
POODLEs, More POODLEs, FREAK Attacks Too: How Server Administrators Responded to Three Serious Web Vulnerabilities

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9639)

Abstract

We present an empirical study of the patching characteristics of the top 100,000 web sites in response to three recent vulnerabilities: the POODLE vulnerability, the POODLE TLS vulnerability, and the FREAK vulnerability. The goal was to identify how the web responds to newly discovered vulnerabilities and which remotely observable characteristics of websites contribute to the response pattern over time. Using open source tools, we found that the patch adoption rate is slow in general; for example, about one in four of the servers hosting Alexa top 100,000 sites that we sampled remained vulnerable to the POODLE attack even after five months. It was reassuring that servers handling sensitive data were more aggressive in patching the vulnerabilities. However, servers with more open ports were more likely to be vulnerable. The results are valuable for practitioners to understand the state of security engineering practices and what can be done to improve them.



Acknowledgements

This work was funded by the Auburn Cyber Research Center. We thank Paul Adamczyk, Farhana Ashraf, Jeff Overbey, Awais Rashid, and the anonymous reviewers for their comments.

Author information

Corresponding author

Correspondence to Benjamin Fogel.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Fogel, B., Farmer, S., Alkofahi, H., Skjellum, A., Hafiz, M. (2016). POODLEs, More POODLEs, FREAK Attacks Too: How Server Administrators Responded to Three Serious Web Vulnerabilities. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science, vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_8

  • DOI: https://doi.org/10.1007/978-3-319-30806-7_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30805-0

  • Online ISBN: 978-3-319-30806-7

  • eBook Packages: Computer Science (R0)