DOCSLIB.ORG

Coming of Age: a Longitudinal Study of TLS Deployment

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Coming of Age: a Longitudinal Study of TLS Deployment Coming of Age: A Longitudinal Study of TLS Deployment Platon Kotzias Abbas Razaghpanah Johanna Amann IMDEA Software Institute Stony Brook University ICSI/Corelight/LBNL Universidad Politécnica de Madrid Kenneth G. Paterson Narseo Vallina-Rodriguez Juan Caballero Royal Holloway, University of London IMDEA Networks Institute IMDEA Software Institue ICSI ABSTRACT of each new attack and vulnerability that is discovered. Over the The Transport Layer Security (TLS) protocol is the de-facto standard last few years various TLS vulnerabilities such as BEAST, Lucky for encrypted communication on the Internet. However, it has been 13, POODLE, Heartbleed, FREAK, Logjam, and multiple attacks plagued by a number of different attacks and security issues over against RC4 have been discovered. The Snowden revelations have the last years. Addressing these attacks requires changes to the also highlighted weaknesses in TLS, specifically the reliance on protocol, to server- or client-software, or to all of them. In this RSA key transport for establishing keying material, a method that paper we conduct the first large-scale longitudinal study examining can be passively broken by an entity in possession of the server’s the evolution of the TLS ecosystem over the last six years. We RSA private key. Addressing these attacks requires changes to place a special focus on the ecosystem’s evolution in response to the protocol, to server-, or to client-software, or to all of them high-profile attacks. simultaneously. For our analysis, we use a passive measurement dataset with Prior work highlights different parts of the TLS ecosystem like more than 319.3B connections since February 2012, and an active specific attacks [6, 9, 10, 17, 41, 44, 44, 63, 74, 82], problems ofthe dataset that contains TLS and SSL scans of the entire IPv4 address PKI [7, 46, 54, 60] or problems of TLS usage in specific areas like on space since August 2015. To identify the evolution of specific clients mobile devices [47, 71, 83]. However, to the best of our knowledge, we also create the—to our knowledge—largest TLS client fingerprint no prior work has examined the specific impact of security issues database to date, consisting of 1,684 fingerprints. on protocol deployment. We observe that the ecosystem has shifted significantly since In this paper, we conduct a large-scale longitudinal study exam- 2012, with major changes in which cipher suites and TLS extensions ining the evolution of the TLS ecosystem since 2012 both on the are offered by clients and accepted by servers having taken place. client and on the server side. We analyze trends and evolution of the Where possible, we correlate these with the timing of specific at- ecosystem, putting a special focus on changes occurring in response tacks on TLS. At the same time, our results show that while clients, to specific high-profile attacks. For this, we use a combination of especially browsers, are quick to adopt new algorithms, they are passive and active measurement data. Our passive measurements also slow to drop support for older ones. We also encounter signif- have been running continuously since February 2012 and currently icant amounts of client software that probably unwittingly offer contain protocol information about more than 319.3B TLS connec- unsafe ciphers. We discuss these findings in the context of long tail tions. The active measurement data provided to us by Censys [42] effects in the TLS ecosystem. contains SSL and TLS scans of the entire IPv4 address space starting from August 2015. ACM Reference Format: To identify the patching behavior and evolution of specific clients Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Pater- we also create the—to our knowledge—largest TLS client fingerprint son, Narseo Vallina-Rodriguez, and Juan Caballero. 2018. Coming of Age: A Longitudinal Study of TLS Deployment. In 2018 Internet Measurement database to date, consisting of 1,684 fingerprints. These fingerprints Conference (IMC ’18), October 31-November 2, 2018, Boston, MA, USA. ACM, allow us to attribute 69.26% of TLS connections to specific TLS- New York, NY, USA, 14 pages. https://doi.org/10.1145/3278532.3278568 using programs or libraries. Using these fingerprints we discover that while clients, especially browsers, are quick to adopt new al- 1 INTRODUCTION gorithms, they are also slow to drop support for older ones. We also encounter significant amounts of client software that probably The Transport Layer Security (TLS) protocol is the most widely unwittingly offer unsafe ciphers. We discuss these findings inthe used encrypted communication protocol on the Internet. However, context of long tail effects arising