Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Blue Team TLS Hugs

Avatar for Lee Brotherston Lee Brotherston
July 29, 2017
Technology
0
350

Blue Team TLS Hugs

My talk given at the Crypto & Privacy Village at Defcon 25

Avatar for Lee Brotherston

Lee Brotherston

July 29, 2017
Tweet

More Decks by Lee Brotherston

See All by Lee Brotherston
TLS Tools for Blue Teams
Avatar for Lee Brotherston leebrotherston
0
150
Abusing TLS For Defensive Wins
Avatar for Lee Brotherston leebrotherston
2
1.1k
TLS Fingerprinting SecTorCA Edition
Avatar for Lee Brotherston leebrotherston
0
190
Stealthier Attacks and Smarter Defending with TLS Fingerprinting
Avatar for Lee Brotherston leebrotherston
0
230
The Cynical Trust Model
Avatar for Lee Brotherston leebrotherston
0
60
Corporation In The Middle
Avatar for Lee Brotherston leebrotherston
0
120
Corporation In The Middle - SecTor
Avatar for Lee Brotherston leebrotherston
0
49
Incident Response for Cheapskates - BSidesTO 2013
Avatar for Lee Brotherston leebrotherston
0
78

Other Decks in Technology

See All in Technology
Context Engineeringが企業で不可欠になる理由
Avatar for Hirosato Gamo hirosatogamo
PRO
2
290
仕様書駆動AI開発の実践: Issue→Skill→PRテンプレで 再現性を作る
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
2
570
usermode linux without MMU - fosdem2026 kernel devroom
Avatar for Hajime Tazaki thehajime
0
210
AI時代、1年目エンジニアの悩み
Avatar for JINYOUNG KIM jin4
1
160
生成AI時代にこそ求められるSRE / SRE for Gen AI era
Avatar for ymotongpoo ymotongpoo
5
2.5k
Databricks Free Edition講座 データサイエンス編
Avatar for Takaaki Yayoi taka_aki
0
290
ClickHouseはどのように大規模データを活用したAIエージェントを全社展開しているのか
Avatar for Miki Matsumoto mikimatsumoto
0
190
セキュリティについて学ぶ会 / 2026 01 25 Takamatsu WordPress Meetup
Avatar for Rocket Martue rocketmartue
1
280
M&A 後の統合をどう進めるか ─ ナレッジワーク × Poetics が実践した組織とシステムの融合
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
1
390
月間数億レコードのアクセスログ基盤を無停止・低コストでAWS移行せよ!アプリケーションエンジニアのSREチャレンジ💪
Avatar for miyamu miyamu
0
790
日本語テキストと音楽の対照学習の技術とその応用
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
1
420
外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night
Avatar for soudai sone soudai
PRO
11
4.5k

Featured

See All Featured
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
0
140
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.2k
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
1
1.4k
Ethics towards AI in product and experience design
Avatar for Skipper Chong Warson skipperchong
2
190
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
666
130k
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
370
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
Avatar for Sophie Logan marketingsoph
0
71
The SEO identity crisis: Don't let AI make you average
Avatar for Varn varn
0
64
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
0
2.3k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.6k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1032
470k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k

Transcript

  1. Blue Team TLS Hugs Lee Brotherston - @synackpse - #TLSHugs

  2. SSL TLS does what now? Lee Brotherston - @synackpse -

    #TLSHugs

  3. Renegotiation... Encrypted Data Key Exchange Kittens... Unicorn Tears Pixie Dust

    Client Client Hello Server Server Hello Lee Brotherston - @synackpse - #TLSHugs

  4. Current State of the Art Lee Brotherston - @synackpse -

    #TLSHugs

  5. - Ignore TLS - Break TLS - Embrace TLS Lee

    Brotherston - @synackpse - #TLSHugs

  6. Ignore TLS Lee Brotherston - @synackpse - #TLSHugs

  7. IDS Rules Protocol ClearText TLS Enabled HTTP(S) 1572 25 IMAP(S)

    34 10 SMTP(S) 73 10 Lee Brotherston - @synackpse - #TLSHugs

  8. permit any > any port 443 Universal Firewall Bypass Port!

    Lee Brotherston - @synackpse - #TLSHugs

  9. ssh -p443 user@myhost (don’t pretend you don’t) Lee Brotherston -

    @synackpse - #TLSHugs

  10. So, what then? Lee Brotherston - @synackpse - #TLSHugs

  11. EndMalVirusPointRansomWhitelistWareProtection Lee Brotherston - @synackpse - #TLSHugs

  12. Blacklists Lee Brotherston - @synackpse - #TLSHugs

  13. Break TLS Lee Brotherston - @synackpse - #TLSHugs

  14. Request Request Response Proxy Server Client TLS Handshake TLS Handshake

    Response ClearText Actual Certificate Authority work CA :) Lee Brotherston - @synackpse - #TLSHugs

