Turning Active TLS Scanning to Eleven

Upload: sba-research

Post on 21-Jan-2018

Page 1: Turning Active TLS Scanning to Eleven
Page 2: Turning Active TLS Scanning to Eleven

TURNING ACTIVE TLS SCANNING TO ELEVEN

Wilfried Mayer, Martin Schmiedecker
IFIP SEC 2017, Rome, 29.5.2017

2016 - SBA Research gGmbH

Page 3: Turning Active TLS Scanning to Eleven

Turning Active TLS Scanning to Eleven

• Scans the full TLS cipher suite configuration
• Evaluated new methods and approaches
• Improvement: 3.2 times faster
• 6% of the connections

Page 4: Turning Active TLS Scanning to Eleven

TLS Scanning: Measure the state of the TLS ecosystem

• Foundation of today's web security
• Need to know the current state

• Existing projects: scans.io / censys / SSLTest
• Existing tools: zmap / masscan / SSLyze

• What is the state?
• How to scan the state efficiently?


Page 5: Turning Active TLS Scanning to Eleven

TLS Scanning: Tools and Cipher Suites

• zmap / masscan: efficiently scan all hosts once

• SSLyze: scan all cipher suites of hosts

• SSLTest: scan one public host intensively


Page 6: Turning Active TLS Scanning to Eleven

TLS Scanning: TLS Handshake


Page 7: Turning Active TLS Scanning to Eleven

TLS Scanning: Cipher Suites


Page 8: Turning Active TLS Scanning to Eleven

Approaches: Defined Requirements

• Time
• Parallelization
• Connections
• Completeness


Page 9: Turning Active TLS Scanning to Eleven

Approaches: Existing approach: "Naive"

• 1 cipher suite / request
• All requests at the same time


Page 10: Turning Active TLS Scanning to Eleven

Approaches: Connection optimal

• Each request includes all cipher suites with an unknown result
• Requests are serialized


Page 11: Turning Active TLS Scanning to Eleven

Approaches: Based on cryptographic primitives

• Each request groups cipher suites by primitive
• Multiple requests at the same time
• Multiple rounds necessary


Page 12: Turning Active TLS Scanning to Eleven

Approaches: Based on existing results

• Multiple parallel rounds of requests
• Find configurations with highest probability
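The trade-off between the naive, connection-optimal and primitive-grouped approaches above can be simulated with a server that always answers with its most-preferred offered suite. This is an added example, not the authors' scanner: the suite list is a small real-named subset, the grouping is by key exchange only, and the server preference list is constructed; it counts the connections (C) and rounds (R) each strategy needs.

```python
SUITES = {  # added simulation (not the authors' tool); suite -> key exchange group for the primitives approach
    "TLS_RSA_WITH_AES_128_CBC_SHA": "RSA", "TLS_RSA_WITH_AES_256_CBC_SHA": "RSA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "RSA", "TLS_RSA_WITH_RC4_128_SHA": "RSA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE",
}
# Constructed server preference list: exactly these four suites are supported, in this order.
PREF = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

class SimServer:
    """Answers a ClientHello with its most-preferred offered suite, or None (handshake_failure)."""
    def __init__(self, preference):
        self.preference, self.connections = list(preference), 0
    def hello(self, offered):
        self.connections += 1
        return next((s for s in self.preference if s in offered), None)

def scan_naive(server):
    """Naive: one suite per connection, all connections sent in a single parallel round."""
    return {s for s in SUITES if server.hello([s]) is not None}, 1

def scan_connection_optimal(server):
    """Connection optimal: serialized requests, each offering every suite still unknown."""
    unknown, supported, rounds = set(SUITES), set(), 0
    while unknown:
        rounds += 1
        chosen = server.hello(unknown)
        if chosen is None: break  # nothing in common: every remaining suite is unsupported
        supported.add(chosen); unknown.discard(chosen)
    return supported, rounds

def scan_grouped(server):
    """Primitives: one request per key exchange group per round, groups probed in parallel."""
    groups = {g: {s for s, kx in SUITES.items() if kx == g} for g in set(SUITES.values())}
    supported, rounds = set(), 0
    while groups:
        rounds += 1
        for g, unknown in list(groups.items()):
            chosen = server.hello(unknown)
            if chosen is not None: supported.add(chosen); unknown.discard(chosen)
            if chosen is None or not unknown: del groups[g]  # group done: failure, or fully resolved
    return supported, rounds

def measure(strategy, preference=PREF):
    """Run one strategy against a fresh simulated server; returns (supported, C, R)."""
    server = SimServer(preference)
    supported, rounds = strategy(server)
    return supported, server.connections, rounds
```

Against this server the naive scan needs 8 connections in 1 round, the connection-optimal scan 5 connections in 5 rounds, and the grouped scan 7 connections in 3 rounds, which is the time-versus-connections trade-off the requirements slide lists.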

Page 13: Turning Active TLS Scanning to Eleven

Existing Data: Full TLS Cipher Suite Scan from 2015

• No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large

• Internet-wide scan of TLS cipher suite configurations

• SSLyze (naive approach) used
• ~10 billion TLS handshakes
• ~20 million IP/port results


Page 14: Turning Active TLS Scanning to Eleven

Existing Data: Patterns in Cipher Suite Usage

Most-used cipher suite patterns for HTTPS
• Internet-wide scan in Aug. 2015
• Even higher percentage for other protocols (SMTP)


Page 15: Turning Active TLS Scanning to Eleven

Existing Data: Coverage + Patterns

Host coverage by number of patterns


Page 16: Turning Active TLS Scanning to Eleven

Tests

• Simulated with existing results

• Experimental testing with active scanning


Page 17: Turning Active TLS Scanning to Eleven

Results: Simulation

With the state of TLS scanned in 2015

C … Average number of connections
R … Average number of rounds


Page 18: Turning Active TLS Scanning to Eleven

Results: Experimental


Page 19: Turning Active TLS Scanning to Eleven

Results: Experimental


Page 20: Turning Active TLS Scanning to Eleven

Results: Alexa Top10k

• Scanned Alexa and Umbrella Top10k hosts
• Compared patterns
• Mozilla SSL Configuration Generator


Page 21: Turning Active TLS Scanning to Eleven

Discussion

● Ethics: "poor trade-off in terms of good Internet citizenship versus lessons that can be learned" [Holz et al.]

● Other factors of optimization: bandwidth usage, TCP/IP settings, parallelization

● TLS 1.3


Page 22: Turning Active TLS Scanning to Eleven

Conclusion

● New approaches to TLS cipher suite scanning

● Performance gain
  ● 3.2 times faster
  ● 6% of the connections

● Implemented & Evaluated


Page 23: Turning Active TLS Scanning to Eleven

Wilfried Mayer

SBA Research gGmbH
Favoritenstraße 16, 1040 [email protected]