Abstract
We present an empirical study on the patching characteristics of the top 100,000 websites in response to three recent vulnerabilities: the POODLE vulnerability, the POODLE TLS vulnerability, and the FREAK vulnerability. The goal was to identify how the web responds to newly discovered vulnerabilities and which remotely observable characteristics of websites contribute to the response pattern over time. Using open source tools, we found that the patch adoption rate is slow in general; for example, about one in four servers hosting Alexa top 100,000 sites we sampled remained vulnerable to the POODLE attack even after five months. It was reassuring that servers handling sensitive data were more aggressive in patching the vulnerabilities. However, servers that had more open ports were more likely to be vulnerable. The results are valuable for practitioners to understand the state of security engineering practices and what can be done to improve them.
Acknowledgements
This was funded by the Auburn Cyber Research Center. We thank Paul Adamczyk, Farhana Ashraf, Jeff Overbey, Awais Rashid, and the anonymous reviewers for their comments.
© 2016 Springer International Publishing Switzerland
Cite this paper
Fogel, B., Farmer, S., Alkofahi, H., Skjellum, A., Hafiz, M. (2016). POODLEs, More POODLEs, FREAK Attacks Too: How Server Administrators Responded to Three Serious Web Vulnerabilities. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science(), vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_8
DOI: https://doi.org/10.1007/978-3-319-30806-7_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30805-0
Online ISBN: 978-3-319-30806-7