European Symposium on Research in Computer Security

ESORICS 2012: Computer Security – ESORICS 2012 pp 217–234Cite as

X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-Middle

  • Ralph Holz
  • Thomas Riedmaier
  • Nils Kammenhuber
  • Georg Carle
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7459)

Abstract

Although recent compromises and admissions have given new credibility to claimed encounters of Man-in-the-middle (MitM) attacks on SSL/TLS, very little proof exists in the public realm. In this paper, we report on the development and deployment of Crossbear, a tool to detect MitM attacks on SSL/TLS and localise their position in the network with a fair degree of confidence. MitM attacks are detected using a notary approach. For the localisation, we use a large number of traceroutes, conducted from so-called hunters from many positions on the Internet. Crossbear collects this data, orchestrates the hunting from a central point and provides the data for analysis. We outline the design of Crossbear and analyse the degree of effectivity that Crossbear achieves against attackers of different kinds and strengths. We also explain how analysis can make use of out-of-band sources like lookups of Autonomous Systems and geo-IP-mapping. Crossbear is already available, and 150 hunters have been deployed on the global PlanetLab testbed.

Keywords

  • Man-in-the-middle attack
  • detection
  • localisation
  • X.509
  • SSL/TLS

Author information

Authors and Affiliations

  1. Network Architectures and Services, Fakultät für Informatik, Technische Universität München, Germany

    Ralph Holz, Thomas Riedmaier, Nils Kammenhuber & Georg Carle

Editor information

Editors and Affiliations

  1. Dipartimento di Informatica, Università degli Studi di Milano, Via Bramante 65, 26013, Crema, Italy

    Sara Foresti

  2. Computer Science Department, Columbia University, 1214 Amsterdam Avenue, 10025, New York, NY, US

    Moti Yung

  3. Institute of Informatics and Telematics, Information Security Group, National Research Council, Pisa Research Area, Via G. Moruzzi 1, 56125, Pisa, Italy

    Fabio Martinelli

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Holz, R., Riedmaier, T., Kammenhuber, N., Carle, G. (2012). X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-Middle. In: Foresti, S., Yung, M., Martinelli, F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33167-1_13

  • DOI: https://doi.org/10.1007/978-3-642-33167-1_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33166-4

  • Online ISBN: 978-3-642-33167-1

  • eBook Packages: Computer Science, Computer Science (R0)
