The State of SSL in the World Michael Boman Omegapoint
Who am I? <ul><li>Consultant at Omegapoint (Stockholm) </li></ul><ul><li>Penetration Tester </li></ul><ul><li>Incident Han...
Agenda <ul><li>Background </li></ul><ul><li>Data collection method </li></ul><ul><li>Results from data analysis </li></ul>
A little background <ul><li>Lacked a good tool to perform OWASP-CM-001 tests (Testing for SSL-TLS, OWASP Testing Guide) </...
A little background (2) <ul><li>Re-write SSLAudit or port SSLScan? </li></ul><ul><ul><li>http://sourceforge.net/projects/s...
SSLSCAN IN ACTION, SINGLE INSTANCE <ul><li>Demo </li></ul>
Why scan a lot of HTTPS servers? <ul><li>I noticed that some organizations that you would think would have good security f...
First large scan attempt <ul><li>Single instance with a large collection of hosts </li></ul><ul><li>Took forever and was n...
Second large scan attempt <ul><li>Multiple instances with a handful of targets each </li></ul><ul><li>Much better performa...
Third large scan attempt <ul><li>Using Amazon AWS </li></ul><ul><ul><li>SQS to keep track of jobs </li></ul></ul><ul><ul><...
Forth large scan attempt <ul><li>Added Amazon EC2 to the mix </li></ul><ul><ul><li>Now I have theoretically unlimited serv...
Forth large scan design
Forth large scan design
SSLSCAN ON AMAZON EC2 <ul><li>Demo </li></ul>
The Question <ul><li>What are the key factors for a good HTTPS configuration? </li></ul><ul><ul><li>Money? </li></ul></ul>...
THE NUMBERS… <ul><li>So what did I find? </li></ul>
Data details <ul><li>Alexa list from 18 Apr 2010 </li></ul><ul><li>Fortune 500 (2010) </li></ul><ul><li>Data aquired 26 Ap...
HOW MANY OF THE TESTED SERVERS SUPPORTS SSL/TLS TO BEGIN WITH?
Fortune 500
Alexa 10k
PROTOCOL SUPPORT
Fortune 500
Alexa 10k
Fortune 500
Alexa 10k
Fortune 500
Alexa 10k
INSECURE KEY EXCHANGE
Fortune 500
Alexa 10k
KEY LENGTHS
NO ENCRYPTION (0 BIT KEY)
Fortune 500
Alexa 10k
WEAK ENCRYPTION (1-127 BIT KEY)
Fortune 500
Alexa 10k
MEDIUM ENCRYPTION (128-255 BIT KEY)
Fortune 500
Alexa 10k
STRONG ENCRYPTION (>=256 BIT KEY)
Fortune 500
Alexa 10k
SESSION RENEGOTIATION
Fortune 500
Alexa 10k
FORTUNE 500 VS ALEXA 500 <ul><li>16 Organizations are on both lists </li></ul>
Money vs. Popularity: HTTPS enabled?
Money vs. Popularity: SSLv2 enabled? (= bad)
Money vs. Popularity: 0-bit keys being enabled?(=bad)
Money vs. Popularity: Weak keys being enabled?(=bad)
Money vs. Popularity: No auth kx being enabled?(=bad)
Money vs. Popularity: Secure Session Renegotation?
Fortune 500 Industries
Fortune 500 Industries
Fortune 500 Industries
Fortune 500 Industries
Fortune 500 Industries Bad Worse
Fortune 500 Industries
Commercial Banks
Conclusion <ul><li>What the data told me is that </li></ul><ul><ul><li>Money (Fortune) seems to have something to do with ...
What’s next? <ul><li>Deeper investigation into the Swedish market in co-operation with .SE (The Internet Infrastructure Fo...
Questions and Answers <ul><li>Research website: </li></ul><ul><ul><li>http://sslresearch.michaelboman.org </li></ul></ul><...
Upcoming SlideShare
Loading in …5
×

