Examining DES-based Cipher Suite Support within the TLS Ecosystem

In July 2018, over a decade after the DES encryption algorithm was retired, 3DES was also officially deprecated. While previous work suggests a successful deprecation of DES, with less than 1% of observed SSL/TLS handshakes using some form of DES up until 2018, such work tends to be limited in scope and does not necessarily capture the true persistence of DES across the entire TLS ecosystem. We actively investigate online support for DES and DES-derivative ciphers by querying IP addresses responsive to port 443 connection attempts. To achieve this, we design and implement our own Internet scanning tool built upon ZMap and attempt to negotiate handshakes exclusively using DES ciphers. In total, we have scanned over 24 million unique IP addresses and found that nearly half of them can still successfully establish an HTTPS connection using at least one DES cipher. Moreover, we also find that many servers still support DES40 (which can be broken in seconds) and anon ciphers (which offer no certificate verification and are vulnerable to man-in-the-middle attacks). Our investigation demonstrates the biases and misunderstandings in previous weak cipher studies within the TLS ecosystem, and discloses the severity of this problem by targeting DES-based cipher suites.
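To make the measurement concrete, the following added example (not code from the paper or its scanning tool) shows how a ServerHello returned to a DES-only offer can be parsed and the selected suite classified into the families the abstract names. The function names and the sample record are constructed for illustration, and the suite table is a small selection of IANA code points chosen for this example.

```python
import struct

# IANA code points for a few suites in the families the abstract names
# (the selection is this example's assumption, not the paper's scan list).
SUITES = {
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Name fragments are mutually exclusive: "_DES_" never matches 3DES or DES40.
TAGS = (("_DES40_", "DES40"), ("_3DES_EDE_", "3DES"),
        ("_DES_", "DES"), ("_anon_", "anon"))

def classify(name):
    """Return the weakness labels that apply to an IANA suite name."""
    return {label for tag, label in TAGS if tag in name}

def selected_suite(record):
    """Extract the chosen cipher suite code from a TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or len(record) < 5 + rlen:
        raise ValueError("not a complete handshake record")
    body = record[5:5 + rlen]
    if len(body) < 39 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # Skip 4-byte handshake header, 2-byte version, 32-byte random.
    off = 39 + body[38]          # body[38] is the session_id length
    if off + 2 > len(body):
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", body[off:off + 2])[0]

def build_sample(code, sid=b""):
    """Constructed ServerHello (TLS 1.0, all-zero random) used as test input."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid
    hello += struct.pack("!HB", code, 0)   # suite, null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def audit(record):
    """Return (suite name, labels) for the suite a server selected."""
    code = selected_suite(record)
    name = SUITES.get(code, "unknown_0x%04X" % code)
    return name, classify(name)
```

An empty label set means the selected suite is outside the DES, 3DES, DES40 and anon families; a server that answers a DES-only offer with an alert instead of a ServerHello raises `ValueError` here.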

Presented by