Decrypting the Mess that is SSL /TLS Negotiation – Preparing for the 2020 Apocalypse

Jim Nitterauer

Speaker Bio

Currently a Senior Security Specialist at AppRiver, LLC., his team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global spam & virus filtering infrastructure as well as all internal applications. They also manage security operations for the entire company. He holds a CISSP certification in addition to a Bachelor of Science degree with a major in biology from Ursinus College and a Master of Science degree with a major in microbiology and biochemistry from the University of Alabama. He is a 2000 graduate of Leadership Santa Rosa and a 2001 graduate of Leadership Pensacola. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology for more than 20 years.

Jim has presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, BSides San Francisco, CircleCityCon, DEF CON, DerbyCon and several smaller conferences. He is a regular contributor to the Tripwire Blog and Peerlyst. He regularly attends national security conferences and is passionate about conveying the importance of developing, implementing and maintaining security policies for organizations. His talks convey unique and practical techniques that help attendees harden their security
in practical and easy-to-deploy ways.

Jim is a senior staff member with BSides Las Vegas, a member of the ITEN WIRED Planning Committee and the President of the Florida Panhandle (ISC)2 Chapter. He served as President and CEO of GridSouth Networks, LLC, a joint venture between Creative Data Concepts Limited Inc. and AppRiver, LLC., and founded Creative Data Concepts Limited, Inc.

He stays connected with the InfoSec and ethical hacker community and is well-known by his peers. In addition to his work at AppRiver, he devotes his time to advancing IT security awareness and investigating novel ways to implement affordable security controls.

When not at the computer, Jim can be found working out, playing guitar, traveling or just relaxing with an adult beverage.

Presentation

Recently, all major browser vendors agreed in principle to end support for TLS (Transport Layer Security) versions 1.0 and 1.1 in 2020. SSL (Secure Sockets Layer) version 3.0 support was removed from Chrome in early 2015 effectively ending the use of SSL completely. Akamai will discontinue support for TLS 1.0/1.1 on January 7th, 2019. These protocols have all been found to have various vulnerabilities that no longer make them safe for use in the negotiation of secure connections between end points.

With the deprecation of these cryptographic protocols, several new security exploits have come to light. These exploits including Heartbleed, POODLE, BEAST, CRIME and others attempt to disrupt the availability of services or stealing data. The most common service using TLS is obviously web traffic that is transmitted via https. Since SSL and TLS are secure connection negotiation protocols, the process for establishing a secure connection can be used for almost any type of traffic. Some of the more common ones aside from https are DNS, VPN, SMTP, POP3 and IMAP. All rely on the ability of client and server to understand a common protocol and the ability to negotiate a connection based upon a commonly understood version.

Many server-side instances still utilize older versions that support deprecated SSL/TLS versions leaving them vulnerable to availability and integrity attacks. Many client applications have the same issues with many of those built into IOT devices which are rarely upgraded.

We needed to find a means to understand what types of conversations were happening on our publicfacing proxy services. We noticed a rash of SSL downgrade attacks that resulted in intermittent outages.

We also wanted to be able to proactively engage our customers by letting them know that they had devices on their network reaching out to us using deprecated or soon to be deprecated SSL/TLS versions.

This talk will provide a quick overview of the major SSL/TLS versions along with their major vulnerabilities. I will then discuss how we were able to use some F5 iRule magic on our load balancers combined with Graylog (a log aggregation platform) to track as well as block undesirable client and server connections to our proxy end points. This strategy can easily be adapted to any protocol scenario that uses TLS connection negotiation.