[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/3278532.3278568acmconferencesArticle/Chapter ViewAbstractPublication PagesimcConference Proceedingsconference-collections
research-article
Public Access

Coming of Age: A Longitudinal Study of TLS Deployment

Published: 31 October 2018 Publication History

Abstract

The Transport Layer Security (TLS) protocol is the de-facto standard for encrypted communication on the Internet. However, it has been plagued by a number of different attacks and security issues over the last years. Addressing these attacks requires changes to the protocol, to server- or client-software, or to all of them. In this paper we conduct the first large-scale longitudinal study examining the evolution of the TLS ecosystem over the last six years. We place a special focus on the ecosystem's evolution in response to high-profile attacks.
For our analysis, we use a passive measurement dataset with more than 319.3B connections since February 2012, and an active dataset that contains TLS and SSL scans of the entire IPv4 address space since August 2015. To identify the evolution of specific clients we also create the---to our knowledge---largest TLS client fingerprint database to date, consisting of 1,684 fingerprints.
We observe that the ecosystem has shifted significantly since 2012, with major changes in which cipher suites and TLS extensions are offered by clients and accepted by servers having taken place. Where possible, we correlate these with the timing of specific attacks on TLS. At the same time, our results show that while clients, especially browsers, are quick to adopt new algorithms, they are also slow to drop support for older ones. We also encounter significant amounts of client software that probably unwittingly offer unsafe ciphers. We discuss these findings in the context of long tail effects in the TLS ecosystem.

