ABSTRACT
The Transport Layer Security (TLS) protocol is the de-facto standard for encrypted communication on the Internet. However, it has been plagued by a number of different attacks and security issues over the last few years. Addressing these attacks requires changes to the protocol, to server or client software, or to all of them. In this paper we conduct the first large-scale longitudinal study examining the evolution of the TLS ecosystem over the last six years. We place a special focus on the ecosystem's evolution in response to high-profile attacks.
For our analysis, we use a passive measurement dataset with more than 319.3B connections since February 2012, and an active dataset that contains TLS and SSL scans of the entire IPv4 address space since August 2015. To identify the evolution of specific clients we also create the largest TLS client fingerprint database to date that we are aware of, consisting of 1,684 fingerprints.
We observe that the ecosystem has shifted significantly since 2012, with major changes in which cipher suites and TLS extensions clients offer and servers accept. Where possible, we correlate these changes with the timing of specific attacks on TLS. At the same time, our results show that while clients, especially browsers, are quick to adopt new algorithms, they are also slow to drop support for older ones. We also encounter significant amounts of client software that probably unwittingly offers unsafe ciphers. We discuss these findings in the context of long-tail effects in the TLS ecosystem.
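As an added illustration of the kind of ClientHello-based client fingerprinting and unsafe-cipher spotting the abstract describes (our own example, not the authors' measurement code): the parser below reads a constructed TLS ClientHello, derives a fingerprint from the offered version, cipher suites and extension types, and flags suites a defender would treat as unsafe. The fingerprint format, the weak-suite list and the sample handshake bytes are our assumptions.

```python
"""Parse a TLS ClientHello, fingerprint the client by what it offers, and
flag unsafe cipher suites. The sample handshake below is constructed here."""
import struct

# IANA cipher suite values; the labels and the choice of "unsafe" are ours.
UNSAFE_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA (RC4, prohibited by RFC 7465)",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA (64-bit block cipher, Sweet32)",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5 (export grade, FREAK)",
}

def build_client_hello(version, suites, extensions):
    """Constructed sample: ClientHello body wrapped in handshake and record headers."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    body += struct.pack("!H", len(ext_body)) + ext_body
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22, legacy version

def parse_client_hello(rec):
    """Return (client_version, [cipher suites], [extension types]); raise ValueError if malformed."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(rec[6:9], "big")
    p = rec[9:9 + hs_len]
    if len(p) != hs_len or len(p) < 35:
        raise ValueError("truncated handshake")
    version = struct.unpack("!H", p[:2])[0]
    off = 2 + 32                                   # skip random
    off += 1 + p[off]                              # skip session id
    n = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    suites = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + n, 2)]; off += n
    off += 1 + p[off]                              # skip compression methods
    exts = []
    if off < len(p):                               # extensions block is optional in old clients
        n = struct.unpack("!H", p[off:off + 2])[0]; off += 2
        end = off + n
        while off + 4 <= end:
            t, l = struct.unpack("!HH", p[off:off + 4]); off += 4 + l
            exts.append(t)
    return version, suites, exts

def fingerprint(rec):
    """Our own fingerprint format: version | cipher suites | extension types, in offered order."""
    v, s, e = parse_client_hello(rec)
    return "%04x|%s|%s" % (v, ",".join("%04x" % x for x in s), ",".join("%d" % x for x in e))

def unsafe_offered(rec):
    """Names of unsafe suites the client offers, in the order it listed them."""
    return [UNSAFE_SUITES[s] for s in parse_client_hello(rec)[1] if s in UNSAFE_SUITES]

# Constructed sample: TLS 1.2 client offering two AEAD suites plus CBC, RC4 and 3DES,
# with server_name (example.com) and supported_groups (x25519, secp256r1) extensions.
SAMPLE = build_client_hello(0x0303, [0xC02F, 0xC030, 0x002F, 0x0005, 0x000A],
                            [(0, b"\x00\x0e\x00\x00\x0bexample.com"), (10, b"\x00\x04\x00\x1d\x00\x17")])
if __name__ == "__main__":
    print(fingerprint(SAMPLE)); print(unsafe_offered(SAMPLE))
```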