Turning Active TLS Scanning to Eleven

Abstract: Transport Layer Security (TLS) is the foundation of today's web security, but the majority of deployments are misconfigured and left vulnerable to a plethora of attacks. This negatively affects the overall health of the TLS ecosystem and, as such, all the protocols that build on top of it. Scanning a large number of hosts or protocols, such as in the numerous IPv4-wide scans published recently, for a list of known attacks in TLS is non-trivial. This is due to the design of the TLS handshake, where the server chooses the specific cipher suite to be used. Current scanning approaches have to establish an unnecessarily large number of connections and generate a correspondingly large amount of traffic. In this paper we present and implement different optimized strategies for TLS cipher suite scanning that, compared to the current best practice, perform up to 3.2 times faster and use 94% fewer connections while being able to do exhaustive scanning for many vulnerabilities at once. We thoroughly evaluated the algorithms using practical scans and an additional simulation for evaluating current cipher suite practices at scale. With this work, full TLS cipher suite scans are brought to a new level, making them a practical tool for further empirical research.
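As an added illustration of the handshake constraint the abstract describes (this is not code from the paper, which does not detail its strategies here), the following Python simulation compares the one-suite-per-connection approach with a simple elimination strategy against a simulated server. The suite names and the server's preference list are constructed sample data, and the simulated server is assumed to always pick its own most-preferred suite among those offered.

```python
# Added example, not from the paper: simulate why enumerating a server's
# TLS cipher suites costs many connections, and how eliminating the suite
# the server chose on each round reduces that cost.
from typing import List, Optional, Sequence, Tuple

# Constructed, preference-ordered list of suites the simulated server accepts.
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Constructed list of every suite the scanner wants to test (a superset).
ALL_SUITES = SERVER_SUITES + [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]


def server_handshake(offered: Sequence[str],
                     supported: Sequence[str] = SERVER_SUITES) -> Optional[str]:
    """Simulated server (assumption: server preference wins): returns the
    first of its own suites that the ClientHello offered, or None when no
    suite overlaps (handshake failure). One call models one connection."""
    for suite in supported:
        if suite in offered:
            return suite
    return None


def naive_scan(candidates: Sequence[str],
               supported: Sequence[str] = SERVER_SUITES) -> Tuple[List[str], int]:
    """Current practice: one connection per candidate suite, offering only
    that suite so the server cannot choose anything else."""
    found, connections = [], 0
    for suite in candidates:
        connections += 1
        if server_handshake([suite], supported) is not None:
            found.append(suite)
    return found, connections


def elimination_scan(candidates: Sequence[str],
                     supported: Sequence[str] = SERVER_SUITES) -> Tuple[List[str], int]:
    """Offer all remaining suites at once, drop whichever one the server
    picked, and repeat until the server rejects the ClientHello. Costs
    (number of supported suites + 1) connections and, as a side effect,
    records the server's preference order."""
    remaining, found, connections = list(candidates), [], 0
    while remaining:
        connections += 1
        chosen = server_handshake(remaining, supported)
        if chosen is None:
            break          # nothing left that the server accepts
        found.append(chosen)
        remaining.remove(chosen)
    return found, connections
```

With the constructed data above, the naive scan spends 8 connections and the elimination scan 5; the gap grows with the size of the candidate list, which is the effect the abstract quantifies for real scans.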
Document type: Conference papers

Submitted on: Monday, November 27, 2017 - 10:32:27 AM
Last modification on: Monday, November 27, 2017 - 10:34:00 AM

Distributed under a Creative Commons Attribution 4.0 International License
Wilfried Mayer, Martin Schmiedecker. Turning Active TLS Scanning to Eleven. 32nd IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), May 2017, Rome, Italy. pp. 3-16, ⟨10.1007/978-3-319-58469-0_1⟩. ⟨hal-01649020⟩