@inproceedings{60970, author = {{Hebrok, Sven Niclas and Storm, Tim Leonhard and Cramer, Felix Matthias and Radoy, Maximilian Manfred and Somorovsky, Juraj}}, booktitle = {{34th USENIX Security Symposium}}, title = {{{STEK Sharing is Not Caring: Bypassing TLS Authentication in Web Servers using Session Tickets}}}, year = {{2025}}, } @inbook{56079, author = {{Radoy, Maximilian Manfred and Hebrok, Sven Niclas and Somorovsky, Juraj}}, booktitle = {{Lecture Notes in Computer Science}}, isbn = {{9783031708954}}, issn = {{0302-9743}}, publisher = {{Springer Nature Switzerland}}, title = {{{In Search of Partitioning Oracle Attacks Against TLS Session Tickets}}}, doi = {{10.1007/978-3-031-70896-1_16}}, year = {{2024}}, } @inproceedings{57816, abstract = {{TLS-Attacker is an open-source framework for analyzing Transport Layer Security (TLS) implementations. The framework allows users to specify custom protocol flows and provides modification hooks to manipulate message contents. Since its initial publication in 2016 by Juraj Somorovsky, TLS-Attacker has been used in numerous studies published at well-established conferences and helped to identify vulnerabilities in well-known open-source TLS libraries. To enable automated analyses, TLS-Attacker has grown into a suite of projects, each designed as a building block that can be applied to facilitate various analysis methodologies. The framework still undergoes continuous improvements with feature extensions, such as DTLS 1.3 or the addition of new dialects such as QUIC, to continue its effectiveness and relevancy as a security analysis framework.}}, author = {{Bäumer, Fabian and Brinkmann, Marcus and Erinola, Nurullah and Hebrok, Sven Niclas and Heitmann, Nico and Lange, Felix and Maehren, Marcel and Merget, Robert and Niere, Niklas and Radoy, Maximilian Manfred and Schmidt, Conrad and Schwenk, Jörg and Somorovsky, Juraj}}, booktitle = {{Proceedings of Cybersecurity Artifacts Competition and Impact Award (ACSAC ’24)}}, keywords = {{SSL, TLS, DTLS, Protocol State Fuzzing, Planning Based}}, location = {{Hawaii}}, title = {{{TLS-Attacker: A Dynamic Framework for Analyzing TLS Implementations}}}, year = {{2024}}, } @inproceedings{49654, abstract = {{State actors around the world censor the HTTPS protocol to block access to certain websites. While many circumvention strategies utilize the TCP layer only little emphasis has been placed on the analysis of TLS-a complex protocol and integral building block of HTTPS. In contrast to the TCP layer, circumvention methods on the TLS layer do not require root privileges since TLS operates on the application layer. With this proposal, we want to motivate a deeper analysis of TLS in regard to censorship circumvention techniques. To prove the existence of such techniques, we present TLS record fragmentation as a novel circumvention technique and circumvent the Great Firewall of China (GFW) using this technique. We hope that our research fosters collaboration between censorship and TLS researchers.}}, author = {{Niere, Niklas and Hebrok, Sven Niclas and Somorovsky, Juraj and Merget, Robert}}, booktitle = {{Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security}}, publisher = {{ACM}}, title = {{{Poster: Circumventing the GFW with TLS Record Fragmentation}}}, doi = {{10.1145/3576915.3624372}}, year = {{2023}}, } @inproceedings{43060, author = {{Hebrok, Sven Niclas and Nachtigall, Simon and Maehren, Marcel and Erinola, Nurullah and Merget, Robert and Somorovsky, Juraj and Schwenk, Jörg}}, booktitle = {{32nd USENIX Security Symposium}}, title = {{{We Really Need to Talk About Session Tickets: A Large-Scale Analysis of Cryptographic Dangers with TLS Session Tickets}}}, year = {{2023}}, } @inproceedings{32573, author = {{Maehren, Marcel and Nieting, Philipp and Hebrok, Sven Niclas and Merget, Robert and Somorovsky, Juraj and Schwenk, Jörg}}, booktitle = {{31st USENIX Security Symposium (USENIX Security 22)}}, publisher = {{USENIX Association}}, title = {{{TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries}}}, year = {{2022}}, }