References

[1]
Bro network monitoring system. https://www.bro.org/.
[2]
Browserstack. https://www.browserstack.com.
[3]
Bugzilla - Allow RC4 only for whitelisted hosts. https://bugzilla.mozilla.org/show_bug.cgi?id=1124039#c2.
[4]
zgrab: A banner grabber, in go. https://github.com/zmap/zgrab.
[5]
Mozilla Security Blog - Deprecating the RC4 cipher. https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/, 2015.
[6]
D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger, D. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Béguelin, and P. Zimmermann. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015.
[7]
D. Akhawe, J. Amann, M. Vallentin, and R. Sommer. Here's My Cert, So Trust Me, Maybe?: Understanding TLS Errors on the Web. In Proc. of the International Web Conference (WWW), 2013.
[8]
M. R. Albrecht and K. G. Paterson. Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS. In Proc. Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), 2016.
[9]
N. J. AlFardan, D. J. Bernstein, K. G. Paterson, B. Poettering, and J. C. N. Schuldt. On the security of RC4 in TLS. In Proc. USENIX Security Symposium, 2013.
[10]
N. J. AlFardan and K. G. Paterson. Lucky thirteen: Breaking the TLS and DTLS record protocols. In Proc. IEEE Symposium on Security and Privacy (S&P), May 2013.
[11]
J. Amann, R. Sommer, M. Vallentin, and S. Hall. No Attack Necessary: The Surprising Dynamics of SSL Trust Relationships. In Proc. Annual Computer Security Applications Conference, 2013.
[12]
J. Amann, M. Vallentin, S. Hall, and R. Sommer. Extracting Certificates from Live Traffic: A Near Real-Time SSL Notary Service. Technical Report TR-12--014, ICSI, Nov. 2012.
[13]
B. Anderson, S. Paul, and D. McGrew. Deciphering malware's use of tls (without decryption). Journal of Computer Virology and Hacking Techniques, Aug 2017.
[14]
G. I. Apecechea, M. S. Inci, T. Eisenbarth, and B. Sunar. Lucky 13 strikes back. In Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015.
[15]
T. Arcueri. Imperfect Forward Secrecy: The Coming Cryptocalypse, July 2016. https://tonyarcieri.com/imperfect-forward-secrecy-the-coming-cryptocalypse.
[16]
N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J. A. Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, and Y. Shavitt. DROWN: Breaking TLS Using SSLv2. In Proc. USENIX Security Symposium, 2016.
[17]
B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P. Y. Strub, and J. K. Zinzindohoue. A Messy State of the Union: Taming the Composite State Machines of TLS. In Proc. IEEE Symposium on Security and Privacy (S&P), May 2015.
[18]
K. Bhargavan and G. Leurent. On the practical (in-)security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN. In Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.
[19]
Blake-Wilson, S. and Bolyard, N. and Gupta, V. and Hawk, C. and Moeller, B. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS), 2006. RFC 4492.
[20]
R. Bricout, S. Murphy, K. G. Paterson, and T. van der Merwe. Analysing and exploiting the Mantin biases in RC4. Des. Codes Cryptography, 86(4):743--770, 2018.
[21]
M. Brinkmann. Mozilla starts to enable TLS 1.3 on Firefox Stable, Apr. 2018. https://www.ghacks.net/2018/04/13/mozilla-starts-to-enable-tls-1-3-on-firefox-stable/.
[22]
L. Brotherston. TLS fingerprinting. http://www.virustotal.com://github.com/LeeBrotherston/tls-fingerprinting.
[23]
L. Chuat, P. Szalachowski, A. Perrig, B. Laurie, and E. Messeri. Efficient Gossip Protocols for Verifying the Consistency of Certificate Logs. In 2015 IEEE Conference on Communications and Network Security (CNS), 2015.
[24]
J. Clark and P. van Oorschot. SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. In Proc. IEEE Symposium on Security and Privacy (S&P), 2013.
[25]
B. Coat. ProxySG, ASG and WSS will interrupt SSL connections when clients using TLS 1.3 access sites also using TLS 1.3. http://bluecoat.force.com/knowledgebase/articles/Technical_Alert/000032878, 2017.
[26]
CVE-2011--3389. https://nvd.nist.gov/vuln/detail/CVE-2011--3389, 2011.
[27]
CVE-2013--2566. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014--2566, 2013.
[28]
CVE-2012--4929. https://nvd.nist.gov/vuln/detail/CVE-2012--4929, 2012.
[29]
CVE-2013--0169. https://nvd.nist.gov/vuln/detail/CVE-2013--0169, 2013.
[30]
CVE-2014--0160. https://nvd.nist.gov/vuln/detail/CVE-2014--0160, 2014.
[31]
CVE-2014--3566. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014--3566, 2014.
[32]
CVE-2015--0204. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015--0204, 2015.
[33]
CVE-2015--2808. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-CVE-2015--2808, 2015.
[34]
CVE-2015--4000. https://cve.mitre.org/cgi-bin/cvename.cgi?name= cve-CVE-2015--4000, 2015.
[35]
CVE-2015--7575. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015--7575, 2015.
[36]
CVE-2016--0800. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016--0800, 2016.
[37]
CVE-2016--2183. https://nvd.nist.gov/vuln/detail/CVE-2016--2183, 2016.
[38]
D. Benjamin. Applying GREASE to TLS Extensibility. IETF Draft, 2016.
[39]
T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3, bis 00 (pre-draft), Apr. 2014. https://tools.ietf.org/html/draft-ietf-tls-rfc5246-bis-00.
[40]
Dierks, T. and Rescola, R. The Transport Layer Security (TLS) Protocol Version 1.2, 2008. RFC 5246.
[41]
T. Duong and J. Rizzo. Here come the ⊕ ninjas. Unpublished manuscript, 2011.
[42]
Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. Halderman. A Search Engine Backed by Internet-Wide Scanning. In Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015.
[43]
Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. Halderman. Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security. In Proc. ACM Int. Measurement Conference (IMC), 2015.
[44]
Z. Durumeric, J. Kasten, D. Adrian, J. Halderman, M. Bailey, F. Li, N. Weaver, J. Amann, J. Beekman, M. Payer, and V. Paxson. The matter of Heartbleed. In Proc. ACM Int. Measurement Conference (IMC), 2014.
[45]
Z. Durumeric, Z. Ma, D. Springall, R. Barnes, N. Sullivan, E. Bursztein, M. Bailey, J. Halderman, and V. Paxson. The Security Impact of HTTPS Interception. In Proc. Network and Distributed System Security Symposium (NDSS), 2017.
[46]