from the desire to maintain back- in order to stay secure, it has had to constantly evolve in the face wards compatibility, software abandonment, and the difficulties Permission to make digital or hard copies of all or part of this work for personal or faced by users of TLS (in a broad sense) in keeping up-to-date with classroom use is granted without fee provided that copies are not made or distributed proper TLS usage. for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the Our analysis, shows radical changes in the TLS ecosystem over author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or the last 6 years. In 2012, 90% of TLS connections used TLS 1.0, while republish, to post on servers or to redistribute to lists, requires prior specific permission today 90% use TLS 1.2, with TLS 1.3 traffic increasing rapidly. In and/or a fee. Request permissions from [email protected]. IMC ’18, October 31-November 2, 2018, Boston, MA, USA 2012, the use of RC4 and CBC-mode for encryption was prevalent; © 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM. today RC4 has almost completely disappeared in response to at- ACM ISBN 978-1-4503-5619-0/18/10...$15.00 tacks, while CBC-mode accounts for about 10% of traffic. RC4 and https://doi.org/10.1145/3278532.3278568 IMC ’18, October 31-November 2, 2018, Boston, MA, USA Kotzias et al. CBC-mode have been largely replaced by modern AEAD schemes, to the server listing its capabilities such as the maximum protocol especially AES-GCM. We observe significant declines in the adver- version, the cipher suites, and elliptic curves it supports. The server tisement and use of export cipher suites, anonymous cipher suites, then chooses its preferred options, among those offered by the and vintage algorithms like 3DES. We also see a rise in the use of client, and informs the client of its choices in the Server Hello forward-secret cipher suites, now accounting for more than 90% message. Thus, the server chooses the final protocol version, cipher of connections. Ephemeral elliptic-curve-based Diffie-Hellman key suite, and other parameters that will be used in the secure channel. exchange (ECDHE) now dominates RSA key transport in TLS hand- Table 1 lists the release dates of all SSL/TLS versions. A key shakes, with Curve25519 gaining in popularity and accounting for feature added in TLS 1.0 over the earlier SSL protocol versions are more than 20% of connections today. TLS extensions used for adding TLS functionality and TLS protocol We correlate major changes in the use of cipher suites and TLS message formats [40]. The client includes in the Client Hello all the extensions with the timing of specific TLS attacks and assess the extensions that it supports and the server simply ignores extensions impact of security research. We observe a few cases, like HeartBleed, that it does not understand. As of March 2018, 28 TLS extensions where the ecosystem changed very quickly. We also observe a have been standardized [57]. It is also possible for anyone to define strong correlation in time between Snowden revelations and the their own extensions. change to forward-secret ciphers. On the other hand, it took several years for RC4 usage to reduce significantly after attacks against 2.2 TLS Attacks RC4 were discovered. Moreover, we do not observe a change in our Many attacks against SSL/TLS have been discovered in recent years. traffic after CBC attacks, possibly due to the lack of better available As a result, both the protocol specification and individual implemen- options at the time or due to the existence of patches. At last, server tations have been significantly revised. In some cases, just changing support for SSL3 is still embarassingly high, despite the severity of client and/or server configurations was sufficient mitigation –for POODLE and RC4 attacks. example to avoid using weak cipher suites. In other cases, where Our main contributions are as follows: (i) We conduct a large- good alternatives were not widely supported or where support for scale longitudinal study on the evolution of the TLS ecosystem legacy was needed, more invasive changes to implementations were since 2012. We place a special focus on high-profile attacks and required. Finally, as we will see, clients and servers have changed detail the impact that these attacks have had on the ecosystem. the versions of the protocol they negotiate in response to attacks. (ii) We present the largest, and longest-running, passive TLS moni- Below, we provide a brief description and a timeline of the most toring dataset comprising 319.3B TLS connections collected since notable attacks, ordered by disclosure date. February 2012. We use our passive dataset, together with a large active scan dataset, to detail the changes to the TLS ecosystem since BEAST (09/06/2011) BEAST allows a MITM attacker to decrypt 2012.
