In July 2018, over a decade after the DES encryption algorithm was retired, 3DES was also officially deprecated. While previous work suggests a successful deprecation of DES, with less than 1% of observed SSL/TLS handshakes using some form of DES up until 2018, such work tends to be limited in scope and does not necessarily capture the true persistence of DES across the entire TLS ecosystem. We actively investigate online support for DES and DES-derivative ciphers by querying IP addresses that respond to connection attempts on port 443. To achieve this, we design and implement our own Internet scanning tool, built on ZMap, that attempts to negotiate handshakes exclusively with DES cipher suites. In total, we have scanned over 24 million unique IP addresses and found that nearly half of them can still successfully establish an HTTPS connection using at least one DES cipher suite. Moreover, we also find that many servers still support DES40 (which can be broken in seconds) and anonymous (anon) cipher suites (which offer no certificate verification and are vulnerable to man-in-the-middle attacks). Our investigation demonstrates the biases and misunderstandings in previous weak-cipher studies of the TLS ecosystem, and reveals the severity of this problem by targeting DES-based cipher suites.
Vanessa Frost is a current cybersecurity graduate student working with Dr. Kevin Butler at the FICS research lab at the University of Florida. Her research interests include protecting consumer data privacy from third parties, limiting the effectiveness of mass-surveillance techniques, and promoting anti-censorship technologies and protocols. After two years in a PhD program, she’s pretty convinced that nothing is secure and never will be and that the human species really took the Stone Age for granted. She’s grateful for the Internet that allows her to play video games with friends and still can’t wrap her head around the fact that most of the giants in computer science are still living. Her heroes include her mother and caffeine. She hates lima beans and public speaking.