Coming of Age: A Longitudinal Study of TLS Deployment

TitleComing of Age: A Longitudinal Study of TLS Deployment
Publication TypeConference Paper
Year of Publication2018
AuthorsKotzias, P., Razaghpanah A., Amann J., Paterson K. G., Vallina-Rodriguez N., & Caballero J.
Published inProceedings of IMC 18

The Transport Layer Security (TLS) protocol is the de-facto standard for encrypted communication on the Internet. However, it has been plagued by a number of different attacks and security issues over the last years. Addressing these attacks requires changes to the protocol, to server- or client-software, or to all of them. In this paper we conduct the first large-scale longitudinal study examining the evolution of the TLS ecosystem over the last six years. We place a special focus on the ecosystem’s evolution in response to high-profile attacks. For our analysis, we use a passive measurement dataset with more than 319.3B connections since February 2012, and an active dataset that contains TLS and SSL scans of the entire IPv4 address space since August 2015. To identify the evolution of specific clients we also create the—to our knowledge—largest TLS client fingerprint database to date, consisting of 1,684 fingerprints. We observe that the ecosystem has shifted significantly since 2012, with major changes in which cipher suites and TLS extensions are offered by clients and accepted by servers having taken place. Where possible, we correlate these with the timing of specific attacks on TLS. At the same time, our results show that while clients, especially browsers, are quick to adopt new algorithms, they are also slow to drop support for older ones. We also encounter significant amounts of client software that probably unwittingly offer unsafe ciphers. We discuss these findings in the context of long tail effects in the TLS ecosystem.


We thank the Censys team for their support throughout writing this paper. We also thank Matías Spatz for his help on collecting TLS fingerprints for Windows. At last, we thank Dave Levin and the anonymous reviewers for their insightful comments and feedback.This work was supported by the US National Science Foundation under grants CNS-1528156, CNS-1564329, and OAC-1348077. This work was also supported by the UK EPSRC under grants EP/M013472/1, EP/K035584/1 and EP/P009301/1. This research was partially supported by the Regional Government of Madrid through the N-GREENS Software-CM project S2013/ICE-2731, by the Spanish Government through the DEDETIS grant TIN2015-7013-R, and by the European Union through the ElasTest project ICT-10-2016-731535. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators,and do not necessarily reflect the views of the sponsors.

ICSI Research Group

Networking and Security