Abstract
The TLS protocol provides a secure communication environment by guaranteeing the confidentiality and integrity of data transmitted between two parties. However, there have been many vulnerabilities in the TLS protocol, and attacks exploiting them, at the level of the protocol itself, its implementations, and its cryptographic primitives. In spite of the lessons learned from past experience, attacks on network systems continue to be reported because of insufficient care in deploying and managing TLS properly. In this paper, we investigate TLS vulnerabilities in Korea's top 100 websites, selected from the Alexa global top 500 sites, and in 291 Korean public enterprise websites. We compare the analysis results with those of the Alexa global top 100 websites and then discuss the lessons learned from this study. To analyze TLS vulnerabilities efficiently, we developed a TLS vulnerability scanner called Network Vulnerabilities Scanner (NVS). We also analyze the e-mail security of Korea's top 3 e-mail service providers, whose services are supposed to be secured by TLS. Interestingly, we found that their e-mail services are not as well secured by TLS as Google's transparency report indicates.
Acknowledgments
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2016R1A2A2A05005402). This work was also supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. R0190-15-2011, Development of Vulnerability Discovery Technologies for IoT Software Security).
© 2017 Springer International Publishing AG
Cite this paper
Jeong, J., Kwon, H., Shin, H., Hur, J. (2017). A Practical Analysis of TLS Vulnerabilities in Korea Web Environment. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science, vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_10
DOI: https://doi.org/10.1007/978-3-319-56549-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56548-4
Online ISBN: 978-3-319-56549-1
eBook Packages: Computer Science; Computer Science (R0)