
Research on the Security of SSL/TLS Protocol Configuration on Web Sites


Abstract

The SSL/TLS protocol is one of the most widely used security protocols for communication security and identity authentication, and it plays a very important role in ensuring the security of information systems. However, due to the complexity of the SSL/TLS protocol, web sites are prone to security defects such as code implementation vulnerabilities, deployment configuration flaws and certificate and key management problems when implementing and deploying SSL/TLS. This type of security problem occurs frequently on web sites and has caused many network security incidents affecting a large number of sites. However, the existing methods for analyzing and detecting web security cannot satisfy the need: there are very few tools in this field, and those that exist tend to focus on only certain aspects. In addition, these problems need to be explored further to provide more detailed analysis and recommendations. In this paper, we design and implement a detection system that tests the SSL/TLS protocol deployment of web sites. Our system performs vulnerability scanning and analysis from three aspects: basic protocol configuration, cipher suite support, and tests for typical attacks. We use it to scan the Alexa top 1 million web sites and give detailed statistics and analysis. We found that the insecure cipher suite 3DES is widely supported and that the support rate for the critical extension OCSP Stapling is less than 25%. More seriously, many sites are still vulnerable to the Heartbleed attack and suffer from other serious problems. Finally, corresponding solutions or suggestions are given for the main problems found in the scanning results.
