X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-middle

Ralph Holz; Thomas Riedmaier; Nils Kammenhuber; Georg Carle

doi:10.1007/978-3-642-33167-1_13

X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-middle

Ralph Holz, Thomas Riedmaier, Nils Kammenhuber, Georg Carle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

21 Citations (Scopus)

Abstract

Although recent compromises and admissions have given new credibility to claimed encounters of Man-in-the-middle (MitM) attacks on SSL/TLS, very little proof exists in the public realm. In this paper, we report on the development and deployment of Crossbear, a tool to detect MitM attacks on SSL/TLS and localise their position in the network with a fair degree of confidence. MitM attacks are detected using a notary approach. For the localisation, we use a large number of traceroutes, conducted from so-called hunters from many positions on the Internet. Crossbear collects this data, orchestrates the hunting from a central point and provides the data for analysis. We outline the design of Crossbear and analyse the degree of effectivity that Crossbear achieves against attackers of different kinds and strengths. We also explain how analysis can make use of out-of-band sources like lookups of Autonomous Systems and geo-IP-mapping. Crossbear is already available, and 150 hunters have been deployed on the global PlanetLab testbed.

Original language	English
Title of host publication	Computer Security – ESORICS 2012
Subtitle of host publication	17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings
Editors	Sara Foresti, Moti Yung, Fabio Martinelli
Place of Publication	Berlin, Heidelberg
Publisher	Springer
Pages	217-234
ISBN (Electronic)	978-3-642-33167-1
ISBN (Print)	978-3-642-33166-4
DOIs	https://doi.org/10.1007/978-3-642-33167-1_13
Publication status	Published - 2012
Externally published	Yes
Event	17th European Symposium on Research in Computer Security, ESORICS 2012 - Pisa, Italy Duration: 10 Sep 2012 → 12 Sep 2012 Conference number: 17

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	7459
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	17th European Symposium on Research in Computer Security, ESORICS 2012
Abbreviated title	ESORICS
Country	Italy
City	Pisa
Period	10/09/12 → 12/09/12

Keywords

Man-in-the-middle attack
Detection
Localisation
X.509
SSL/TLS

Access to Document

10.1007/978-3-642-33167-1_13

Fingerprint Dive into the research topics of 'X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-middle'. Together they form a unique fingerprint.

Cite this

Holz, R., Riedmaier, T., Kammenhuber, N., & Carle, G. (2012). X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-middle. In S. Foresti, M. Yung, & F. Martinelli (Eds.), Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings (pp. 217-234). (Lecture Notes in Computer Science; Vol. 7459). Springer. https://doi.org/10.1007/978-3-642-33167-1_13

Holz, Ralph ; Riedmaier, Thomas ; Kammenhuber, Nils ; Carle, Georg. / X.509 Forensics : Detecting and Localising the SSL/TLS Men-in-the-middle. Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings. editor / Sara Foresti ; Moti Yung ; Fabio Martinelli. Berlin, Heidelberg : Springer, 2012. pp. 217-234 (Lecture Notes in Computer Science).

@inproceedings{8b9e1865cdd140c6a3464089921e8eeb,

title = "X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-middle",

abstract = "Although recent compromises and admissions have given new credibility to claimed encounters of Man-in-the-middle (MitM) attacks on SSL/TLS, very little proof exists in the public realm. In this paper, we report on the development and deployment of Crossbear, a tool to detect MitM attacks on SSL/TLS and localise their position in the network with a fair degree of confidence. MitM attacks are detected using a notary approach. For the localisation, we use a large number of traceroutes, conducted from so-called hunters from many positions on the Internet. Crossbear collects this data, orchestrates the hunting from a central point and provides the data for analysis. We outline the design of Crossbear and analyse the degree of effectivity that Crossbear achieves against attackers of different kinds and strengths. We also explain how analysis can make use of out-of-band sources like lookups of Autonomous Systems and geo-IP-mapping. Crossbear is already available, and 150 hunters have been deployed on the global PlanetLab testbed.",

keywords = "Man-in-the-middle attack, Detection, Localisation, X.509, SSL/TLS",

author = "Ralph Holz and Thomas Riedmaier and Nils Kammenhuber and Georg Carle",

year = "2012",

doi = "10.1007/978-3-642-33167-1_13",

language = "English",

isbn = "978-3-642-33166-4",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "217--234",

editor = "Sara Foresti and Moti Yung and Fabio Martinelli",

booktitle = "Computer Security – ESORICS 2012",

note = "17th European Symposium on Research in Computer Security, ESORICS 2012, ESORICS ; Conference date: 10-09-2012 Through 12-09-2012",

