Empirical analysis of SSL/TLS weaknesses in real websites: Who cares?

Sanghak Oh; Eunsoo Kim; Hyoungshick Kim

doi:10.1007/978-3-319-56549-1_15

Empirical analysis of SSL/TLS weaknesses in real websites: Who cares?

Sanghak Oh
, Eunsoo Kim
, Hyoungshick Kim

Department of Computer Science and Engineering

Sungkyunkwan University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

As SSL/TLS has become the de facto standard Internet protocol for secure communication in recent years, its security issues have also been intensively studied. Even though several tools have been introduced to help administrators know which SSL/TLS vulnerabilities exist in their network hosts, it is still unclear whether the best security practices are effectively adopted to fix those vulnerabilities in real-world applications. In this paper, we present the landscape of real websites about SSL/TLS weaknesses through an automatic analysis of the possibilities of six representative SSL/TLS attacks—Heartbleed, POODLE, CCS injection, FREAK, Logjam and DROWN—on popular websites. Surprisingly, our experiments show that 45% and 52.6% of top 500 most popular global and Korean websites are still vulnerable to at least one of those attacks, respectively. We also observed several interesting trends in how websites were vulnerable to those attacks. Our findings suggest that better tools and education programs for SSL/TLS security are needed to help administrators keep their systems up-to-date with security patches.

Original language	English
Title of host publication	Information Security Applications - 17th International Workshop, WISA 2016, Revised Selected Papers
Editors	Dooho Choi, Sylvain Guilley
Publisher	Springer Verlag
Pages	174-185
Number of pages	12
ISBN (Print)	9783319565484
DOIs	https://doi.org/10.1007/978-3-319-56549-1_15
State	Published - 2017
Event	17th International Workshop on Information Security Applications, WISA 2016 - Jeju Island, Korea, Republic of Duration: 25 Aug 2016 → 25 Aug 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10144 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	17th International Workshop on Information Security Applications, WISA 2016
Country/Territory	Korea, Republic of
City	Jeju Island
Period	25/08/16 → 25/08/16

Keywords

Attack
Security patch
SSL/TLS
Vulnerability

Access to Document

10.1007/978-3-319-56549-1_15

Cite this

Oh, S., Kim, E., & Kim, H. (2017). Empirical analysis of SSL/TLS weaknesses in real websites: Who cares? In D. Choi, & S. Guilley (Eds.), Information Security Applications - 17th International Workshop, WISA 2016, Revised Selected Papers (pp. 174-185). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10144 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-56549-1_15

Oh, Sanghak ; Kim, Eunsoo ; Kim, Hyoungshick. / Empirical analysis of SSL/TLS weaknesses in real websites : Who cares?. Information Security Applications - 17th International Workshop, WISA 2016, Revised Selected Papers. editor / Dooho Choi ; Sylvain Guilley . Springer Verlag, 2017. pp. 174-185 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{8f9a74729fca4b07ba6ec7f032be8083,

title = "Empirical analysis of SSL/TLS weaknesses in real websites: Who cares?",

abstract = "As SSL/TLS has become the de facto standard Internet protocol for secure communication in recent years, its security issues have also been intensively studied. Even though several tools have been introduced to help administrators know which SSL/TLS vulnerabilities exist in their network hosts, it is still unclear whether the best security practices are effectively adopted to fix those vulnerabilities in real-world applications. In this paper, we present the landscape of real websites about SSL/TLS weaknesses through an automatic analysis of the possibilities of six representative SSL/TLS attacks—Heartbleed, POODLE, CCS injection, FREAK, Logjam and DROWN—on popular websites. Surprisingly, our experiments show that 45\% and 52.6\% of top 500 most popular global and Korean websites are still vulnerable to at least one of those attacks, respectively. We also observed several interesting trends in how websites were vulnerable to those attacks. Our findings suggest that better tools and education programs for SSL/TLS security are needed to help administrators keep their systems up-to-date with security patches.",

keywords = "Attack, Security patch, SSL/TLS, Vulnerability",

author = "Sanghak Oh and Eunsoo Kim and Hyoungshick Kim",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 17th International Workshop on Information Security Applications, WISA 2016 ; Conference date: 25-08-2016 Through 25-08-2016",

year = "2017",

doi = "10.1007/978-3-319-56549-1\_15",

language = "English",

isbn = "9783319565484",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "174--185",

editor = "Dooho Choi and \{Guilley \}, Sylvain",

booktitle = "Information Security Applications - 17th International Workshop, WISA 2016, Revised Selected Papers",

