Cryptographic assessment of SSL/TLS servers popular in India

Abstract

Major web sites use Secure Sockets Layer (SSL) or its updated version name called Transport Layer Security (TLS) to secure all communications between their servers and web browsers. It is very important to analyze the security of this protocol because the compromise of the banking accounts, health care directories, information of national importance, even vital information about business competitors is unacceptable. SSL/TLS is not a simple encryption or hashing algorithm. It is a protocol which consists of bunch of cryptographic primitives which aim to provide secure communication. Moreover, this protocol has a long history of attacks and it needs to be revised since security field is changing. This paper presents the most commonly used configurations of this protocol among web servers, highlighting issues where it is insecure and areas where it can be improved. Specifically, parameters used in cryptographic primitives and certificates used by the web servers have been reported. The approach was to probe all web servers using a tool - TestSSLServer. There were sets of two experiments carried out. One in which top 500 most popular websites in India were probed and other in which 50 banking sites in India were probed. Some of the surprising results were that servers still posses SSLv2 and v3 despite of its insecurity. Also, banking sites were found not to support forward secrecy. © Springer Nature Singapore Pte Ltd. 2016.