Indicators of malicious SSL connections


Internet applications use SSL to provide data confidential- ity to communicating entities. The use of encryption in SSL makes it impossible to distinguish between benign and malicious connections as the content cannot be inspected. Therefore, we propose and evaluate a set of indicators for malicious SSL connections, which is based on the unencrypted part of SSL (i.e., the SSL handshake protocol). We provide strong evidence for the strength of our indicators to identify malicious connections by cross-checking on blacklists from professional services. Besides the confirmation of prior research results through our indicators, we also found indications for a potential (not yet blacklisted) botnet on SSL. We consider the analysis of such SSL threats as highly relevant and hope that our findings stimulate the research community to further study this direction.