Characterization of cipher suite selection, downgrading, and other weaknesses observed in the wild

Abstract: The importance of security on the web is growing every day. How domains handle and prioritize their level of security is varying. Tradeoffs between security and convenience have to be made to uphold a website's public image. This thesis uses a subset of domains from the Alexa Top 1M list. The list was used to create our datasets, collected through active scans with testssl.sh. This thesis has through the mentioned datasets compared domains in regards to several security aspects and analyzed how they handle security and convenience. We performed our scans over the course of two weeks to analyze each domain's level of security. As well as looking at top domains for several popular categories. Our analysis mainly focused on comparing the domains on their choice of Transport Layer Security (TLS) version, cipher suite, support for HSTS, and if they were exposed to any vulnerabilities. The subset of domains that we looked at saw about 50% implementation of TLS 1.3. We discovered that the most popular domains tend to choose availability as one of their highest priorities, leaving them exposed to vulnerabilities in earlier versions of the TLS protocol. Most domains that showed exposure to one vulnerability, in general, also were exposed to BEAST. This was also the most prominent vulnerability among all domains. We also showed that many of the negotiated cipher suites on the list of domains still utilize cipher block chaining, which is known to be weak. Our results show that different browsers, mobile operating systems, and the time of day had a negligible impact on the choice of TLS version. Most of the domains in the popular categories had not yet adopted TLS 1.3 and were overall more exposed to the tested vulnerabilities than those on the top million list. The support for HSTS was low in both the categories and on the Alexa top list. We conclude that upgrading to the latest recommended standard should always be a priority for server operators.