DOI: 10.1145/2987443.2987480
Research article (open access)

Measuring the Security Harm of TLS Crypto Shortcuts

Published: 14 November 2016

Abstract

    TLS has the potential to provide strong protection against network-based attackers and mass surveillance, but many implementations take security shortcuts in order to reduce the costs of cryptographic computations and network round trips. We report the results of a nine-week study that measures the use and security impact of these shortcuts for HTTPS sites among Alexa Top Million domains. We find widespread deployment of DHE and ECDHE private value reuse, TLS session resumption, and TLS session tickets. These practices greatly reduce the protection afforded by forward secrecy: connections to 38% of Top Million HTTPS sites are vulnerable to decryption if the server is compromised up to 24 hours later, and 10% up to 30 days later, regardless of the selected cipher suite. We also investigate the practice of TLS secrets and session state being shared across domains, finding that in some cases, the theft of a single secret value can compromise connections to tens of thousands of sites. These results suggest that site operators need to better understand the tradeoffs between optimizing TLS performance and providing strong security, particularly when faced with nation-state attackers with a history of aggressive, large-scale surveillance.
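The abstract's central point, that reusing a DHE private value or keeping resumption secrets alive turns "forward secret" traffic into traffic that a later server compromise decrypts, can be made concrete with a small simulation. The following is an added example written for this page, not code from the paper or its measurement tooling. It models a server that either draws a fresh DHE private value for every handshake or reuses one for a fixed window and rotates it on a timer; a passive adversary records every handshake and encrypted record; at a chosen delay after the last connection the server's current private value is dumped and the attacker counts how many recorded sessions it decrypts. The `reuse_window` rotation policy, the 127-bit toy prime group, the HMAC-based stream cipher and the sample requests are all constructed assumptions (none is a secure parameter), chosen only so the run completes offline.

```python
"""Toy simulation of DHE private-value reuse versus forward secrecy.

Constructed example for this page, not the paper's code.  The DH group,
the 'traffic' cipher and the rotation policy are toy assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy group, NOT secure: 2**127 - 1 is a Mersenne prime; 5 is an arbitrary base.
P = (1 << 127) - 1
G = 5
LABEL = b"toy traffic key"


def kdf(shared: int) -> bytes:
    """Derive a 32-byte traffic key from the DH shared secret (toy KDF)."""
    return hmac.new(shared.to_bytes(16, "big"), LABEL, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with an HMAC-SHA256 counter keystream (toy, no integrity)."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    """What a passive network attacker captures from one connection."""
    t: int             # handshake time, seconds
    server_pub: int    # g^s mod p, as sent in ServerKeyExchange
    client_pub: int    # g^c mod p, as sent in ClientKeyExchange
    ciphertext: bytes  # one encrypted application-data record


class Server:
    """Holds one DHE private value and rotates it on a timer.

    reuse_window == 0 models a fresh value per handshake (the forward-secure
    behaviour); a positive window models the reuse the paper measured.
    """

    def __init__(self, reuse_window: int):
        self.reuse_window = reuse_window
        self._priv = None
        self._created = None

    def private_value(self, now: int) -> int:
        expired = (self._priv is None or self.reuse_window == 0
                   or now - self._created >= self.reuse_window)
        if expired:
            self._priv = secrets.randbelow(P - 2) + 1
            self._created = now
        return self._priv


def handshake(server: Server, now: int, plaintext: bytes) -> Record:
    """One DHE handshake followed by one encrypted record, as seen on the wire."""
    s = server.private_value(now)
    c = secrets.randbelow(P - 2) + 1
    server_pub, client_pub = pow(G, s, P), pow(G, c, P)
    shared = pow(server_pub, c, P)  # client side: (g^s)^c
    return Record(now, server_pub, client_pub, xor_stream(kdf(shared), plaintext))


def attacker_decrypt(rec: Record, stolen_priv: int) -> bytes:
    """Replay the server's side of the exchange with a stolen private value."""
    shared = pow(rec.client_pub, stolen_priv, P)  # (g^c)^s, right only if s matches
    return xor_stream(kdf(shared), rec.ciphertext)


def simulate(reuse_window: int, n_handshakes: int = 48, interval: int = 3600,
             compromise_delay: int = 0) -> int:
    """Record n_handshakes connections `interval` seconds apart, compromise the
    server `compromise_delay` seconds after the last one, and return how many
    recorded connections the stolen private value decrypts."""
    server = Server(reuse_window)
    captured = []
    for i in range(n_handshakes):
        msg = f"GET /account/{i} HTTP/1.1".encode()  # constructed sample request
        captured.append((msg, handshake(server, i * interval, msg)))
    # The rotation timer fires before the dump; whatever is still in memory leaks.
    stolen = server.private_value((n_handshakes - 1) * interval + compromise_delay)
    return sum(attacker_decrypt(rec, stolen) == msg for msg, rec in captured)


if __name__ == "__main__":
    day = 86400
    print("fresh value per handshake, immediate compromise:", simulate(0))
    print("24h reuse, immediate compromise:", simulate(day))
    print("24h reuse, compromise one day later:", simulate(day, compromise_delay=day))
    print("30d reuse, compromise one day later:", simulate(30 * day, compromise_delay=day))
```

With hourly connections over two days and a 24-hour reuse window, a dump taken right after the last handshake decrypts the 24 connections that used the still-live value, and a dump a day later decrypts none because the value has rotated; with a 30-day window every recorded connection falls. That is the tradeoff behind the abstract's 24-hour and 30-day figures, and the same arithmetic applies to session tickets and resumption caches with the ticket encryption key or cached master secret standing in for the DH private value.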


Cited By

• (2023) We really need to talk about session tickets. Proceedings of the 32nd USENIX Security Symposium, pp. 4877-4894. doi:10.5555/3620237.3620510. Published 9 Aug 2023.
• (2023) ZTLS: A DNS-based Approach to Zero Round Trip Delay in TLS handshake. Proceedings of the ACM Web Conference 2023, pp. 2360-2370. doi:10.1145/3543507.3583516. Published 30 Apr 2023.
• (2022) Ethics in Security Research: Visions, Reality, and Paths Forward. 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 538-545. doi:10.1109/EuroSPW55150.2022.00064. Published Jun 2022.
• (2021) SoK: A Framework for Asset Discovery: Systematizing Advances in Network Measurements for Protecting Organizations. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 440-456. doi:10.1109/EuroSP51992.2021.00037. Published Sep 2021.
• (2021) Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT. Journal of Cryptology 34(3). doi:10.1007/s00145-021-09385-0. Published 18 May 2021.
• (2021) Characterizing the Security of Endogenous and Exogenous Desktop Application Network Flows. Passive and Active Measurement, pp. 531-546. doi:10.1007/978-3-030-72582-2_31. Published 30 Mar 2021.
• (2020) Enhanced performance for the encrypted web through TLS resumption across hostnames. Proceedings of the 15th International Conference on Availability, Reliability and Security, pp. 1-10. doi:10.1145/3407023.3407067. Published 25 Aug 2020.
• (2020) HTTPS Contribution in Web Application Security: A Systematic Literature Review. 2020 International Conference on Information Technology Systems and Innovation (ICITSI), pp. 347-356. doi:10.1109/ICITSI50517.2020.9264971. Published 19 Oct 2020.
• (2019) ANCHOR. ACM Transactions on Privacy and Security 22(2), pp. 1-36. doi:10.1145/3301305. Published 26 Feb 2019.
• (2019) QTLS. Proceedings of the 24th Symposium on Principles and Practice of Parallel Programming, pp. 158-172. doi:10.1145/3293883.3295705. Published 16 Feb 2019.

Published In

IMC '16: Proceedings of the 2016 Internet Measurement Conference
November 2016, 570 pages
ISBN: 9781450345262
DOI: 10.1145/2987443

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. edward snowden
2. gchq
3. government surveillance
4. nation state attacker
5. nsa
6. secure socket layer
7. session resumption
8. ssl
9. tls
10. transport layer security

Qualifiers

• Research-article

Conference

IMC 2016: Internet Measurement Conference
November 14 - 16, 2016
Santa Monica, California, USA

Acceptance Rates

IMC '16 Paper Acceptance Rate: 48 of 184 submissions, 26%
Overall Acceptance Rate: 277 of 1,083 submissions, 26%