Load more

Recommended publications
  • Hola Dating App, Your Guide to Find a Suitable Personality Based on Yours
    Jun 27, · A walk through Brad Pitt’s star-studded dating history Of course, pop culture aficionados have been watching Brad’s dating life even closer since he and Angelina Jolie filed for divorce in Apr 11, · Search, chat, meet and date new people at the Hola dating app, your guide to find a suitable personality based on yours. Finding interesting people both young and old has become easier with dating apps these day. At Hola we believe technology can connect individuals more efficiently, and especially with people who are in your neighbourhood and might be interested in you/5(16). Hola's best FREE dating site! % Free Online Dating for Hola Singles at renuzap.podarokideal.ru Our free personal ads are full of single women and men in Hola looking for serious relationships, a little online flirtation, or new friends to go out with. Start meeting singles in Hola today with our free online personals and free Hola chat! Oct 26, · Using APKPure App to upgrade Hola! Dating, fast, free and save your internet data. The description of Hola! Dating. Striking up a conversation with an attractive stranger takes a lot of courage. You might have your soulmate standing right in front of you, but if you’re scared to talk to them, you’ll end up missing your renuzap.podarokideal.rury: APP. Rapper from St. Louis, Missouri, USA. He was born on Tuesday, March 29, Is Hitman Holla married or single, and who is he dating now? Let’s find out! As of , Hitman Holla is possibly single.
    [Show full text]
  • Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities
    Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities Robert Merget and Juraj Somorovsky, Ruhr University Bochum; Nimrod Aviram, Tel Aviv University; Craig Young, Tripwire VERT; Janis Fliegenschmidt and Jörg Schwenk, Ruhr University Bochum; Yuval Shavitt, Tel Aviv University https://www.usenix.org/conference/usenixsecurity19/presentation/merget This paper is included in the Proceedings of the 28th USENIX Security Symposium. August 14–16, 2019 • Santa Clara, CA, USA 978-1-939133-06-9 Open access to the Proceedings of the 28th USENIX Security Symposium is sponsored by USENIX. Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities Robert Merget1, Juraj Somorovsky1, Nimrod Aviram2, Craig Young3, Janis Fliegenschmidt1, Jörg Schwenk1, and Yuval Shavitt2 1Ruhr University Bochum 2Department of Electrical Engineering, Tel Aviv University 3Tripwire VERT Abstract the encryption key. The attack requires a server that decrypts a message and responds with 1 or 0 based on the message va- The TLS protocol provides encryption, data integrity, and lidity. This behavior essentially provides the attacker with a authentication on the modern Internet. Despite the protocol’s cryptographic oracle which can be used to mount an adaptive importance, currently-deployed TLS versions use obsolete chosen-ciphertext attack. The attacker exploits this behavior cryptographic algorithms which have been broken using var- to decrypt messages by executing adaptive queries.Vaudenay ious attacks. One prominent class of such attacks is CBC exploited a specific form of vulnerable behavior, where im- padding oracle attacks. These attacks allow an adversary to plementations validate the CBC padding structure and re- decrypt TLS traffic by observing different server behaviors spond with 1 or 0 accordingly.
