demo purposes it will be. And if you look in the URL, it's actually a different URL; it says the connection is not secure, the URL is different. That's kind of weird, but we know our bank uses SSL, so we log in. We're in our bank, the URL's correct, we're at, you know, our banking website, our bank account information is fine, and we have the right balance. So I don't know what that was about; no big deal.

Well, if we take a look at this from the hacker's perspective, you know, he looks, nope, I just took the wrong thing, okay, so he's got, in a second, a file on his web server that actually has our username and password. But he shouldn't have that; we logged in using SSL, we went to our main bank website. What's up with that? So as it turns out, if we take a look at the source of our main banking page's website, the link to our login page is actually different. It's not the one we expect, it's not, you know, yourbank.com/login, it's the malicious web page. So what happened there? It's very simple: this is all of the code that I used to steal a banking website login. This is a little confusing if you don't read JavaScript or know what it's doing, but the bolded line at the very bottom basically intercepted the request. So our browser said, you know, I want to go to yourbank.com, the server sent back a response, and the attacker's computer said, any links on the web page, replace them with a link to a server that I control. That's it. So since the main page was using HTTP, the attacker was able to modify it. Now he couldn't change the login page; it was using HTTPS, he couldn't sniff it. So instead what he did was change the link. The user logged in to a page that looked exactly like their bank, he sent their login to their bank, they looked like they logged in just fine, but before that happened he stole their login credentials, and now he's got the username and password for their banking account. Not so great.
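The two ideas the talk has just covered, the "message digest" that lets a browser notice tampering and the intercept script that swaps every link on the plaintext home page, as an added example that is not part of the talk or the speaker's demo code. It models the link rewrite (and the hidden image tag the later live demo injects) as a pure transform over a constructed page, then shows why the check has to be keyed: a plain hash would not help, since an attacker who can rewrite the page can recompute it, so TLS derives a secret per connection from the handshake and binds the integrity check to it (today via AEAD ciphers; HMAC below stands in for the principle). The host names and key are made up.

```python
"""Added example (not from the talk): what the intercept script in the demo did
to the bank's plaintext home page, and the kind of keyed integrity check that
lets a client notice the tampering. Hosts and the key are made up."""
import hashlib
import hmac
import re

# Constructed: the bank's HTTP home page, whose only absolute link is the HTTPS login.
HOME_PAGE = """<html><body>
<h1>Your Bank</h1>
<a href="https://bank.example/login.php">Login</a>
<a href="/about">About</a>
</body></html>"""

_ABS_HREF = re.compile(r'href=(["\'])(https?://[^"\']+)\1')


def rewrite_links(html: str, victim_host: str, attacker_host: str) -> str:
    """Point every absolute link to victim_host at attacker_host instead.
    Relative links and links to other hosts are left alone. This is only
    possible because the page carrying the link was delivered over HTTP."""
    def swap(match: "re.Match[str]") -> str:
        quote, url = match.group(1), match.group(2)
        origin = re.match(r"https?://([^/]+)", url)
        if origin and origin.group(1).lower() == victim_host:
            url = f"http://{attacker_host}{url[origin.end():]}"
        return f"href={quote}{url}{quote}"
    return _ABS_HREF.sub(swap, html)


def inject_resource(html: str, src: str) -> str:
    """The other edit from the live demo: append an image tag before </body>
    so the victim's browser fetches a resource from the attacker's host."""
    tag = f'<img src="{src}" width="1" height="1" alt="">'
    return html.replace("</body>", tag + "</body>", 1)


def integrity_tag(key: bytes, body: bytes) -> str:
    """Keyed digest over the body. Without the key an attacker who rewrites
    the page could simply recompute the digest, so the check would be useless."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, body: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(integrity_tag(key, body), tag)


def demo() -> dict:
    key = b"constructed-session-key"               # in TLS this comes from the handshake
    tag = integrity_tag(key, HOME_PAGE.encode())   # computed by the server
    tampered = rewrite_links(HOME_PAGE, "bank.example", "evil.example")
    tampered = inject_resource(tampered, "http://evil.example/file.jpg")
    return {
        "tampered": tampered,
        "original_verifies": verify_tag(key, HOME_PAGE.encode(), tag),
        "tampered_verifies": verify_tag(key, tampered.encode(), tag),
    }


if __name__ == "__main__":
    result = demo()
    print(result["tampered"])
    print("original verifies:", result["original_verifies"])
    print("tampered verifies:", result["tampered_verifies"])
```

Running it prints the rewritten page with the login link now pointing at http://evil.example/login.php and the broken 1x1 image at the bottom, and shows the original body verifying while the tampered body does not.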
So what are the benefits of data integrity? Code injection is a big one; that's what I just showed. He changed a link on a web page to a link that he controlled. They could also do things like, you know, put some sort of malicious JavaScript: crypto miners, if you've heard about those, they're in the news a lot; they could make your computer mine bitcoins for them or whatever else. There's also ad insertion. So imagine if you were, you know, at home visiting an HTTP website: Spectrum could actually put their own ads into any website you're viewing, or anyone could, because again there's no data integrity; anyone can put any ads in, they could control what ads you're seeing, which is annoying but no big deal. Another huge one is content modification, which seems a little different, but on the next slide I'll cover it a bit more. Interestingly, it could be something as harmless as changing all of the pictures on a website. So, you know, you're trying to view a website of whatever, houses; someone could replace all of them with pictures of cats and you would not know why. Because the websites are using HTTP, people can modify the data. And there's also some big scary attacks based on these above that I'll hopefully show live.

So, content modification. I want to thank Patrick for sending in this; this is really cool. This little white device is called a Newstweek. You plug it in and it will literally do that attack I just demonstrated about replacing stuff, only it will replace it on news websites. Now can you see the bigger issues? So say cnn.com was an HTTP website: I could literally change the news that you're getting and make you believe different things, make you have different feelings, because I can change any of the data being sent back to your browser. You don't know that that's not actually what's on cnn.com. So the picture is fairly innocuous; they changed the word "ceasefire" to "custard." What if I changed the word "Turkey" to "Israel"? There are a lot bigger implications. Any website using HTTP, I could change the entire content of it. I don't have to steal your credentials; I can change what you're thinking, change what you're doing. And it's a really cool device, they sell it, it'll automatically do it; I recommend taking a look at it.

So I mentioned a bigger, scarier attack, and this is the more advanced part, so hopefully those of you who at least knew a bit about HTTPS will enjoy this part. The crux of this demo: I'm gonna do an early name and shame. So the origin of this talk was CackalackyCon. CackalackyCon's website was using HTTP. No big deal, it was a static website, there were no forms, there was nothing sensitive, and no one was modifying, you know, the dates or anything like that. That said, there's still some scary stuff that we can do as attackers, so let's do it live and see what happens; hopefully things work well. So we'll load up some VMs, we'll have our hacker and our innocuous little user, and these slides will be posted, so if you're worrying about taking pictures or stuff like that, I'll have the videos and demonstration of this. So we'll log in as our attacker, and since, you know, we're hackers, we'll just, and I'll cover what is happening in a second, but, so you know, we're a hacker, we're gonna run some commands. There'll be some cool colors, the terminal will do stuff, no big deal.

All right, so we are an Internet user. This is high resolution, but we're gonna go read my old roommate's blog; he's just a software developer, it's just a static blog with a web page. We need to connect to the internet first. Let's see if I got that password right; should have done that beforehand. All right, let's see if it connects. It's more fun if we use a real website on the Internet; the CTF network has not been working well on any of them. Steve, what's the password? "eversecctf," look at that: providing internet to speakers, one talk at a time. While we try and see if I can type it in, I wanted to thank, so I mentioned we won the DerbyCon CTF; not only did we win their CTF, they actually donated all of their networking gear to us for the EverSec CTF. So all right, so we're connected to the internet, so let's read a blog post. This stuff is hacking on the hacker's computer; we don't really care. Is there internet on the EverSec network, Jeff? Steve? All right, cool. So we see it's HTTP, no lock, but it's just a blog post about an interview question he got at Microsoft. No big deal, we're not gonna send any sensitive information, we don't care if someone modifies his blog post, whatever, nothing to do.

So let's go back to our hacker computer. Some stuff happened with this green one; I'll cover that in a second, but this one is more interesting. So this line right here, we see an IP address; that's actually the IP address of our user in the coffee shop, or user at work, whatever. We've got a username, actually the user logged in on the computer browsing the blog website, as well as some sort of big long hash string. So let's grab that and see what it is. So if we go to our slightly other hacker computer, because I couldn't get it to work on the first one, and we put this in a file, we run a quick command, some more hacker stuff will happen, and if you see right here, there's a new string at the end of the hash that says "password" with an exclamation mark. That's actually the password of the user browsing that blog website. What the heck happened?

So if we go back to our first hacker window, there's a bunch of commands happening and a bunch of output, but the first thing that the hacker did in this window was he intercepted all traffic on the network; all of it went through him, then went on to the router. Okay. Additionally, he had a script running that anytime a web page had a body tag, so basically saying hey, this web page is over, he replaced it with a picture. This picture was, you know, a file that he was hosting called file.jpg. Well, you don't see a picture here; it's actually right there, but he could have hidden it better. It's a broken picture. Why do we care? He was also running, and I can gladly speak to you plenty more about this, this attack is really cool, it's hard to demonstrate in a short talk, over here he's running a program called Responder. So when the blog looked for this picture, which it didn't have, it's not hosted on my roommate's blog, we injected it with that first window, it said hey, I want this, you know, image.png. It reached out to where the hacker's computer was and said hey, do you have image.png? And it was like, yeah. But also, since you're using Internet Explorer, and I do want to note that this attack will only work against Internet Explorer, it can work against Edge, it's weird, but it will not work against Chrome or Firefox, but since he was using Internet Explorer, Internet Explorer was like, hey, I'm on Windows, that file's on the network, you can have my credentials just in case you need them. And the server is like, well, thanks, I don't need them, here's the image. So since it sent us their credentials, we were able to receive them, which is what this big long string is. Now this is a big long string; it is very hard to crack it. That said, we saw the user had a pretty weak password of "password" with an exclamation mark. So just by visiting an HTTP website, not sending any information, not, you know, being tricked into anything, we now have this user's username and password for their computer; now we can do whatever we want. So that's the bigger, scarier issue: just because you're not sending sensitive data doesn't mean you shouldn't be using HTTPS.

So what are the key takeaways? I didn't forget the theme.
If you're not using HTTPS, you're contributing to the Internet dumpster fire. Now everyone can finally take a drink.

So how do we fix it? The quickest and easiest way is to use something called Let's Encrypt, and it was even mentioned during an earlier talk. It's free, it's fairly simple, and it's a way for everyone to get an SSL certificate. So there's instructions here, there's a website; if you google Let's Encrypt, or if you just bother me, I'll gladly talk to you about it. So this is, and it's harder to read, I don't want you to set it up right now, but these are all of the steps. This is all you would need to do if you had a server you controlled and had command line access to. Now that said, not everyone knows how to use a command line, not everyone owns their server; this is still kind of hard if you're just, you know, a mom-and-pop running your store, you just, you know, have a personal travel blog, whatever. So an even easier option is to get a hosting provider that just does HTTPS for you. There's a huge list on that same certbot website I showed before, and I'll provide the link with the slides, that shows you all of these hosting providers that will enable HTTPS for you. You do nothing; you host your site under their server. For something in the middle, there's also the option of something called Cloudflare. Cloudflare is a service that will basically stand between the internet and your website. They'll provide some security, they'll provide some DNS, DDoS protections, other things, but the most relevant thing to this talk is they'll literally set up SSL for you. And if I can find my cursor, there might be a video that appears to have disappeared, though; there we go. So this is just demonstrating how to use their website. So you type in your domain, you click "add site," they'll do some stuff, you choose your plan, they have a free plan, so this doesn't cost you anything, you update some things that you would already have in your hosting provider, and it'll be set up, and that's it. You're done; you now have their SSL and their other protections.

So if you have your own website, if you work at a company, if you see a website without HTTPS, try and get someone to implement it. That said, there are a lot of steps, so I'd like to introduce the TETRI algorithm. It's actually an acronym to help you remember how to implement HTTPS. So T: take ownership of your life. E: establish boundaries. T: tell someone that you love them. R: remember to stay hydrated. And I: implement HTTPS. That's it. Follow those five steps and you'll have HTTPS on your websites. I understand even five letters is a little more complicated, so I've provided you with a flowchart: does your website need HTTPS? Yes, we saw why; implement it. Tell people; implement it. If your bank doesn't use HTTPS, I know there are some, call them, yell at them. Obviously that one's terrible, but there's no reason websites shouldn't be using HTTPS.

So, time for a quick shame session. I called out CackalackyCon.com, but they are the reason I gave this talk, and they did fix it like two days after I yelled at them. So the left one is an exploit writing tutorial website; this is a security website not using HTTPS. The top right one, and I wish Dan was here, he would love this, this is irongeek.com. This is Adrian Crenshaw's website that hosts almost every conference talk. So he could have a link to the DerbyCon opening ceremonies and I could put a pornographic video there instead, because he doesn't have data integrity. And the bottom right is Baidu. It's a huge search engine, so I can intercept the request and put my own results into it. This shouldn't happen; we should all be using HTTPS. Like Chris said, security's here, it's just not everywhere.

So a few quick acknowledgments while I wrap up. I want to thank BSides RDU; they let me, you know, spill my nonsense up here every year. And the second part is, it's true, this year there's no Hacker Jeopardy, but I heard some crazy guy will be shouting out questions in the CTF room and throwing prizes at people. Avalara, my new company: they pay me to hack, they pay me to talk about stuff like this, it's awesome. RTP SecBeers is a great group; it's a bunch of local people and some not so local. They helped me get the inspiration for this talk, because people in the channel about CackalackyCon were asking why they needed HTTPS for a static website; we saw we could have stolen their username and passwords. And EverSec CTF / Team EverSec: the most recent CTF we've hosted is upstairs; the most recent one we won is DerbyCon. If you want to learn about running CTFs, participating in them, or you just want to bring us food and drinks, come on up. And you guys: if one person learned one thing from this talk, I'm happy. So, I'm not sure how much time we have left, but does anyone have any questions? I can maybe answer some of them.
Yes, so the question, or comment, was: bad guys can also use Let's Encrypt to make malicious sites. And that's exactly true, and I meant to cover this a bit more. So HTTPS doesn't save us from everything; it doesn't secure everything. I can stand up a bad website using Let's Encrypt, and we saw that the malicious web page that we stole credentials with had a certificate; it seemed fine. So just because something is using HTTPS, it doesn't mean it is secure, but just because a site is not using HTTPS, we know it's not secure. Yeah, awesome comment, thanks for bringing that up. Anyone else? All right, so that's it. You can find me on Twitter, you can find my blog, you can find me upstairs. Thanks for coming.
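For the "how do we fix it" section above: getting a certificate from Let's Encrypt, a hosting provider or Cloudflare is step one, and the talk's earlier HSTS aside is step two, because a site that still answers on plain HTTP with no redirect, or that never sends Strict-Transport-Security, is still exposed to the downgrade the speaker describes. The checker below is an added example, not part of the talk or the speaker's slides. It takes the response to GET http://host/ and the headers from GET https://host/ and reports what is missing; the responses here are constructed dicts so it runs offline, and the hosts are made up. Feed it real headers from urllib or requests to test a live site.

```python
"""Added example (not from the talk): does a site force HTTPS and send HSTS?
Sample responses are constructed; bank.example and blog.example are not real."""
from dataclasses import dataclass
from typing import Dict, List, Optional

Headers = Dict[str, str]


@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def _lower(headers: Headers) -> Headers:
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value: str) -> Optional[Hsts]:
    """Parse a Strict-Transport-Security value per RFC 6797. Returns None for
    a header a browser would ignore: max-age missing or not a number."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return Hsts(max_age, include_subdomains, preload)


def check_https_enforcement(http_status: int, http_headers: Headers,
                            https_headers: Headers,
                            min_max_age: int = 15552000) -> List[str]:
    """Return findings for one site; an empty list means it passes.
    min_max_age defaults to six months; hstspreload.org requires a year."""
    findings: List[str] = []
    location = _lower(http_headers).get("location", "")
    if not (300 <= http_status < 400) or not location.lower().startswith("https://"):
        findings.append("http:// is served without a redirect to https://")
    elif http_status not in (301, 308):
        findings.append("redirect to https:// is temporary; use 301 or 308")

    # HSTS is only honoured when received over HTTPS, so read it from the
    # https:// response, never from the plaintext one.
    hsts = _lower(https_headers).get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    parsed = parse_hsts(hsts)
    if parsed is None:
        findings.append("Strict-Transport-Security is malformed (missing or bad max-age)")
        return findings
    if parsed.max_age < min_max_age:
        findings.append(f"HSTS max-age {parsed.max_age} is below {min_max_age}")
    if not parsed.include_subdomains:
        findings.append("HSTS lacks includeSubDomains; subdomains stay downgradable")
    return findings


# Constructed sample responses: (status of http://, its headers, https:// headers).
GOOD_SITE = (301, {"Location": "https://bank.example/"},
             {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"})
BAD_SITE = (200, {"Content-Type": "text/html"}, {"Content-Type": "text/html"})
WEAK_SITE = (302, {"Location": "https://blog.example/"},
             {"strict-transport-security": "max-age=300"})

if __name__ == "__main__":
    for name, site in (("good", GOOD_SITE), ("bad", BAD_SITE), ("weak", WEAK_SITE)):
        print(name, check_https_enforcement(*site) or ["ok"])
```

The "bad" site is the static-blog case from the live demo: a certificate alone changes nothing until the plaintext origin redirects and the browser is told, over HTTPS, to stop asking for http:// at all.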