|
Title:
|
SSL/TLS STATUS SURVEY IN ASIA REGION - TRANSITIONING AGAINST THE RENEGOTIATION VULNERABILITY, CRIME ATTACKS AND UNTRUSTED X.509 CERTIFICATES |
|
Author(s):
|
Yuji Suga |
|
ISBN:
|
978-972-8939-98-4 |
|
Editors:
|
Piet Kommers, Tomayess Issa, Nurfadhlina Mohd Sharef and Pedro IsaĆas |
|
Year:
|
2013 |
|
Edition:
|
Single |
|
Keywords:
|
SSL/TLS, Renegotiation function, CRIME attacks, Transitioning of cryptographic algorithms, Transition engineering, RFC5746, SSLyze, EFF SSL Observatory |
|
Type:
|
Short Paper |
|
First Page:
|
79 |
|
Last Page:
|
84 |
|
Language:
|
English |
|
Cover:
|
|
|
Full Contents:
|
click to dowload 
|
|
Paper Abstract:
|
In 2009, researchers released details of the vulnerability in the SSL and TLS protocols that could allow Man-in-the-Middle attacks to be carried out. This vulnerability can be attributed to a problem in the SSL and TLS protocol specifications themselves. Fixes have been released for OpenSSL and Apache immediately, however most of these involve simply disabling the renegotiation feature that is causing the problem. More thorough measures would require an update to the current specifications and migration to implementations that follow the new specifications. IETF published countermeasures with unprecedented speed as RFC5746, however server-side implementations are not deployed because of problems in business such as the loss of opportunities and backward compatibilities. Moreover due to the Flame problem, Microsoft was carrying out a fundamental review of many areas and launching new initiatives. An update that blocks RSA keys less than 1024 bits, which it is recognized should only be used by those understanding the risks involved, was planned for release in August last year. Moreover in September 2012, a demo for eavesdropping cookies when the compression function is enabled for SSL/TLS was released. This CRIME attack exploits the fact that even when data of the same length is compressed, the dictionary length changes based on whether the same characters are included in the data before compression. As described above, various weaknesses in SSL/TLS were into the open, so we need to deal with the problems in the SSL/TLS servers. This paper shows the latest status of web sites especially in Asia region with the aforementioned issues including the SSL/TLS renegotiation vulnerability, CRIME attacks and untrusted X.509 certificates by crawling with SSLyze. This paper also shows observations especially differences of setting status against measures due to differences of countries or regions. |
|
|
|
|
|
|