Z. Durumeric, E. Wustrow, and J. Halderman. Zmap: Fast internet-wide scanning and its security applications. In Proc. USENIX Security Symposium, volume 2013, 2013.
[47]
S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in) security. In Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS), 2012.
[48]
C. Garman, K. G. Paterson, and T. van der Merwe. Attacks only get better: Password recovery attacks against RC4 in TLS. In Proc. USENIX Security Symposium, 2015.
[49]
Google. Android Developer Portal: SSLSocket. https://developer.android.com/reference/javax/net/ssl/SSLSocket.
[50]
Google. Android Distribution dashboard. https://developer.android.com/about/dashboards/.
[51]
M. Green. Attack of the week: FREAK (or factoring the NSA for fun and profit). https://blog.cryptographyengineering.com/2015/03/03/attack-of-week-freak-or-factoring-nsa/, 2017.
[52]
J. Gustafsson, G. Overier, M. Arlitt, and N. Carlsson. A First Look at the CT Landscape: Certificate Transparency Logs in Practice. In Proc. Passive and Active Measurement (PAM), 2017.
[53]
R. Holz, J. Amann, O. Mehani, M. Wachs, and M. A. Kaafar. TLS in the wild: An Internet-wide analysis of TLS-based protocols for electronic communication. In Proc. Network and Distributed System Security Symposium (NDSS), Feb. 2016.
[54]
R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL Landscape: A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements. In Proc. ACM Int. Measurement Conference (IMC), 2011.
[55]
M. HusÃąk, M. CermÃąk, T. JirsÃŋk, and P. Celeda. Network-Based HTTPS Client Identification Using SSL/TLS Fingerprinting. In Proc. International Conference on Availability, Reliability and Security, Aug 2015.
[56]
IANA. Transport Layer Security Parameters. https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml, 2017.
[57]
IANA. Transport Layer Security (TLS) Extensions. https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml, 2017.
[58]
ICSI Certificate Notary. https://notary.icsi.berkeley.edu, 2017.
[59]
T. Jager, J. Schwenk, and J. Somorovsky. On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption. In Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015.
[60]
D. Kaminsky, M. L. Patterson, and L. Sassaman. PKI layer cake: New collision attacks against the global X. 509 infrastructure. In International Conference on Financial Cryptography and Data Security. Springer, 2010.
[61]
M. Majkowski. SSL fingerprinting for p0f. https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/, 2012.
[62]
C. Meyer, J. Somorovsky, E. Weiss, J. Schwenk, S. Schinzel, and E. Tews. Revisiting SSL/TLS implementations: New bleichenbacher side channels and attacks. In Proc. USENIX Security Symposium, 2014.
[63]
B. Möller, T. Duong, and K. Kotowicz. This POODLE bites: exploiting the SSL 3.0 fallback. Security Advisory, 2014.
[64]
Mozilla. Firefox 52.0 - Release notes. https://www.mozilla.org/en-US/firefox/52.0/releasenotes/, 2017.
[65]
Mozilla. Firefox 60.0 - Release notes. https://www.mozilla.org/en-US/firefox/60.0/releasenotes/, 2018.
[66]
PCI Security. Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS. https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls, May 2017.
[67]
Popov, A. Prohibiting RC4 Cipher Suites, 2015. RFC 7465.
[68]
T. project. Tor. https://www.torproject.org/, 2018.
[69]
Qualys. SSL Labs database of user agent capabilities. https://www.ssllabs.com/ssltest/clients.html, 2018.
[70]
Qualys. SSL Pulse. https://www.ssllabs.com/ssl-pulse/, 2018.
[71]
A. Razaghpanah, A. A. Niaki, N. Vallina-Rodriguez, S. Sundaresan, J. Amann, and P. Gill. Studying TLS Usage in Android Apps. In Proc. ACM Int. Conference on emerging Networking EXperiments and Technologies (CoNEXT), 2017.
[72]
E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3, Draft 28, Mar. 2018. https://tools.ietf.org/html/draft-ietf-tls-tls13--28.
[73]
I. Ristić. HTTP client fingerprinting using SSL handshake analysis. https://blog.ivanristic.com/2009/06/http-client-fingerprinting-using-ssl-handshake-analysis.html, 2009.
[74]
I. Ristic. Is BEAST still a threat? https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat, 2013.
[75]
J. Rossignol. Google Says There Are Now More Than 2 Billion Monthly Active Android Devices, May 2017. https://www.macrumors.com/2017/05/17/2-billion-active-android-devices/.
[76]
M. D. Ryan. Enhanced Certificate Transparency and End-to-End Encrypted Mail. In Network and Distributed System Security Symposium (NDSS), 2014.
[77]
Seggelmann, R. and Tuexen, M. and Williams, M. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, 2012. RFC 6520.
[78]
Y. Sheffer, R. Holz, and P. Saint-Andre. Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), May 2015. RFC 7525.
[79]
J. Somorovsky. Systematic Fuzzing and Testing of TLS Libraries. In Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.
[80]
Synopsys. The Heartbleed Bug. http://heartbleed.com/.
[81]
S. Turner and T. Polk. Prohibiting Secure Sockets Layer (SSL) Version 2.0, March 2011. RFC 6176.
[82]
L. Valenta, S. Cohney, A. Liao, J. Fried, S. Bodduluri, and N. Heninger. Factoring as a service. In J. Grossklags and B. Preneel, editors, Financial Cryptography and Data Security - 20th International Conference, FC 2016, Christ Church, Barbados, February 22-26, 2016, Revised Selected Papers, volume 9603 of Lecture Notes in Computer Science, pages 321--338. Springer, 2016.
[83]
N. Vallina-Rodriguez, J. Amann, C. Kreibich, N. Weaver, and V. Paxson. A Tangled Mass: The Android Root Certificate Stores. In Proc. ACM Int. Conference on emerging Networking EXperiments and Technologies (CoNEXT), 2014.
[84]
B. VanderSloot, J. Amann, M. Bernhard, Z. Durumeric, M. Bailey, and J. Halderman. Towards a complete view of the certificate ecosystem. In Proc. ACM Int. Measurement Conference (IMC), 2016.
[85]
M. Vanhoef and F. Piessens. All your biases belong to us: Breaking RC4 in WPATKIP and TLS. In Proc. USENIX Security Symposium, 2015.
[86]
S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. When Private Keys Are Public: Results from the 2008 Debian OpenSSL Vulnerability. In Proc. ACM Int. Measurement Conference (IMC), 2009.
[87]
L. Zhang, D. Choffnes, D. Levin, T. Dumitras, A. Mislove, A. Schulman, and C. Wilson. Analysis of SSL certificate reissues and revocations in the wake of Heartbleed. In Proc. ACM Int. Measurement Conference (IMC), 2014.

