Network Security Analysis of Duta Wacana Christian University Using SSL/TLS Attacks (original title: Analisis Keamanan Jaringan Universitas Kristen Duta Wacana Dengan Serangan SSL/TLS)
DOI: https://doi.org/10.21460/jutei.2022.62.214
Keywords: SSL Test, SSL Strip
Abstract
Securing data communication over the network is an obligation for any technology ecosystem. Data security has several layers; one that needs protection is the presentation layer, where SSL/TLS operates. A vulnerability at this layer exposes sensitive data such as cookies, usernames and passwords, and the resulting leak affects every stakeholder in the technology sector who relies on SSL/TLS. To assess and improve data security on the Duta Wacana Christian University (DWCU) campus network, the researchers tested the SSAT and E-Class websites for SSL/TLS weaknesses using the Qualys SSL Test and the testssl.sh script, checked for mixed content with the GeekFlare mixed-content tool, and checked HSTS preload status with the HSTS Preload website provided by Google. The researchers also carried out SSL Strip penetration tests at 12 points in the DWCU buildings and in Lab D. The results are as follows. The Qualys SSL Test showed that the SSAT and E-Class websites already send an HTTP Strict Transport Security (HSTS) header with max-age=31536000 (1 year), but neither site is on the HSTS preload list; the GeekFlare mixed-content test showed that all SSAT and E-Class resources are loaded over HTTPS; the testssl.sh scan reported several vulnerabilities; and SSL Strip attacks proved possible on the Duta Wacana Christian University network under several conditions.
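The two findings above are linked: an HSTS policy that a browser learns only from an earlier HTTPS response does nothing for its very first plain-HTTP request to a host, and that first request is exactly what an SSL Strip proxy intercepts, so a one-year max-age without a preload entry still leaves a window. The following Python script, added here as an illustration and not part of the published article, parses a Strict-Transport-Security header, lists the header-level reasons hstspreload.org would reject a site, and models a browser's HSTS store (RFC 6797) to show which visits remain downgradable. The host names and header values are constructed for the example; the SSAT and E-Class hosts are not named in the abstract and are not used.

```python
"""HSTS header parsing, preload-eligibility check and a minimal model of a
browser's HSTS store. Added example: hosts and headers below are constructed."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by hstspreload.org


@dataclass
class HstsPolicy:
    max_age: Optional[int]  # None when max-age is missing or not a number
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """RFC 6797 section 6.1: ';'-separated, case-insensitive directives."""
    max_age, include_subdomains, preload = None, False, False
    for raw in header.split(";"):
        name, _, value = raw.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: Optional[str]) -> list[str]:
    """Header-level reasons hstspreload.org would reject the site; [] means the
    header qualifies. Requirements not visible in the header (valid certificate,
    HTTP->HTTPS redirect on the same host) are deliberately not checked here."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    p = parse_hsts(header)
    problems = []
    if p.max_age is None:
        problems.append("max-age missing or invalid")
    elif p.max_age < ONE_YEAR:
        problems.append(f"max-age {p.max_age} is below {ONE_YEAR} (1 year)")
    if not p.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not p.preload:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Minimal browser HSTS store (RFC 6797 sections 8.1-8.3); `preload` maps
    preloaded hosts to their includeSubDomains flag."""

    def __init__(self, preload: Optional[dict[str, bool]] = None):
        self.preload = dict(preload or {})
        self.entries: dict[str, tuple[int, bool]] = {}  # host -> (expiry, subs)

    def observe(self, host: str, header: Optional[str], over_https: bool, now: int) -> None:
        """Section 8.1: a header received over plain HTTP (for example one an
        SSL Strip proxy relays or forges) is ignored; max-age=0 forgets the host."""
        if not over_https or header is None:
            return
        p = parse_hsts(header)
        if p.max_age is None:
            return
        if p.max_age == 0:
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + p.max_age, p.include_subdomains)

    def is_known_hsts_host(self, host: str, now: int) -> bool:
        """Match the host or a superdomain with includeSubDomains; skip expired."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > now and (exact or entry[1]):
                return True
        return False

    def strippable(self, host: str, now: int, typed_https: bool = False) -> bool:
        """True if an on-path attacker can keep the navigation on plain HTTP."""
        return not typed_https and not self.is_known_hsts_host(host, now)


def demo() -> dict[str, bool]:
    """Fresh browser, one-year HSTS header, no preload entry (constructed hosts)."""
    host, header, t0 = "portal.campus.example", "max-age=31536000", 1_700_000_000
    store = HstsStore()
    out = {"first_visit": store.strippable(host, t0)}
    store.observe(host, header, over_https=False, now=t0)        # relayed by attacker
    out["after_stripped_response"] = store.strippable(host, t0 + 1)
    store.observe(host, header, over_https=True, now=t0 + 10)    # one clean HTTPS visit
    out["after_https_visit"] = store.strippable(host, t0 + 11)
    out["after_expiry"] = store.strippable(host, t0 + 10 + ONE_YEAR + 1)
    preloaded = HstsStore(preload={"campus.example": True})       # as if submitted
    out["preloaded_first_visit"] = preloaded.strippable(host, t0)
    return out
```

Running `demo()` shows the first visit and the visit after a stripped response as strippable, the visit after one clean HTTPS load as protected, the visit after max-age has elapsed as strippable again, and the preloaded host as protected from the first request. `preload_problems("max-age=31536000")` reports the two missing directives, which is the header-side part of what a preload submission for a site in the state described above would need.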
References
M. S. Hossain, A. Paul and M. H. Islam, "Survey of the Protection Mechanisms to the SSL-based Session Hijacking Attacks," Network Protocols and Algorithms, pp. 83-108, 2018.
K. V. K and A. R. K. P, "Taxonomy of SSL/TLS Attacks," I. J. Computer Network and Information Security, pp. 15-24, 2016.
X. Li, C. Wu, S. Ji, Q. Gu and R. Beyah, "HSTS Measurement and an Enhanced Stripping Attack Against HTTPS," SecureComm, pp. 489-509, 2017.
"Check Mixed Content (HTTP)," GeekFlare, [Online]. Available: https://geekflare.com/tools/mixed-content-test. [Accessed 7 November 2022].
K. A. McKay and D. A. Cooper, "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations," NIST Special Publication 800-52 Revision 2, 2019.
"The Heartbleed Bug," [Online]. Available: https://heartbleed.com/. [Accessed 7 November 2022].
W. S. Raharjo and A. A. Bajuadji, "Analisa Implementasi Protokol HTTPS pada Situs Web Perguruan Tinggi di Pulau Jawa" [Analysis of HTTPS Protocol Implementation on Higher-Education Websites in Java], ULTIMACS, pp. 102-111, 2016.
E. Rescorla, M. Ray, S. Dispensa and N. Oskov, "Transport Layer Security (TLS) Renegotiation Indication Extension," RFC 5746, February 2010. [Online]. Available: https://www.rfc-editor.org/rfc/rfc5746.
"CVE-2016-2183 (SWEET32)," MITRE CVE, [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183.
"CVE-2015-4000 (Logjam)," MITRE CVE, [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000.
I. Ristić, Bulletproof SSL and TLS, London: Feisty Duck Limited, 2015.
"bettercap issue #154," GitHub, [Online]. Available: https://github.com/bettercap/bettercap/issues/154.
License
Copyright (c) 2023 Nathanael Dharmawan, Gani Indriyanta, I Kadek Dendy Senapartha
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.