Skip to main content
Disciplines
Automotive Business IT + Informatics Construction + Real Estate Electrical Engineering + Electronics Energy + Sustainability Insurance + Risk Finance + Banking Management + Leadership Marketing + Sales Mechanical Engineering + Materials
Events
DE
EN
Books
Journals
Topic Page
Marketing
Start single access now
Access for companies
EXTENDED SEARCH
Log in
Top
Published in:
Does Query Blocking Improve DNS Privacy? Read chapter Read first chapter

2017 | OriginalPaper | Chapter

Empirical Analysis of SSL/TLS Weaknesses in Real Websites: Who Cares?

Authors : Sanghak Oh, Eunsoo Kim, Hyoungshick Kim

Published in: Information Security Applications

Publisher: Springer International Publishing

Log in

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

As SSL/TLS has become the de facto standard Internet protocol for secure communication in recent years, its security issues have also been intensively studied. Even though several tools have been introduced to help administrators know which SSL/TLS vulnerabilities exist in their network hosts, it is still unclear whether the best security practices are effectively adopted to fix those vulnerabilities in real-world applications. In this paper, we present the landscape of real websites about SSL/TLS weaknesses through an automatic analysis of the possibilities of six representative SSL/TLS attacks—Heartbleed, POODLE, CCS injection, FREAK, Logjam and DROWN—on popular websites. Surprisingly, our experiments show that 45% and 52.6% of top 500 most popular global and Korean websites are still vulnerable to at least one of those attacks, respectively. We also observed several interesting trends in how websites were vulnerable to those attacks. Our findings suggest that better tools and education programs for SSL/TLS security are needed to help administrators keep their systems up-to-date with security patches.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

inform now
previous chapter Towards Automated Exploit Generation for Embedded Systems
next chapter Development of Information Security Management Assessment Model for the Financial Sector
Literature
1.
Bhiogade, M.S.: Secure socket layer. In: Proceedings of the Computer Science and Information Technology Education Conference (2002)
2.
Durumeric, Z., Kasten, J., Adrian, D., Halderman, J.A., Bailey, M., Li, F., Weaver, N., Amann, J., Beekman, J., Payer, M., et al.: The matter of heartbleed. In: Proceedings of the Conference on Internet Measurement Conference (2014)
3.
Möller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback. Google, September 2014
4.
5.
Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: Proceedings of the IEEE Symposium on Security and Privacy (2015)
6.
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Matthew Green, J., Halderman, A., Heninger, N., Springall, D., Thomé, E., Valenta, L., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (2015)
7.
Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., David Adrian, J., Halderman, A., Viktor Dukhovni, D., et al.: Breaking TLS using SSLv2 (2008)
8.
Paulson, L.C.: Inductive analysis of the internet protocol TLS. ACM Trans. Inf. Syst. Secur. 2(3), 332–351 (1999)CrossRef
9.
Fogel, B., Farmer, S., Alkofahi, H., Skjellum, A., Hafiz, M.: POODLEs, More POODLEs, FREAK attacks too: how server administrators responded to three serious web vulnerabilities. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 122–137. Springer, Cham (2016). doi:10.​1007/​978-3-319-30806-7_​8 CrossRef
10.
Dierks, T., Rescorla, E.: RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2, Updated by RFCs, 5746(5878):6176, August 2008
11.
Lyon, G.F.: Nmap network scanning: the official Nmap project guide to network discovery and security scanning. Insecure (2009)
12.
13.
14.
Song, Y., Kim, H., Huh, J.H.: On the guessability of resident registration numbers in South Korea. In Proceedings of Australasian Conference on Information Security and Privacy (2016)
15.
Durumeric, Z., Eric Wustrow, J., Halderman, A., ZMap: fast internet-wide scanning and its security applications. In: Proceedings of the Usenix Security (2013)
16.
Metadata
Title
Empirical Analysis of SSL/TLS Weaknesses in Real Websites: Who Cares?
Authors
Sanghak Oh
Eunsoo Kim
Hyoungshick Kim
Copyright Year
2017
Book
Information Security Applications

Print ISBN: 978-3-319-56548-4

Electronic ISBN: 978-3-319-56549-1

Copyright Year: 2017

DOI
https://doi.org/10.1007/978-3-319-56549-1_15

Premium Partner

    Image Credits