Cited By

View all
  • (2024)Propagating Threat Scores with a TLS Ecosystem Graph Model Derived by Active Measurements2024 8th Network Traffic Measurement and Analysis Conference (TMA)10.23919/TMA62044.2024.10559063(1-11)Online publication date: 21-May-2024
  • (2024)Investigating TLS Version Downgrade in Enterprise SoftwareProceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy10.1145/3626232.3653263(31-42)Online publication date: 19-Jun-2024
  • (2024)Fingerprinting the Shadows: Unmasking Malicious Servers with Machine Learning-Powered TLS AnalysisProceedings of the ACM Web Conference 202410.1145/3589334.3645719(1933-1944)Online publication date: 13-May-2024
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences
IMC '18: Proceedings of the Internet Measurement Conference 2018
October 2018
507 pages
ISBN:9781450356190
DOI:10.1145/3278532
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 31 October 2018

Permissions

Request permissions for this article.

Check for updates

Badges

  • Distinguished Paper

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

Conference

IMC '18
Sponsor:
IMC '18: Internet Measurement Conference
October 31 - November 2, 2018
MA, Boston, USA

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)663
  • Downloads (Last 6 weeks)127
Reflects downloads up to 12 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)Propagating Threat Scores with a TLS Ecosystem Graph Model Derived by Active Measurements2024 8th Network Traffic Measurement and Analysis Conference (TMA)10.23919/TMA62044.2024.10559063(1-11)Online publication date: 21-May-2024
  • (2024)Investigating TLS Version Downgrade in Enterprise SoftwareProceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy10.1145/3626232.3653263(31-42)Online publication date: 19-Jun-2024
  • (2024)Fingerprinting the Shadows: Unmasking Malicious Servers with Machine Learning-Powered TLS AnalysisProceedings of the ACM Web Conference 202410.1145/3589334.3645719(1933-1944)Online publication date: 13-May-2024
  • (2024)EFACTLS: Effective Active TLS Fingerprinting for Large-Scale Server Deployment CharacterizationIEEE Transactions on Network and Service Management10.1109/TNSM.2024.336452621:3(2582-2595)Online publication date: Jun-2024
  • (2024) AddrMiner : A Fast, Efficient, and Comprehensive Global Active IPv6 Address Detection System IEEE/ACM Transactions on Networking10.1109/TNET.2024.340650832:5(3870-3887)Online publication date: Oct-2024
  • (2024)The Potential Harm of Email Delivery: Investigating the HTTPS Configurations of Webmail ServicesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.324660021:1(125-138)Online publication date: Jan-2024
  • (2024)Improving the Security of a Webservice: Best Practices and Attack Simulations2024 23rd RoEduNet Conference: Networking in Education and Research (RoEduNet)10.1109/RoEduNet64292.2024.10722558(1-5)Online publication date: 19-Sep-2024
  • (2024)A systematic review of cybersecurity assessment methods for HTTPSComputers and Electrical Engineering10.1016/j.compeleceng.2024.109137115:COnline publication date: 1-Apr-2024
  • (2024)Split Gröbner Bases for Satisfiability Modulo Finite FieldsComputer Aided Verification10.1007/978-3-031-65627-9_1(3-25)Online publication date: 26-Jul-2024
  • (2023)We really need to talk about session ticketsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620510(4877-4894)Online publication date: 9-Aug-2023
  • Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media