论文信息 - concerto: A Methodology Towards Reproducible Analyses of TLS Datasets

concerto: A Methodology Towards Reproducible Analyses of TLS Datasets

Over the years, SSL/TLS has become an essential part of Internet security. As such, it should offer robust and stateof-the-art security, in particular for HTTPS, its first application. Theoretically, the protocol allows for a trade-off between secure algorithms and decent performance. Yet in practice, servers do not always support the latest version of the protocol, nor do they all enforce strong cryptographic algorithms. To assess the quality of HTTPS and other TLS deployment at large, several studies have been led to grasp the state of the ecosystem, and to characterize the quality of certificate chains in particular. In this paper, we propose to analyse some of the existing data concerning TLS measures on the Internet. We studied several datasets, from the first public ones in 2010 to more recent scans. Even if the collection methodology and the used tools vary between campaigns, we propose a unified and reproducible way to analyse the TLS ecosystem through different datasets. Our approach is based on a set of open-source tools, concerto. Our contribution is therefore threefold: an analysis of existing datasets to propose a unified methodology, the implementation of our approach with concerto, and the presentation of some results to validate our toolsets.

[1] J. Alex Halderman,et al. Analysis of the HTTPS certificate ecosystem , 2013, Internet Measurement Conference.

[2] Georg Carle,et al. The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements , 2011, IMC '11.

[3] Eric Wustrow,et al. ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[4] Paul E. Hoffman,et al. The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA , 2012, RFC.

[5] Donald Eastlake rd,et al. Transport Layer Security (TLS) Extensions: Extension Definitions , 2011 .

[6] Hervé Debar,et al. One year of SSL internet measurement , 2012, ACSAC '12.

[7] Bodo Möller,et al. This POODLE Bites: Exploiting The SSL 3.0 Fallback , 2014 .

[8] Stephen Farrell,et al. Pervasive Monitoring Is an Attack , 2014, RFC.

[9] Anja Feldmann,et al. An internet census taken by an illegal botnet: a qualitative assessment of published measurements , 2014, CCRV.

[10] Eric Rescorla,et al. The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[11] Olivier Levillain,et al. Parsifal: A Pragmatic Solution to the Binary Parsing Problems , 2014, 2014 IEEE Security and Privacy Workshops.