Uma Primeira Analise do Ecosistema HTTPS no Brasil
Resumo
O HTTPS (SSL/TLS) é essencial para garantir a segurança (e.g. confidencialidade dos dados) das comunicações que utilizam o protocolo HTTP na Internet. Entretanto, apesar da crescente adoção do HTTPS, muitos sites ainda não implementam da maneira correta os certificados digitais. Neste trabalho é presentado um primeiro levantamento sobre o estado do ecossistema SSL/TLS no Brasil. Para a análise, foram selecionados 44 sites de instituições financeiras e governamentais, incluindo o governo federal e governos estaduais. Os resultados apontam que a maioria dos sites utilizam ou suportam versões antigas do SSL ou do TLS, que contém vulnerabilidades conhecidas e passíveis de exploração por agentes maliciosos.
Palavras-chave:
Análise de protocolos de segurança, Segurança em redes, Software seguro: desenvolvimento, testes e certificação
Referências
Bokslag, W. (2016). The problem of popular primes: Logjam. arXiv preprint arXiv:1602.02396.
Chothia, T., Garcia, F. D., Heppel, C., and Stone, C. M. (2017). Why Banker Bob (still) Can’t Get TLS Right: A Security Analysis of TLS in Leading UK Banking Apps. In Int. Conf. on Financial Cryptography and Data Security, pages 579–597. Springer.
Durumeric, Z., Kasten, J., Bailey, M., and Halderman, J. A. (2013). Analysis of the https certificate ecosystem. In ACM IMC, pages 291–304. ACM.
Frost, V., Tian, D. J., Ruales, C., Prakash, V., Traynor, P., and Butler, K. R. B. (2019). Examining DES-based Cipher Suite Support Within the TLS Ecosystem. In 2019 ACM AsiaCCS, pages 539–546. ACM.
Huang, J., Zhang, Z., Li, W., and Xin, Y. (2019). Assessment of the impacts of TLS vulnerabilities in the HTTPS ecosystem of China. Procedia computer science, 147:512–518.
Matsumoto, S. and Reischuk, R. M. (2015). Certificates-as-an-insurance: Incentivizing accountability in ssl/tls. In USENIX NDSS WSENT.
Merzdovnik, G., Falb, K., Schmiedecker, M., Voyiatzis, A. G., and Weippl, E. (2016). Whom You Gonna Trust? A Longitudinal Study on TLS Notary Services. In Data and Applications Security and Privacy, pages 331–346. Springer.
Möller, B., Duong, T., and Kotowicz, K. (2014). This poodle bites: exploiting the ssl 3.0 fallback. Security Advisory.
Samarasinghe, N. and Mannan, M. (2019). Another look at TLS ecosystems in networked devices vs. Web servers. Computers & Security, 80:1 – 13.
Sarkar, P. G. and Fitzgerald, S. (2013). Attacks on SSL a comprehensive study of beast, crime, time, breach, lucky 13 & RC4 biases. http://bit.do/ssl_survey.
Vratonjic, N., Freudiger, J., Bindschaedler, V., and Hubaux, J.-P. (2013). The inconvenient truth about web certificates. In Economics of information security and privacy iii, pages 79–117. Springer.
Chothia, T., Garcia, F. D., Heppel, C., and Stone, C. M. (2017). Why Banker Bob (still) Can’t Get TLS Right: A Security Analysis of TLS in Leading UK Banking Apps. In Int. Conf. on Financial Cryptography and Data Security, pages 579–597. Springer.
Durumeric, Z., Kasten, J., Bailey, M., and Halderman, J. A. (2013). Analysis of the https certificate ecosystem. In ACM IMC, pages 291–304. ACM.
Frost, V., Tian, D. J., Ruales, C., Prakash, V., Traynor, P., and Butler, K. R. B. (2019). Examining DES-based Cipher Suite Support Within the TLS Ecosystem. In 2019 ACM AsiaCCS, pages 539–546. ACM.
Huang, J., Zhang, Z., Li, W., and Xin, Y. (2019). Assessment of the impacts of TLS vulnerabilities in the HTTPS ecosystem of China. Procedia computer science, 147:512–518.
Matsumoto, S. and Reischuk, R. M. (2015). Certificates-as-an-insurance: Incentivizing accountability in ssl/tls. In USENIX NDSS WSENT.
Merzdovnik, G., Falb, K., Schmiedecker, M., Voyiatzis, A. G., and Weippl, E. (2016). Whom You Gonna Trust? A Longitudinal Study on TLS Notary Services. In Data and Applications Security and Privacy, pages 331–346. Springer.
Möller, B., Duong, T., and Kotowicz, K. (2014). This poodle bites: exploiting the ssl 3.0 fallback. Security Advisory.
Samarasinghe, N. and Mannan, M. (2019). Another look at TLS ecosystems in networked devices vs. Web servers. Computers & Security, 80:1 – 13.
Sarkar, P. G. and Fitzgerald, S. (2013). Attacks on SSL a comprehensive study of beast, crime, time, breach, lucky 13 & RC4 biases. http://bit.do/ssl_survey.
Vratonjic, N., Freudiger, J., Bindschaedler, V., and Hubaux, J.-P. (2013). The inconvenient truth about web certificates. In Economics of information security and privacy iii, pages 79–117. Springer.
Publicado
16/09/2019
Como Citar
ESCARRONE, Thiago; KREUTZ, Diego; FIORENZA, Maurício.
Uma Primeira Analise do Ecosistema HTTPS no Brasil. In: ESCOLA REGIONAL DE REDES DE COMPUTADORES (ERRC), 17. , 2019, Alegrete.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2019
.
p. 130-135.
DOI: https://doi.org/10.5753/errc.2019.9226.