  15. Break The CA Model …. even more Lee Brotherston -

    @synackpse - #TLSHugs

  16. Compromised Appliance Lee Brotherston - @synackpse - #TLSHugs

  17. Compromised Internal CA/Key Lee Brotherston - @synackpse - #TLSHugs

  18. Key Management is Haaarrrddd Lee Brotherston - @synackpse - #TLSHugs

  19. Poor Certificate Validation Lee Brotherston - @synackpse - #TLSHugs

  20. “Trusted” CA List Lee Brotherston - @synackpse - #TLSHugs

  21. Trust What The Appliance Trusts *cough* WoSign *cough* Lee Brotherston

    - @synackpse - #TLSHugs

  22. Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs

  23. Malicious Insider Lee Brotherston - @synackpse - #TLSHugs

  24. Embracing TLS? Lee Brotherston - @synackpse - #TLSHugs

  25. Goals Lee Brotherston - @synackpse - #TLSHugs

  26. Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate

    Checks Cryptographic Checks Granular Content Filtering In-Page Exploits Malware Detection Data Exfiltration DLP Lee Brotherston - @synackpse - #TLSHugs

  27. “Perfection is the enemy of good enough” Lee Brotherston -

    @synackpse - #TLSHugs

  28. Lee Brotherston - @synackpse - #TLSHugs

  29. Lee Brotherston - @synackpse - #TLSHugs

  30. Fun with Packet Sniffing Lee Brotherston - @synackpse - #TLSHugs

  31. TLS Fingerprinting (I hear someone did a talk on that)

    …. (it was me) Lee Brotherston - @synackpse - #TLSHugs

  32. Spotting $bad Lee Brotherston - @synackpse - #TLSHugs

  33. None

  34. [semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs

  35. Pseudo “anomaly based detection” Lee Brotherston - @synackpse - #TLSHugs

  36. Fingerprint Canaries Lee Brotherston - @synackpse - #TLSHugs

  37. None

  38. Incident Response & Attribution(ish) Lee Brotherston - @synackpse - #TLSHugs

  39. Vorführeffekt

  40. OK, Enough Fingerprinting Lee Brotherston - @synackpse - #TLSHugs

  41. Server Responses Lee Brotherston - @synackpse - #TLSHugs

  42. Certificates Lee Brotherston - @synackpse - #TLSHugs

  43. Do You Even IDS, Bro? Lee Brotherston - @synackpse -

    #TLSHugs

  44. Inline TLS Shenanigans Lee Brotherston - @synackpse - #TLSHugs

  45. TLS Handshake Mangling Lee Brotherston - @synackpse - #TLSHugs

  46. Request Request Response Proxy Server Client TLS Handshake TLS Handshake

    Response Nope Lee Brotherston - @synackpse - #TLSHugs

  47. Proxy Server Client TLS Request Response Request Response TLS Version

    Ciphersuites Hashing Algorithms Hostname (SNI) Curves Server Hello Certificates Lee Brotherston - @synackpse - #TLSHugs

  48. Subtractive only Lee Brotherston - @synackpse - #TLSHugs

  49. The Compliances Lee Brotherston - @synackpse - #TLSHugs

  50. A Remaining Problem Lee Brotherston - @synackpse - #TLSHugs

  51. None
  52. None
  53. None
  54. None

  55. A Solution…. Kinda Lee Brotherston - @synackpse - #TLSHugs

  56. None
  57. None
  58. None
  59. None

  60. Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate

    Checks In-Page Exploits Malware Detection Data Exfiltration DLP How Did we Do? ✓ ✓ ✓ ✓ ✓ ✓ ✗ …? Lee Brotherston - @synackpse - #TLSHugs ✓

  61. One more thing… Lee Brotherston - @synackpse - #TLSHugs

  62. 8138561f1c4407e872a729a2d4a8f03d1927a7cd5dc9cb2f4812b50986c386a 116ab557841a5e4c9d80680697fc2c13ef7b01bb5e4e6ae71940e58fa757316 e0ee8ef327d403bba2e1c2bde3ead4166b4e1f93135e3a7acd3cddf3893b349 a120b27ed522d3176d08fc2c0984b911bd09f9601133180702542cb99dea311 0d31a40c75493db1ca59bb5e168df86ccea981f81e0466cc584461eac7dae86 6d3cc0f69e166c7d0a3019f1a163a7ba9273be13e404be0f432b65ea574badd 06a2fcc7ccff992a028c6c40c5de50428af37a1ec8f6db7d1a07af8de1486db c1a69c6bbc734cf17a1f13a48d27a218887b36b1e103964a66b38c74a73c6b9 602da341089709ef7e833e1715fe3bd85151 Lee

    Brotherston - @synackpse - #TLSHugs

  63. Host: www.myhost.com User-Agent: MyBrowser/10.4 (Some OS) CoolWebKit/537.36 Accept: text/html,application/xhtml+xml,application/xml Accept-Encoding:

    gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 GET /XXXXXXXXXXX HTTP/1.1 227 206 151 95 58 26 Lee Brotherston - @synackpse - #TLSHugs

  64. Conclusion Lee Brotherston - @synackpse - #TLSHugs

  65. Stuff … TLS Fingerprinting: https://github.com/LeeBrotherston/tls-fingerprinting https://blog.squarelemon.com/tls-fingerprinting/ TLS Mangler (soon): https://github.com/LeeBrotherston/<somewhere>

    TLS Profiling: https://gist.github.com/wxsBSD/6d5e777afc31b3cf46d0 https://gist.github.com/wxsBSD/0c6584913bcc5e6da31b Slide Deck: https://speakerdeck.com/leebrotherston/ The Twitters (me): @synackpse Lee Brotherston - @synackpse - #TLSHugs

  66. Any Questions? Lee Brotherston - @synackpse - #TLSHugs