Web网站SSL/TLS协议配置安全研究
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

国家自然科学基金(61472409,61303247);国家重点基础研究计划(973计划)(2013CB338003)


Research on Security Vulnerability of SSL/TLS Protocol Configuration in Web Sites
Author:
Affiliation:

Fund Project:

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    SSL/TLS协议是目前通信安全和身份认证方面应用最为广泛的安全协议之一,对于保障信息系统的安全有着十分重要的作用.然而,由于SSL/TLS协议的复杂性,使得Web网站在实现和部署SSL/TLS协议时,很容易出现代码实现漏洞、部署配置缺陷和证书密钥管理问题等安全缺陷.这类安全问题在Web网站中经常发生,也造成了许多安全事件,影响了大批网站.因此,本文首先针对Web网站中安全检测与分析存在工具匮乏、检测内容单一、欠缺详细分析与建议等问题,设计并实现了Web网站SSL/TLS协议部署配置安全漏洞扫描分析系统,本系统主要从SSL/TLS协议基础配置、密码套件支持以及主流攻击测试三方面进行扫描分析;之后使用该检测系统对Alexa排名前100万网站进行扫描,并做了详细的统计与分析,发现了不安全密码套件3DES普遍被支持、关键扩展OCSP Stapling支持率不足25%、仍然有不少网站存在HeartBleed攻击等严重问题;最后,针对扫描结果中出现的主要问题给出了相应的解决方案或建议.

    Abstract:

    The SSL/TLS protocol is one of the most widely used security protocols in communication security and identity authentication. It plays a very important role in ensuring the security of information system. However, due to the complexity of the SSL/TLS protocol, web sites are prone to security vulnerabilities such as code implementation vulnerabilities, deployment configuration defects and certificate key management problems when implementing and deploying SSL/TLS protocols. This type of security problems often occurs in Web sites, which also causes a lot of network security events, affecting a large number of sites. However, the existing methods to analyze and detect web security cannot satisfy the need. First, there are very few tools in this field, and their targets tend to focus on some certain aspects. In addition, these problems need to be further explored to acquire more detailed analysis and recommendations. In this paper, we design and implement a detection system to test the SSL/TLS protocol deployment of web site based on SSL/TLS. Our system performs vulnerability scanning and analysis mainly from three aspects:protocol basic configuration, cipher suites support, and typical attack test. We use it to scan the top 1 million websites of Alexa, and give detailed statistics and analysis. We found that the unsafe cipher suite 3DES is generally supported and the critical expansion OCSP Stapling support rate is less than 25%. What's more serious is that there are still many sites suffering from HeartBleed attacks and many other serious problems. Finally, the corresponding solutions or suggestions are given for the main problems in the scanning results.

    参考文献
    相似文献
    引证文献
引用本文

胡仁林,张立武. Web网站SSL/TLS协议配置安全研究.计算机系统应用,2017,26(10):124-132

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2017-01-22
  • 最后修改日期:
  • 录用日期:
  • 在线发布日期: 2017-10-31
  • 出版日期:
文章二维码
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京海淀区中关村南四街4号 中科院软件园区 7号楼305房间,邮政编码:100190
电话:010-62661041 传真: Email:csa (a) iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号