    [Show full text]
  • Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019
    Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications Tianwei Zhang Jun Jiang Yinqian Zhang Nanyang Technological University Two Sigma Investments, LP The Ohio State University [email protected] [email protected] [email protected] Abstract—We systematize software side-channel attacks with three questions: (1) What are the common and distinct a focus on vulnerabilities and countermeasures in the cryp- features of various vulnerabilities? (2) What are common tographic implementations. Particularly, we survey past re- mitigation strategies? (3) What is the status quo of cryp- search literature to categorize vulnerable implementations, tographic applications regarding side-channel vulnerabili- and identify common strategies to eliminate them. We then ties? Past work only surveyed attack techniques and media evaluate popular libraries and applications, quantitatively [20–31], without offering unified summaries for software measuring and comparing the vulnerability severity, re- vulnerabilities and countermeasures that are more useful. sponse time and coverage. Based on these characterizations This paper provides a comprehensive characterization and evaluations, we offer some insights for side-channel of side-channel vulnerabilities and countermeasures, as researchers, cryptographic software developers and users. well as evaluations of cryptographic applications related We hope our study can inspire the side-channel research to side-channel attacks. We present this study in three di- community to discover new vulnerabilities, and more im- rections. (1) Systematization of literature: we characterize portantly, to fortify applications against them. the vulnerabilities from past work with regard to the im- plementations; for each vulnerability, we describe the root cause and the technique required to launch a successful 1.
    [Show full text]
  • A Security Analysis of the WPA-TKIP and TLS Security Protocols
    ARENBERG DOCTORAL SCHOOL Faculty of Engineering Science A Security Analysis of the WPA-TKIP and TLS Security Protocols Mathy Vanhoef Supervisor: Dissertation presented in partial Prof. dr. ir. F. Piessens fulfillment of the requirements for the degree of Doctor in Engineering Science: Computer Science July 2016 A Security Analysis of the WPA-TKIP and TLS Security Protocols Mathy VANHOEF Examination committee: Dissertation presented in partial Prof. dr. ir. P. Van Houtte, chair fulfillment of the requirements for Prof. dr. ir. F. Piessens, supervisor the degree of Doctor in Engineering Prof. dr. ir. C. Huygens Science: Computer Science Prof. dr. D. Hughes Prof. dr. ir. B. Preneel Prof. dr. K. Paterson (Royal Holloway, University of London) July 2016 © 2016 KU Leuven – Faculty of Engineering Science Uitgegeven in eigen beheer, Mathy Vanhoef, Celestijnenlaan 200A box 2402, B-3001 Leuven (Belgium) Alle rechten voorbehouden. Niets uit deze uitgave mag worden vermenigvuldigd en/of openbaar gemaakt worden door middel van druk, fotokopie, microfilm, elektronisch of op welke andere wijze ook zonder voorafgaande schriftelijke toestemming van de uitgever. All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm, electronic or any other means without written permission from the publisher. Preface When I started my PhD four years ago, I thought people were exaggerating when they said that doing a PhD was a unique and special experience. Turns out I was wrong: it is indeed quite the journey! It was a roller coaster of exciting and sometimes no so exciting research results, late-night deadline races, moments of doubt, enriching and rewarding travels, grueling dilemmas, facing your own limitations,.
    [Show full text]
  • HOLA Lite Setup
    HOLA Lite setup HOLA Lite is a mobile web app that can be used to access HOLA on both (iOS & Android) mobile operating systems. HOLA Lite requires modern browser to be installed on your mobile device. Below are examples on how to easily place HOLA Lite start icon on your phone/tablet home screen. • Google Chrome (on Android) – automatic • Google Chrome (on Android) – manual • Firefox (on Android) - manual • Samsung Internet browser (on Android) - manual • Xiaomi browser (on Android) – automatic • Xiaomi browser (on Android) – manual • UC browser (on Android) - manual • Safari (on iOS) - manual Note: HOLA Lite must be served via secure https connection for home screen launcher to work correctly. www.deyatech.com | [email protected] | Tel: +86 10 6501 3753 www.deyatech.com | [email protected] | Tel: +86 400 082 6608 Google Chrome (on Android) - automatic 1 2 3 4 www.deyatech.com | [email protected] | Tel: +86 10 6501 3753 Open browser, type in hostname or After the site loads, pop-up window Add to Home screen pop-up shows This will add HOLA Lite web app to IP address of your HOLA Lite and hit shows up. Click “Add Lite to Home up. Click ADD button. your home screen. Enter. screen” button. www.deyatech.com | [email protected] | Tel: +86 400 082 6608 Google Chrome (on Android) - manual 1 2 3 4 www.deyatech.com | [email protected] | Tel: +86 10 6501 3753 Open browser, type in hostname or In options, select Add to Home Add to Home screen pop-up shows This will add HOLA Lite web app to IP address of your HOLA Lite and hit screen option.