OWASP AppSec Research 2010 - The State of SSL in the World

966 views

Published on

OWASP AppSec Research 2010 - The State of SSL in the World

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
966
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

OWASP AppSec Research 2010 - The State of SSL in the World

  1. 1. The State of SSL in the World Michael Boman Omegapoint
  2. 2. Who am I? <ul><li>Consultant at Omegapoint (Stockholm) </li></ul><ul><li>Penetration Tester </li></ul><ul><li>Incident Handler </li></ul><ul><li>Course Instructor </li></ul><ul><ul><li>Secure Development </li></ul></ul><ul><ul><li>Security Testing </li></ul></ul>
  3. 3. Agenda <ul><li>Background </li></ul><ul><li>Data collection method </li></ul><ul><li>Results from data analysis </li></ul>
  4. 4. A little background <ul><li>Lacked a good tool to perform OWASP-CM-001 tests (Testing for SSL-TLS, OWASP Testing Guide) </li></ul><ul><ul><li>Couldn’t find any that suited my requirements </li></ul></ul><ul><ul><ul><li>Free, Runs locally, Works on Windows </li></ul></ul></ul><ul><li>Wrote SSLAudit in Perl (GPL) </li></ul><ul><ul><li>http://code.google.com/p/sslaudit/ </li></ul></ul><ul><ul><li>No longer maintained </li></ul></ul>
  5. 5. A little background (2) <ul><li>Re-write SSLAudit or port SSLScan? </li></ul><ul><ul><li>http://sourceforge.net/projects/sslscan/ </li></ul></ul><ul><li>Ported SSLScan to Windows (GPL) </li></ul><ul><ul><li>http://code.google.com/p/sslscan-win/ </li></ul></ul><ul><li>Enhanced SSLScan </li></ul><ul><ul><li>Renegotiation tests </li></ul></ul><ul><ul><li>Enhanced XML output format </li></ul></ul><ul><ul><li>Refactored output code </li></ul></ul>
  6. 6. SSLSCAN IN ACTION, SINGLE INSTANCE <ul><li>Demo </li></ul>
  7. 7. Why scan a lot of HTTPS servers? <ul><li>I noticed that some organizations that you would think would have good security failed miserable on the HTTPS configuration </li></ul><ul><li>Was it a fluke? What differs organizations with good HTTPS settings with those with not-so-good or insecure settings? </li></ul><ul><ul><li>Money? Popularity? Industry? </li></ul></ul>
  8. 8. First large scan attempt <ul><li>Single instance with a large collection of hosts </li></ul><ul><li>Took forever and was not that stable </li></ul><ul><ul><li>Could not easily resume failed scan process </li></ul></ul>
  9. 9. Second large scan attempt <ul><li>Multiple instances with a handful of targets each </li></ul><ul><li>Much better performance, but still takes long time to complete the scan </li></ul><ul><li>Still could not easily resume failed scan process </li></ul><ul><ul><li>But I didn’t need to start from beginning, just the failed batch </li></ul></ul>
  10. 10. Third large scan attempt <ul><li>Using Amazon AWS </li></ul><ul><ul><li>SQS to keep track of jobs </li></ul></ul><ul><ul><li>S3 to store results </li></ul></ul><ul><li>Multiple instances scanning one target each </li></ul><ul><li>Easy to resume failed jobs </li></ul><ul><li>Still taking a long time to perform the scan… </li></ul>
  11. 11. Forth large scan attempt <ul><li>Added Amazon EC2 to the mix </li></ul><ul><ul><li>Now I have theoretically unlimited servers to scan from </li></ul></ul><ul><li>Can scan the required dataset within a few days without problem </li></ul>
