TLS Proxies: Friend or Foe?

@article{ONeill2016TLSPF,
  title={TLS Proxies: Friend or Foe?},
  author={Mark O'Neill and Scott Ruoti and Kent E. Seamons and Daniel Zappala},
  journal={Proceedings of the 2016 Internet Measurement Conference},
  year={2016}
}
We measure the prevalence and uses of TLS proxies using a Flash tool deployed with a Google AdWords campaign. We generate 2.9 million certificate tests and find that 1 in 250 TLS connections are TLS-proxied. The majority of these proxies appear to be benevolent; however, we identify over 1,000 cases where three malware products are using this technology nefariously. We also find numerous instances of negligent, duplicitous, and suspicious behavior, some of which degrade security for users…

Killed by Proxy: Analyzing Client-end TLS Interce

This work designs and performs a thorough analysis of eight antivirus and four parental-control applications for Windows that act as TLS proxies, along with two additional products that only import a root certificate, finding that four products are vulnerable to full server impersonation under an active man-in-the-middle (MITM) attack out of the box, and two more if TLS filtering is enabled.

Live Detection and Analysis of HTTPS Interceptions

A system to passively detect HTTPS interceptions on live traffic and analyze the impact on connection security is presented, which shows that on average, 4.2% of all observed connections are intercepted.

The Security Impact of HTTPS Interception

This work introduces a novel technique for passively detecting HTTPS interception based on handshake characteristics, and assesses the prevalence and impact of HTTPS interception by applying heuristics to nearly eight billion connection handshakes.

Rules and Results for SSL/TLS Nonintrusive Proxy Based on JSON Data

The purpose of this study is to implement an adaptive, non-intrusive proxy in between a client and SSL/TLS web server using more practical and "middle" approach that can moderate the ongoing and

Unveiling SSL/TLS MITM Hosts in the Wild

  • Zhuguo Li, G. Xiong, Li Guo
  • Computer Science
  • 2020 IEEE 3rd International Conference on Information Systems and Computer Aided Education (ICISCAE)
  • 2020
This work designs and implements a novel method to discover suspicious SSL MITM hosts in the wild and shows that hosts using untrusted certificates are vulnerable to MITM attacks.

Capturing Traffic Locally in User-Space

This paper uses data collected by Lumen, a mobile measurement platform, to analyze how 7,258 Android apps use TLS in the wild; it analyzes and fingerprints handshake messages to characterize the TLS APIs and libraries that apps use, and evaluates their weaknesses.

RAPID: Resource and API-Based Detection Against In-Browser Miners

The results demonstrate the applicability of detection mechanisms as a server-side approach, e.g., to support the enhancement of existing blacklists, and the feasibility of deploying prototypes of some detection mechanisms directly on the browser.

A Formal Treatment of Accountable Proxying Over TLS

A provably-secure alternative to the soon-to-be-standardized mcTLS is proposed: a generic and modular protocol design that carefully composes generic secure channel-establishment protocols, which it proves secure.

Non-intrusive SSL/TLS proxy implementation and issues

This paper extends the implementation of the proxy using Perl language and currently available tools, data repository and techniques to take a more practical and “middle” approach that can moderate the ongoing and future SSL/TLS sessions.

Nonintrusive SSL/TLS Proxy with JSON-Based Policy

A policy rule in JSON schema and data is proposed for handling SSL/TLS connections delegated by a non-intrusive, pass-through proxy that can moderate the ongoing and future SSL/TLS sessions while not compromising user privacy.