    [Show full text]
  • Directed Greybox Fuzzing
    Directed Greybox Fuzzing Marcel Böhme Van-Thuan Pham∗ National University of Singapore, Singapore National University of Singapore, Singapore [email protected] [email protected] Manh-Dung Nguyen Abhik Roychoudhury National University of Singapore, Singapore National University of Singapore, Singapore [email protected] [email protected] ABSTRACT However, existing greybox fuzzers cannot be effectively directed.1 Existing Greybox Fuzzers (GF) cannot be effectively directed, for Directed fuzzers are important tools in the portfolio of a security instance, towards problematic changes or patches, towards critical reseacher. Unlike undirected fuzzers, a directed fuzzer spends most system calls or dangerous locations, or towards functions in the of its time budget on reaching specific target locations without stacktrace of a reported vulnerability that we wish to reproduce. wasting resources stressing unrelated program components. Typical In this paper, we introduce Directed Greybox Fuzzing (DGF) applications of directed fuzzers may include which generates inputs with the objective of reaching a given set • patch testing [4, 21] by setting changed statements as targets. of target program locations efficiently. We develop and evaluate When a critical component is changed, we would like to check a simulated annealing-based power schedule that gradually as- whether this introduced any vulnerabilities. Figure 1 shows the signs more energy to seeds that are closer to the target locations commit introducing Heartbleed [49]. A fuzzer that focusses on while reducing energy for seeds that are further away. Experiments those changes has a higher chance of exposing the regression. with our implementation AFLGo demonstrate that DGF outper- • crash reproduction [18, 29] by setting method calls in the forms both directed symbolic-execution-based whitebox fuzzing stack-trace as targets.
    [Show full text]
  • The Rocky Road To
    The Rocky Road to Hanno Böck https://hboeck.de @hanno 1 Transport Layer Security A protocol to create an encrypted and authenticated layer around other protocols 2 TLS 1.3 was published in August 2018 3 How did we get there? 4 In 1995 Netscape introduced Secure Socket Layer or SSL version 2 5 In 1996 it was followed up with SSL version 3 6 In 1999 the IETF took over and renamed it to TLS 7 SSL/TLS History 1995: SSL 2 1996: SSL 3 1999: TLS 1.0 2006: TLS 1.1 2008: TLS 1.2 2018: TLS 1.3 8 Vulnerabilities C C S 9 Padding Oracles in CBC mode 10 Plaintext Plaintext Plaintext Initialization Vector (IV) block cipher block cipher block cipher Key Key Key encryption encryption encryption Ciphertext Ciphertext Ciphertext WhiteTimberwolf, Wikimedia Commons, Public Domain 11 CBC Padding for Block Ciphers (AES) Encryption of data blocks means we have to fill up space 12 CBC in TLS MAC-then-Pad-then-Encrypt 13 Valid Padding 00 01 01 02 02 02 03 03 03 03 ... 14 We assume a situation where the attacker can see whether the padding is valid 15 Ciphertext Ciphertext block cipher block cipher Key Key decryption decryption Initialization Vector (IV) ?== 00 -> padding valid Plaintext Plaintext Attacker wants to decrypt Attacker manipulates / XOR with guess 16 Ciphertext Ciphertext block cipher block cipher Key Key decryption decryption Initialization Vector (IV) ?== 01 01 -> padding valid Plaintext Plaintext Attacker knows Attacker manipulates to 01 Attacker wants to know Attacker manipulates to guess 01 17 2002: Serge Vaudenay discovers Padding Oracle Vaudenay,
    [Show full text]
  • An Analysis of the Transport Layer Security Protocol
    An Analysis of the Transport Layer Security Protocol Thyla van der Merwe Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group School of Mathematics and Information Security Royal Holloway, University of London 2018 Declaration These doctoral studies were conducted under the supervision of Professor Kenneth G. Paterson. The work presented in this thesis is the result of original research I conducted, in collabo- ration with others, whilst enrolled in the School of Mathematics and Information Security as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Thyla van der Merwe March, 2018 2 Dedication To my niece, Emma. May you always believe in your abilities, no matter what anybody tells you, and may you draw on the strength of our family for support, as I have done (especially your Gogo, she’s one tough lady). “If you’re going through hell, keep going.” Winston Churchill 3 Abstract The Transport Layer Security (TLS) protocol is the de facto means for securing commu- nications on the World Wide Web. Originally developed by Netscape Communications, the protocol came under the auspices of the Internet Engineering Task Force (IETF) in the mid 1990s and today serves millions, if not billions, of users on a daily basis. The ubiquitous nature of the protocol has, especially in recent years, made the protocol an attractive target for security researchers. Since the release of TLS 1.2 in 2008, the protocol has suffered many high-profile, and increasingly practical, attacks.
