TLS-Monitor: A Monitor for TLS Attacks

The Transport Layer Security (TLS) protocol is subject to intensive research resulting in a long list of TLS attacks discovered in the last decade. To test the resistance of a TLS server to attacks, several tools or services can be used nowadays, such as the famous Qualys SSL Server Test. Nevertheless, although a security administrator updates the TLS software and configuration, internal attacks or malicious code could change that TLS-installed code or its setting at any time to make it prone to attacks. Thus, either the TLS server configuration is checked continuously, or other techniques are needed to indicate that a running TLS server is potentially vulnerable to attacks. We propose TLS-Monitor, a TLS attack-aware network monitoring tool that inspects the traffic for a target system looking for known TLS vulnerabilities that may lead to attacks. Examples are the self-signed certificate(s) allowing to set up a man-in-the-middle attack or the TLS heartbeat extension for the Heartbleed attack. If a vulnerability is found, the proposed tool checks if the threat applies by launching specific TLS attacks. Ultimately it raises alarms and creates a report. The TLS-Monitor tool employs network monitoring tools, like Suricata and Zeek, and TLS attack tools, like TLS-Attacker or Metasploit. We successfully tested TLS-Monitor in a testbed environment for some selected attacks, including Heartbleed, MITM, and Bleichenbacher. We foresee to extend the tool in the future to support other TLS attacks.