Home   >   CSC-OpenAccess Library   >    Manuscript Information
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Eng. Mohanned Hassan Momani, Adam Ali.Zare Hudaib
Pages - 159 - 176     |    Revised - 10-07-2014     |    Published - 10-08-2014
Volume - 8   Issue - 4    |    Publication Date - August 2014  Table of Contents
SSL, TLS, BEAST Attack, CRIME Attack, Heartbleed Detection, RC4.
Since its introduction in 1994 the Secure Socket Layer (SSL) protocol (later renamed to Transport Layer Security (TLS)) evolved to the de facto standard for securing the transport layer. SSL/TLS can be used for ensuring data confidentiality, integrity and authenticity during transport. A main feature of the protocol is its flexibility. Modes of operation and security aims can easily be configured through different cipher suites. During its evolutionary development process several flaws were found. However, the flexible architecture of SSL/TLS allowed efficient fixes in order to counter the issues. This paper presents an overview on theoretical and practical attacks of the last 20 years.
CITED BY (1)  
1 Ghafoor, I., Jattalai, I., Durranit, S., & Ch, M. T. Analysis of OpenSSL Heartbleed Vulnerability for Embedded Systems.
1 Google Scholar 
2 CiteSeerX 
3 refSeek 
4 Scribd 
5 SlideShare 
6 PdfSR 
“April 2014 Web Server Survey”. Netcraft. April 2 204. Internet:http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html [Apr, 2014].
“Daily Ruleset Update Summary”. Emerging Threats Snort Ruleset. Internet:http://www.emergingthreats.net/2014/04/09/daily-ruleset-update-summary-04092014/ [Apr, 2014].
“Description of the Secure Sockets Layer (SSL) Handshake“. Internet:http://www.support.microsoft.com [Dec. 1, 2013].
“Detecting OpenSSL Heartbleed with Suricata”. Inliniac. Internet:http://blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/ [Apr, 2014].
“OpenSSL Security Advisory”. OpenSSL. Internet:https://www.openssl.org/news/secadv_20140407.txt [Apr, 2014].
“Secure electronic transaction”. Internet:http://en.wikipedia.org/wiki/Secure_Electronic_Transaction [Dec. 12, 2013].
“SSL/TLS in Detail“. Microsoft TechNet, July 31, 2003.
“SSL: Intercepted today, decrypted tomorrow”. Netcraft, pp. 10-12, May 25, 2013.
“The Heartbleed Bug”. Codenomicon, Internet: http://heartbleed.com/ [Apr, 2014].
“The Secure Sockets Layer Protocol”. Internet:http://www.cs.bris.ac.uk/~bradley/publish/SSLP/chapter4.html [Nov. 22, 2013].
“Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?”.Electronic Frontier Foundation. Internet: https://www.eff.org/deeplinks/2014/04/wild-heart-were intelligence-agencies-using-heartbleed-november-2013 [Apr, 2014].
„Another crypto-attack on SSL/TLS encryption“. Internet: http://www.honline.com/security/news/item/Another-crypto-attack-on-SSL-TLS-encryption-1823227.html [June, 2014].
„Detect Exploit openSSL Heartbleed vulnerability using Nmap and Metasploit on Kali Linux“. Internet: http://www.blackmoreops.com/2014/05/03/detect-exploit-openssl-heartbleedvulnerability-using-nmap-metasploit-kali-linux/ [June, 2014].
„Heart attack: detecting heartbleed exploits in real-time“. Internet:http://www.tripwire.com/state-of-security/incident-detection/heart-attack-detect-heartbleedexploits-in-real-time-with-active-defense/ [June, 2014].
„How to Detect a Prior Heartbleed Exploit“. Internet:http://www.riverbed.com/blogs/Retroactively-detecting-a-prior-Heartbleed-exploitation-fromstored-packets-using-a-BPF-expression.html [June, 2014].
„List of browsers support for different TLS version“. Internet:https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers [June, 2014].
„Software >> sslstrip“. Internet: http://www.thoughtcrime.org/software/sslstrip/ [June,2014].
„SSL, GONE IN 30 SECONDS“. Internet: http://breachattack.com/ [June, 2014].
„Vulnerability Summary for CVE-2012-4929“. Internet:http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929 [June, 2014].
„zOompf. Explaining the Crime weakness in SPDY and SSL“. Internet:http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl [June, 2014].
Be'ery, Tal and Amichai Shulman. "TIME Prefect CRIME." Internet:https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf [June,2014].
Canvel, B.“Password Interception in a SSL/TLS Channel“. Internet:http://lasecwww.epfl.ch/memo_ssl.shtml [February, 2003].
Christopher Meyer. „SoK: Lessons Learned From SSL/TLS Attacks“. Internet:http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/08/19/paper.pdf [June, 2014].
Constantin Lucian. „Researchers resurrect and improve CRIME attack against SSL“.Internet: http://www.networkworld.com/news/2013/031413-researchers-resurrect-and-improve-crime-267698.html?page=1 [June, 2014].
Dan Goodin. „Two new attacks on SSL decrypt authentication cookies“. Internet:http://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/ [June,2014].
Hong lei Zhang. „Three attacks in SSL protocol and their solutions“. Internet:https://www.cs.auckland.ac.nz/courses/compsci725s2c/archive/termpapers/725zhang.pdf [June,2014].
Ivan Ristic. „SSL/TLS Deployment Best Practices“. Internet:https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf [June, 2014].
Jonsson J. „On the Security of RSA Encryption in TLS“. In Proc. of CRYPTO '02, pp. 127-142, 2002.
Kelsey John. "3091." 2002. IACR.org. 9 4 2013. Internet;http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf [June, 2014].
Kurt Seifried. „As with marriage, SSL security success is in the details Attacks Against SSL“. Internet: http://www.linux-magazine.com/Issues/2010/112/Security-Lessons-SecureProgramming[June, 2014].
Lars Nybom, Alexander Wall. „SSL/TLS and MITM attacks“. Internet:http://www.it.uu.se/edu/course/homepage/distrinfo/ht09/presentations/Group7.pdf [June, 2014].
Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt. „On the Security of RC4 in TLS“. Internet: http://www.isg.rhul.ac.uk/tls/ [June, 2014].
OpenSSL TLS/DTLS Heartbeat Read Overrun Vulnerability. Internet:http://herjavecgroup.com/admin/pdf/THG_TAB_Heartbleed.pdf [May, 2014].
Pratik Guha Sarkar. „Attacks on ssl a comprehensive study of beast, crime, time, breach,lucky 13 & rc4 biases“. Internet:https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf [June, 2014].
Scott C. Johnson. „CRIME Attack on SSL/TSL“. Internet:http://www.cs.rit.edu/~sxj4236/crypto2_paper2.pdf [June, 2014].
Vlastimil Klíma. „Attacking RSA-based Sessions in SSL/TLS“. Internet:http://eprint.iacr.org/2003/052.pdf [June, 2014].
Mr. Eng. Mohanned Hassan Momani
Sr. Information Security & Technology Consultant IT security trainer C|EI Security Wits Technologies Jordan - Jordan
Mr. Adam Ali.Zare Hudaib
Information & Cyber Security Expert Licensed penetration tester L|PT Sweden - Sweden

View all special issues >>