Skip to main content

Cryptographic Assessment of SSL/TLS Servers Popular in India

  • 649 Accesses

Part of the Communications in Computer and Information Science book series (CCIS,volume 625)

Abstract

Major web sites use Secure Sockets Layer (SSL) or its updated version name called Transport Layer Security (TLS) to secure all communications between their servers and web browsers. It is very important to analyze the security of this protocol because the compromise of the banking accounts, health care directories, information of national importance, even vital information about business competitors is unacceptable.

SSL/TLS is not a simple encryption or hashing algorithm. It is a protocol which consists of bunch of cryptographic primitives which aim to provide secure communication. Moreover, this protocol has a long history of attacks and it needs to be revised since security field is changing. This paper presents the most commonly used configurations of this protocol among web servers, highlighting issues where it is insecure and areas where it can be improved. Specifically, parameters used in cryptographic primitives and certificates used by the web servers have been reported. The approach was to probe all web servers using a tool - TestSSLServer. There were sets of two experiments carried out. One in which top 500 most popular websites in India were probed and other in which 50 banking sites in India were probed. Some of the surprising results were that servers still posses SSLv2 and v3 despite of its insecurity. Also, banking sites were found not to support forward secrecy.

Keywords

  • Elliptic Curve
  • Forward Secrecy
  • Pseudo Random Function
  • Secure Socket Layer
  • Protocol Version

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-981-10-2738-3_10
  • Chapter length: 12 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   79.99
Price excludes VAT (USA)
  • ISBN: 978-981-10-2738-3
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   99.99
Price excludes VAT (USA)
Fig. 1.

References

  1. Wikipedia, Transport Layer Security. https://en.wikipedia.org/wiki/Transport_Layer_Security

  2. Ristic, I.: Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

    Google Scholar 

  3. Wikipedia, CRIME. https://en.wikipedia.org/wiki/CRIME

  4. Wikipedia, Public Key Infrastructure. https://en.wikipedia.org/wiki/Public_key_infrastructure

  5. DROWN. https://drownattack.com/

  6. POODLE. https://blog.qualys.com/ssllabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

  7. Wagner, D., Schneier, B.: Analysis of the SSL 3.0 Protocol

    Google Scholar 

  8. Rescorla, E.: SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, Boston (2001)

    Google Scholar 

  9. BEAST. https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat

  10. Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y.: Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS

    Google Scholar 

  11. LOGJAM. https://weakdh.org/

  12. TLS Working Group Draft. https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10

  13. The Transport Layer Security (TLS) Protocol Version 1.2 - RFC 5246. https://tools.ietf.org/html/rfc5246

  14. Transport Layer Security (TLS) Renegotiation Indication Extension - RFC 5746. https://tools.ietf.org/html/rfc5746

  15. Alexa top 500. http://www.alexa.com/topsites/countries/IN

  16. Directories of Banks in India. http://www.banknetindia.com/banklinks.htm

  17. Pornin, T.: TestSSLServer. pornin@bolet.org, http://www.bolet.org/TestSSLServer/

  18. Davies, J.: Implementing SSL/TLS Using Cryptography and PKI

    Google Scholar 

  19. Lee, H.K., Malkin, T., Nahum, E.: Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices

    Google Scholar 

  20. Boneh, D.: Coursera, Cryptography I

    Google Scholar 

  21. Katz, J.: Coursera, Cryptography

    Google Scholar 

  22. Schneier, B.: Applied Cryptography

    Google Scholar 

  23. Buchmann, J.A., Karatsiolis, E., Wiesmaier, A.: Introduction to Public Key Infrastructures

    Google Scholar 

  24. JSON Parser - cJSON. https://github.com/DaveGamble/cJSON

  25. Source Code for Parsing JSON. https://github.com/prakhs123/Parsing-TestSSLServer-Jsons

  26. Prohibiting Secure Sockets Layer (SSL) Version 2.0 - RFC 6176. https://tools.ietf.org/html/rfc6176

  27. Deprecating Secure Sockets Layer Version 3.0 - RFC 7568. https://tools.ietf.org/html/rfc7568

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Prakhar Jain .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Jain, P., Shukla, K.K. (2016). Cryptographic Assessment of SSL/TLS Servers Popular in India. In: Mueller, P., Thampi, S., Alam Bhuiyan, M., Ko, R., Doss, R., Alcaraz Calero, J. (eds) Security in Computing and Communications. SSCC 2016. Communications in Computer and Information Science, vol 625. Springer, Singapore. https://doi.org/10.1007/978-981-10-2738-3_10

Download citation

  • DOI: https://doi.org/10.1007/978-981-10-2738-3_10

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-2737-6

  • Online ISBN: 978-981-10-2738-3

  • eBook Packages: Computer ScienceComputer Science (R0)