Title :
Safe configuration of TLS connections
Author :
Atighetchi, Michael ; Soule, Nathaniel ; Pal, Parama ; Loyall, Joseph ; Sinclair, Alastair ; Grant, Robert
Author_Institution :
Raytheon BBN Technol., Cambridge, MA, USA
Abstract :
Transport Layer Security (TLS) and its precursor Secure Sockets Layer (SSL) are the most widely deployed protocol to establish secure communication over insecure Internet Protocol (IP) networks. Providing a secure session layer on top of TCP, TLS is frequently the first defense layer encountered by adversaries who try to cause loss of confidentiality by sniffing live traffic or loss of integrity using man-in-the-middle attacks. Despite its wide deployment and evolution over the last 18 years, TLS remains vulnerable to a number of threats at the protocol layer and therefore does not provide strong security out-of-the-box, requiring tweaks to its configuration in order to provide the expected security benefits. This paper provides a summary of the current TLS threat surface together with a validated approach for minimizing the risk of TLS-compromise. The main contributions of this paper include 1) identification of configuration options that together maximize security guarantees in the context of recent TLS exploits and 2) specification of expected flows and automated comparison with observed flows to flag inconsistencies.
Keywords :
IP networks; cryptographic protocols; transport protocols; IP networks; Internet Protocol networks; SSL; TCP; TLS threat surface; TLS-compromise; man-in-the-middle attacks; protocol layer; secure session layer; secure sockets layer; security out-of-the-box; transport layer security; Authentication; Best practices; Ciphers; Internet; Protocols; Servers; Secure Socket Layer (SSL); Transport Layer Security (TLS); configuration; secure flow modeling;
Conference_Titel :
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location :
National Harbor, MD
DOI :
10.1109/CNS.2013.6682755
