
Threat-TLS: An Intrusion Detection and Monitoring Tool for Mitigating TLS Attacks

Kevin Gjeka

Threat-TLS: An Intrusion Detection and Monitoring Tool for Mitigating TLS Attacks.

Supervisor: Diana Gratiela Berbecaru. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2024

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

This thesis explores the Transport Layer Security (TLS) protocol, a widely used cryptographic protocol that secures communication between two parties by negotiating parameters such as cipher suites, keys, and certificates. Originally introduced as SSL 2.0 in 1995, the protocol has evolved to address emerging vulnerabilities, culminating in the current version, TLS 1.3, released in 2018. Despite these advancements, TLS deployments remain susceptible to attacks caused by specific implementations or misconfigurations. Existing tools, such as Qualys' SSL Server Test, TLSAssistant, and TLS-Attacker, can assess a host's TLS security at a specific point in time, but lack the capability for continuous monitoring to detect changes that may expose systems to attacks. Factors like software updates, configuration changes, and internal threats can make systems vulnerable at any time. Studies have shown that many online recommendations for securing popular web servers such as Apache and Nginx are inadequate, with a high percentage of configurations relying on deprecated or insecure TLS versions and ciphers.

To address this gap, this thesis proposes Threat-TLS, an evolution of a previous tool, which uses Intrusion Detection Systems (IDS) such as Suricata and Zeek to monitor network traffic for TLS-related vulnerabilities in real time. Threat-TLS continuously analyzes TLS handshake exchanges, inspecting parameters such as cipher suites, extensions, and certificates, to identify markers indicative of known vulnerabilities. The tool also verifies the validity of server certificates through mechanisms such as Certificate Revocation Lists (CRL), the Online Certificate Status Protocol (OCSP), and Certificate Transparency (CT). By integrating offensive tools such as Metasploit, Nmap, and TLS-Attacker, Threat-TLS can actively confirm potential vulnerabilities and raise alarms if real threats are detected.

This work enhances the original tool's performance, accuracy, and scope. Specifically, the architecture has been optimized to improve performance, enabling the tool to handle multiple servers concurrently. The ruleset has been refined to improve detection accuracy, and additional TLS attack vectors have been integrated to extend its monitoring capabilities. Extensive testing has been conducted to verify the improved performance and robustness of the tool, making it a more effective solution for detecting TLS vulnerabilities in real-time environments.
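The abstract describes inspecting the parameters a server commits to in its ServerHello (protocol version, cipher suite, compression method, extensions) and matching them against markers of known weaknesses. The following is an added illustration of that kind of per-handshake check, not code from the Threat-TLS thesis or its rule set: it parses a TLS record carrying a ServerHello, recovers the real version from the supported_versions extension when TLS 1.3 is negotiated, and flags deprecated versions, RC4/3DES/NULL/export/anonymous suites, static-RSA suites without forward secrecy, and TLS compression. The cipher suite identifiers are taken from the IANA TLS registry; the weakness labels and the sample handshakes are this example's own constructed choices.

```python
"""Minimal TLS ServerHello inspector.

Added illustration, not code from the Threat-TLS thesis: it shows the kind of
per-handshake check an IDS-driven monitor can apply when it inspects the
negotiated version, cipher suite, compression method and extensions of a
ServerHello. The sample handshakes at the bottom are constructed inline.
"""
import struct

TLS_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B  # TLS 1.3 puts the real version here

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# IANA cipher suite IDs paired with the weakness they signal (assumed rule set).
WEAK_SUITES = {
    0x0000: "NULL cipher", 0x0001: "NULL cipher",
    0x0003: "export-grade RC4", 0x0004: "RC4", 0x0005: "RC4",
    0x000A: "3DES (SWEET32)", 0x0018: "anonymous DH with RC4",
}
# TLS 1.2 suites with static RSA key exchange: no forward secrecy.
NO_PFS_SUITES = {0x002F, 0x0035, 0x009C, 0x009D}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a ServerHello; raise on malformed input."""
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HS_SERVER_HELLO or len(body) < 4 + hs_len:
        raise ValueError("not a complete ServerHello")
    hs = body[4:4 + hs_len]
    (legacy_version,) = struct.unpack("!H", hs[0:2])
    off = 2 + 32                               # skip the 32-byte server random
    sid_len = hs[off]
    off += 1 + sid_len                         # skip session_id
    (cipher_suite,) = struct.unpack("!H", hs[off:off + 2])
    off += 2
    compression = hs[off]
    off += 1
    extensions = {}
    if off < len(hs):                          # extensions block is optional
        (ext_total,) = struct.unpack("!H", hs[off:off + 2])
        off += 2
        end = off + ext_total
        while off + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            extensions[ext_type] = hs[off:off + ext_len]
            off += ext_len
    version = legacy_version
    if EXT_SUPPORTED_VERSIONS in extensions:   # legacy_version stays 0x0303 in 1.3
        (version,) = struct.unpack("!H", extensions[EXT_SUPPORTED_VERSIONS][:2])
    return {"version": version, "cipher_suite": cipher_suite,
            "compression": compression, "extensions": extensions}


def assess(hello: dict) -> list:
    """Apply a small rule set to a parsed ServerHello and return the findings."""
    findings = []
    v, cs = hello["version"], hello["cipher_suite"]
    if v < 0x0303:
        findings.append(f"deprecated protocol version {VERSION_NAMES.get(v, hex(v))}")
    if cs in WEAK_SUITES:
        findings.append(f"weak cipher suite {cs:#06x} ({WEAK_SUITES[cs]})")
    elif cs in NO_PFS_SUITES:
        findings.append(f"cipher suite {cs:#06x} has no forward secrecy (static RSA)")
    if hello["compression"] != 0:
        findings.append("TLS compression negotiated (CRIME)")
    return findings


def build_server_hello(legacy_version, cipher_suite, compression=0,
                       selected_version=None) -> bytes:
    """Construct a synthetic ServerHello record (test input, not captured traffic)."""
    hs = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # empty session_id
    hs += struct.pack("!H", cipher_suite) + bytes([compression])
    if selected_version is not None:
        data = struct.pack("!H", selected_version)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        hs += struct.pack("!H", len(ext)) + ext
    body = bytes([HS_SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(body)) + body


if __name__ == "__main__":
    samples = {
        "legacy server": build_server_hello(0x0301, 0x0005),
        "tls1.2 static RSA": build_server_hello(0x0303, 0x002F),
        "tls1.3": build_server_hello(0x0303, 0x1301, selected_version=0x0304),
        "compression on": build_server_hello(0x0303, 0xC02F, compression=1),
    }
    for name, rec in samples.items():
        print(name, assess(parse_server_hello(rec)))
```

A monitor built on Suricata or Zeek would obtain the same fields from the IDS's TLS parser rather than from raw bytes; the point of the example is the second half, the rule set applied to what the server actually negotiated, which is what changes when a configuration is edited or a package is updated after a one-off scan.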

Supervisors: Diana Gratiela Berbecaru
Academic year: 2024/25
Publication type: Electronic
Number of pages: 88
Subjects:
Degree programme: Master's degree programme in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Partner companies: Nais ICT Services & Consulting
URI: http://webthesis.biblio.polito.it/id/eprint/34107