Computing Reviews
Coming of age: a longitudinal study of TLS deployment
Kotzias P., Razaghpanah A., Amann J., Paterson K., Vallina-Rodriguez N., Caballero J. IMC 2018 (Proceedings of the 2018 Internet Measurement Conference, Boston, MA, Oct 31-Nov 2, 2018), 415-428. 2018. Type: Proceedings
Date Reviewed: Jan 28 2019

The paper presents a longitudinal study of secure sockets layer/transport layer security (SSL/TLS) deployment. The datasets span periods from early 2012 and mid-2015 until now, and contain the TLS parameters used for negotiations as well as those actually negotiated for connections. The negotiation parameters allow for fingerprinting and identifying most client and server TLS software versions. The parameters actually negotiated indicate the relative relevance of the use cases.

The presented graphs show the different versions of TLS and the various ciphers offered and negotiated, both as percentages of all connections to show overall relevance and as percentages of actual use to show the support for TLS solutions. The effects of security research and vulnerability reporting on TLS are investigated. To that end, the graphs include time markers linked to major vulnerabilities, including BEAST (2011), Lucky 13 (2012), Heartbleed (2013), POODLE (2014), FREAK (2015), Logjam (2015), and multiple RC4 attacks. Each attack is linked to the vulnerable parts of TLS.

The authors further discuss newer TLS security features. The availability of forward secrecy, elliptic curves, and TLS 1.3 allows for stronger security, providing motivation to move forward. It is clear that support for changes in TLS security features dictates the earliest possible adoption.

The authors also identify the continued use of NULL cipher suites (even NULL_WITH_NULL_NULL) and anonymous ciphers, an unwelcome surprise. They even note server software that ignores standard handshake principles.
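
As an added illustration (not code from the paper or from this review), the sketch below labels negotiated cipher suites by their IANA names and reports what share of connections used NULL encryption, anonymous key exchange, export or RC4 ciphers, or forward-secret key exchange. The sample counts are constructed, and treating every TLS 1.3 suite as forward secret is an assumption.

```python
from collections import Counter

# Constructed sample: (negotiated cipher suite, connection count).
SAMPLE = [
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 620),
    ("TLS_AES_128_GCM_SHA256", 150),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", 180),
    ("TLS_RSA_WITH_RC4_128_SHA", 30),
    ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 5),
    ("TLS_DH_anon_WITH_AES_128_CBC_SHA", 8),
    ("TLS_RSA_WITH_NULL_SHA", 5),
    ("TLS_NULL_WITH_NULL_NULL", 2),
]

def classify(suite):
    """Return the set of property labels for one IANA cipher suite name."""
    body = suite[4:] if suite.startswith("TLS_") else suite
    if "_WITH_" not in body:
        # TLS 1.3 names carry no key exchange field. Assumption: an
        # (EC)DHE key share is in use, so the suite counts as forward secret.
        return {"forward_secret"}
    kx, cipher = body.split("_WITH_", 1)
    labels = set()
    if cipher.startswith("NULL"):
        labels.add("null_encryption")      # integrity only, no confidentiality
    if kx == "NULL" or kx.endswith("_anon"):
        labels.add("anonymous")            # no server authentication
    if "EXPORT" in kx:
        labels.add("export")               # deliberately weakened key sizes
    if cipher.startswith("RC4"):
        labels.add("rc4")
    if kx.startswith(("ECDHE_", "DHE_")):
        labels.add("forward_secret")       # authenticated ephemeral key exchange
    return labels

def shares(log):
    """Percentage of connections carrying each label, rounded to 0.1."""
    total = sum(n for _, n in log)
    hits = Counter()
    for suite, n in log:
        for label in classify(suite):
            hits[label] += n
    return {label: round(100 * n / total, 1) for label, n in hits.items()}

if __name__ == "__main__":
    for label, pct in sorted(shares(SAMPLE).items()):
        print(f"{label:16s} {pct:5.1f}%")
```
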

The earliest measurements indicate poor security practices: they show very slow adoption of new solutions despite discovered vulnerabilities. At the time of writing, TLS 1.3 is catching on, though not yet out of draft mode. The impact of published TLS vulnerabilities on the speed of change depends on the root cause of the vulnerability, but is also linked to the media attention received.

The mere presence of weak versions and ciphers is a risk--a difficult lesson to learn despite the evidence (for example, DROWN). The frequency of vulnerable TLS parameter usage shows a long tail even if vulnerabilities are published and more secure versions become available. The paper lists some possible explanations for the slow changes observed; however, TLS is a foundational security feature, so the facts as shown here are cause for some serious concern.

Reviewer:  A. Mariën Review #: CR146402 (1904-0119)
Security and Protection (C.2.0 ... )
 
 
IP (C.2.2 ... )
 
 
Network Protocols (C.2.2 )
 