
Essay: Exploring Hosting Provider Factors in POODLE SSL Vulnerabilities

Essay details:

  • Published: 1 April 2019*
  • Last Modified: 23 July 2024



\documentclass[11pt,a4paper]{article}

\usepackage[utf8]{inputenc}
\usepackage{glossaries}
\usepackage[titletoc,title]{appendix}
\usepackage{geometry}
\usepackage{graphicx}
\usepackage{subcaption}
\usepackage{caption}
\usepackage{hyperref}
\usepackage{cite}
\usepackage{apacite}
\usepackage[gen]{eurosym}

\geometry{portrait, margin=1.5in}

\begin{document}

\title{
 \center {
 \LARGE{POODLE SSL \\ From a hosting provider perspective}
 }
}

\author{Bryan van Wijk \\ 4363329 \\ \\ Delft University of Technology \\ b.vanwijk@student.tudelft.nl}

\date{\today}

\maketitle

\setcounter{secnumdepth}{1}

% ============================================================================

% The abstract should be no longer than 100 to 150 words. It should convey the topic and research question, the hypothesis, the key findings and key discussion points – all within the 150 word limit.

\begin{abstract}

POODLE SSL is an attack that is possible against the deprecated SSL version 3. Even 5 years after the vulnerability was published, numerous servers are still vulnerable to this attack. This report investigates factors that could explain the difference between hosting providers in the percentage of POODLE-vulnerable servers. The literature review made clear that hosting providers differ widely and that their characteristics are difficult to measure and capture. The ASN is used to identify hosting providers, although it is not the best identifier, and a linear regression is fitted to explain the differences in the percentage of vulnerable servers per AS. The ratio of domain names hosted on an AS is found to be positively correlated with the percentage of POODLE-vulnerable servers in the network. This could be explained by the difference in business models between hosting providers.

\end{abstract}

\newpage

% The introduction/justification and purpose section includes the background information on the security issue and its importance.

\section{Introduction}

The General Data Protection Regulation (GDPR), which took effect in May 2018, was a wake-up call for a lot of companies in the Netherlands and in the European Union. In short, it meant stricter rules for all organizations that collect and process data of EU residents. Although these organizations are responsible, they are not always aware of the risks or able to protect the end users' data on their servers. They may not have the knowledge or capacity to deal with all the security issues, or they are unable to do so because a third party takes care of it. An important part of the infrastructure that organizations have to secure is the communication between the end users and their servers. Securing this communication channel is very complex, and there are a lot of known and unknown vulnerabilities in it. The focus of this report is on the SSL vulnerability called POODLE.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability in the communication between a server and an end user that uses the security protocol SSL. In a POODLE attack, an attacker could act as a man-in-the-middle and in this way read all data sent over the encrypted connection. This includes personal data such as email addresses, passwords, and credit card numbers. SSL was designed to protect against exactly this type of exposure of personal data.

Servers using SSL version 3.0 (SSLv3) are vulnerable to the POODLE attack. The solution for this vulnerability is to disable SSLv3 on the server. Disabling SSLv3 entirely right away was not practical because it was occasionally needed to work with legacy systems. The POODLE vulnerability was discovered in 2014 \cite{moller2014poodle}, yet in 2018 there are still numerous public servers that have SSLv3 enabled, although SSLv3 is now deprecated and should not be used anymore.

Hosting providers can play an important role in preventing cybercrime in general, and specifically in addressing the POODLE SSL vulnerability. They could ensure that all their servers require at least a protocol version higher than SSLv3. This protects the end users against this vulnerability without requiring them to take action.

The remainder of this report is structured as follows. First, in section 2, the relevant literature is described. Section 3 presents the research objective and hypothesis based on the literature. Section 4 elaborates on the methodology used to test the hypothesis. The results are presented in section 5, followed by the limitations in section 6. In the last section, the conclusion of the performed research is presented.

\newpage

% The literature review is a summary of the pertinent, existing research on the security issue under investigation. Please include a discussion of 5 high quality peer-reviewed references related to your security issue. Oftentimes the literature review will provide evidence for the types of variables selected as well as a review of what research has already been done and what still remains to be done for the context and research question selected.

\section{Literature Review}

In this section, literature is reviewed to gain more insight into hosting providers and the security measures they already take in general. First, in the next subsection, a more technical description of the POODLE vulnerability is given, based on a published paper about the issue.

\subsection{This POODLE bites: exploiting the SSL 3.0 fallback}

The POODLE vulnerability was discovered by Google in 2014 \cite{moller2014poodle}. The security issue is found in SSL version 3. SSLv3 is an obsolete protocol which should not be used anymore. SSLv3 offers two kinds of encryption, both with known security issues: the RC4 stream cipher (which has known biases) and block ciphers in CBC mode, which can be exploited with the POODLE attack. Though SSLv3 has been used less often since the introduction of the TLS protocols, some legacy products may depend on SSLv3 and cannot be upgraded. In such a case, TLS clients can downgrade the protocol to work around interoperability bugs on the server side. This downgrade can also be triggered by adversaries who interfere with a handshake attempt between client and server. The adversary then becomes a ‘man-in-the-middle’, able to intercept data from the client and the server. This compromises the security of the client, thus harming values like privacy, confidentiality, integrity and authenticity \cite{performance}. If the attack is successful, the client and the server start communicating over a weakly encrypted connection, which can be decrypted by the adversary. In this way, the adversary can steal sensitive data from a data owner. The data theft could harm the data owner, for example through identity theft.

\subsection{The role of Internet Service Providers in Botnet Mitigation}

In \cite{pijpker} the role of Dutch Internet Service Providers (ISPs) is studied. A reference model is created which summarizes the botnet mitigation measures from the scientific literature that ISPs can take. The model is validated by interviewing Dutch ISPs. The interviews made clear which measures ISPs have or have not taken to prevent botnets. During botnet mitigation, ISPs spend most of their time on prevention and on notifying their customers. The reason for this is the requirement from the government under the Telecommunications Act. ISPs are capable of taking more active measures but do not do so because of privacy concerns. Applied to the POODLE vulnerability, this means ISPs could also notify their customers about vulnerable servers and, if necessary, help them update their servers. Although the POODLE vulnerability is a completely different problem, this study shows one of the security measures ISPs are taking and what they are capable of. It also shows that there are differences between the security performance of different ISPs.

\subsection{Self Hosting vs. Cloud Hosting: Account for the security impact of hosting in the cloud}

In \cite{Molnar_selfhosting} the increasing number of organizations that move their applications from dedicated hosting infrastructure to shared infrastructure leased in the cloud is studied. This change also affects the already doubtful security of most applications. A downside of using the cloud is the decreased control over the hardware, construction, operation, and auditing of the leased infrastructure. You depend, for example, on the provider to update the SSL protocol to a newer version than SSLv3 to mitigate the POODLE SSL vulnerability. In \cite{Molnar_selfhosting} the authors also investigate potential countermeasures, which could also be contractual or procedural, to improve security when using the cloud. A benefit of moving to cloud-based hosting is that the high cost of security measures is shared, which makes them affordable even for small companies. Other benefits are the elasticity of resources and the cost savings due to economies of scale. The same machines can be used for multiple companies and dynamically allocated to customers as needed.

\subsubsection{The Role of Web Hosting Providers in Detecting Compromised Websites}

\cite{canali} found that providers face difficulties in adopting effective security practices in a highly price-competitive market. 22 shared hosting providers were tested by infecting a leased server with different malicious software. All these attacks were easily detectable, but very few of the hosting providers detected them. Anyone can host a website, and because this is so simple, more and more websites are hosted by people who are less skilled. Most of these websites are hosted on shared resources to reduce costs. Because this is becoming so common, shared hosting websites also have a higher chance of being attacked. In most cases, the website owner is dependent on the hosting provider to update the security settings, because owners are not allowed to modify these settings themselves. But it depends on the contract whether the hosting providers have an obligation to their users. This is also relevant for the POODLE vulnerability, as mitigating it requires updating settings that not all customers have access to. Since the research also showed the inability of shared hosting providers to detect compromised websites, this could be a source of servers vulnerable to the POODLE attack.

\newpage

\subsubsection{Apples, Oranges and Hosting Providers}

Hosting providers play an important role in all kinds of Internet-based services, as well as in preventing and mitigating abuse of these services. The main problem in taking advantage of this key role in the internet infrastructure is the heterogeneity and complexity of the market. To be able to set up policies and best practices for the market, information about the number of providers and what they manage should be known. Are large providers able to deliver the same level of security as a small provider? Most research relies on the assumption that an AS is equal to a hosting provider, which is not the case. A large portion of the address space assigned to an AS is not actually managed by the AS owner. Five characteristics of hosting providers are proposed in \cite{apples}. First, the IP address range size, which showed that it takes a large number of providers to account for 80\% of the market. This is surprising, as one would expect that, with economies of scale and services that can be delivered globally, a few large providers would dominate the market. Second, the percentage of IP addresses used for website hosting. This provides information about the core business model of the hosting provider. Third, the percentage of the IP range used for shared hosting. Because of its low profit margins, shared hosting is often flagged as a problem area for security. Fourth, the percentage of domain names on shared hosting, which did not show large differences between hosting providers. Lastly, the density of domains per IP address, which could give insight into the value a hosting provider gets from its customers. More domains on the same IP address indicate more shared resources to lower the costs. All these characteristics of hosting providers can be used to make business profiles and explain differences in security performance regarding the POODLE SSL vulnerability.

\newpage

% Postulate and state a relevant research question in economics of cybersecurity related to the dataset you have used during the previous assignments.

% State a substantive hypothesis based on your research question that can be tested with the data/metrics that you have developed during the group assignments (or further metrics, if you so desire), where needed complemented by additional metrics/datasets as explanatory factors.  Make sure you show how the hypothesis is related to your literature review.

\section{Research Question, Objective and Hypothesis}

As we have seen in the literature review, ISPs are in a good position to act upon cybersecurity vulnerabilities, but there are large differences between their characteristics. These characteristics influence or could explain the difference in security performance. The POODLE SSL vulnerability is relatively easy to solve, yet numerous servers are still vulnerable. In the previous assignments, we already found differences between ASs in their percentage of vulnerable servers (Figure \ref{fig:vulnerable_servers}). In the literature review, we also found characteristics of hosting providers that influence or could explain the security performance. One of them is the insecurity of shared hosting providers due to the price-competitive market. The hypothesis is that for cheap hosting services, which are only used for hobby projects or semi-professional purposes, there is less incentive to spend money on making these services more secure. Hosting providers delivering services to highly valuable customers with thousands or millions of end users have more value, and hosting providers serving these companies will have fewer hosted domains.

Research Question: What is the influence of the service delivered by hosting providers on the percentage of POODLE-vulnerable servers?

The hypothesis that will be tested is:

Hypothesis: Hosting providers serving a larger portion of their IP range as shared hosting have a higher percentage of POODLE-vulnerable servers.

\begin{figure}[h]
  \centering
  \includegraphics[width=15cm]{asn_vulnerable}
  \caption{Percentage of servers vulnerable per ASN, for ASNs with vulnerability percentages $>$ 5\%.}
  \label{fig:vulnerable_servers}
\end{figure}

\newpage

% Describe the research method (qualitative or quantitative, or a combination thereof, descriptive, explanatory) and statistical technique (comparison of means, regression analysis, etc.) that you will use to answer your research question and test your hypotheses.

\section{Methodology (Research Design)}

The dataset used consists of a large number of records, each consisting of an IP address and a timestamp indicating that the server at that IP address was vulnerable to the POODLE SSL vulnerability at that moment. All servers tested are located in the Netherlands and were tested approximately every week.

This research assumes that an ASN is equal to an ISP, although this is not always the case, as also explained in \cite{apples}. Based on this data, we can say something about the security performance of the ISPs regarding the POODLE SSL vulnerability. Hosting providers with a large percentage of vulnerable servers are assumed to perform worse.

Using a linear regression, we try to explain the variance between the different ASs in the percentage of POODLE-vulnerable servers. The characteristic of hosting providers used to test the hypothesis is the ratio of domains hosted to the size of the AS.

\subsection{Data preparation}

For the analysis, the last week of the dataset (24 August 2018 till 1 September 2018) is used to calculate the number of vulnerable servers per ASN. To get the percentage of servers, this number is divided by the total number of IPs assigned to this ASN, retrieved from \cite{CAIDA}. The number of domains assigned to an AS is retrieved from \cite{dsnlytics}. ASs that do not appear in one of these data sets are removed so that the analysis can still be done, and only ASs hosting at least 1 domain are considered. This resulted in a dataset of 743 ASs.

The dependent variable in this analysis is the percentage of 'vulnerable' servers (vulnerable here means that the server still supports SSLv3). An overview of the variables used is presented in Table \ref{tab:1}.

\begin{table}[htbp]
  \centering
  \begin{tabular}{|p{20mm}|p{50mm}|p{20mm}|}
  \hline
  \textbf{Variable} & \textbf{Description} & \textbf{Source} \\ \hline
  \textit{ASN} & Identifier & \\ \hline
  \textit{size} & The number of addresses observed in this AS & CAIDA \\ \hline
  \textit{ndomains} & Number of domains hosted on this AS & DNSlytics \\ \hline
  \textit{npoodlesll} & Number of servers vulnerable to the POODLE attack & Provided by the course instructor \\ \hline
  \end{tabular}
  \caption{Variables used for the analysis}
  \label{tab:1}
\end{table}

\newpage

% Describe the findings from your study. Include and discuss the results of your statistical test. For each;

% Include the relevant statistical output (e.g., ANOVA table, etc.) or a chart, figure, or graphs that illustrates your results. Do not include long frequency distributions or extraneous tables and figures that do not support your findings.

% Discuss and interpret each result. This includes which hypothesis you supported and describe what supporting that hypothesis means.

% Explain what you think the statistical results imply.

\section{Results}

Figure \ref{fig:automation-incoming-requests} shows, as the blue line, the result of the simple linear regression between the ratio of domains hosted to the AS size and the percentage of POODLE-vulnerable servers. The scatter plot of all the data points used for the linear regression is shown in red. For both variables, the logged value is used to put more focus on differences in the order of magnitude than on the exact differences.

\begin{figure}[h]
  \centering
  \includegraphics[width=12cm]{scatterplot}
  \caption{Log relation between the ratio of domains hosted and the percentage of POODLE vulnerable servers}
  \label{fig:automation-incoming-requests}
\end{figure}

In Figure \ref{fig:regression-details} the details of the regression are presented. The ordinary least squares method is used to fit the regression line, minimizing the squared distance of the data points from the regression line. Based on the F-test, the model can be regarded as significant, as the probability value of the F-test is $<$ 0.01. The coefficient of 0.6342 shows that the variables are positively correlated.

The R-squared of 0.507 means that the selected variable explains 50.7\% of the variance in the percentage of vulnerable servers.
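The data preparation and log-log regression described in the methodology and results, as an added Python sketch: it is not the essay's own code, and the prefix table, AS numbers, sizes, domain counts and scan records are constructed stand-ins for the course dataset, CAIDA and DNSlytics. It assumes that vulnerable servers are counted as unique IP addresses and that the date window is inclusive.

```python
import ipaddress
import math
from datetime import date

# --- Constructed sample inputs (stand-ins, not the essay's data) ---
PREFIXES = {  # prefix -> ASN, using documentation ranges and documentation ASNs
    "192.0.2.0/25": 64500, "192.0.2.128/25": 64501,
    "198.51.100.0/25": 64502, "198.51.100.128/25": 64503,
    "203.0.113.0/25": 64504,
}
SIZE = {64500: 1000, 64501: 1000, 64502: 100, 64503: 10, 64504: 100}  # per-AS size table
NDOMAINS = {64500: 10, 64501: 100, 64502: 100, 64503: 100, 64504: 0}  # per-AS domain table
SCANS = [  # (IP, scan date): the server still accepted SSLv3 on that date
    ("192.0.2.10", date(2018, 8, 25)),
    ("192.0.2.10", date(2018, 8, 31)),      # same server seen twice, counted once
    ("192.0.2.200", date(2018, 8, 27)),
    ("198.51.100.7", date(2018, 8, 24)),
    ("198.51.100.130", date(2018, 9, 1)),
    ("198.51.100.131", date(2018, 8, 10)),  # outside the analysis week
    ("203.0.113.5", date(2018, 8, 30)),     # AS hosts no domains, dropped later
]
WINDOW = (date(2018, 8, 24), date(2018, 9, 1))  # assumed inclusive on both ends


def asn_of(ip, nets):
    """Map an IP to its ASN via the prefix table, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in nets if addr in net), None)


def prepare(scans, prefixes, size, ndomains, window):
    """Return {asn: (log10 of ndomains/size, log10 of % vulnerable servers)}."""
    nets = [(ipaddress.ip_network(p), a) for p, a in prefixes.items()]
    vulnerable = {}
    for ip, day in scans:
        asn = asn_of(ip, nets)
        if asn is not None and window[0] <= day <= window[1]:
            vulnerable.setdefault(asn, set()).add(ip)
    rows = {}
    for asn, ips in vulnerable.items():
        # Keep only ASs present in both lookup tables and hosting >= 1 domain.
        if asn not in size or ndomains.get(asn, 0) < 1:
            continue
        ratio = ndomains[asn] / size[asn]
        pct = 100 * len(ips) / size[asn]
        # Every AS reaching this point has >= 1 vulnerable IP, so both logs exist.
        rows[asn] = (math.log10(ratio), math.log10(pct))
    return rows


def ols(points):
    """Simple OLS fit y = a + b*x; returns (slope, intercept, r_squared, f_stat)."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    syy = sum((y - my) ** 2 for _, y in points)
    slope = sxy / sxx
    r2 = sxy ** 2 / (sxx * syy)
    f_stat = r2 / (1 - r2) * (n - 2)  # F statistic with (1, n-2) degrees of freedom
    return slope, my - slope * mx, r2, f_stat


if __name__ == "__main__":
    rows = prepare(SCANS, PREFIXES, SIZE, NDOMAINS, WINDOW)
    slope, intercept, r2, f_stat = ols(list(rows.values()))
    print(f"n={len(rows)} slope={slope:.3f} intercept={intercept:.3f} "
          f"R2={r2:.3f} F={f_stat:.2f}")
```

Because both axes are logged, the slope reads as an elasticity: a tenfold increase in the domain ratio multiplies the expected percentage of vulnerable servers by ten to the power of the slope.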

\newpage

\begin{figure}[h]
  \centering
  \includegraphics[width=10cm]{regression-result.png}
  \caption{Regression result details}
  \label{fig:regression-details}
\end{figure}

A possible explanation for the positive correlation is the type of service these ISPs deliver. More domain names located in an AS relative to the number of IPs could indicate that hosting services are the main part of their business. As found in the literature review, shared hosting is often flagged as a problem area due to the low profit margins of these services. The more domain names are registered relative to the address space, the lower the expected profit per customer of these services. This could be a reason for the hosting provider to pay less attention to security, for example to monitoring the use of the deprecated SSLv3 encryption. Another reason could be that, as these services are cheaper, they are used by customers with a less professional purpose for their server. These customers have less incentive to keep their server up to date, because it is only for a hobby project or because they are less skilled in configuring their server.

\newpage

%  Assess the limitations of your research and discuss the recommendations for others who may research this topic (i.e. what would you do differently?)

\section{Limitations}

The mapping of ASs to ISPs is not optimal: as explained in \cite{apples}, not every AS is automatically an ISP or internet hosting provider. The hosting market is more complex, as an ISP could manage more than one AS or the IP range of an AS could be assigned to multiple organizations. This means the right might not be 100\% accurate as

With more data from these hosting providers, like price differences or business plans, it would be possible to get a better result than by just approximating their business plan based on how many domains are hosted in their AS. This research is done only for the ASs which appeared in the last week of the initial POODLE SSL data set provided by the course. These ASs are all located in the Netherlands, so to get a more accurate view of the complete problem of POODLE-vulnerable servers, other countries should also be included.

% Include a substantive answer to your research question and how it supports or does not support existing literature.

% Discuss the relevance of your results in reference to the problem you presented in the introduction.

\section{Conclusions}

In this report, the reason for the large number of servers vulnerable to the POODLE SSL attack is investigated. Even with the increased media attention for cybersecurity following the recent introduction of the GDPR, there are still numerous servers vulnerable due to the use of a deprecated SSL version. The POODLE SSL vulnerability is relatively easy to solve. The research is done from the perspective of the ISPs, based on data on the number of vulnerable servers in an AS. From the literature review, it became clear that the hosting market is very complex and that there are characteristics of these providers that could explain the difference in security performance. The research question that is answered is whether the service delivered by the hosting providers influences the percentage of vulnerable servers. Based on the literature review, the hypothesis is that providers with a higher ratio of domain names to AS address size will have a higher percentage of servers vulnerable to the POODLE attack. A linear regression is performed to confirm the positive correlation between the percentage of vulnerable servers and the ratio of domain names hosted to the AS address size. As a possible explanation, the difference in business profile is given: providers with a relatively high number of domains serve a different type of customer than providers with a low number of domains. Providers with a lot of domains provide cheap hosting services which are also used for hobby projects or less professional use, where security is less of an issue. The owners may not have the knowledge to update their servers, and the service does not include support from the providers to automatically update the servers. This is a possible explanation for the difference between ASs in their percentages of POODLE-vulnerable servers. Future qualitative research will be necessary to confirm these findings.

\newpage

\bibliographystyle{apacite}

\bibliography{./references}

\end{document}

About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, Exploring Hosting Provider Factors in POODLE SSL Vulnerabilities. Available from:<https://www.essaysauce.com/sample-essays/2018-11-17-1542442575/> [Accessed 13-04-26].

These Sample essays have been submitted to us by students in order to help you with your studies.

* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.