Ivan Ristić

My first SSL Labs project is about HTTP client fingerprinting when SSL is used. A cipher suite, in SSL, is a collection of cryptographic techniques that defines a secure communication channel. There are hundreds of cipher suites, and they are all built out of a dozen or so basic building blocks: key exchange, encryption and integrity validation algorithms. Different programs often use different cipher suites. By observing the list of supported cipher suites one can determine the maximal communication strength, and often even guess the make of the SSL client on the other side.

Possible uses:

• System administrators can make informed decisions about which cipher suites to enable in the SSL servers they maintain. The general goal is disable as many of the weak(er) cipher suites, while leaving enough to still make it possible for users to connect.
• Cross-checking the supported cipher suites with the HTTP client identity offered in the User-Agent header may help uncover some automated attack tools that masquarade themselves as browsers. Although the cipher suites used by an SSL client is completely under its control, such evasive actions require a new layer of SSL expertise. (Whereas it is trivial to spoof the contents of the User-Agent header.)

The proof of concept is an Apache module, which monitors SSL handshakes to extract the supported cipher suites. This approach is quite handy, because you can add the fingerprinting facility to your existing installation and suffer negligible overhead.

A group of 38 researchers and privacy advocates sent a letter to Google asking it to enable SSL encryption by default in all its applications. Google has had the always-use-SSL option for a while but, since the feature is disabled by default, only a small number of users is taking advantage of it. Google's response was somewhere along the lines of "we'll give the users security... eventually... if we must".

Although the performance overhead of SSL is negligible for most web sites, the price of security is likely to be significant in Google's case, considering the size of its user base.

Recently I've found myself spending more and more time not only thinking about SSL, but also working on several SSL-related projects. SSL is a remarkable technology that is not given nearly as much credit as it deserves. I think this is at least partially because SSL is so commonplace today that people take it for granted. Compared to other security technologies, it is also reasonably easy to configure. But therein lies the danger: SSL is so easy to use that most people have stopped thinking about SSL.

I think there's a large gap between how SSL is used today and how it should be used. Actually, I think we first need to make an effort to understand how SSL is actually used today in order to build on that knowledge. With that, in mind, I decided to start a new web site and use it as a launching point for my SSL-related projects. Fast-forward several months; today, I am happy to announce SSL Labs, which has just launched.

My initial work on HTTP client fingerprinting using SSL handshake analysis is already there (I will write more about it in subsequent posts), but I have several other projects, which I will publish in the following weeks.