TLS-Monitor: An Intrusion Detection-based Monitoring Tool for countering TLS Attacks

The Transport Layer Security (TLS) protocol is the most used protocol nowadays to securely establish a safe connection. It is used in many different contexts, such as in authentication and authorization frameworks or in web-based digital identity systems. This protocol allows exchanging data between two parties, with 5 main security properties: Authentication (Peer Authentication and Message Authentication), Integrity, and Confidentiality, protection against Filtering attacks, and protection against Replay attacks. To this large use of the TLS protocol, a long list of attacks was discovered in the last decade. Nowadays, there are some tools, such as Qualys SSL Server Test, used to test the resistance of a TLS server against various attacks. Nevertheless, this tool can be used to test the target server at that specific moment in time. If some malicious code or internal attack changes the internal configuration of the server, no one notices the vulnerability until the next test. For this purpose, the tool Monitor for TLS attacks is developed. This tool continuously monitors the TLS packets exchanged between the client and the tested TLS server looking for known TLS vulnerabilities marker that may lead to attacks. The Monitor for TLS attacks tool doesn’t support TLS 1.3, because the attacks integrated can be exploited until TLS 1.2 version and with a cipher suite that TLS 1.3 doesn’t use. Some marker examples are the heartbeat extension that can bring to the Heartbleed vulnerability, some weak mode cipher (ex. CBC) that can bring to a Padding Oracle Attack, or self-signed certificate(s) allowing to set up a man-in-the-middle attack. If a possible vulnerability is found in the TLS packets exchanged, the proposed tool uses some of the most famous TLS attacks tool, such as Metasploit, Nmap, and TLS-Attacker, to check if the threat is real. If the threat is real, it raises an alarm and creates a log file with the result of the test. The Monitor for TLS attacks tool uses IDS, such as Zeek and Suricata, to inspect the network. In addition, the tool verifies the server’s certificate. It verifies if the server’s certificate is still valid with CRL and OCSP and the trustworthiness of the server certificate by the Certificate Transparency (CT). After the tool’s deployment, it is tested in a virtual and real environment for some selected attacks, including Heartbleed and Bleichenbacher. To test the tool in the lab an OpenSSL vulnerable library was installed on the monitoring server and then a TLS connection was established between a Client and Server. The monitoring server used an Apache web server with the vulnerable OpenSSL library. The test is done for the following integrated TLS attack in the Monitor for TLS attacks tool: Heartbleed, Bleichenbacher, Padding Oracle Attack, POODLE, LogJam, Lucky13, CRIME, DROWN, Sweet32, CCS Injection. Other 3 TLS attacks are integrated into the proposed tool: ROCA, Ticketbleed, and ROBOT. For these attacks, it is not possible to test the proposed tool because they are TLS attacks against specific hardware. Then, in a real environment, a stress test is done to see the tool’s performance with more packets. All the tests are done with both the IDS to verify how much the tool’s performance depends on the IDS. With this final test, it is possible to compare also the integrated IDS behavior.