DOI: 10.1145/3278532.3278568
Research article, Public Access, Distinguished Paper

Coming of Age: A Longitudinal Study of TLS Deployment

Published: 31 October 2018

ABSTRACT

The Transport Layer Security (TLS) protocol is the de facto standard for encrypted communication on the Internet. However, it has been plagued by a number of attacks and security issues over the past several years. Addressing these attacks requires changes to the protocol, to server or client software, or to all of them. In this paper we conduct the first large-scale longitudinal study examining the evolution of the TLS ecosystem over the last six years, with a special focus on how the ecosystem has evolved in response to high-profile attacks.

For our analysis, we use a passive measurement dataset with more than 319.3B connections collected since February 2012, and an active dataset that contains TLS and SSL scans of the entire IPv4 address space since August 2015. To identify the evolution of specific clients we also create what is, to our knowledge, the largest TLS client fingerprint database to date, consisting of 1,684 fingerprints.

We observe that the ecosystem has shifted significantly since 2012, with major changes in which cipher suites and TLS extensions clients offer and servers accept. Where possible, we correlate these changes with the timing of specific attacks on TLS. At the same time, our results show that while clients, especially browsers, are quick to adopt new algorithms, they are slow to drop support for older ones. We also encounter significant amounts of client software that probably unwittingly offer unsafe ciphers. We discuss these findings in the context of long-tail effects in the TLS ecosystem.
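As an added illustration of the two building blocks the abstract mentions, a client fingerprint derived from the ClientHello and a check for unsafe cipher suites a client offers, here is example code that is not from the paper or its authors. The ClientHello parser follows the RFC 5246 layout; the fingerprint format, the flagged-suite subset and the build_client_hello helper are assumptions of this example, since the page does not describe the paper's own fingerprint database format.

```python
import hashlib
import struct

# Suites this checker flags as unsafe (code points from the IANA TLS parameters
# registry; an illustrative subset, not a complete list of weak suites).
UNSAFE_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",   # export-grade key size
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",         # RC4, prohibited by RFC 7465
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",         # RC4
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",    # 64-bit block cipher (Sweet32)
}

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS handshake record carrying a ClientHello (RFC 5246 layout)."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or body[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + hello[pos]                         # skip length-prefixed session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                         # skip compression methods
    extensions = []
    if pos + 2 <= len(hello):                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            extensions.append(ext_type)
            pos += 4 + ext_len
    return {"version": version, "suites": suites, "extensions": extensions}

def fingerprint(hello: dict) -> str:
    """Client fingerprint over what is offered: version, suite order, extension order."""
    key = "%04x|%s|%s" % (hello["version"],
                           ",".join("%04x" % c for c in hello["suites"]),
                           ",".join("%04x" % e for e in hello["extensions"]))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def unsafe_offered(hello: dict) -> list:
    """Flagged suites the client offered, in the client's own preference order."""
    return [UNSAFE_SUITES[c] for c in hello["suites"] if c in UNSAFE_SUITES]

def build_client_hello(version: int, suites: list, extensions: list) -> bytes:
    """Build a minimal ClientHello record; constructed test input, not captured traffic."""
    ext_body = b"".join(struct.pack("!HH", t, 0) for t in extensions)  # empty ext bodies
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"          # random, no session id
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", c) for c in suites)
             + b"\x01\x00" + struct.pack("!H", len(ext_body)) + ext_body)
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello            # handshake type 1
    return struct.pack("!BHH", 22, 0x0301, len(body)) + body           # record type 22
```

Two ClientHellos that differ only in the order of the same suites yield different fingerprints, which is what lets a passive monitor tell client implementations apart without decrypting anything.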


Published in: IMC '18: Proceedings of the Internet Measurement Conference 2018, October 2018, 507 pages. ISBN 9781450356190. DOI: 10.1145/3278532. Copyright © 2018 ACM.


Publisher: Association for Computing Machinery, New York, NY, United States