    [Show full text]
  • Measuring I2P Censorship at a Global Scale
    Measuring I2P Censorship at a Global Scale Nguyen Phong Hoang Sadie Doreen Michalis Polychronakis Stony Brook University The Invisible Internet Project Stony Brook University Abstract required flexibility for conducting fine-grained measurements on demand. We demonstrate these benefits by conducting an The prevalence of Internet censorship has prompted the in-depth investigation of the extent to which the I2P (invis- creation of several measurement platforms for monitoring ible Internet project) anonymity network is blocked across filtering activities. An important challenge faced by these different countries. platforms revolves around the trade-off between depth of mea- Due to the prevalence of Internet censorship and online surement and breadth of coverage. In this paper, we present surveillance in recent years [7, 34, 62], many pro-privacy and an opportunistic censorship measurement infrastructure built censorship circumvention tools, such as proxy servers, virtual on top of a network of distributed VPN servers run by vol- private networks (VPN), and anonymity networks have been unteers, which we used to measure the extent to which the developed. Among these tools, Tor [23] (based on onion rout- I2P anonymity network is blocked around the world. This ing [39,71]) and I2P [85] (based on garlic routing [24,25,33]) infrastructure provides us with not only numerous and ge- are widely used by privacy-conscious and censored users, as ographically diverse vantage points, but also the ability to they provide a higher level of privacy and anonymity [42]. conduct in-depth measurements across all levels of the net- In response, censors often hinder access to these services work stack.
    [Show full text]
  • IETF Hackathon
    IETF 106 TEEP Hackathon Report Akira Tsukamoto, Nov. 19, 2019 IETF 106 Hackathon - TEEP 1 What we planned • Open Trust Protocol: • Evaluate OTrPv1 vs TEEP (aka OTrPv2) proposal • Test implementations of OTrP-over-HTTP • draft-ietf-teep-otrp-over-http-02 • Brought prototypes of TAM and TEEP device • TAM with node-js by Isobe-san • TAM with SGX by Dave Thaler • TEEP device on OP-TEE by Akira Tsukamoto • TEEP device on SGX by Dave Thaler IETF 106 Hackathon - TEEP 2 Great TEEm IETF 106 Hackathon - TEEP 3 What got done • First time to interop OTrP/TEEP protocol implementations built from specs. • See pictures on following pages. IETF 106 Hackathon - TEEP 4 On the Table IETF 106 Hackathon - TEEP 5 TAM`s UI for uploading TA IETF 106 Hackathon - TEEP 6 TEEP device IETF 106 Hackathon - TEEP 7 Hacking, Debugging! IETF 106 Hackathon - TEEP 8 TEEP Device installing TA IETF 106 Hackathon - TEEP 9 What we learned • Filed issues • draft-ietf-teep-otrp-over-http-03 • #5: demuxing TEEP vs OTrP • draft-tschofenig-teep-protocol-00.txt • Would like to have JSON example • A lot of implementation action items • Prerequisite required for OTrP/TEEP • HTTP, JSON, CBOR stack must be completely working • Understand TEE concepts, such as SGX, Arm TrustZone, knowledge of implementation details (e.g. OP-TEE) IETF 106 Hackathon - TEEP 10 What went well • Constructing stand alone wired network on Hackathon table for TAMs and TEEP devices but having uplink • This will prevent harming IETF network when sending broken packets. • My TEEP device needs to talk to ntp, since does not have RTC.
