Lost in TLS? No More! Assisted Deployment of Secure TLS Configurations

  • Salvatore Manfredi
  • Silvio Ranise
  • Giada Sciarretta
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11559)

Abstract

Over the last few years, the popularity and usage of TLS have grown almost exponentially, especially among applications that handle sensitive data. Despite this widespread adoption, TLS remains a complex subject for many system administrators, mainly because they lack the time to understand all the cryptographic algorithms and features used in a TLS cipher suite and their relative weaknesses. For this reason, many different tools have been developed to verify TLS deployments. However, they usually analyze the TLS configuration and produce a list of possible attacks without specifying how to mitigate them. In this paper, we present TLSAssistant, a fully-featured tool that combines state-of-the-art TLS analyzers with a report system that suggests appropriate mitigations and shows the full set of viable attacks.

Keywords

  • TLS misconfiguration
  • Vulnerability detection
  • Assisted mitigations

Notes

Acknowledgments

The authors would like to thank IPZS for the collaboration on the development of the authentication solution based on the CIE 3.0 carried out in the context of the joint laboratory DigimatLab between FBK and IPZS.

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. Security & Trust, FBK, Trento, Italy
  2. University of Trento, Trento, Italy