Love All, Trust Few: on Trusting Intermediaries in HTTP

Research article (free access). DOI: 10.1145/2785989.2785990

Published: 21 August 2015

Abstract

Recent pervasive monitoring of Internet traffic has resulted in an effort to protect all communications by using Transport Layer Security (TLS) to thwart malicious third parties. We argue that such large-scale use of TLS may potentially disrupt many useful network-based services provided by middleboxes, such as content caching, web acceleration, anti-malware scanning and traffic shaping when faced with congestion. As the use of the Internet grows to include devices with varying resources and capabilities, and access networks with differing link characteristics, the prevalent two-party TLS model may prove restrictive. We present EFGH, a pluggable TLS extension that allows a trusted third party to be introduced into the two-party model without affecting the underlying end-to-end security of the channel. The extension preserves the integrity of the end-to-end trust relationship by allowing selective exposure of the exchanged data to trusted middleboxes.



Published In

HotMiddlebox '15: Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization
August 2015, 80 pages
ISBN: 9781450335409
DOI: 10.1145/2785989

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. EFGH
  2. HTTP
  3. HTTPs
  4. TLS
  5. middlebox
  6. trusted proxy

Conference

SIGCOMM '15: ACM SIGCOMM 2015 Conference
Sponsor: SIGCOMM '15
August 21, 2015, London, United Kingdom

Acceptance Rates

HotMiddlebox '15 paper acceptance rate: 12 of 32 submissions (38%)
Overall acceptance rate: 29 of 80 submissions (36%)

Article Metrics

  • Downloads (last 12 months): 81
  • Downloads (last 6 weeks): 10
Reflects downloads up to 17 Feb 2025

Cited By

  • (2020) ME-TLS: Middlebox-Enhanced TLS for Internet-of-Things Devices. IEEE Internet of Things Journal 7(2):1216-1229, Feb 2020. DOI: 10.1109/JIOT.2019.2953715
  • (2019) The Case for Session Sharing: Relieving Clients from TLS Handshake Overheads. 2019 IEEE 44th LCN Symposium on Emerging Topics in Networking (LCN Symposium), pages 83-91, Oct 2019. DOI: 10.1109/LCNSymposium47956.2019.9000667
  • (2017) SWAROVsky: Optimizing Resource Loading for Mobile Web Browsing. IEEE Transactions on Mobile Computing 16(10):2941-2954, 1 Oct 2017. DOI: 10.1109/TMC.2016.2645563
  • (2015) Towards a Safe Playground for HTTPS and Middle Boxes with QoS2. Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, pages 7-12, 21 Aug 2015. DOI: 10.1145/2785989.2785998