1

Characterization of cipher suite selection, downgrading, and other weaknesses observed in the wild / Karaktärisering av cipher suite val, nedgradering och andra svagheter som observerats i det vilda

Kjell, Edvin; Frisenfelt, Sebastian. January 2021
The importance of security on the web is growing every day. How domains handle and prioritize their level of security varies. Tradeoffs between security and convenience have to be made to uphold a website's public image. This thesis uses a subset of domains from the Alexa Top 1M list. The list was used to create our datasets, collected through active scans with testssl.sh. This thesis has, through the mentioned datasets, compared domains with regard to several security aspects and analyzed how they handle security and convenience. We performed our scans over the course of two weeks to analyze each domain's level of security, as well as looking at top domains for several popular categories. Our analysis mainly focused on comparing the domains on their choice of Transport Layer Security (TLS) version, cipher suite, support for HSTS, and whether they were exposed to any vulnerabilities. The subset of domains that we looked at saw about 50% implementation of TLS 1.3. We discovered that the most popular domains tend to choose availability as one of their highest priorities, leaving them exposed to vulnerabilities in earlier versions of the TLS protocol. Most domains that showed exposure to one vulnerability, in general, were also exposed to BEAST. This was also the most prominent vulnerability among all domains. We also showed that many of the negotiated cipher suites on the list of domains still utilize cipher block chaining, which is known to be weak. Our results show that different browsers, mobile operating systems, and the time of day had a negligible impact on the choice of TLS version. Most of the domains in the popular categories had not yet adopted TLS 1.3 and were overall more exposed to the tested vulnerabilities than those on the top million list. The support for HSTS was low in both the categories and on the Alexa top list. We conclude that upgrading to the latest recommended standard should always be a priority for server operators.
2

The Everyday Internet, a Minefield in Disguise : Characterization of different types of domains including malicious and popularity / Internet, ett minfält i förklädnad.

Petersson, Linn; Lindkvist, Rebecka. January 2022
Today, security has become a growing concern for all internet users, where technology is developing faster than its security is implemented, which leads to insecure domains. In this thesis, we look at the reality of today’s domains and research if some categories of domains are safer than others and the reason behind it. The total number of researched domains was 8080, divided into four categories: popular, categories, continents, and malicious. The analysis was made by looking closer at default protocols, cipher suites, certificate authorities (CAs), certificate classifications, page loading times, and vulnerabilities. Our result indicated that TLS 1.2 and TLS 1.3 are the most commonly used protocols. The largest difference between the domains could be seen among the CAs, even though no definite reason for this could be found. The most popular cipher suite for popular, categories, and malicious belonged to TLS 1.3; meanwhile, continents had a cipher suite belonging to TLS 1.2. All four categories were vulnerable to at least five out of eight different types of attacks. The least commonly used certificate classification is EV certificates, while DV is the most commonly used. Through our data collection and analysis, we could conclude that all domains are not as safe as one might think, while the underlying security infrastructure of malicious domains might be better than anyone expects.