}

Holz, R, Riedmaier, T, Kammenhuber, N & Carle, G 2012, X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-middle. in S Foresti, M Yung & F Martinelli (eds), Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings. Lecture Notes in Computer Science, vol. 7459, Springer, Berlin, Heidelberg, pp. 217-234, 17th European Symposium on Research in Computer Security, ESORICS 2012, Pisa, Italy, 10/09/12. https://doi.org/10.1007/978-3-642-33167-1_13

X.509 Forensics : Detecting and Localising the SSL/TLS Men-in-the-middle. / Holz, Ralph; Riedmaier, Thomas; Kammenhuber, Nils; Carle, Georg.

Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings. ed. / Sara Foresti; Moti Yung; Fabio Martinelli. Berlin, Heidelberg : Springer, 2012. p. 217-234 (Lecture Notes in Computer Science; Vol. 7459).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - X.509 Forensics

T2 - 17th European Symposium on Research in Computer Security, ESORICS 2012

AU - Holz, Ralph

AU - Riedmaier, Thomas

AU - Kammenhuber, Nils

AU - Carle, Georg

N1 - Conference code: 17

PY - 2012

Y1 - 2012

N2 - Although recent compromises and admissions have given new credibility to claimed encounters of Man-in-the-middle (MitM) attacks on SSL/TLS, very little proof exists in the public realm. In this paper, we report on the development and deployment of Crossbear, a tool to detect MitM attacks on SSL/TLS and localise their position in the network with a fair degree of confidence. MitM attacks are detected using a notary approach. For the localisation, we use a large number of traceroutes, conducted from so-called hunters from many positions on the Internet. Crossbear collects this data, orchestrates the hunting from a central point and provides the data for analysis. We outline the design of Crossbear and analyse the degree of effectivity that Crossbear achieves against attackers of different kinds and strengths. We also explain how analysis can make use of out-of-band sources like lookups of Autonomous Systems and geo-IP-mapping. Crossbear is already available, and 150 hunters have been deployed on the global PlanetLab testbed.

AB - Although recent compromises and admissions have given new credibility to claimed encounters of Man-in-the-middle (MitM) attacks on SSL/TLS, very little proof exists in the public realm. In this paper, we report on the development and deployment of Crossbear, a tool to detect MitM attacks on SSL/TLS and localise their position in the network with a fair degree of confidence. MitM attacks are detected using a notary approach. For the localisation, we use a large number of traceroutes, conducted from so-called hunters from many positions on the Internet. Crossbear collects this data, orchestrates the hunting from a central point and provides the data for analysis. We outline the design of Crossbear and analyse the degree of effectivity that Crossbear achieves against attackers of different kinds and strengths. We also explain how analysis can make use of out-of-band sources like lookups of Autonomous Systems and geo-IP-mapping. Crossbear is already available, and 150 hunters have been deployed on the global PlanetLab testbed.

KW - Man-in-the-middle attack

KW - Detection

KW - Localisation

KW - X.509

KW - SSL/TLS

U2 - 10.1007/978-3-642-33167-1_13

DO - 10.1007/978-3-642-33167-1_13

M3 - Conference contribution

SN - 978-3-642-33166-4

T3 - Lecture Notes in Computer Science

SP - 217

EP - 234

BT - Computer Security – ESORICS 2012

A2 - Foresti, Sara

A2 - Yung, Moti

A2 - Martinelli, Fabio

PB - Springer

CY - Berlin, Heidelberg

Y2 - 10 September 2012 through 12 September 2012

ER -

Holz R, Riedmaier T, Kammenhuber N, Carle G. X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-middle. In Foresti S, Yung M, Martinelli F, editors, Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings. Berlin, Heidelberg: Springer. 2012. p. 217-234. (Lecture Notes in Computer Science). https://doi.org/10.1007/978-3-642-33167-1_13