    [Show full text]
  • Coming of Age: a Longitudinal Study of TLS Deployment
    Coming of Age: A Longitudinal Study of TLS Deployment Platon Kotzias Abbas Razaghpanah Johanna Amann IMDEA Software Institute Stony Brook University ICSI/Corelight/LBNL Universidad Politécnica de Madrid Kenneth G. Paterson Narseo Vallina-Rodriguez Juan Caballero Royal Holloway, University of London IMDEA Networks Institute IMDEA Software Institue ICSI ABSTRACT of each new attack and vulnerability that is discovered. Over the The Transport Layer Security (TLS) protocol is the de-facto standard last few years various TLS vulnerabilities such as BEAST, Lucky for encrypted communication on the Internet. However, it has been 13, POODLE, Heartbleed, FREAK, Logjam, and multiple attacks plagued by a number of different attacks and security issues over against RC4 have been discovered. The Snowden revelations have the last years. Addressing these attacks requires changes to the also highlighted weaknesses in TLS, specifically the reliance on protocol, to server- or client-software, or to all of them. In this RSA key transport for establishing keying material, a method that paper we conduct the first large-scale longitudinal study examining can be passively broken by an entity in possession of the server’s the evolution of the TLS ecosystem over the last six years. We RSA private key. Addressing these attacks requires changes to place a special focus on the ecosystem’s evolution in response to the protocol, to server-, or to client-software, or to all of them high-profile attacks. simultaneously. For our analysis, we use a passive measurement dataset with Prior work highlights different parts of the TLS ecosystem like more than 319.3B connections since February 2012, and an active specific attacks [6, 9, 10, 17, 41, 44, 44, 63, 74, 82], problems ofthe dataset that contains TLS and SSL scans of the entire IPv4 address PKI [7, 46, 54, 60] or problems of TLS usage in specific areas like on space since August 2015.
    [Show full text]
  • Uncovering Information Leakage from Browser Extensions
    Session 9A: Web 2 CCS’18, October 15-19, 2018, Toronto, ON, Canada Mystique: Uncovering Information Leakage from Browser Extensions Quan Chen Alexandros Kapravelos North Carolina State University North Carolina State University [email protected] [email protected] ABSTRACT ACM Reference Format: Browser extensions are small JavaScript, CSS and HTML programs Quan Chen and Alexandros Kapravelos. 2018. Mystique: Uncovering Infor- that run inside the browser with special privileges. These programs, mation Leakage, from Browser Extensions. In 2018 ACM SIGSAC Confer- ence on Computer and Communications Security (CCS ’18), October 15–19, often written by third parties, operate on the pages that the browser 2018, Toronto, ON, Canada. ACM, New York, NY, USA, 14 pages. https: is visiting, giving the user a programmatic way to configure the //doi.org/10.1145/3243734.3243823 browser. The privacy implications that arise by allowing privileged third-party code to execute inside the users’ browser are not well understood. 1 INTRODUCTION In this paper, we develop a taint analysis framework for browser All popular web browsers today offer extension mechanisms that extensions and use it to perform a large scale study of extensions allow users to customize or enrich their web browsing experiences in regard to their privacy practices. We first present a hybrid ap- by modifying the browser’s behavior, enhancing its functionalities proach to traditional taint analysis: by leveraging the fact that or integrating with popular web services. To support interaction extension source code is available to the runtime JavaScript engine, with the visited web pages, such as modifying their the contents we implement as well as enhance traditional taint analysis using or UI layouts, extension frameworks provide mechanisms to in- information gathered from static data flow and control-flow analy- ject custom JavaScript code into a web page and execute in the sis of the JavaScript source code.
    [Show full text]