Negotiation transparency and consistency in configurable protocols: an empirical investigation

Configurability (also known as agility), is a protocol design framework that allows protocols to support multiple values for parameters such as the protocol version and ciphersuite. At the beginning of a new protocol session, both communicating parties, e.g. client and server, negotiate these parameters to reach a mutual agreement on optimal values for these parameters, which will be used for the rest of the session. The parameters negotiation phase is critical as it defines the security guarantees that the protocol can provide in a particular session. Hence, it has been an attractive target for downgrade attacks. While the literature has looked at the authenticity and integrity of parameters negotiation in configurable protocols to prevent downgrade attacks under the man-in-the-middle attacker model, negotiation transparency and consistency under other attacker models have been largely overlooked. Are there unexplored attacker models that can result in a downgrade? Can a semi-trusted server discriminate against its clients without being detected? Can two clients' requests to the same server receive inconsistent security guarantees? Can we achieve a better balance between security and backward compatibility? In this thesis we aim to answer these unexplored interrelated questions, with a focus on the TLS protocol as one of the most important and widely used configurable protocols. To this end, we first introduce a taxonomy of downgrade attacks in the TLS protocol and application protocols using TLS. Second, we define three types of negotiation models based on a new notion we introduce, which we call the "negotiation power". Third, we introduce a novel attacker model which we call the "discriminatory" model. Fourth, through a measurement-based case study on the Forward Secrecy property and the TLS protocol, we find that there are indeed servers that select non-Forward Secrecy, nevertheless they support it, proving that, in the same vein, discrimination downgrade attacks can go unnoticed. Fifth, through two measurement-based case studies in TLS and HTTPS, we quantify inconsistencies in HTTPS and TLS responses to requests that differ in subtle variables that are not expected to affect the received security guarantees. Namely, we quantify inconsistent servers' responses to requests with versus without the www. prefix, and to requests from different geographic locations. Finally, we examine the concept of "prior knowledge" to reduce the downgrade attacks' surface. The results of this thesis introduce transparency and consistency as needed properties in configurable protocols, and show that they are not perfectly achieved in widely used protocols today such as TLS and HTTPS.