A Modern Solution for Identifying, Monitoring, and Selecting Configurations for SSL/TLS Deployment

  • Lamya Alqaydi

Student thesis: Master's Thesis

Abstract

Establishing secure connections is a must nowadays since a lot of transactions are being done online. People transact in various ways online from shopping for clothes to buying extremely expensive equipment. Hence, the need for securing the sessions and e-commerce is highly urgent. Furthermore, any government entity will require its communication to be secured from eavesdropping and Man in The Middle (MITM) attacks. Web Threats are spreading around the world and becoming more aggressive every year. The transport layer protocol, which started as the Secure Socket Layer (SSL) and then became the Transport Layer Security (TLS) protocol, is the standard for encrypting communications between the client and the server. Many vulnerabilities and loopholes in these Internet protocols have been discovered so far. These vulnerabilities resulted at times from flaws in the protocols themselves but in most cases were caused by faulty configurations. Hence an enhancement to the way the TLS protocol and its configurations are considered is a must. Some of the well-known vulnerabilities like DROWN, POODLE, and Heartbleed affect a subset of all possible configurations of protocols and ciphersuites in SSL/TLS protocol. Recently, new vulnerabilities are also frequently discovered and could be used to mount attacks on systems whose configurations are not updated in time or were misconfigured from the start. Thus, we provide an overview of the landscape of vulnerabilities relating to SSL/TLS protocol versions with estimated risk levels. Selecting the best configuration for a given use-case is a time-consuming task and testing a given configuration of a server for all known vulnerabilities is also difficult. Thus, there is a great motivation to create a new tool that abstracts the tedious parts of this process. Our new software solution can automatically scan and rate the configuration of servers and help in selecting suitable ones. The goal is to simplify testing and evaluation of server-side configurations of SSL/TLS and ciphersuites for the community and thus the software is released as an open source project.
Date of AwardApr 2018
Original languageAmerican English
SupervisorErnesto Damiani (Supervisor)

Keywords

  • TLS
  • SSL
  • Privacy
  • Security
  • TLS Handshake
  • Renegotiaition attack
  • BEAST attack
  • CRIME and BREACH attack
  • Heartbleed Attack.

Cite this

'