More Web Proxy on the site http://driver.im/

research-article

Lies and the lying liars that tell them: a fair and balanced look at TLS

Authors:

Juan DengAuthors Info & Claims

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

Article No.: 59, Pages 1 - 3

https://doi.org/10.1145/1852666.1852732

Published: 21 April 2010 Publication History

Abstract

The secure sockets layer (SSL), later modified to become transport layer security (TLS), has become the basis of many aspects of Internet security. The vast majority of e-commerce sites use TLS to protect consumers. Within the past year, a number of TLS weaknesses have become apparent. These weaknesses are due to problems in the domain name system (DNS), problems with certificate distribution, browser programming errors, usability issues, and advances in cryptanalysis. While the basic SSL/TLS protocol is not compromised by any of these security failures, the result is that current e-commerce implementations are severely flawed. This provides a number of important lessons for designing, implementing and deploying trusted systems.

Supplementary Material

Supplemental material. (a59-brooks_slides.pdf)

Download
242.17 KB

References

[1]

http://tools.ietf.org/html/rfc5246 (last visited August 2009).

[2]

W. R. Stevens, Unix Network Programming, Prentice Hall PTR, Englewood Cliffs, NJ, 1990.

Digital Library

[3]

D. Kaminsky, "Why we were so vulnerable to the DNS vulnerability," 25^th Chaos Computer Congress, Berlin, January 2009, http://dewy.fem.tu-imenau.de/CCC/25C3/video_h264_720x756/25c3-2906-en-why_were_we_so_vulnerable_to_the_dns_vulnerability.mp4.torrent (last visited August 2009).

[4]

D. Kaminsky, "DNS rebinding packet tricks," 24^th Chaos Computer Congress, Berlin, January 2008, http://dewy.fem.tu-imenau.de/CCC/24C3/mp4/24c3-2393-en-dns_packet_rebinding_tricks-COMPATIBLE.mp4 (last visited August 2009).

[5]

S. Young and D. Aitel, The Hacker's Handbook, Auerbach, Boca Raton, 2004.

[6]

http://www.kb.cert.org/vuls/id/800113 (last visited August 2009).

[7]

D. Kaminsky, "Black Ops 2008 -- It's The End of the Cache As We Know It," Black Hat USA 2008, https://media.blackhat.com/bh-us-08-Kaminsky/black-hat-usa-08-kaminsky-blackops08-hires.m4v (last visited August 2009).

[8]

http://www.xelerance.com/dnssec/ (last visited August 2009).

[9]

http://www.itu.int/rec/T-REC-X.509/en (last visited August 2009).

[10]

D. Molnar, et. al., "MD5 considered harmful today," 25^th Chaos Computer Congress, Berlin, January 2009, http://dewy.fem.tu-imenau.de/CCC/25C3/video_h264_720x756/25c3-3023-en-making_the_theoretical_possible.mp4.torrent (last visited August 2009).

[11]

C. Soghoian and S. Stamm, "Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL," http://files.cloudprivacy.net/ssl-mitm.pdf (last visited April 2010).

[12]

http://www.thoughtcrimes.org/software/sslsniff (last visited August 2009).

[13]

Moxie Marlinspike, "Defeating OCSP with the character '3'," Blackhat 2009, http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatOCSP-PAPER2.pdf (last visited August 2009).

[14]

Moxie Marlinspike, "New tricks for defeating SSL in practice," Blackhat DC 2009, https://www.blackhat.com/presentations/bh-dc-09/MARLINSPIKE/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf (last visited August 2009).

[15]

Moxie Marlinspike, "Null Prefix Attacks Against SSL/TLS Certificates," Blackhat 2009, http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-PAPER1.pdf (last visited August 2009).

[16]

Dan Kaminsky, "Something About Network Security," Blackhat 2009, http://www.blackhat.com/presentations/bh-usa-09/KAMINSKY/BHUSA09-Kaminsky-BlackOpsPKI-VIDEO.MOV (last visited August 2009).

[17]

G. Danezis "Analysis of the HTTP Protocol over TLS," http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.92.3893 (last visited April 2010).

Cited By

Deb NSingh RBrooks RBai K(2021)A Review of Extremely Fast Charging Stations for Electric VehiclesEnergies10.3390/en1422756614:22(7566)Online publication date: 12-Nov-2021
https://doi.org/10.3390/en14227566

Index Terms

Lies and the lying liars that tell them: a fair and balanced look at TLS
1. Applied computing
  1. Electronic commerce
    1. Secure online transactions
2. Security and privacy

Recommendations

A Notary Extension for the Online Certificate Status Protocol
SOCIALCOM '13: Proceedings of the 2013 International Conference on Social Computing

X.509 certificates are data structures that bind public key values to subjects. This binding aids in the proper identification and authentication of communicating parties. The current X.509 certificate status validation method is imperfect, and under ...
E-SSL: An SSL Security-Enhanced Method for Bypassing MITM Attacks in Mobile Internet
6th International Workshop on Structured Object-Oriented Formal Language and Method - Volume 10189

In mobile internet, the Secure Sockets Layer SSL validation vulnerabilities of applications can be easily exploited through SSL Man-in-the-Middle MITM attacks, which are difficult to defeat. In this paper, an SSL Security-Enhanced method E-SSL is ...
ACCENT: Cognitive cryptography plugged compression for SSL/TLS-based cloud computing services

Emerging cloud services, including mobile offices, Web-based storage services, and content delivery services, run diverse workloads under various device platforms, networks, and cloud service providers. They have been realized on top of SSL/TLS, which ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

April 2010

257 pages

ISBN:9781450300179

DOI:10.1145/1852666

Editors:
Frederick T. Sheldon
Oak Ridge National Laboratory
,
Stacy Prowell
Oak Ridge National Laboratory
,
Robert K. Abercrombie
Oak Ridge National Laboratory
,
Axel Krings
University of Idaho

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 April 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Air Force Office of Scientific Research

Conference

CSIIRW '10

CSIIRW '10: Annual Cyber Security and Information Intelligence Research Workshop

April 21 - 23, 2010

Tennessee, Oak Ridge, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
421
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Deb NSingh RBrooks RBai K(2021)A Review of Extremely Fast Charging Stations for Electric VehiclesEnergies10.3390/en1422756614:22(7566)Online publication date: 12-Nov-2021
https://doi.org/10.3390/en14227566

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents