2013-12-05_tcpflow-and-BE-update

More documents

Recommendations

Info

The actual cipher suites used when connecting to 2.4 Million SSL sites with the cipher suite settings extracted from each browser. *Opera does not includeits TLS 1.2 cipher suites.nternet Explorer does particularly poorly as it does not support any cipher suite that uses both RSA public keys and non-elliptic-curve DH key exchange,Currently PFS is not much of an issue.hich includes the most popular PFS cipher suite. The PFS cipher suites that IE does support have a lower priority than some of the most commonlyupported non-PFS cipher suites. Curiously, IE does support DHE-DSS-AES256-SHA, which uses the rarer DSS authentication method, but not the veryopular DHE-RSA-AES256-SHA.Browser priority Cipher Suite Real-world usage in SSL Survey1 AES128-SHA 63.52%2 AES256-SHA 2.21%3 RC4-SHA 17.12%4 DES-CBC3-SHA 0.41%5 ECDHE-RSA-AES128-SHA 0.08%6 ECDHE-RSA-AES256-SHA 0.21%7 ECDHE-ECDSA-AES128-SHA 0.00%8 ECDHE-ECDSA-AES256-SHA 0.00%9 DHE-DSS-AES128-SHA 0.00%10 DHE-DSS-AES256-SHA 0.00%11 EDH-DSS-DES-CBC3-SHA 0.00%12 RC4-MD5 16.46%Internet Explorer 10's cipher suite ordering and the actual negotiated cipher suite in Netcraft's SSL survey. PFS cipher suites are highlighted in bold andgreen.afari supports many PFS cipher suites but non-elliptic-curve cipher suites are used only as a last resort. As several non-PFS ciphers have a higher priority,“SSL: Intercepted today, decrypted tomorrow”eb servers respecting the browser's preferences will end up selecting a non-PFS cipher suite even if the web server itself does support some (non ellipticurve)PFS cipher suites.hrome, Firefox, and Opera all do better, preferring PFS cipher suites ahead of non-PFS at any given strength level — for example Opera's preference list—Netcraft September 2013http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decryptedtomorrow.htmltarts: DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, AES128-SHA. Netcraft did notnclude any cipher suites only present in TLS 1.2 which includes many of Opera's PFS cipher suites, so the results for Opera form a lower bound on theumber of SSL sites using PFS with Opera.one of the browsers change their user interface perceptibly to reflect the presence of PFS akin to the way EV certificates are treated to a green addressar. Google Chrome and Opera show the cipher suite used (in popups or dialog boxes), but they rely on a user understanding the implications of wordinguch as "[..] ECDHE_RSA as the key exchange mechanism".eb server support for PFS36
One-page visualization of packet flows - NitrobaTCPFLOW 1.4.0b1Input: /corp/nps/packets/2008-nitroba/nitroba.pcapGenerated: 2013-06-16 21:32:36Date range: 2008-07-21 18:51:07 -- 2008-07-21 23:13:47Packets analyzed: 91,144 (55.02 MB)Transports: IPv4 100%6 MB100%5 MB3 MB2 MB0 MB54 00 06 12 18 24 30 36 42 48 54 00 06 12 18 24 30 36 42 48 54 00 06 12 18 24 30 36 42 48 54 00 06 12 18 24 30 36 42 48 54 00 06 124 hours, 22 minutes (3 minute intervals)0%HTTP HTTPS Port 52227 MB0 B192.168.8.0/21208.111.148.674.125.0.0/2069.22.167.21569.22.167.21469.22.167.224/27196.0.0.0/6204.0.0.0/8Top Source Addresses66.192.0.0/10209.16.0.0/12100%0%40 MB0 B192.168.8.0/21196.0.0.0/6192.168.1.64239.255.255.25069.22.167.21566.192.0.0/10216.112.0.0/1569.22.167.224/28Top Destination Addresses208.111.148.669.22.167.214100%0%1) 192.168.8.0/21 - 6.56 MB (11%) 1) 192.168.8.0/21 - 39.58 MB (71%)2) 208.111.148.6 - 5.41 MB (9%) 2) 192.168.1.64 - 7.77 MB (14%)3) 74.125.0.0/20 - 4.55 MB (8%) 3) 239.255.255.250 - 818.61 KB (1%)45 MB80100%6 MB803971033148100%0 B443397103299233148522234884Top Source Ports3488235804347420%0 B35956348823488433944Top Destination Ports3574234118352640%1) 80 - 44.78 MB (84%) 1) 80 - 5.85 MB (11%)2) 443 - 1.82 MB (3%) 2) 39710 - 5.41 MB (10%)3) 39710 - 178.85 KB (0%) 3) 33148 - 4.44 MB (8%)37
Page 1 and 2: TCPBEflowTCP analysis with tcpflow;
Page 3 and 4: tcpflow is a command-line tool for
Page 6 and 7: tcpflow turns each side of the TCP
Page 14 and 15: tcpflow automatically bins connecti
Page 16 and 17: eport.xml is a DFXML file that reco
Page 18 and 19: tags generated by tcpflow match fiw
Page 20 and 21: Harassment atNITROBAState Universit
Page 22 and 23: To find out what's going on,Nitroba
Page 24 and 25: How to solve this problem:NITROBASt
Page 26 and 27: Slides omitted
Page 28 and 29: tcpflow addresses important “real
Page 30 and 31: 26tcpflow makes transcripts from ea
Page 32 and 33: 28tcpflow makes transcripts with mi
Page 34 and 35: 30tcpflow will detect and split gig
Page 36 and 37: tcpflow 1.4 uses the bulk_extractor
Page 38 and 39: SSL decryption issuesOptions for de
Page 42 and 43: 808023One-page visualization of pac
Page 44 and 45: Radiotap information available at T
Page 46 and 47: 802.11 link-layer information avail
Page 48 and 49: plot_wifi_aps.py will transform thi
Page 50 and 51: BEbulk_extractorimprovements
Page 53 and 54: zip.txt — potential zipfile heade
Page 55 and 56: Beverly, Robert, Simson Garfinkel a
Page 57 and 58: Are low-level binary network data s
Page 59 and 60: Hibernation decompression found eve
Page 61 and 62: BE 1.3 put MAC addresses in ether.t
Page 63 and 64: ip_histogram.txt removes random noi
Page 65 and 66: pcap files are a common file format
Page 67 and 68: We find a lot of packets on disks!A
Page 69 and 70: The big picture:using low-probabili

2013-12-05_tcpflow-and-BE-update

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?