http://dx.doi.org/10.13089/JKIISC.2018.28.1.145

A System for SSL/TLS Vulnerability Detection of Servers  

Cho, Sungwon (Naver Corporation)
Choi, Hyunsang (Naver Corporation)
Heo, Gyu (Naver Corporation)
Cho, Sanghyun (Naver Corporation)
Kim, Young-Gab (Sejong University)
Abstract
SSL (Secure Socket Layer) and TLS (Transport Layer Security) are widely used protocols for secure, encrypted communication over a computer network. However, several security vulnerabilities in SSL/TLS have been reported over the years, and these vulnerabilities can let an adversary carry out critical attacks on SSL/TLS-enabled servers. In this paper, we develop a system that periodically scans internal network servers for SSL/TLS vulnerabilities and quickly detects, reports and visualizes them. We evaluated the system on production servers of Naver services and analyzed the detected vulnerabilities. 816 vulnerabilities were found on 213 internal server domains (4.2 vulnerabilities per domain on average), and most of the vulnerable servers are not open to the public. However, 46 server domains still had old vulnerabilities that were first found in 2016. By leveraging the proposed system, we were able to patch and respond to the SSL/TLS vulnerabilities of these servers.
Keywords
Mobile advertisement; mobile ad injection; abusing;