ABSTRACT
TLS has the potential to provide strong protection against network-based attackers and mass surveillance, but many implementations take security shortcuts in order to reduce the costs of cryptographic computations and network round trips. We report the results of a nine-week study that measures the use and security impact of these shortcuts for HTTPS sites among Alexa Top Million domains. We find widespread deployment of DHE and ECDHE private value reuse, TLS session resumption, and TLS session tickets. These practices greatly reduce the protection afforded by forward secrecy: connections to 38% of Top Million HTTPS sites are vulnerable to decryption if the server is compromised up to 24 hours later, and 10% up to 30 days later, regardless of the selected cipher suite. We also investigate the practice of TLS secrets and session state being shared across domains, finding that in some cases, the theft of a single secret value can compromise connections to tens of thousands of sites. These results suggest that site operators need to better understand the tradeoffs between optimizing TLS performance and providing strong security, particularly when faced with nation-state attackers with a history of aggressive, large-scale surveillance.
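The check a site operator would want after reading this is whether their own server reuses its DHE or ECDHE private value. The following Python script is an added example, not code from the paper or its measurement tooling: it crafts a minimal TLS 1.2 ClientHello offering only (EC)DHE suites, parses the ServerHello and ServerKeyExchange (RFC 5246 and RFC 4492 framing), and reports any server ephemeral public value that appears in more than one handshake. The host name, curve list, cipher-suite selection and the sample ServerKeyExchange bytes used when no host is given are assumptions for illustration.

```python
"""Probe for (EC)DHE ephemeral-value reuse across TLS 1.2 handshakes (added example; hosts, suites and sample bytes are assumptions)."""
import os
import socket
import struct

ECDHE_SUITES = (0xC02F, 0xC02B, 0xC030, 0xC02C)      # ECDHE-RSA / ECDHE-ECDSA with AES-GCM
DHE_SUITES = (0x009E, 0x009F)                        # DHE-RSA with AES-GCM
SERVER_HELLO, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 2, 12, 14

def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data

def build_client_hello(host: str) -> bytes:
    """TLS 1.2 ClientHello record offering only forward-secret suites (RFC 5246, RFC 4492)."""
    sni = host.encode("idna")
    exts = _ext(0x0000, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni)   # server_name
    groups = struct.pack("!3H", 0x001D, 0x0017, 0x0018)                          # x25519, P-256, P-384
    exts += _ext(0x000A, struct.pack("!H", len(groups)) + groups)               # supported_groups
    exts += _ext(0x000B, b"\x01\x00")                                            # ec_point_formats: uncompressed
    sigalgs = struct.pack("!6H", 0x0804, 0x0403, 0x0401, 0x0503, 0x0501, 0x0601)
    exts += _ext(0x000D, struct.pack("!H", len(sigalgs)) + sigalgs)             # signature_algorithms
    suites = b"".join(struct.pack("!H", s) for s in ECDHE_SUITES + DHE_SUITES)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                   # version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"    # cipher_suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_server_hello_suite(body: bytes) -> int:
    sid_len = body[34]                                   # skip version(2) + random(32)
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]

def parse_server_key_exchange(body: bytes, suite: int) -> tuple:
    """Return (key-exchange label, server ephemeral public value) for the negotiated suite."""
    if suite in ECDHE_SUITES:
        curve_type, curve, point_len = struct.unpack("!BHB", body[:4])
        if curve_type != 3:                              # only named_curve is still permitted (RFC 8422)
            raise ValueError(f"unsupported ECCurveType {curve_type}")
        point = body[4:4 + point_len]
        if len(point) != point_len:
            raise ValueError("truncated EC point")
        return f"ecdhe/group_{curve:04x}", point
    if suite not in DHE_SUITES:
        raise ValueError(f"suite {suite:#06x} carries no (EC)DHE public value")
    off, parts = 0, []
    for _ in range(3):                                   # dh_p, dh_g, dh_Ys, each opaque<1..2^16-1>
        (n,) = struct.unpack("!H", body[off:off + 2])
        parts.append(body[off + 2:off + 2 + n])
        if len(parts[-1]) != n:
            raise ValueError("truncated DH parameter")
        off += 2 + n
    return f"dhe/{len(parts[0]) * 8}-bit", parts[2]

def fetch_ephemeral_value(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """One handshake up to ServerKeyExchange; handshake messages may be split across records."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rx:
        sock.sendall(build_client_hello(host))
        stream, suite = b"", None
        while True:
            hdr = rx.read(5)
            if len(hdr) < 5:
                raise ConnectionError("connection closed mid-handshake")
            ctype, _, length = struct.unpack("!BHH", hdr)
            payload = rx.read(length)
            if ctype == 21:
                raise RuntimeError(f"TLS alert {payload.hex()}")
            if ctype != 22:
                continue
            stream += payload
            while len(stream) >= 4 and len(stream) >= 4 + int.from_bytes(stream[1:4], "big"):
                mtype, mlen = stream[0], int.from_bytes(stream[1:4], "big")
                msg, stream = stream[4:4 + mlen], stream[4 + mlen:]
                if mtype == SERVER_HELLO:
                    suite = parse_server_hello_suite(msg)
                elif mtype == SERVER_KEY_EXCHANGE:
                    return parse_server_key_exchange(msg, suite)
                elif mtype == SERVER_HELLO_DONE:
                    raise RuntimeError("no ServerKeyExchange: non-(EC)DHE suite negotiated")

def find_reuse(samples) -> set:
    """Ephemeral values seen more than once across connections; a healthy server yields an empty set."""
    counts = {}
    for kind, value in samples:
        counts[(kind, value)] = counts.get((kind, value), 0) + 1
    return {(kind, value.hex()) for (kind, value), n in counts.items() if n > 1}

def constructed_samples() -> list:
    """Constructed ServerKeyExchange bodies (not captured traffic): a repeated x25519 value and one DHE value."""
    ecdhe = b"\x03\x00\x1d\x20" + bytes(range(32)) + b"\x04\x03\x00\x02\xaa\xbb"   # + dummy signature
    dhe = b"\x00\x08" + b"\xff" * 8 + b"\x00\x01\x02" + b"\x00\x08" + bytes.fromhex("0123456789abcdef")
    return [(0xC02F, ecdhe), (0xC02F, ecdhe), (0x009E, dhe)]

if __name__ == "__main__":
    import sys
    live = [fetch_ephemeral_value(sys.argv[1]) for _ in range(5)] if len(sys.argv) > 1 else None
    samples = live or [parse_server_key_exchange(b, s) for s, b in constructed_samples()]
    print("reused ephemeral values:", find_reuse(samples) or "none")
```

Run it as `python3 probe.py your.host.example` to open five handshakes a few seconds apart; any value listed means the server is reusing its private value, and repeating the run after an hour or a day bounds the rotation interval that determines how long a later server compromise can retroactively decrypt traffic. The script only covers the key-exchange half of the abstract; session-ID caches and session tickets have to be checked separately, since their lifetime is set by cache timeouts and ticket-key rotation rather than by anything visible in ServerKeyExchange.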
Title: Measuring the Security Harm of TLS Crypto Shortcuts