X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-middle

Ralph Holz, Thomas Riedmaier, Nils Kammenhuber, Georg Carle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

31 Citations (Scopus)


Although recent compromises and admissions have given new credibility to claimed encounters of Man-in-the-middle (MitM) attacks on SSL/TLS, very little proof exists in the public realm. In this paper, we report on the development and deployment of Crossbear, a tool to detect MitM attacks on SSL/TLS and localise their position in the network with a fair degree of confidence. MitM attacks are detected using a notary approach. For the localisation, we use a large number of traceroutes, conducted from so-called hunters from many positions on the Internet. Crossbear collects this data, orchestrates the hunting from a central point and provides the data for analysis. We outline the design of Crossbear and analyse the degree of effectivity that Crossbear achieves against attackers of different kinds and strengths. We also explain how analysis can make use of out-of-band sources like lookups of Autonomous Systems and geo-IP-mapping. Crossbear is already available, and 150 hunters have been deployed on the global PlanetLab testbed.
Original language: English
Title of host publication: Computer Security – ESORICS 2012
Subtitle of host publication: 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings
Editors: Sara Foresti, Moti Yung, Fabio Martinelli
Place of Publication: Berlin, Heidelberg
ISBN (Electronic): 978-3-642-33167-1
ISBN (Print): 978-3-642-33166-4
Publication status: Published - 2012
Externally published: Yes
Event: 17th European Symposium on Research in Computer Security, ESORICS 2012 - Pisa, Italy
Duration: 10 Sept 2012 to 12 Sept 2012
Conference number: 17

Publication series

Name: Lecture Notes in Computer Science
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 17th European Symposium on Research in Computer Security, ESORICS 2012
Abbreviated title: ESORICS


  • Man-in-the-middle attack
  • Detection
  • Localisation
  • X.509