  12. 12. Forth large scan design
  13. 13. Forth large scan design
  14. 14. SSLSCAN ON AMAZON EC2 <ul><li>Demo </li></ul>
  15. 15. The Question <ul><li>What are the key factors for a good HTTPS configuration? </li></ul><ul><ul><li>Money? </li></ul></ul><ul><ul><li>Popularity? </li></ul></ul><ul><ul><li>Industry? </li></ul></ul>
  16. 16. THE NUMBERS… <ul><li>So what did I find? </li></ul>
  17. 17. Data details <ul><li>Alexa list from 18 Apr 2010 </li></ul><ul><li>Fortune 500 (2010) </li></ul><ul><li>Data aquired 26 Apr 2010 </li></ul>
  18. 18. HOW MANY OF THE TESTED SERVERS SUPPORTS SSL/TLS TO BEGIN WITH?
  19. 19. Fortune 500
  20. 20. Alexa 10k
  21. 21. PROTOCOL SUPPORT
  22. 22. Fortune 500
  23. 23. Alexa 10k
  24. 24. Fortune 500
  25. 25. Alexa 10k
  26. 26. Fortune 500
  27. 27. Alexa 10k
  28. 28. INSECURE KEY EXCHANGE
  29. 29. Fortune 500
  30. 30. Alexa 10k
  31. 31. KEY LENGTHS
  32. 32. NO ENCRYPTION (0 BIT KEY)
  33. 33. Fortune 500
  34. 34. Alexa 10k
  35. 35. WEAK ENCRYPTION (1-127 BIT KEY)
  36. 36. Fortune 500
  37. 37. Alexa 10k
  38. 38. MEDIUM ENCRYPTION (128-255 BIT KEY)
  39. 39. Fortune 500
  40. 40. Alexa 10k
  41. 41. STRONG ENCRYPTION (>=256 BIT KEY)
  42. 42. Fortune 500
  43. 43. Alexa 10k
  44. 44. SESSION RENEGOTIATION
  45. 45. Fortune 500
  46. 46. Alexa 10k
  47. 47. FORTUNE 500 VS ALEXA 500 <ul><li>16 Organizations are on both lists </li></ul>
  48. 48. Money vs. Popularity: HTTPS enabled?
  49. 49. Money vs. Popularity: SSLv2 enabled? (= bad)
  50. 50. Money vs. Popularity: 0-bit keys being enabled?(=bad)
  51. 51. Money vs. Popularity: Weak keys being enabled?(=bad)
  52. 52. Money vs. Popularity: No auth kx being enabled?(=bad)
  53. 53. Money vs. Popularity: Secure Session Renegotation?
  54. 54. Fortune 500 Industries
  55. 55. Fortune 500 Industries
  56. 56. Fortune 500 Industries
  57. 57. Fortune 500 Industries
  58. 58. Fortune 500 Industries Bad Worse
  59. 59. Fortune 500 Industries
  60. 60. Commercial Banks
  61. 61. Conclusion <ul><li>What the data told me is that </li></ul><ul><ul><li>Money (Fortune) seems to have something to do with HTTPS being enabled </li></ul></ul><ul><ul><li>Popularity (Alexa) seems to be they key to enable HTTPS securely </li></ul></ul><ul><ul><li>There is no obvious real trend in what kind of industry a company is in and their HTTPS security settings, but it seems more likely the company is doing business over the webb the more likely they offer HTTPS on their website </li></ul></ul>
  62. 62. What’s next? <ul><li>Deeper investigation into the Swedish market in co-operation with .SE (The Internet Infrastructure Foundation – the guys responsible for .SE TLD) </li></ul>
  63. 63. Questions and Answers <ul><li>Research website: </li></ul><ul><ul><li>http://sslresearch.michaelboman.org </li></ul></ul><ul><ul><ul><li>Raw data, documentation, scripts and tools </li></ul></ul></ul><ul><li>Contact information: </li></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>www.michaelboman.org </li></ul></ul><ul><li>References: </li></ul><ul><ul><li>http://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001) </li></ul></ul>

×