Recently, all major browser vendors agreed in principle to end support for TLS (Transport Layer Security) versions 1.0 and 1.1 in 2020. SSL (Secure Sockets Layer) version 3.0 support was removed from Chrome in early 2015 effectively ending the use of SSL completely. Akamai will discontinue support for TLS 1.0/1.1 on January 7th, 2019. These protocols have all been found to have various vulnerabilities that no longer make them safe for use in the negotiation of secure connections between end points.
With the deprecation of these cryptographic protocols, several new security exploits have come to light. These exploits including Heartbleed, POODLE, BEAST, CRIME and others attempt to disrupt the availability of services or stealing data. The most common service using TLS is obviously web traffic that is transmitted via https. Since SSL and TLS are secure connection negotiation protocols, the process for establishing a secure connection can be used for almost any type of traffic. Some of the more common ones aside from https are DNS, VPN, SMTP, POP3 and IMAP. All rely on the ability of client and server to understand a common protocol and the ability to negotiate a connection based upon a commonly understood version.
Many server-side instances still utilize older versions that support deprecated SSL/TLS versions leaving them vulnerable to availability and integrity attacks. Many client applications have the same issues with many of those built into IOT devices which are rarely upgraded.
We needed to find a means to understand what types of conversations were happening on our publicfacing proxy services. We noticed a rash of SSL downgrade attacks that resulted in intermittent outages.
We also wanted to be able to proactively engage our customers by letting them know that they had devices on their network reaching out to us using deprecated or soon to be deprecated SSL/TLS versions.
This talk will provide a quick overview of the major SSL/TLS versions along with their major vulnerabilities. I will then discuss how we were able to use some F5 iRule magic on our load balancers combined with Graylog (a log aggregation platform) to track as well as block undesirable client and server connections to our proxy end points. This strategy can easily be adapted to any protocol scenario that uses TLS connection negotiation.