}

Oh, S, Kim, E & Kim, H 2017, Empirical analysis of SSL/TLS weaknesses in real websites: Who cares? in D Choi & S Guilley (eds), Information Security Applications - 17th International Workshop, WISA 2016, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10144 LNCS, Springer Verlag, pp. 174-185, 17th International Workshop on Information Security Applications, WISA 2016, Jeju Island, Korea, Republic of, 25/08/16. https://doi.org/10.1007/978-3-319-56549-1_15

Empirical analysis of SSL/TLS weaknesses in real websites: Who cares? / Oh, Sanghak; Kim, Eunsoo; Kim, Hyoungshick.
Information Security Applications - 17th International Workshop, WISA 2016, Revised Selected Papers. ed. / Dooho Choi; Sylvain Guilley . Springer Verlag, 2017. p. 174-185 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10144 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Empirical analysis of SSL/TLS weaknesses in real websites

T2 - 17th International Workshop on Information Security Applications, WISA 2016

AU - Oh, Sanghak

AU - Kim, Eunsoo

AU - Kim, Hyoungshick

N1 - Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017

Y1 - 2017

N2 - As SSL/TLS has become the de facto standard Internet protocol for secure communication in recent years, its security issues have also been intensively studied. Even though several tools have been introduced to help administrators know which SSL/TLS vulnerabilities exist in their network hosts, it is still unclear whether the best security practices are effectively adopted to fix those vulnerabilities in real-world applications. In this paper, we present the landscape of real websites about SSL/TLS weaknesses through an automatic analysis of the possibilities of six representative SSL/TLS attacks—Heartbleed, POODLE, CCS injection, FREAK, Logjam and DROWN—on popular websites. Surprisingly, our experiments show that 45% and 52.6% of top 500 most popular global and Korean websites are still vulnerable to at least one of those attacks, respectively. We also observed several interesting trends in how websites were vulnerable to those attacks. Our findings suggest that better tools and education programs for SSL/TLS security are needed to help administrators keep their systems up-to-date with security patches.

AB - As SSL/TLS has become the de facto standard Internet protocol for secure communication in recent years, its security issues have also been intensively studied. Even though several tools have been introduced to help administrators know which SSL/TLS vulnerabilities exist in their network hosts, it is still unclear whether the best security practices are effectively adopted to fix those vulnerabilities in real-world applications. In this paper, we present the landscape of real websites about SSL/TLS weaknesses through an automatic analysis of the possibilities of six representative SSL/TLS attacks—Heartbleed, POODLE, CCS injection, FREAK, Logjam and DROWN—on popular websites. Surprisingly, our experiments show that 45% and 52.6% of top 500 most popular global and Korean websites are still vulnerable to at least one of those attacks, respectively. We also observed several interesting trends in how websites were vulnerable to those attacks. Our findings suggest that better tools and education programs for SSL/TLS security are needed to help administrators keep their systems up-to-date with security patches.

KW - Attack

KW - Security patch

KW - SSL/TLS

KW - Vulnerability

UR - https://www.scopus.com/pages/publications/85017643876

U2 - 10.1007/978-3-319-56549-1_15

DO - 10.1007/978-3-319-56549-1_15

M3 - Conference contribution

AN - SCOPUS:85017643876

SN - 9783319565484

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 174

EP - 185

BT - Information Security Applications - 17th International Workshop, WISA 2016, Revised Selected Papers

A2 - Choi, Dooho

A2 - Guilley , Sylvain

PB - Springer Verlag

Y2 - 25 August 2016 through 25 August 2016

ER -

Oh S, Kim E, Kim H. Empirical analysis of SSL/TLS weaknesses in real websites: Who cares? In Choi D, Guilley S, editors, Information Security Applications - 17th International Workshop, WISA 2016, Revised Selected Papers. Springer Verlag. 2017. p. 174-185. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-56549-1_15

Empirical analysis of SSL/TLS weaknesses in real websites: Who cares?

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this