spoofzu / DeepViolet

Tool for introspection of SSL\TLS sessions


DeepViolet Features/Improvement Grab Bag

spoofzu opened this issue · comments

These are improvements (I) not targeted to a release; however, future assigned features will come from this area. Improvement numbers (e.g., I3) are provided for easy reference, not intended to communicate priority.

TLS 1.3
On the horizon. Need to investigate what changes are involved to support.

Include vulnerability analysis
Perform analysis for various attacks against TLS. This has been requested by several people as being a valuable feature for them. Begin preparation to support vuln analysis. Need some basic framework to communicate user-adjustable feature settings in a flexible way. After the framework is added I will see what time remains to begin vuln analysis. It's anticipated to not be very useful at first.

Handshake Simulation
Simulate different web browsers and operating systems to assess impact to negotiated cipher suites.

STARTTLS Support
Support for email and other services.

Suppress HTTP headers
Consider the idea of turning this off in the reference implementation reports by default. The reason is that headers have sensitive information, cookie session IDs, etc. Those using the tool may not consider this when taking screenshots and sharing on the Internet. Best approach is to default securely.

Improve scoring system
Consider moving to a scoring system similar to Qualys SSL Labs scoring and TLS Observatory. Today there is no analysis, with the exception of a strong, medium, and weak evaluation of cipher suites. This will make sense if we include vulnerability analysis in DV.

Certificate Transparency
Consider including CT. CT is useful to identify misissued certificates, rogue CAs, and stolen certificates. Ref: certificate-transparency.org

Cloud Scale
Several attendees at Black Hat EU 2016 mentioned popular TLS/SSL scanning tools today are organized around scanning a single server. Cloud scale solutions do not exist.

JSON
Several attendees at Black Hat EU 2016 mentioned exporting reports in JSON would be a big compatibility benefit. Easy integration with Splunk was one example.

Misc
Check for the following supported features and include them in the UI: Forward Secrecy, OCSP Stapling, HSTS - HTTPS Strict Transport Security, HPKP - Public Key Pinning Extension for HTTP (see Qualys blog), Extended Validation, Warn Soon to Expire Certs, etc.

RELATED DOCUMENTATION
Qualys TLS Threat Model
OWASP Transport Layer Protection Cheat Sheet
OpenJDK Inspirational Code
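The Misc, scoring, header-suppression and JSON items above all act on the same scan result, so here is an added example (not DeepViolet code and not from the issue author) that post-processes one constructed scan result into a report: forward-secrecy detection from the negotiated suite, a strong/medium/weak cipher rating, HSTS/HPKP/OCSP/EV/expiry checks, redaction of cookie-bearing headers by default, and JSON export. The rating thresholds, the `SENSITIVE_HEADERS` set and every value in `SAMPLE_SCAN` are this example's own assumptions.

```python
"""Added example (not part of DeepViolet or of this issue): turn one scan
result into the report shape the issue asks for. Every input value below is
constructed for illustration; the rating thresholds are this example's own."""
import json
import re
from datetime import datetime, timedelta, timezone

# Headers that routinely carry session material. The "Suppress HTTP headers"
# item argues for hiding these by default, so the report redacts them.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}


def has_forward_secrecy(suite: str, protocol: str) -> bool:
    """Ephemeral (EC)DHE key exchange gives forward secrecy; TLS 1.3 always does."""
    if protocol == "TLSv1.3":
        return True
    return re.search(r"_(ECDHE|DHE)_", suite.upper()) is not None


def rate_cipher_suite(suite: str, protocol: str) -> str:
    """Coarse strong/medium/weak rating in the spirit of the issue's current
    scheme (assumed rules): legacy primitives are weak, an AEAD suite with
    forward secrecy is strong, everything else is medium."""
    s = suite.upper()
    if any(bad in s for bad in ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")):
        return "weak"
    aead = any(mode in s for mode in ("GCM", "CHACHA20", "CCM"))
    if aead and has_forward_secrecy(suite, protocol):
        return "strong"
    return "medium"


def redact_headers(headers: dict) -> dict:
    """Replace values of sensitive headers so a shared report leaks nothing."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def build_report(scan: dict, now: datetime, expiry_warn_days: int = 30) -> dict:
    """Assemble the feature checks from the issue's Misc item plus warnings."""
    lower = {k.lower(): v for k, v in scan["headers"].items()}
    protocol, suite = scan["protocol"], scan["cipher_suite"]
    fs = has_forward_secrecy(suite, protocol)
    rating = rate_cipher_suite(suite, protocol)
    days_left = (scan["not_after"] - now).days
    hsts = "strict-transport-security" in lower
    warnings = []
    if rating == "weak":
        warnings.append("weak cipher suite negotiated")
    if not fs:
        warnings.append("no forward secrecy")
    if not hsts:
        warnings.append("HSTS header missing")
    if days_left <= expiry_warn_days:
        warnings.append(f"certificate expires in {days_left} days")
    return {
        "host": scan["host"],
        "protocol": protocol,
        "cipher_suite": suite,
        "cipher_rating": rating,
        "forward_secrecy": fs,
        "ocsp_stapling": scan["ocsp_stapled"],
        "hsts": hsts,
        "hpkp": "public-key-pins" in lower,
        "extended_validation": scan["extended_validation"],
        "days_until_expiry": days_left,
        "warnings": warnings,
        "headers": redact_headers(scan["headers"]),
    }


def to_json(report: dict) -> str:
    """JSON export as requested in the issue (datetimes serialised via str)."""
    return json.dumps(report, indent=2, sort_keys=True, default=str)


# Constructed scan result standing in for what a TLS handshake plus one HTTP
# request would yield; no network access is needed to run this file.
NOW = datetime(2016, 12, 1, tzinfo=timezone.utc)
SAMPLE_SCAN = {
    "host": "example.test",
    "protocol": "TLSv1.2",
    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ocsp_stapled": True,
    "extended_validation": False,
    "not_after": NOW + timedelta(days=12),
    "headers": {
        "Strict-Transport-Security": "max-age=31536000",
        "Set-Cookie": "JSESSIONID=constructed-session-id; Secure; HttpOnly",
        "Server": "constructed-server/1.0",
    },
}

if __name__ == "__main__":
    print(to_json(build_report(SAMPLE_SCAN, NOW)))
```

Running the file prints the redacted JSON report for the constructed scan; the Set-Cookie value never reaches the output, while the Server header and the feature flags do, which is the "default securely" behaviour the header-suppression item asks for. The forward-secrecy test keys off the key-exchange token in the suite name for TLS 1.2 and earlier because TLS 1.3 suite names no longer carry it.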

Maybe also interesting: insecure renegotiation, interoperability issues, system clock mismatches, DH vulns, forward secrecy, protocol downgrade, client-side TLS issues, client-side TLS certificate evaluation
Nice threat model: https://www.ssllabs.com/downloads/SSL_Threat_Model.png

Android SSL has its own issues; wildcard certificates should be flagged as well as private IP certificates (19.168.x.x networks and so on). OWASP website has some great info: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
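As an added illustration of the wildcard and private-IP flagging suggested in the comment above (example code, not part of this thread or of DeepViolet), the following walks a certificate's subject alternative names and raises a flag for wildcard DNS names and for private or loopback IP addresses. The SAN entries in `SAMPLE_SAN` and the `DNS:`/`IP:` text encoding are constructed for the example; a scanner would take the values from the parsed X.509 certificate.

```python
"""Added example (not DeepViolet code): flag the certificate names the comment
above singles out, wildcard DNS names and private or loopback IP addresses,
from a subject alternative name list. The SAN entries are constructed; a
scanner would take them from the parsed X.509 certificate."""
import ipaddress


def classify_san(entry: str) -> list:
    """Return the flags raised by one SAN entry written as 'DNS:name' or 'IP:addr'."""
    kind, _, value = entry.partition(":")
    flags = []
    if kind == "DNS":
        if value.startswith("*."):
            flags.append("wildcard")
        elif "*" in value:
            flags.append("non-leftmost-wildcard")  # e.g. "www.*.example.test"
    elif kind == "IP":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return ["invalid-ip"]
        if ip.is_loopback:
            flags.append("loopback-ip")
        elif ip.is_private:  # RFC 1918 space and other non-global ranges
            flags.append("private-ip")
    else:
        flags.append("unexpected-san-type")
    return flags


def flag_certificate(san_entries) -> dict:
    """Map each flagged SAN entry to its flags; clean entries are omitted."""
    result = {}
    for entry in san_entries:
        flags = classify_san(entry)
        if flags:
            result[entry] = flags
    return result


# Constructed SAN list mixing a normal name, a wildcard, private and loopback
# addresses, and one public address (1.2.3.4 is globally routed space).
SAMPLE_SAN = [
    "DNS:www.example.test",
    "DNS:*.example.test",
    "IP:192.168.1.10",
    "IP:10.0.0.1",
    "IP:127.0.0.1",
    "IP:1.2.3.4",
]

if __name__ == "__main__":
    for entry, flags in flag_certificate(SAMPLE_SAN).items():
        print(f"{entry}: {', '.join(flags)}")
```

A private or loopback address in a public-facing certificate is worth surfacing in a report because it reveals internal addressing and suggests the certificate was issued for a different deployment than the one being scanned; the `ipaddress` module already knows the reserved ranges, so no hand-maintained prefix list is needed.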

Regarding Qualys ratings, today there is no vulnerability analysis, with the exception of a strong, medium, and weak evaluation of cipher suites. A rating system will make sense if we include vulnerability analysis in DV. For now, I added this as improvement (#I5).

Threat Model, I think your point here is that we should use the threat model to drive the future features, good idea. I will include the link in the improvement list.

SSL Diagnostic Tool, not sure of the point you make in posting the tool, other than that a Java tool is available.

Certificate Transparency, I will add this to our list. I know there's a Java API available but even so I'm sure it would be significant work. A super cool idea!

Android SSL, once again today I don't perform any vulnerability analysis. I will include the cheat sheet link so we keep it at the forefront of our consideration.
Thanks Sytze! Great ideas.

Thanks!