Abstract
As SSL/TLS has become the de facto standard Internet protocol for secure communication in recent years, its security issues have also been intensively studied. Even though several tools have been introduced to help administrators find out which SSL/TLS vulnerabilities exist in their network hosts, it is still unclear whether the best security practices are effectively adopted to fix those vulnerabilities in real-world applications. In this paper, we present the landscape of SSL/TLS weaknesses in real websites through an automatic analysis of the possibility of six representative SSL/TLS attacks (Heartbleed, POODLE, CCS injection, FREAK, Logjam and DROWN) on popular websites. Surprisingly, our experiments show that 45% of the top 500 most popular global websites and 52.6% of the top 500 most popular Korean websites are still vulnerable to at least one of those attacks. We also observed several interesting trends in how websites were vulnerable to those attacks. Our findings suggest that better tools and education programs for SSL/TLS security are needed to help administrators keep their systems up to date with security patches.
Acknowledgements
This work was partly supported by the MSIP/IITP (R0166-15-1041), the ITRC (IITP-2016-R0992-16-1006), and the IITP (No. R-20160222-002755). The authors would like to thank all the anonymous reviewers for their valuable feedback.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Oh, S., Kim, E., Kim, H. (2017). Empirical Analysis of SSL/TLS Weaknesses in Real Websites: Who Cares?. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science, vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_15
DOI: https://doi.org/10.1007/978-3-319-56549-1_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56548-4
Online ISBN: 978-3-319-56549-1
eBook Packages: Computer Science, Computer Science (R0)