Skip to main content
SpringerLink
Log in

A Practical Analysis of TLS Vulnerabilities in Korea Web Environment

  • Conference paper
  • First Online:
Information Security Applications (WISA 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10144))

Included in the following conference series:

  • 1327 Accesses

Abstract

TLS protocol provides a secure communication environment by guaranteeing the confidentiality and the integrity of transmitted data between two parties. However, there have been lots of vulnerabilities in TLS protocol and attacks exploiting them in aspects of protocol, implementation, and cryptographic tools. In spite of the lessons learned from the past experiences, various attacks on the network systems are being reported continuously due to the lack of care with regard to the proper TLS deployment and management. In this paper, we investigate TLS vulnerabilities in Korea’s top 100 websites selected from Alexa global top 500 sites and 291 Korea’s public enterprise websites. We compare the analysis results with those of Alexa global top 100 websites. Then, we discuss the lessons learned from this study. In order to analyze TLS vulnerabilities efficiently, we developed a TLS vulnerability scanner, called Network Vulnerabilities Scanner (NVS). We also analyze e-mail security of Korea’s top 3 e-mail service providers, which are supposed to be secured by TLS. Interestingly, we found that the e-mail service of them is not so secured by TLS as opposed to the analysis of Google’s transparency report.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Alexa top 500 sites. http://www.alexa.com/topsites/

  2. Center for software security and assurance website. http://iotqv.korea.ac.kr/

  3. Common vulerabilities and exposures. https://cve.mitre.org/

  4. Daum mail. http://mail.daum.net/

  5. Google transparency report about e-mail TLS. https://www.google.com/transparencyreport/saferemail/?hl=ko/

  6. The internet engineering task force. https://www.ietf.org/

  7. Nate mail. http://mail3.nate.com/

  8. Naver mail. http://mail.naver.com/

  9. Qualys ssl labs web site. https://www.ssllabs.com/index.html/

  10. Target website lists and the result of scanning. https://www.dropbox.com/s/mhr4f7mpioow0hd/Result%20of%20scanning.xlsx?dl=0/

  11. Wireshark. https://www.wireshark.org/

  12. Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04159-4_7

    Chapter  Google Scholar 

  13. Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J.A., Dukhovni, V., et al.: Drown: Breaking TLS using SSLv2

    Google Scholar 

  14. Bhargavan, K., Leurent, G., Cadé, D., Blanchet, B., Paraskevopoulou, Z., Hriţcu, C., Dénès, M., Lampropoulos, L., Pierce, B.C., Delignat-Lavaud, A., et al.: Transcript collision attacks: breaking authentication in TLS, IKE, and SSH. In: Network and Distributed System Security Symposium-NDSS 2016 (2016)

    Google Scholar 

  15. Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 36–57. Springer, Heidelberg (2005). doi:10.1007/11426639_3

    Chapter  Google Scholar 

  16. Dierks, T.: The transport layer security (TLS) protocol version 1.2 (2008)

    Google Scholar 

  17. Durumeric, Z., Adrian, D., Kasten, J., Springall, D., Bailey, M., Halderman, J.: Poodle attack and SSLv3 deployment (2014)

    Google Scholar 

  18. Durumeric, Z., Kasten, J., Adrian, D., Halderman, J.A., Bailey, M., Li, F., Weaver, N., Amann, J., Beekman, J., Payer, M., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 475–488. ACM (2014)

    Google Scholar 

  19. Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001). doi:10.1007/3-540-45537-X_1

    Chapter  Google Scholar 

  20. Fogel, B.: A survey of web vulnerabilities. Ph.D. thesis, Auburn University (2015)

    Google Scholar 

  21. Gujrathi, S.: Heartbleed bug: AnOpenSSL heartbeat vulnerability. Int. J. Comput. Sci. Eng. 2(5), 61–64 (2014)

    Google Scholar 

  22. Fogel, B., Farmer, S., Alkofahi, H., Skjellum, A., Hafiz, M.: POODLEs, more POODLEs, FREAK attacks too: how server administrators responded to three serious web vulnerabilities. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 122–137. Springer, Cham (2016). doi:10.1007/978-3-319-30806-7_8

    Chapter  Google Scholar 

  23. Liang, J., Lai, X.J.: Improved collision attack on hash function MD5. J. Comput. Sci. Technol. 22(1), 79–87 (2007)

    Article  MathSciNet  Google Scholar 

  24. Möller, B., Duong, T., Kotowicz, K.: This poodle bites: exploiting the SSL 3.0 fallback. Google, September 2014

    Google Scholar 

  25. Popov, A.: Prohibiting RC4 cipher suites. Comput. Sci. 2355, 152–164 (2015)

    Google Scholar 

  26. Sasaki, Y., Naito, Y., Kunihiro, N., Ohta, K.: Improved collision attack on MD5. IACR Cryptology ePrint Archive 2005, 400 (2005)

    Google Scholar 

  27. Vanhoef, M., Piessens, F.: All Your biases belong to Us: Breaking RC4 in WPA-TKIP and TLS. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 97–112 (2015)

    Google Scholar 

  28. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). doi:10.1007/11535218_2

    Chapter  Google Scholar 

  29. Yau, A.K.L., Paterson, K.G., Mitchell, C.J.: Padding Oracle attacks on CBC-mode encryption with secret and random IVs. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 299–319. Springer, Heidelberg (2005). doi:10.1007/11502760_20

    Chapter  Google Scholar 

Download references

Acknowledgments

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2016R1A2A2A05005402). This work was also supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. R0190-15-2011, Development of Vulnerability Discovery Technologies for IoT Software Security).

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, Korea University, 145, Anam-ro, Seongbuk-gu, Seoul, 136-701, Korea

    Jongmin Jeong, Hyunsoo Kwon, Hyungjune Shin & Junbeom Hur

Authors
  1. Jongmin Jeong
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hyunsoo Kwon
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hyungjune Shin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Junbeom Hur
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jongmin Jeong .

Editor information

Editors and Affiliations

  1. ETRI, Daejeon, Korea (Republic of)

    Dooho Choi

  2. Secure-IC, S.A.S., Paris, France

    Sylvain Guilley

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Jeong, J., Kwon, H., Shin, H., Hur, J. (2017). A Practical Analysis of TLS Vulnerabilities in Korea Web Environment. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science(), vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-56549-1_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-56548-4

  • Online ISBN: 978-3-319-56549-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation