Coming of Age: A Longitudinal Study of TLS Deployment

The Transport Layer Security (TLS) protocol is the de-facto standard for encrypted communication on the Internet. However, it has been plagued by a number of different attacks and security issues over the last years. Addressing these attacks requires changes to the protocol, to server- or client-software, or to all of them. In this paper we conduct the first large-scale longitudinal study examining the evolution of the TLS ecosystem over the last six years. We place a special focus on the ecosystem's evolution in response to high-profile attacks. For our analysis, we use a passive measurement dataset with more than 319.3B connections since February 2012, and an active dataset that contains TLS and SSL scans of the entire IPv4 address space since August 2015. To identify the evolution of specific clients we also create the---to our knowledge---largest TLS client fingerprint database to date, consisting of 1,684 fingerprints. We observe that the ecosystem has shifted significantly since 2012, with major changes in which cipher suites and TLS extensions are offered by clients and accepted by servers having taken place. Where possible, we correlate these with the timing of specific attacks on TLS. At the same time, our results show that while clients, especially browsers, are quick to adopt new algorithms, they are also slow to drop support for older ones. We also encounter significant amounts of client software that probably unwittingly offer unsafe ciphers. We discuss these findings in the context of long tail effects in the TLS ecosystem.

[1]  Alfredo Pironti,et al.  A Messy State of the Union: Taming the Composite State Machines of TLS , 2015, 2015 IEEE Symposium on Security and Privacy.

[2]  Mark Ryan,et al.  Enhanced Certificate Transparency and End-to-End Encrypted Mail , 2014, NDSS.

[3]  Bodo Möller,et al.  Network Working Group Elliptic Curve Cryptography (ecc) Cipher Suites for Transport Layer Security (tls) , 2006 .

[4]  Niklas Carlsson,et al.  A First Look at the CT Landscape: Certificate Transparency Logs in Practice , 2017, PAM.

[5]  Eric Wustrow,et al.  ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[6]  J. Alex Halderman,et al.  Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security , 2015, Internet Measurement Conference.

[7]  Michael Tüxen,et al.  Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension , 2012, RFC.

[8]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[9]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[10]  Tibor Jager,et al.  On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption , 2015, CCS.

[11]  Tudor Dumitras,et al.  Analysis of SSL certificate reissues and revocations in the wake of heartbleed , 2014, Internet Measurement Conference.

[12]  J. Alex Halderman,et al.  Towards a Complete View of the Certificate Ecosystem , 2016, Internet Measurement Conference.

[13]  Robin Sommer,et al.  Extracting Certificates from Live Traffic : A Near Real Time SSL Notary Service , 2012 .

[14]  Narseo Vallina-Rodriguez,et al.  Studying TLS Usage in Android Apps , 2017, CoNEXT.

[15]  Narseo Vallina-Rodriguez,et al.  A Tangled Mass: The Android Root Certificate Stores , 2014, CoNEXT.

[16]  Juraj Somorovsky,et al.  Systematic Fuzzing and Testing of TLS Libraries , 2016, CCS.

[17]  Karthikeyan Bhargavan,et al.  On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN , 2016, CCS.

[18]  Subharthi Paul,et al.  Deciphering malware’s use of TLS (without decryption) , 2016, Journal of Computer Virology and Hacking Techniques.

[19]  Hovav Shacham,et al.  When private keys are public: results from the 2008 Debian OpenSSL vulnerability , 2009, IMC '09.

[20]  Jeremy Clark,et al.  2013 IEEE Symposium on Security and Privacy SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements , 2022 .

[21]  Frank Piessens,et al.  All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS , 2015, USENIX Annual Technical Conference.

[22]  Len Sassaman,et al.  PKI Layer Cake: New Collision Attacks against the Global X.509 Infrastructure , 2010, Financial Cryptography.

[23]  David Benjamin Applying GREASE to TLS Extensibility , 2019 .

[24]  Tim Wright,et al.  Transport Layer Security (TLS) Extensions , 2003, RFC.

[25]  Robin Sommer,et al.  No attack necessary: the surprising dynamics of SSL trust relationships , 2013, ACSAC.

[26]  Bodo Möller,et al.  This POODLE Bites: Exploiting The SSL 3.0 Fallback , 2014 .

[27]  Adrian Perrig,et al.  Efficient gossip protocols for verifying the consistency of Certificate logs , 2015, 2015 IEEE Conference on Communications and Network Security (CNS).

[28]  B. Kocher [Are you ready?]. , 1986, Krankenpflege. Soins infirmiers.

[29]  Kenneth G. Paterson,et al.  Analysing and exploiting the Mantin biases in RC4 , 2017, Designs, Codes and Cryptography.

[30]  Kenneth G. Paterson,et al.  Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS , 2016, EUROCRYPT.

[31]  Pavel Celeda,et al.  Network-Based HTTPS Client Identification Using SSL/TLS Fingerprinting , 2015, 2015 10th International Conference on Availability, Reliability and Security.

[32]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[33]  Georg Carle,et al.  The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements , 2011, IMC '11.

[34]  J. Alex Halderman,et al.  A Search Engine Backed by Internet-Wide Scanning , 2015, CCS.

[35]  Vern Paxson,et al.  The Matter of Heartbleed , 2014, Internet Measurement Conference.

[36]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[37]  Robin Sommer,et al.  Here's my cert, so trust me, maybe?: understanding TLS errors on the web , 2013, WWW.

[38]  Kenneth G. Paterson,et al.  On the Security of RC4 in TLS , 2013, USENIX Security Symposium.

[39]  Nadia Heninger,et al.  Factoring as a Service , 2016, Financial Cryptography.

[40]  Gorka Irazoqui Apecechea,et al.  Lucky 13 Strikes Back , 2015, AsiaCCS.

[41]  Christof Paar,et al.  DROWN: Breaking TLS Using SSLv2 , 2016, USENIX Security Symposium.

[42]  Sean Turner,et al.  Prohibiting Secure Sockets Layer (SSL) Version 2.0 , 2011, RFC.

[43]  Matthew Green,et al.  Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice , 2015, CCS.

[44]  Bernd Freisleben,et al.  Why eve and mallory love android: an analysis of android SSL (in)security , 2012, CCS.

[45]  Erik Tews,et al.  Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks , 2014, USENIX Security Symposium.

[46]  Yanjiang Yang,et al.  Using Identity as Raw Public Key in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) , 2020 .

[47]  Mohamed Ali Kâafar,et al.  TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication , 2015, NDSS.

[48]  Nick Sullivan,et al.  The Security Impact of HTTPS Interception , 2017, NDSS.

[49]  Andrei Popov,et al.  Prohibiting RC4 Cipher Suites , 2015, RFC.

[50]  Kenneth G. Paterson,et al.  Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS , 2015, USENIX Security Symposium.