Towards a Complete View of the SSL/TLS Service Ports in the Wild

2020 
With the emergence of service port obfuscation and abuse, malicious services can easily hide their communication behaviors in large-scale normal SSL/TLS traffic. Therefore, it is of great significance to obtain a complete view of SSL/TLS service ports and understand the potential threats of SSL/TLS usage. In this paper, we conduct a comprehensive analysis of SSL/TLS service ports by carrying out a large-scale passive measurement on two ISP-level networks with a total bandwidth of up to 100 Gbps for over one year. Specifically, we first investigate the overall view of SSL/TLS service ports and uncover that actual port usage is in a state of confusion. At the same time, through in-depth analysis of specific well-known ports used by SSL/TLS, we reveal that well-known ports could easily be exploited by malicious SSL/TLS services. Then, we dig into specific certificates to explore their port behavior and discover that self-signed certificates and EV certificates are in a sorry state. Meanwhile, we uncover practices that may be exploited by malicious services, and reveal the potential threats or vulnerabilities in SSL/TLS service ports. We believe that this work will be beneficial to both SSL/TLS and web security in the future.